Why Corporate Board Members Need To Adopt Cyber-security As A Strategic Part Of Business Operations
As a continent, the prevailing thought has always been that digital issues within our organisations are dealt with by the IT department. This rang true a few years ago, and it may still hold for the organisation that operates with a localised mind-set, but this old adage has slowly run its course. Not only is digitalisation, or "IT", a topic that demands attention from the top (management) of the organisation; the very term IT is no longer a stand-alone division in the organisation but has proliferated into all other divisions and departments (operations, marketing, production and finance) of the modern-day organisation.
Through legendary vision and experience, the great Peter Drucker stated, "The diffusion of technology and the commodification of information transforms the role of information into a resource equal in importance to the traditional important resources of land, labour and capital."
Digitisation, or technology, which is effectively information processed by technology, has in recent times been dubbed "the blessing and the curse". Why do I say so? Universally, digitalisation has been a revolution: it has helped with better and quicker decision making, encouraged innovation, created more efficiency and provided greater reach. The flip side is the "curse", the downside of digitalisation, and the chief concern there is the security of this digital landscape.
The security of the digital space, termed "cyber security", is the major concern that all organisations need to be wary of and vigilant about. A security mindset is therefore imperative, and this security mindset creates and rubber-stamps a security culture that will ensure that information security is "everyone's responsibility" in the organisation. This mindset starts at the top, and the fact of the matter is that the board and executives are the main drivers of security awareness and culture in an organisation.
At management level, the Chief Executive Officer (CEO) is the one who is accountable to the board regarding any cyber security risk. It is common knowledge that the Chief Technology Officer (CTO) is responsible for the information technology of the business or, in some instances where one exists, the Chief Information Security Officer (CISO) interfaces with the board and is held accountable for cyber security risk management.
Why is it important for the board and the executive to be at the helm of digital information security (IS)?
This approach builds from a technology knowledge platform, but the major challenge is governance of the total enterprise, which requires established management skills of communication, project management, behavioural science and command presence. A clear information security governance direction is therefore imperative for organisations to set, and that direction is determined by the leadership (the board and executive level).
Focusing on the review and approval aspects of board responsibilities, it is strongly recommended that boards provide strategic oversight regarding information security. Some of these recommendations include:
- Understanding the criticality of information and information security to the organisation
- Reviewing investment in information security for alignment with the organisation strategy and risk profile
- Endorsing the development and implementation of a comprehensive information security programme
- Requiring regular reports from management on the programme's adequacy and effectiveness
- Strategic alignment of information security with business strategy to support organisational objectives
- Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level
- Resource management by utilising information security knowledge and infrastructure efficiently and effectively
- Performance measurement by measuring, monitoring and reporting information security governance metrics to ensure that organisational objectives are achieved
- Value delivery by optimising information security investments in support of organisational objectives
It is therefore worth noting that, for effective oversight of information security governance, senior management has to be held accountable and has to foster a clear and concise strategy, expressed with the right understanding in non-technical terms. This should be in place along with systems and controls to monitor any and all security threats faced by the modern-day organisation.
Published: 01 Nov 2019, Harare, Zimbabwe, Africa.
Author: Jonathan Gochera is the General Manager of WeSecure (https://www.wesecure.africa). Jonathan holds a BSc (Hons) Business Management and Information Technology degree from the University of Hull, England, and a Diploma in Business Studies from Greenwich School of Management, England, and is also a Sophos Certification holder. Jonathan has more than 10 years' experience in the ICT industry covering database management and administration and cyber security. Jonathan sits on the Standards Association of Zimbabwe ICT Committee and is currently working on and developing ICT governance systems, securing the confidentiality, integrity and availability of individual and corporate information.