Herman Young, group CISO of Investec; Ritasha Kalidas, group head of cyber security at Coca-Cola Beverages Africa; and TV personality Leanne Manas.
South African chief information security officers (CISOs) have seen “marginal” increases to their budgets in the past year.
This is one of the biggest takeaways from the preliminary results of the 2025 edition of the ITWeb Brainstorm CISO Survey, presented last night at the CISO Banquet in Houghton, Johannesburg.
The online survey, conducted from mid-May to mid-June, yielded verified responses from 67 CISOs or senior cyber security decision-makers.
Presenting the preliminary results, Adrian Hinchcliffe, ITWeb editor-in-chief, said the largest share of respondents (27%) work for organisations with 1 000 to 4 999 employees.
Meanwhile, 26% are from organisations with over 10 000 employees, 25% from those with fewer than 1 000, and 22% from companies with 5 000 to 10 000 staff. When asked how many people report to them, 31% said fewer than five and another 31% said six to 10 – meaning 62% manage teams of fewer than 10.
As to the size of their security budget compared to the previous year, 49% of the CISOs said it increased “marginally” while 21% said there was a “significant” increase.
The CISOs were also asked about the main drivers of security expenditure, with 46% citing compliance.
“CISOs are cost-conscious and this was the top reason for delaying or preventing investments,” said Hinchcliffe.
“Leaders seem to have adopted more measures for various issues, such as ways to measure and justify investments and internal threat.”
Ninety percent of CISO respondents said they conduct security risk assessments using a formal, recognised framework.
As for frequency, responses are fairly evenly split between monthly and quarterly assessments, Hinchcliffe noted.
Among leaders, the most common frequency is once a month (12% of all respondents), while followers show a more even distribution across all options – with 12% also conducting assessments just once a year. For late adopters, the most popular frequency is once a quarter, representing 4% of total responses.
Most respondents report having a security incident response playbook. While 81% of all respondents said they have an incident response plan, the frequency of testing varies.
Annual testing is the most common across both leaders and followers, the survey found. However, a concerning finding is that 63% of late adopters with a playbook admit they never test it. Notably, none of the leaders reported skipping trial runs.
The overwhelming majority (66%) identified limited resources as the biggest challenge in responding to security incidents.
According to Hinchcliffe, this was the top concern for both leaders and followers. Among late adopters, it tied with lack of real-time visibility as the most cited obstacle.
On their security approach to generative artificial intelligence (AI), the majority (55%) said they are still experimenting with it and are letting staff use it. Some 37% said they are already using it and have implemented data loss prevention while training staff. However, 6% have banned it.
ITWeb editor-in-chief Adrian Hinchcliffe, presenting the results.
Commenting on the overall results, Hinchcliffe said: “The CISO is most likely to report to the group CIO and seems unlikely to have a seat on the exco, while the majority believe the board of directors see cyber security as a priority.”
The top areas of focus for a CISO are cyber risk management, security strategy and governance, he added.
“Phishing was the most ‘popular’ security incident experienced in the past year. The number of attacks prevented, threats blocked, along with compliance outcomes, were the top ways to measure and justify security expenditure.
“Most CISOs have, or are working on, a threat intelligence programme, a security incident response book.
“The majority have cyber-specific insurance, and 37% have implemented data loss prevention and staff training for generative AI.”
The event also hosted a fireside chat, facilitated by TV personality Leanne Manas, featuring Herman Young, group CISO of Investec, and Ritasha Kalidas, group head of cyber security at Coca-Cola Beverages Africa.
Young expressed concern about the constantly evolving threat landscape, highlighting the emergence of new risks and vulnerabilities.
He noted that third-party risks are especially troubling, because of the complexity involved in managing and mitigating them.
“While fundamentals like access management and vulnerability management remain crucial, the landscape is constantly evolving with new risks and threats.”
For Kalidas, user education is key to mitigating cyber threats. She emphasised the importance of educating users and measuring the effectiveness of training. Her priority is keeping users informed and encouraging good cyber hygiene, while also ensuring they know who to contact when issues arise.
“Most attacks originate from phishing e-mail, predominantly business e-mail compromise. It’s crucial to understand entry points and have coverage against them. For me, it’s about how do we keep these users abreast of what’s actually happening because they are the weakest link.”
With Coca-Cola being a global brand, Kalidas said supply chain attacks are increasing globally, and Africa’s diverse supplier landscape presents unique challenges.
“From manual processes to cyber vulnerabilities, one weak link can bring the entire chain to a standstill. With customers demanding timely delivery and competition fierce, managing third-party risks is crucial to maintaining business continuity and trust.”
Young noted that cyber criminals are now using AI tools like ChatGPT to launch attacks, such as generating malware or phishing e-mails.
“Cyber criminals are using ChatGPT like regular users, but there are no automated attacks or platforms for that yet. We are not saying it’s not coming, so obviously what you need to do is try and stay ahead.”
Kalidas noted that the skills shortage in cyber security is a significant challenge, particularly in finding deeply technical experts. This scarcity drives up costs and often leads to relying on offshore talent, which isn’t ideal.
“As the CISO community, we need to focus on building and developing local talent to drive cyber security forward.”