Boards lack a real understanding of the IT risks facing their companies, say delegates who attended the recent CSZ Security Event - Ransomware.
Only 6% of board directors and 3% of CEOs of leading companies have professional technology experience. More than two-fifths of companies have no board members with professional technology experience.
Cyber-risk oversight is becoming an increasingly dangerous job for corporate boards. In the recent WannaCry attacks, more than 30 local companies and institutes were affected. According to the attendees, many directors may not be equipped with the knowledge and understanding they need to provide that oversight. A lack of knowledge can create a disconnect between technology professionals and directors, leading to the potential for breakdowns in IT risk management and cybersecurity.
“You know, at executive level there are companies where a lawyer is acting, a doctor is acting. We should advocate that ICT professionals should be at executive level. I fought hard while working at Hwange (Colliery Company Limited) to be in the executive board where I effected some crucial changes in the company with regards to ICTs.
“I was the one who ensured that all employees get company email addresses. But within four months of my departure the company had made many changes which could leave the company vulnerable to cyber threats,” said one Benard Tongogara.
The number and size of cybersecurity attacks are increasing and Australia is one of the world’s largest targets. The reasons are many and include a lack of direction and commitment to understanding information security at the strategic level.
This is troubling given that lack and the ultimate accountability of board directors.
While most cyber professionals feel their organizations have the basics covered, a large majority think there is more to be done and significantly more work to do.
Budget, security awareness and understanding of the real threat were the biggest factors holding back the cyber approach.
The problem with this approach to ICT policies is that too little effort is being made to understand the value, control, and cost of the information that an organization holds.
A small piece of research done by Techunzipped at the event shows that executives should be identifying the value and sensitivity of the information in their organizations. Only then can they make practical decisions about what IT infrastructure should be used and whether to seek skilled help by outsourcing or “stealing” from other companies.