Africa CEOs should be personally liable for Cyberattacks!


InfoSec Advisory with Del ADEN

Cyberattacks with consequences in the real world will be more common in the years to come, analysts believe.

That adversaries are becoming more knowledgeable and launching more sophisticated attacks in increasing numbers is a grave concern. The potential for extortion and physical damage is just as grave.

Meanwhile, many companies use legacy systems running on older operating systems and control equipment with known vulnerabilities.

This toxic combination has the potential for most organisations in Africa to be susceptible to serious cyber-attacks such as data breach ransomware, and disruptions to key National Infrastructure such as banking and electricity.

However, a new report suggest that decision makers are less knowledgeable about the changing threat landscape and its significance.

According to a survey by Ponemon Institute, Fifty-two percent (52%) of CEOs either did not know or were unsure about their organisation programs and strategies to combat cyber-attacks and data breaches.

The same research and industry experience revealed that senior corporate executives are less likely to be briefed about security initiatives (54%).

The attitude that ‘it won’t happen to me’ still prevails in the boardrooms of industry when senior executives consider the threat of targeted cyber intrusions that lead to theft of intellectual property and confidential information.

The consequences of even major security breaches seem not to be felt by the leaders of victim companies. Why is this so?

Are the consequences of targeted intrusions so insignificant that the captains of industry tolerate them?  Or do only others feel the pain of their failure?

The view that directors are not sufficiently prepared to deal with cybersecurity risk has raised alarm bells with risk experts globally.

Even as organisations increase their investments in security, we are seeing more — and more serious — cyberattacks.

If corporate boards are not sufficiently prepared to deal with cybersecurity, how will they be able to determine the effectiveness of current and proposed cybersecurity strategies?

How can they know what operationally effective cybersecurity should look like and how it should evolve? And how can directors know what to ask so that they can make the right cybersecurity investment decisions?
What should keep CEOs awake at night

If and when cyberattacks are actually realized, the consequences to organisations – in terms of human casualties, property loss, litigation, reputation damage and stock price plunges – could be overwhelming.

This should keep CEOs awake at night. But it should also galvanize them and their boards to do all they can to ensure that their organisations will withstand the highly-sophisticated targeted cyber-attacks that are sure to come.

The board’s role in managing cybersecurity risks
Today, more than ever, the demands posed by issues of cybersecurity clash with both the need for innovation and the clamor for productivity.

Increasingly, cybersecurity risk includes not only the risk of a network data breach but also the risk of the entire enterprise being undermined via business activities that rely on open digital connectivity and accessibility.

As a result, learning how to deal with cybersecurity risk is of critical importance to an enterprise, and it must therefore be addressed strategically from the very top. Cybersecurity strategies can no longer be a concern delegated to the information technology (IT) or Infosec department only.

It needs to be everyone’s business — including the Senior Management, the Board’s, and most especially the CEO’s
Asking the right questions
In our work with dozens of companies and in surveys of executives in Africa, we have found that many directors currently cannot ask the right questions because they lack meaningful knowledge required to assess the cybersecurity posture of their organisation.

This is why Delta3 International offers a one-day training in Cyber Security for Executives (CSE) – The course will help senior management to understand the legal, regulatory and management responsibilities for protecting their business and therefore protecting jobs and stake-holder’s assets.

In addition, Delta3 International offers Cyber Consultancy for Management (CCM) – A consultancy service that offers direct support to Senior Management and help them identify the main cyber security risks, explain why they are relevant and offer guidance on how to manage them.

In order to be able to ask the right questions, each and every member of the Senior Management team (including Senior Managers, the Board and the CEO) must do the following three things:

1. Get Involved in what your organisation is doing to prevent cyber attacks
2. Acquire the skills required to better understand the intricacies of cyber threats
3. Seek independent views and second opinions from experts, away from your team

In conclusion, Cybersecurity can no longer be the concern of just the IT departments, it needs to be everyone’s business — including the boards.

They must take the initiative to make life harder for cyber threat actors. They cannot wait for government leadership on policy, strategy or coordination.

A good CEO should understand that Cyber security is closely tied to customer loyalty and trust as well as innovation.

A breach can seriously undermine consumer confidence and damage brand reputation. In fact, building cyber security into products and processes can be a competitive advantage.

Of course, regulators and relevant Governments agencies across Africa also need to enact the rules and regulations governing the responsibilities of senior management, however, it is the responsibilities of the CEOs in Africa to engage with Technology leaders who can help them understand the risks that cyber-attacks represent and the need to dedicate focus and budget to securing their organisation assets.

Consequently, Africa CEOs should not be allowed to plead ignorance or retreat behind the InfoSec and I.T teams.

As a matter of fact, the Board and the CEOs should be held personally liable for Cyberattacks that has serious adverse impacts on the organisations they lead!
Support Information Security in Africa by sponsoring this Weekly Article and promote your Brand

About the Author
Del Aden

Del Aden is a UK-based Enterprise Architect

Del Aden is a UK-based Enterprise Security Architect and Solution Consultant with expertise in Digital Transformation, Building & running security programs, Security Strategy Assessment & Consulting, Cyber Practitioner, Business Continuity and Strategic Consulting. Del is also an Astitute speaker, a Trainer and a Technology journalist. Contact: [email protected] | WhatsApp:+44 7973 623 624 | Web:

Leave a Reply