ROB ROSE: JSE execs no match for the hackers

Of the 49 new nonexecutive directors hired by the JSE’s top 40 companies last year, precisely none had cybersecurity experience

Picture: 123RF/krulua

The boards of SA’s 40 largest companies on the JSE may be heaving with accountants — but there’s pretty much nobody there who could pick a hacker out of a line-up. This is one of the alarming insights from a report analysing the 49 nonexecutive directors appointed to these boards last year, produced by the Chicago-based executive search firm Heidrick & Struggles.

The report, the first by Heidrick & Struggles looking at SA boards specifically, will be released this week.

"It’s definitely an area of huge weakness," says Véronique Parkin, the head of the firm’s SA practice. "With all these incidents and risks of hacking, boards are meant to focus on cybersecurity, but it’s so difficult to find suitable directors with these [skills]."

It’s a conspicuous hole. On July 22, Transnet was hit by a cyberattack with all the hallmarks of the Eastern European "Death Kitty" ransomware hacks. It meant that when Transnet’s officials fired up their computers, they were greeted with a ransom note, demanding they visit a dark-web chatroom to "negotiate".

More than a terabyte of personal data and financial reports were held hostage, Bloomberg reported, which led Transnet to declare force majeure at its ports.

Now, SA’s boards aren’t unique. Across the world, boards are often filled with over-the-hill Luddites, who need to make three calls to their grandson to figure out how to turn on their iPad and live in fear of the incurable dental condition known as Bluetooth.

But SA seems worse than most. A round 0% of the nonexecutive directors appointed at a JSE top 40 company last year had cybersecurity experience, and just 8% had "digital or social media experience".

But in the US, where 425 board seats were filled last year at Fortune 500 companies, 8% had cybersecurity experience, while 40% had digital experience. Of the 843 European board hires, 6% had cybersecurity experience and 9% had digital experience.

As Chiara Pierdomenico from Heidrick & Struggles’ European business puts it: "If you compare SA to companies overseas, it’s clear they’re falling behind on cybersecurity. It’s a big focus in Europe, but not here."

Parkin says when she’s asked to recruit new directors, cybersecurity skills are on the wish list — but it’s a rare commodity. "Companies want diversity, and at the same time, they want people with experience in digital and cybersecurity. But it’s not that easy to find."

Many director seats went to foreigners, as you’d expect with large multinational companies. But of the 31 SA nonexecutive directors hired at the JSE’s top 40 companies last year, 16 were black African (52%), one was a coloured woman (3%), and 14 were white. No Indian South Africans were appointed.

The board report says coyly: "There was some progress on racial diversity, but companies still have a long way to go." But as SA aims for more racially representative boards, is this a fast enough rate?

"I expected black South Africans to have made up a larger number of new board appointments," says Parkin. "When we look to recruit directors, companies are clear that the first prize is to appoint a female black South African, often with board experience in … audit, remuneration, cybersecurity or compliance."

There are other interesting facts in the data, including that 43% of the new director positions went to women, which is higher than in the US (41%).

But what’s intriguing is that SA has a far greater preference for picking people with skills in "risk and compliance" — 55% — which is more than double the 21% of the US, or the 24% of Europe.

This would seem to be a result of the recent wave of scandals. Given the eye-watering swindling at the likes of EOH and Tongaat Hulett, you don’t want to be the one in court, explaining how your board spent weeks fine-tuning the jargon in the annual report but somehow missed billion-rand related-party deals.

As Parkin puts it: "You’ve also had Covid and its significant economic impact to deal with, so companies are tending to stick to the safer, rather than more creative, board appointments."

Whether this always works is debatable.

Heather Sonn, the former chair of Steinhoff, said one reason the R106bn fraud happened was the stunning degree of groupthink. "Almost everyone you ever met at Steinhoff was an accountant. There was only one perspective," she said.

One accountant who worked for Markus Jooste gushed that the culture "consists of people who trust each other blind … we think alike, we operate alike, we respect alike, and we like alike". If that doesn’t sound like a recipe for disaster, what does?
