When it comes to cybersecurity, the role of the board has grown massively.

By Martin Potgieter, regional chief technology officer at Integrity360

Viewing cybersecurity as a purely technical concern just isn’t viable. A board that is genuinely breach-ready can ensure an organisation not only survives an incident but protects its value and reputation.

To achieve this, directors must take a proactive stance, embedding cyber resilience into the very fabric of governance, culture, and strategic decision-making.

Understand cyber risk as business risk

A security breach is a business crisis. It can inflict direct financial damage, cause severe operational disruption, trigger regulatory penalties, and evaporate customer trust. These outcomes directly threaten an organisation’s viability and must be managed with the same rigour as financial risk, supply chain stability, or market shifts.

By framing cyber threats in these terms, directors can make informed choices about investments, risk appetite, and long-term resilience.

Set the tone from the top

A board’s engagement sends a clear message that security is a shared responsibility, not a siloed function.

When directors ask pointed questions, demand regular, data-driven updates, and emphasise the importance of resilience, they shape an organisational culture where security is integrated into daily operations.

This top-down commitment ensures that employees at all levels recognise their role in protecting the organisation.

Regulations are demanding board accountability

Regulators in South Africa and abroad are increasingly shifting responsibility for cyber resilience directly onto the boardroom. Locally, the Protection of Personal Information Act (POPIA) places direct accountability on senior leadership for protecting personal data, with the Information Regulator empowered to issue significant fines for breaches.

Furthermore, the principles of the King IV Report on Corporate Governance compel boards to govern technology and information in a way that supports the organisation’s strategic objectives, making cybersecurity a core component of their fiduciary duty.

While international frameworks like the EU’s DORA (Digital Operational Resilience Act) may not apply directly, they are setting global standards for board-level accountability that are influencing local best practices. These frameworks make it clear that board engagement is not optional – it is a core expectation.

Demand clear, business-focused reporting

One of the most common obstacles to effective board oversight is the communication disconnect between technical leaders and non-technical directors.

Boards must insist on reporting that translates technical risks into measurable business impacts – such as potential financial losses, operational downtime, or regulatory penalties.

When risks are expressed in the language of business, they can be evaluated and prioritised alongside other strategic concerns.

Require data-driven assessments

Effective boards move beyond anecdotal updates and require evidence-based assessments of the organisation’s security posture. Independent audits, maturity assessments, and benchmarking against industry standards provide a clear, objective picture of strengths and weaknesses.

This data allows the board to track the return on security investments, identify the most significant gaps, and create accountability for continuous improvement.

Test resilience through crisis simulation

Being breach-ready means preparing for when, not if, an incident occurs. Boards must ensure the organisation has a practical and tested incident response plan. Crucially, directors and C-suite leaders should actively participate in crisis simulation exercises.

These simulations reveal gaps in communication, clarify decision-making authority under pressure, and test the organisation’s ability to meet its legal and regulatory obligations. Just as financial stress-testing is essential, cyber stress-testing is vital for true breach readiness.

Align budgets with the greatest risks

A board’s most powerful lever is budget approval. Security spending should be viewed as an investment in resilience and continuity.

Resource allocation must be guided by formal risk assessments, ensuring funds are directed where they will have the greatest impact on protecting revenue and shareholder value, rather than being based on arbitrary percentages of the IT budget.

Push for continuous oversight

Cyber threats evolve far too quickly for a quarterly review cycle. Boards should push for continuous visibility through dashboards that track key metrics, such as incident detection times, patching rates, or phishing simulation performance.

This ongoing oversight allows directors to respond to emerging risks in near real time and adapt strategy accordingly.

Embed accountability into governance

To be truly breach-ready, boards must embed accountability into their governance structures.

This can involve tying executive performance metrics to improvements in security posture, appointing a dedicated board member with cyber oversight, or ensuring that risk and audit committees regularly and rigorously review cyber risk.

When accountability is clear and visible, the entire organisation is better positioned to respond effectively.

Foster a partnership with security leaders

A breach-ready board fosters a collaborative partnership with its CISO and other security leaders. This requires moving beyond surface-level updates to engage in constructive dialogue about strategic priorities and risks.

Directors should encourage transparency, rewarding honesty about challenges. By building this trust, boards empower security leaders to raise difficult issues and secure the support needed to strengthen resilience.