The Cyber Security Challenge - Are The Boards Ready?
Denish Osodo
Director – Internal Audit
Safaricom Limited
27 May 2016
Safaricom Public C13
The situation in Kenya
What keeps business leaders awake
[Chart panels: Global, Africa, Kenya]
Sources: PwC’s 19th Annual Global CEO Survey (Global); PwC’s 2016 The Africa business agenda survey (Africa); Serianu Kenya Cyber Security Report 2015 (Kenya)
Functions and Accountability of the board
The board of directors is ultimately responsible for the company’s business affairs and governance:
• Assume responsibility for leadership and control of the corporate
• Direct and supervise the corporate’s affairs
• Make decisions in the interests of the corporate
Board Accountability
• Accountability to shareholders
• Accountability for Board Operation
• Accountability for Strategic Decisions and Performance
Governance Trends
1. Board Accountability
• Board members are increasingly being held to account, individually or collectively, for failure to provide oversight.
• Media, activists and public pressures are augmenting the objective standard of care for directors. Director action (or inaction) will be more and more visible.
• Onerous risk coverage requirements on directors that require oversight of internal controls and risk management.
• Greater scrutiny of board composition, capabilities and skills for effective direction of management teams.
2. Integrity and Ethics
• Emphasis on a culture driven by the organization’s value system.
• Injudicious risk-taking is the new warning sign on which prudent boards are seeking substantial assurance.
• Greater emphasis on leadership by example.
• Embedding ethics as part of the organization’s DNA.
3. Cybercrime and Technology governance
• Boards are upskilling to provide effective direction and oversight in areas of rapid technological advancement and change.
• Cyber security and social media are examples of IT risks that can cause privacy breaches, reputational damage, and significant investor loss.
4. Governance in the public interest
• Regulators are requiring that corporate entities are created to protect the public interest, where public funds or resources are involved, that are separate from the primary commercial entities. There is also a move towards prescribing the competency matrices for directors and oversight functions of those entities.
• There is a growing tendency to account for the wider stakeholder view of governance that is not limited to shareholder democracy.
Board Engagement and Oversight
General areas of concern to Boards:
• Leadership and Governance
• Human Factors
• Information Risk Management
• Business Continuity
• Operations and Technology
• Legal and Compliance
What the Board cares about
Areas to address in increasing Board awareness and action:
Financial impact
• Will investment in cybersecurity increase my revenue?
• How much loss would result from a cybersecurity incident?
Reputational damage
• Can I sustain the fury of KoT (Kenyans on Twitter)?
• Can customers trust me?
Regulatory Compliance
• Fines by the regulator
• Legislation targeted against my company
• Requirement by regulators for compulsory IT audits
Stakeholder/Customer Focus
• Uninterrupted services to customers
• Customer data privacy
• Enhance partner confidence
Loss of Intellectual Property
• Will they steal my trade secrets?
Why Cybersecurity may not be on the Board’s Agenda
• Perception that information security governance is best handled by the company’s management
• Board members may be overly confident about the effectiveness of their cybersecurity governance processes
• Management may not be providing information on cyber attacks and data breaches affecting the organization, i.e. lack of transparency
• It may not be clear to the board what an effective cybersecurity function should be achieving, i.e. what does success look like?
• Perception that cybersecurity is an issue to be handled by law enforcement authorities
• Limited knowledge on cybersecurity
Bridging the gap
• Form a special cybersecurity committee to elevate the attention and importance of cybersecurity risk and ensure it is on the board’s agenda
• To increase transparency, establish parameters for accountability without blame and with appropriate, pre-understood consequences
• Establish an understanding that cybersecurity is an enterprise-wide risk management issue, not just an IT issue
• Include cybersecurity as a standing topic in every risk committee and board meeting
• Frequent briefings on the state of cybersecurity in the organization to keep board members informed about the threat landscape and how threats may impact the company
• Create and standardize security metrics and KPIs. Use risk-based frameworks to which the board can relate
• Think business and communicate cyber impact in terms of business-based outcomes
Questions that a well-informed board will ask regarding Cybersecurity
• Cybersecurity governance: policies, strategy, frameworks
• User security awareness and training
• Risk assessment of internal and external threats
• Adequacy of incident response mechanisms
• Continuous monitoring & assurance
• Customer data privacy (PII)
• Business continuity and prompt recovery of operations
The Cyber Security Challenge – is your Board Ready?
Thank You