Five Questions Board Members Should Ask About Cybersecurity
By Thomas Paavo Hamata
As digital transformation sweeps across industries, the role of corporate
boards in overseeing cybersecurity is becoming increasingly critical. For many
boards in Namibia, the challenge is particularly pronounced because few of their
members have cybersecurity expertise. This article aims to bridge that
knowledge gap and equip board members with strategic questions that can drive
meaningful conversations about cybersecurity risks and the robustness of their
companies’ cyber defences.
Why Cybersecurity Matters for Boards
Chapter 5 of the NamCode, with its comprehensive focus on the board’s IT
governance and risk oversight, emphasises that cybersecurity is a critical
strategic concern, not just a technical issue. With cyber threats becoming more
sophisticated and pervasive, the potential for significant financial, reputational
and operational damage has escalated. Boards have a fiduciary duty to protect
the assets of their companies, and this includes safeguarding them against cyber
threats. Understanding the cybersecurity landscape and ensuring that the
organisation adheres to reasonable security standards is not merely prudent; it is a
crucial aspect of a board’s oversight responsibilities.
1. What are our key cyber risks, and how are we managing them?
Board members should begin their cybersecurity oversight by requesting a
clear, detailed risk assessment from management that identifies the
organisation’s most critical digital assets (its “crown jewels”): the systems and
data whose compromise would cause the greatest financial, operational or
reputational harm. Understanding the specific cyber risks to these assets is
foundational. Boards should grasp not only the nature of these risks but also
the controls in place to mitigate them, and whether the residual risk sits within
the board’s risk appetite. This question ensures that the board is informed
about the organisation’s key vulnerabilities and the proactive measures being
taken to protect its crown jewels.
2. How does our cybersecurity strategy align with our overall business
objectives?
Cybersecurity should not be siloed as a standalone issue but integrated
into the broader business strategy. Board members should ask how the
cybersecurity strategy supports the overall business objectives and
enhances operational resilience. Understanding this alignment helps
ensure that cybersecurity measures are proactive and strategic rather than
merely reactive. Board members should also verify that a programme to
implement the cybersecurity strategy is in place, that its progress is regularly
reported to the board, and that it is benchmarked against a recognised
standard or framework. The concept of “reasonableness” is key for
cybersecurity programmes: a board will ultimately be judged on whether the
company took reasonable steps, so it should satisfy itself that the programme
meets a reasonable standard for an organisation of its size, sector and risk
profile.
3. What is our incident response plan, and how often is it tested?
A board that does not ensure the organisation has protection, detection and
response capabilities is neglecting an important part of its fiduciary
responsibility. Preventive controls will eventually fail, so a tested incident
response plan is the board’s best assurance that the organisation can contain
a cyber incident and recover quickly. Board members should ask about the
specifics of the plan: who is authorised to declare an incident and take
decisions, how incidents are contained and eradicated, how systems and data
are recovered, and how and when customers, regulators and other stakeholders
are informed. They should also ask how often the plan is exercised through
tabletop drills and simulations, when it was last tested, and whether the
lessons from those exercises and from real incidents have been acted upon. A
plan that has never been rehearsed provides little confidence in its
effectiveness.
4. How do we stay informed about the latest cybersecurity regulations
and ensure compliance?
Because the legal landscape around data protection and cybersecurity is
constantly evolving, boards must ensure their organisations remain
compliant with current laws and regulations. Questions should be directed
at how the organisation keeps abreast of these changes and the processes
in place to adjust its practices accordingly. It is important to verify that these
compliance processes are integrated with the overall risk management
framework, so that legal updates translate into actionable steps
across the organisation.
5. What cybersecurity training do our employees receive?
Human error remains one of the largest vulnerabilities in cybersecurity; many
successful attacks begin with a person being deceived, for example by a
phishing email. Board members should understand the scope and effectiveness
of the cybersecurity training provided to employees across the organisation,
including whether its effectiveness is actually measured (for example through
phishing simulations and the rate of reported suspicious emails) rather than
assumed from attendance figures. Ensuring that everyone is educated about
common cyber threats and safe practices is a foundational step in building a
robust cybersecurity posture. Training programmes should also be periodically
assessed and updated to address emerging threats and to ensure that the
methods used are engaging and effective in promoting cybersecurity
awareness and compliance.
Board members do not need to be cybersecurity experts, but they should be able
to engage in knowledgeable discussions about cyber risks. By asking the right
questions, they can significantly strengthen their organisation’s cybersecurity
defences. As the digital landscape expands and threats intensify, board vigilance
has become more crucial than ever, and cybersecurity expertise is increasingly
sought when boards co-opt new members and plan succession. As cyber
threats evolve, boards must adapt their oversight practices to address these
ongoing challenges effectively.