
Why are boards still ignoring cyber security?

By Matthew Burbidge
Johannesburg, 27 Aug 2020
Tichaona Zororo

The sorry litany is long, and growing: Experian, Momentum, Nedbank, Ster-Kinekor, Liberty Life, Standard Bank and City Power. All these organisations have been hacked in the recent past, but for different reasons.

One of the problems, according to Tichaona Zororo, the director of digital transformation and innovation advisory at consultancy EGIT, is governance, or rather the lack of it.

Speaking at ITWeb’s Security Summit on Thursday, he identified cyber security as a blind spot among boards and had plenty of advice on how they can modernise their approach to what is becoming a business imperative.

But there can be no learning without an understanding of what drives this destructive behaviour, the root of which, he believes, is a deep-seated fear among directors and executives of being unmasked as ignorant.

“Very few boards of directors have skills, so they’re not willing to discuss cyber security,” he says.

At the very least, boards should make sure they have one or two members who can provide insight.

“If you don’t have the skills, how can you direct?”

In fact, the only time the board will be prepared to discuss security is when the organisation has been attacked. By then, it’s, of course, too late. He says the average cost of a data breach is in the region of R43.5 million, and this isn’t counting the reputational damage.

He says boards should treat security in the same way they treat finance or the execution of business strategy. It’s probably a good idea that the board engage in some periodic security training. Security is in place to protect the business, and should be anchored in the business’ objectives. A proper cyber security strategy should enable the realisation and achievement of business objectives.

While most organisations have some kind of security, such as anti-virus software, a SIEM or security officer of some kind, solutions are piecemeal, and very often ‘disintegrated’.

“Some applications may be running on Windows 2007, or 2003, or XP. Your patches are not up to date. Your antivirus may be up to date, but it’s not supported with a holistic approach.”

He adds that very few organisations have a security strategy, or clear performance objectives and metrics.

Service level agreements also need to be properly managed, and will be informed by accurate reports from the SIEM (security information and event management). This, in turn, will provide signposts for crafting a strategy.

A board will also need information before it can act, as well as constant input from the CISO.

“Is our strategy up to date? A strategy that was up to date in January 2020 will be irrelevant because of the coronavirus.”

He says it’s vital to have an up-to-date asset register, which will inform the business’ ICT procurement plan. It will also reveal outdated equipment. He remembers consulting for a firm in Namibia and realising its router had last been updated in 2001.

While the list of security shortcomings is a long one, none is as destructive as inaction, he says.

“Most organisations understand cyber security and the risks they face, but inaction is a gap in the governance of enterprise IT. An expensive SIEM is not a panacea to effectively securing an organisation.”

Cyber governance mini poll

Zororo also ran a mini poll among delegates to gauge their cyber governance and preparedness. There were some surprises:

  1. Does your organisation have a formal cyber security strategy approved by the board of directors? (Yes: 63%)
  2. Is cyber security an agenda item for your board of directors, IT governance committee and/or audit and risk committee? (Yes: 69%)
  3. Does your board and senior directors periodically review a summarised cyber security incident and incident management report? (Yes: 63%)
  4. Does your organisation have a cyber security incident response plan? (Yes: 63%)
  5. Does the board of directors and senior executives simulate a cyber security incident response plan? (No: about 60%)
  6. Is your organisation still using Windows XP, Windows Server 2003, Windows 7 or Windows Server 2008? (Yes: 53%)
  7. Does your organisation keep an accurate, complete and up-to-date information and technology asset inventory? (Yes: 50%)
  8. Does your organisation have a CISO? (Yes: 66%)
  9. Who does your CISO report to? (CIO: 32% | CEO: 15% | CFO: 3% | COO: 6% | head of security: 5% | none of the above: 27%)
  10. Does your CISO attend board meetings? (No: 60%)
  11. How frequently does your organisation perform third-party cyber security risk assessments, including external penetration testing? (Once per annum: 40% | Twice per annum: 17% | Never: 7%)
  12. Are all your patches up to date? (No: 54%)
