
By Job Angula
Imagine driving a car without ever checking the brakes—it works until one day, it doesn’t, and the consequences are catastrophic.
The same holds true for cybersecurity oversight. Recently, Telecom Namibia reported a “cyber incident”. While investigations into the nature and extent of the breach are allegedly ongoing, this incident once again highlights a critical need for stronger cybersecurity governance.
For Namibian boards, this incident should serve as a wake-up call. While businesses prioritize revenue and growth, they often overlook the invisible yet essential “brakes” of cybersecurity controls. Without effective governance, organisations are left vulnerable to operational, financial, and reputational damage.
This article outlines practical strategies for Namibian boards to implement effective oversight and align with corporate governance principles, such as those set forth in the Namibia Code of Corporate Governance (NamCode) and King IV.
These steps are not just about protecting digital assets but ensuring sustainable organisational success in a rapidly evolving threat landscape.
The Imperative for Cybersecurity Oversight
Cyber threats in Namibia are escalating, targeting sectors ranging from telecommunications to finance. For boards, cybersecurity is no longer an operational issue—it is a governance priority. According to King IV, boards hold ultimate responsibility for risk governance, including information security.
Similarly, NamCode emphasizes the need for risk management processes that safeguard company assets.
However, most boards face two major challenges:
1. Knowledge Gaps: Many directors lack the technical expertise to evaluate cybersecurity effectiveness.
2. Accountability Misalignment: Cybersecurity is often seen as IT’s responsibility, rather than a shared governance duty.
To bridge these gaps, boards need a structured approach that integrates governance frameworks with actionable strategies.
A Governance Framework for Cybersecurity
The following steps provide a practical roadmap for Namibian boards to oversee and strengthen cybersecurity operations effectively:
1. Establish Cybersecurity as a Board-Level Priority
● Action: Include cybersecurity as a standing agenda item in all board meetings.
● Outcome: Elevates cybersecurity from a technical issue to a strategic priority.
Guidance from NamCode and King IV: Both frameworks stress the board’s responsibility for risk governance. Boards must ensure policies and processes are in place to identify, mitigate, and respond to cyber risks.
2. Build Cybersecurity Expertise on the Board
● Action: Appoint a cybersecurity advisor or train existing board members on cyber risk and governance.
● Outcome: Informed decision-making and enhanced oversight capability.
Practical Tip: Host regular workshops on emerging cyber threats and trends tailored to the Namibian context.
3. Demand Regular Cybersecurity Reporting
● Action: Require management to present quarterly cybersecurity reports, including metrics such as incident response times, penetration testing results, and audit findings.
● Outcome: Ensures the board has visibility into the organisation’s cyber resilience.
Guidance from NamCode: Boards must actively monitor performance and compliance with risk management frameworks.
4. Mandate Third-Party Assessments and Audits
● Action: Engage independent cybersecurity firms to perform regular assessments and penetration tests.
● Outcome: Provides an unbiased view of vulnerabilities and strengthens accountability.
5. Incorporate Cybersecurity into Risk Appetite Statements
● Action: Define the organisation’s risk appetite concerning cyber threats and ensure alignment with business objectives.
● Outcome: Creates a balance between risk-taking and security investments.
Practical Tip: Set clear thresholds for acceptable downtime, data loss, and financial impact.
6. Oversee Incident Response and Recovery Plans
● Action: Review and approve the organisation’s incident response plan (IRP). Conduct regular simulations to test its effectiveness.
● Outcome: Reduces response times and ensures preparedness during a crisis.
Guidance from King IV: Boards must oversee mechanisms to ensure the continuity and recovery of operations during disruptions.
7. Cultivate a Cybersecurity Culture
● Action: Endorse company-wide cybersecurity training programs and reward proactive behavior.
● Outcome: Builds a culture where employees act as the first line of defense.
Practical Tip: Incorporate cybersecurity into employee performance reviews.
Cybersecurity Oversight Checklist for Namibian Boards
To simplify implementation, boards can use this quick checklist:
1. Is cybersecurity discussed at every board meeting?
2. Are directors trained or supported by cybersecurity experts?
3. Does the board receive clear and actionable cybersecurity reports?
4. Are third-party audits conducted regularly?
5. Do we have an incident response plan and is it tested annually?
6. Is cybersecurity embedded into the company’s risk strategy and culture?
Conclusion
The recent incident at Telecom Namibia is a reminder that no organisation is immune to cyber threats. Boards in Namibia must step up and embrace their responsibility to govern and oversee cybersecurity proactively.
By aligning with the principles of NamCode and King IV and adopting the practical steps outlined here, boards can transform cybersecurity from a reactive measure to a strategic enabler.
In the end, cybersecurity governance is not just about protecting data—it’s about ensuring the long-term sustainability and trustworthiness of the organisation. Like the brakes on a car, robust cybersecurity oversight allows organisations to accelerate confidently, knowing they can navigate risks safely.
*Job Angula is a Certified Information Security Manager (CISM) and co-founder of Accelerate Advisory Services (Pty) Ltd. He can be reached at info@acceler8namibia.com