How to address the Board's lack of cybersecurity expertise

What happens when a company is undergoing a digital transformation, implementing AI technologies to automate processes and personalise customer experiences, but the board lacks expertise in cybersecurity?

While the board may understand the potential benefits of AI, if they are not fully equipped to oversee the cybersecurity risks and governance issues arising from AI adoption, the board risks being unable to make informed decisions relating to cybersecurity.

?

Acknowledge the problem

Firstly, we need to acknowledge the problem. Present your concerns to the board and emphasize the potential consequences of a lack of cybersecurity expertise, such as financial losses, reputational damage, and regulatory penalties. This should be done in a way that highlights cybersecurity as a strategic business enabler rather than just an IT issue.

When you speak the Board's language in terms of their role in cybersecurity oversight in accordance with King IV and The Companies Act, you are more likely to get buy-in.

?

Address the problem

Next, we need to determine how the board will gain the missing cybersecurity experience. This can be done in a number of ways.

• Cybersecurity training: The CEO can implement a training program tailored for the board, covering basic cybersecurity concepts, industry best practices, and the specific risks associated with AI adoption. The training should be ongoing and updated regularly to reflect the evolving threat landscape. Whilst this is a cost-effective way of handling the risk, it may not bring the in-depth expertise needed.
• Appointing a board member with cybersecurity expertise: This option can bring much-needed knowledge and experience to the board. The company should conduct thorough due diligence to ensure the candidate possesses the necessary skills and experience and consider the specific attributes of expertise needed. This may be a longer process and it may be difficult to find suitable candidates but you will have dedicated expertise on the board.
• Appointing a cybersecurity advisor: An external advisor can also provide specialised guidance and support to the board on cybersecurity matters. This advisor can also help educate the board and bridge the knowledge gap.
• Engaging an assurance provider: An assurance provider, like Internal Audit, can review and assess the company's cybersecurity practices and provide independent assurance to the board.

?

Management's role in ensuring the Board's effective monitoring of cybersecurity risks

Management should that they are providing the board with regular and comprehensive reports on cybersecurity risks and the company's efforts to mitigate them. Some of the ways to do this include:

• Integrate cybersecurity into the organisation’s overall risk management framework.
• Develop a cyber-risk matrix and identify business outcomes to be avoided in the event of a cyberattack.
• Implement detective and monitoring controls.
• Plan for cyberattack simulations and stress-test business continuity plans.
• Procure adequate Directors and Officers liability insurance cover, including cyber liability insurance.
• Table cybersecurity at the risk committee so that relevant information can be filtered to the full board. This ensures that cybersecurity receives dedicated attention and that the board is kept informed of key developments.

By taking these actions, the company can ensure its board is equipped to provide effective oversight of cybersecurity risks, particularly in the context of its digital transformation and AI adoption.