RC: Where should responsibility for an organisation’s cyber security sit – in the IT department or in the boardroom?

Robbertse: Protecting an organisation’s cyber security should be a boardroom responsibility. Recent attacks on businesses such as Apple, Sony and Lenovo demonstrate that even world class technology brands are not immune to the risks. The issue for many businesses – large, medium and small – is that there is often a skill-gap round the board table when it comes to addressing major technology issues. While it is regarded as basic good governance to have company directors with accountancy and legal qualifications, the same does not always apply to IT. This can greatly increase an organisation’s risk profile, especially in the event of a cyber attack when urgent and decisive actions need to be taken at board level to prevent organisational and reputational meltdown.

Gutteridge: There are parallels here with the banking crisis when the boards of financial institutions did not have adequate oversight of their complex financial instruments and risky trading activities, relying too heavily on the so-called experts within their organisations. In the case of cyber security, the risks are a ‘known known’ and companies should be taking urgent action to ensure that they have the necessary board-level skills in-house, or a trusted adviser to whom they can turn.

Jul-Sep 2015 Issue