Ideas & Debate

How cyber security is shaping director role


Kenya is seen as a pace-setter on matters information technology; and cyber security is right up there. FILE PHOTO | NMG

Today, organisations are taking a keen interest in the impact of risky internet connectivity for their businesses, employees and customers. This is referred to collectively as cyber security — a structured way of using computer software and systems designed to monitor, detect and prevent unauthorised access to computerised information. In most cases this kind of access has turned out to be mischievous.

Yet, while we can safely say that the rise is commendable, it is still far too slow to make a real impact. Since most sensible companies have a business continuity plan as part of risk management, it is emerging that several are yet to stress-test their plans against emerging and evolving cyber security threats.

The board of directors is in a position to push for this actively, but unfortunately there is a severely low appreciation of the need to include cyber security risk as a key success factor for regular discussion. As a result, many business leaders, including chief executive officers and chief information officers, are unable to escalate cyber security risk to the directors, citing their low appreciation of the gravity of exposure to internet connectivity without a safety methodology that keeps criminals at bay.

Even though these issues may initially seem like those that the management can deal with, there is a well-developed school of thought that cyber security is no longer just within the purview of top management. The board of directors must be consciously aware of the organisation’s cyber risk profile at any given time. Directors need to possess a strong understanding of investment in systems, personnel and continuous knowledge about cyber security.

There is mounting evidence that cyber security is now more of a strategic issue for the organisation. The degree of losses from cyber fraud and the scale of attacks are rising with every passing year.

Sh50 billion

Indeed, available data shows that African organisations lost nearly Sh350 billion in 2017 alone to cyber criminals. Kenya, specifically, has suffered over the last four years with public and private organisations collectively losing Sh50 billion, according to Serianu’s Cyber Security Survey and Report.

Granted, many of the board matters are driven by regulators: from finance to insurance, human resources and even corporate governance. So where does cyber security come in?

It actually does on two fronts. The first is internal, the second external. Internal means that each board has to finally find a way to measure and present cyber security risk exposure and its possible impact on the organisation. Cyber security is a strategic matter for the board because in addition to financial losses, it is the source of major reputational risk.

Fortunately, there is already a growing wave of emerging regulation regarding cyber risk policies due to piling insurance claims lodged as a result of cyber security losses.

With a firm grasp of cyber security issues and the risk profiling of their respective organisations, directors are then able to focus on the impact, be it the legal, regulatory or financial consequences of cybercrime.

Is cyber security a complicated subject for directors? Probably so. But courses can easily be tailor-made, with content simplified for their ease of understanding, as they usually come from diverse backgrounds.

Other IT industry players have said that the issue is a lack of a methodology that gives directors a mechanism for evaluating and assigning a value to the cyber security risks. This way, the directors can have visibility into the effectiveness of various controls implemented to address cybersecurity within their organisation.

The reality is that globally, board directors are increasingly required to include cyber security as a critical component of their overall role as a risk oversight body chaperoning the management. Since the board of directors typically owns the vision of the organisation, it therefore follows that each member should have a depth of understanding and appreciation about cyber security.

Compliance

It is the responsibility of the board to make sure that compliance requirements are met. Boards must proactively manage cybersecurity and drive the organisation’s attention to and readiness for cybersecurity risks. In order to understand and appreciate the state of their organisation’s risk profile, they must implement a policy that guides the frequency of evaluation, the shape and form of its valuation and adopt a reporting style that is in line with global best practice.

Fortunately, Kenya is seen as a pace-setter on matters information technology; and cyber security is right up there. We look forward to more directors taking up the mantle and using modern global best practice to show the way for their colleagues to follow.

In any case, Kenya is ready to embrace this concept and the best way to do it is to have the board and senior management include this methodology when developing the ICT strategy.

The writer is a Cyber Risk Quantification Specialist at Serianu Limited.