Bringing the C-level on board with cyber security
Directors and other C-level executives should always be involved in, and keep up to date with, the cyber security discussion.
This is the word from Vincent Mello, manager: system administration and risk management at Rand Water, who was speaking at the ITWeb Security Summit 2018 at Vodacom World in Midrand, Johannesburg, this week.
"It is crucial that management and the board understand the immense risk that cyber crime poses to the efficient running of the business," said Mello. "Management needs to establish viable strategic direction, ensure compliance, and execute the cyber security strategy within their organisations."
Not just an IT issue
Mello said discussion of cyber risk at management level should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
"Directors ought to understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue. They need to understand the legal implications of cyber risks as they relate to their company's specific circumstances. They also ought to establish an enterprise-wide risk management framework with adequate staffing and budget."
He added that it was imperative that management also have adequate access to cyber security expertise, and that discussions about cyber risk management be given regular and adequate time at board meetings.
Quoting a New York Stock Exchange study conducted last year on 200 board members in various industries, Mello said it was evident that although cyber security is discussed at most board meetings, many directors lack confidence in their company's ability to thwart an attack, and are increasingly holding the CEO, and in some cases the entire executive team, accountable.
"It's obvious that cyber security is no longer just an IT story, but also a business story. Directors and board-level members need to have a clear plan on how to address identified risks as well as provide oversight activity such as re-evaluation of budgets for cyber security programmes and policies, as well as internal and external audits."