Opinion – Boards’ effective governance on cybersecurity 


Imagine driving a car without ever checking the brakes. 

It works until, one day, it does not, and the consequences are catastrophic.

The same holds for cybersecurity oversight. Recently, Telecom Namibia reported a “cyber incident,” and investigations are allegedly ongoing. 

This incident once again highlights a critical need for stronger cybersecurity governance. 

For Namibian boards, this incident should serve as a wake-up call. 

While businesses prioritise revenue and growth, they often overlook the invisible yet essential “brakes” of cybersecurity controls. 

Organisations are left vulnerable to operational, financial and reputational damage without effective governance.

This article outlines practical strategies for Namibian boards to implement effective oversight and align with corporate governance principles, such as those outlined in the Namibia Code of Corporate Governance (NamCode) and King IV. These steps are about protecting digital assets and ensuring sustainable organisational success in a rapidly evolving threat landscape.

Imperative for cybersecurity oversight

Cyber threats in Namibia are escalating, targeting sectors ranging from telecommunications to finance. 

Cybersecurity is no longer an operational issue for boards – it is a governance priority. 

King IV states that boards are responsible for risk governance, including information security. 

Similarly, NamCode emphasises the need for risk management processes that safeguard company assets.

However, most boards face two significant challenges.

Knowledge gaps: Many directors lack the technical expertise to evaluate cybersecurity effectiveness.

Accountability misalignment: Cybersecurity is often seen as an information technician’s responsibility rather than a shared governance duty.

To bridge these gaps, boards need a structured approach integrating governance frameworks with actionable strategies.

Cybersecurity governance framework 

The following steps provide a practical roadmap for Namibian boards to effectively oversee and strengthen cybersecurity operations.

Establish cybersecurity as a board-level priority

Action: Include cybersecurity as a standing agenda item in all board meetings.

Outcome: Elevates cybersecurity from a technical issue to a strategic priority.

Guidance from NamCode and King IV: Both frameworks stress the board’s responsibility for risk governance. Boards must ensure policies and processes are in place to identify, mitigate and respond to cyber risks.

Build cybersecurity expertise on the board

Action: Appoint a cybersecurity advisor or train existing board members on cyber risk and governance.

Outcome: Informed decision-making and enhanced oversight capability.

Practical tip: Host regular workshops on emerging cyber threats and trends tailored to the Namibian context.

Demand regular cybersecurity reporting

Action: Management must present quarterly cybersecurity reports, including metrics such as incident response times, penetration testing results, and audit findings.

Outcome: Ensures the board has visibility into the organisation’s cyber resilience.

Guidance from NamCode: Boards must actively monitor performance and compliance with risk management frameworks.

Mandate third-party assessments and audits

Action: Engage independent cybersecurity firms to perform regular assessments and penetration tests.

Outcome: Provides an unbiased view of vulnerabilities and strengthens accountability.

Incorporate cybersecurity into risk appetite statements

Action: Define the organisation’s risk appetite concerning cyber threats and ensure alignment with business objectives.

Outcome: Creates a balance between risk-taking and security investments.

Practical tip: Set clear thresholds for acceptable downtime, data loss and financial impact.

Oversee incident response and recovery plans

Action: Review and approve the organisation’s incident response plan. Conduct regular simulations to test its effectiveness.

Outcome: Reduces response times and ensures preparedness during a crisis.

Guidance from King IV: Boards must oversee mechanisms to ensure the continuity and recovery of operations during disruptions.

Cultivate a cybersecurity culture

Action: Endorse company-wide cybersecurity training programmes and reward proactive behaviour.

Outcome: Builds a culture where employees act as the first line of defence.

Practical tip: Incorporate cybersecurity into employee performance reviews.

Cybersecurity oversight checklist for Namibian boards

To simplify implementation, boards can use this quick checklist:

Is cybersecurity discussed at every board meeting?

Are directors trained or supported by cybersecurity experts?

Does the board receive clear and actionable cybersecurity reports?

Are third-party audits conducted regularly?

Do we have an incident response plan, and is it tested annually?

Is cybersecurity embedded into the company’s risk strategy and culture?

Conclusion

The recent incident at Telecom Namibia reminds us that no organisation is immune to cyber threats. Boards in Namibia must step up and embrace their responsibility to govern and oversee cybersecurity proactively. 

By aligning with the principles of NamCode and King IV and adopting the practical steps outlined here, boards can transform cybersecurity from a reactive measure to a strategic enabler.

In the end, cybersecurity governance is not just about protecting data. 

It is about ensuring the long-term sustainability and trustworthiness of the organisation. 

Like the brakes on a car, robust cybersecurity oversight allows organisations to accelerate confidently, knowing they can navigate risks safely.

*Job Angula is a certified information security manager and co-founder of Accelerate Advisory Services (Pty) Ltd. 

He can be reached at info@acceler8naamibia.com