Executive leadership at board level must attach the same importance to cyber security as they do to financials or operations strategies. In this digital-centric world, cyber security governance has become non-negotiable.
This is according to Tichaona Zororo, digital transformation and innovation advisory director at IT advisory firm Enterprise Governance of IT (EGIT), based in South Africa, Namibia, Zambia and Zimbabwe.
ITWeb caught up with Zororo ahead of his participation at the ITWeb Governance Risk and Compliance (GRC) 2025 event, taking place on 20 February at The Forum, in Bryanston.
“Governing cyber security is a prerequisite imperative for successful business performance in today’s digital world. Hackers and hacktivists are taking advantage of the capabilities brought in by generative artificial intelligence. Organisations and boards must ensure they have cyber security on their radar,” he said.
But research from EGIT suggests businesses have become distracted.
While 34% of organisations do have a formal cyber security policy and strategy approved by their boards of directors, the same proportion (34%) do not have this in place, the research indicates.
Organisations were asked whether their boards of directors have cyber security expertise and are ‘cyber security savvy’.
Only 24% of organisations responded yes; 42% said this is not the case.
Asked if their board of directors and senior executives simulate cyber security incident response plans, just 18% said yes and 51% said no.
“Cyber security governance is more important than ever before,” said Zororo, “to provide the needed direction, because when cyber attacks happen, business comes to a complete halt. Cyber security governance is about taking a proactive approach to provide oversight, monitoring and supervision of cyber risk.”
Zororo stressed that organisations without a mature or developed cyber security strategy will be in for a tough time.
“Business will be disrupted when cyber attacks happen; businesses will be found wanting… they will be attacked for prolonged periods.”
Cyber security threat landscape
“The cyber security threat landscape continues to shoot through the roof at unprecedented levels. Every year for the past decade, the World Economic Forum (WEF) cites cyber security as one of the top 10 global risks,” Zororo added.
Asked for his view on the link between GRC and cyber security, Zororo said there is a disconnect, mainly because of a lack of skills.
“This is mainly because a number of board members lack the prerequisite cyber security knowledge and understanding to ask the right questions… they are afraid of exposing themselves.”
Zororo added that in several cases, cyber security governance is largely ignored by directors and the boards they represent.
“My session [at the GRC summit] aims to provide the right questions that board members and senior executives can ask about cyber security in their organisations.”
Cyber security governance culture
Zororo said cyber security governance must be at the forefront of a company’s culture.
“Cyber security is the responsibility of everyone in the organisation and it is not a ‘tick-the-box’ exercise,” he said.
SA has the Public Finance Management Act and the Municipal Finance Management Act, which, according to Zororo, are strong pieces of governance, risk and compliance legislation.
But, as Zororo pointed out, of the 257 municipalities, only 34 have a clean audit report as of the 2022/2023 financial year.
“In several cases, these regulations and compliance requirements are treated as a ‘tick the box’ exercise – they are not built into the culture of day-to-day operations.”
In a digital-centric economy, business leaders need to grasp the fundamentals of cyber security and the impact on effective GRC.