5 Questions Board Members Should Ask About Cybersecurity

Thomas Hamata

In an era where digital transformations are sweeping across industries, the role of corporate boards in overseeing cybersecurity is becoming increasingly critical.

For many boards in Namibia, the challenge is particularly pronounced because of a general lack of cybersecurity expertise among their members.

This article aims to bridge the knowledge gap and empower board members with strategic questions that can drive meaningful conversations about cybersecurity risks and the robustness of their companies’ cyber defences.

The comprehensive focus on a board’s IT governance and risk oversight in Chapter 5 of the NamCode emphasises that cybersecurity is a critical strategic concern, not just a technical issue.

With cyber threats becoming more sophisticated and pervasive, the potential for significant financial, reputational and operational damage has escalated.

Boards have a fiduciary duty to protect their companies’ assets, and this includes safeguarding against cyber threats.

Understanding the cybersecurity landscape and ensuring that the organisation adheres to reasonable security standards is not just prudent; it is a crucial aspect of a board’s oversight responsibilities.

  1. What are our key cyber risks, and how are we managing them?

Board members should initiate their cybersecurity oversight by requesting a detailed and clear risk assessment from management that pinpoints the organisation’s most critical digital assets.

Understanding the specific cyber risks that could impact these crucial assets is foundational.

It’s vital for boards to not only grasp the nature of these risks but also to comprehend the management strategies in place to mitigate them effectively. This question helps ensure the board is well-informed about vulnerabilities and proactive measures being taken to safeguard the organisation’s crown jewels.

  2. How does our strategy align with our overall business objectives?

Cybersecurity should not be siloed as a standalone issue, but integrated into the broader business strategy.

Board members should inquire how the cybersecurity strategy supports the overall business objectives and enhances operational resilience.

Understanding this alignment helps ensure that cybersecurity measures are not just reactive but proactive and strategic.

It is also key that board members verify that a programme to implement the cybersecurity strategy is in place, is regularly monitored and is appropriately benchmarked to best practice.

The concept of “reasonableness” is key for cybersecurity programmes, and boards should ensure that their companies are meeting reasonable standards.

  3. What is our incident response plan, and how often is it tested?

The board would be ignoring an important part of its fiduciary responsibility if it did not ensure that the organisation has both protection and detection capabilities.

An effective incident response plan is a board’s best assurance that the organisation can quickly recover from a cyber incident.

Board members should ask about the specifics of the plan and ensure it includes not just the immediate response, but also steps for recovery and communication. Additionally, knowing how frequently this plan is tested through drills and simulations can provide confidence in its effectiveness.

  4. How do we stay informed about the latest regulations and ensure compliance?

With the legal landscape around data protection and cybersecurity constantly evolving, boards must ensure their organisations remain compliant with current laws and regulations.

Questions should be directed at how the organisation keeps abreast of these changes and the processes in place to adjust practices accordingly.

It is important to verify that these compliance processes are integrated with the overall risk management framework, ensuring that legal updates translate into actionable steps across the organisation.

  5. What training do our employees receive?

Human error remains one of the largest vulnerabilities in cybersecurity.

Board members should understand the scope and effectiveness of cybersecurity training provided to employees across the organisation.

Ensuring that everyone is educated about common cyber threats and safe practices is a foundational step in creating a robust cybersecurity posture.

Additionally, it is critical to periodically assess and update training programmes to address emerging threats and to ensure training methods are engaging and effective in promoting cybersecurity awareness and compliance.

EFFECTIVENESS

Board members do not need to be cybersecurity experts, but they should be able to engage in knowledgeable discussions about cyber risks.

By asking the right questions, they can significantly strengthen their organisation’s cybersecurity defences.

As the digital threats intensify, board vigilance has become more crucial than ever, especially as cybersecurity expertise is increasingly sought for board co-option and succession planning.

As cyber threats evolve, it is imperative that boards adapt their oversight practices to effectively address these ongoing challenges.

  • Thomas Hamata is an IT risk professional and co-founder of Accelerate Advisory Services (Pty) Ltd; www.acceler8namibia.com/blog
