The reality is cybersecurity is not an ICT issue anymore, it is now a boardroom issue. Zimbabwean companies must be diligent and vigilant with the latest cybersecurity attack being,”TM Pick n Pay, Cyber Breach is a tip of the iceberg” , 

The company board must understand that it is not only their duty under law, but because they have a duty of care to their customers, shareholders and stakeholders. Cybersecurity is  ever-increasing in the Covid-19 era. On one hand, businesses are going through a radical transformation while on the other hand the attack surface is rapidly expanding due to more people working from home and being online more than ever. There is increased pressure on executive teams to step-up and get a better handle on cybersecurity.

As board members, cybersecurity has grown so large that their consequences can significantly impact a company’s valuation. As a result, network security and data privacy are now boardroom governance concerns. Regulators like Securities and Exchange Commission of Zimbabwe (SECZ), should respond by increasing oversight and highlighting the need for public companies to make disclosures related to the cybersecurity risks. Zimbabwe’s Boardrooms should not only devote more attention to this ever-increasing cybersecurity risks but also evaluate their company’s corporate readiness for such attacks.

In Zimbabwe and beyond, data breaches and cybersecurity attacks have proliferated over the past few years and incidents occurring at Zimbabwe’s large and reputable companies are further stressing the harsh reality that no company is safe from this modern day threat.

Zimbabwe is a cashless society and the realm of the fight against corporate cybersecurity hacks and the mishandling of confidential data are boards of directors and their management teams whose challenge is further exacerbated by tougher disclosure requirements as required by the now Cyber Security and Data Protection Bill and the speed at which the threats are evolving. As a cashless society, what constituted a valid preventive strategy five years ago is unlikely still appropriate today. 

Social engineering is now the number one crime and cybersecurity now extends well beyond criminal organizations conducting targeted attacks on corporations to include personal data gathered from social media platforms like facebook, navigation systems and home security monitoring to personal health tracking devices.

The only companies that has CTO/CIO professionals on their board are telecommunications and mobile network operating (MNO) companies. The rest still have ICT security buried within the ICT department. The Chief Information officer (CIO) or the Chief Technology Officer (CTO) is left to decide security levels in isolation from the actual business risks, he or she is trying to manage, with little access to decision-makers at board level or to adequate funding.  Unaware of the risks, business units frequently perceive ICT security simply as a cost and an obstruction and ways to circumvent it. Similarly, they plan strategy and take business decisions with scant regard for the risk consequences. The lack of board involvement means the regime is not focused and board reporting is inaccurate. 

With the COVID-19 out-break, companies must implement a new ICT corporated governance strategies and processes. Board members, senior managers and the CIO/CTO, must understand the severity of the cyber security threat landscape and how cybersecurity attacks could impact the company’s business model, customers and reputation. 

Having the CIO/CTO on the company’s board, it makes it easier for the board to identify the damaging impacts and to be identify priorities for the business and the ICT security team.  It is not enough to simply increase the security budget, the budget must be focused on the highest priority risks. 

It is essential that the appropriate ICT governance is implemented within a structure that suits the individual organisation’s corporate governance model, risk appetite and culture, business activities and specific threat landscape. 

As the organisation improves its ability to manage cybersecurity risk, the cyber ICT governance process will mature and become more embedded in wider risk ICT governance, integrating with related business processes e.g. resilience, business continuity, fraud management and crisis management. The increased maturity of ICT corporate governance will also enable the organisation to introduce more quantitative measurements and to exploit the use of software tools. 

Cybersecurity is now critical aspect of boardroom oversight, but an overwhelming majority of directors rate their own and their board’s knowledge of ICT risk as ‘in need of improvement’. A lack of cyber-knowledge at board level can lead to overreliance on cyber experts and difficulty for directors in judging an appropriate level of involvement.

To help board members address this critical topic, the Institute of Directors of Zimbabwe  (IODZ), along with Zimbabwe Information and Communication Technology (ZICT), the ICT division of Zimbabwe Institution Of Engineers (ZIE) will be organizing a series of roundtable discussions across the country, with the meetings focused on implications for the boardroom: how directors can effectively oversee cybersecurity risk; the necessary processes and policies to protect sensitive networks, systems and data from unauthorized access or attack; and the potential for financial and legal problems created by cyber-threats. 

If you need any further information, do not hesitate to contact us on email [email protected] or whatsapp/call +263772278161

Engineer Jacob Kudzayi Mutisi