Cyber risk: A test of leadership

At first glance, South African organisations appear to be modernising at an impressive pace. Cloud migration, hybrid work strategies, AI experimentation, internet of things (IOT) expansion, and an increasingly data-driven business culture are reshaping the corporate landscape.

But beneath this digital transformation lies a more complex story. Governance systems are not evolving quickly enough to manage the risks that come with innovation. Complexity is rising faster than control.

Interpol’s Africa Cyber Threat Assessment Report 2025 placed South Africa among the most targeted nations on the continent for ransomware. But the deeper concern is not the rise in cyber crime alone. It is the persistence of outdated thinking.

Too many business leaders still treat cyber security as a technical support function rather than an enterprise risk that requires oversight and strategic management.

That mindset is no longer sustainable.

The King IV Report on Corporate Governance emphasises that cyber risk is a governance responsibility connected to value, risk and assurance. Cyber security now belongs at the centre of business risk conversations.

If it continues to be viewed as an isolated IT problem managed through procurement or outsourced support, then no amount of spending will be enough to protect the organisation. Only through structured, transparent and accountable governance can cyber risk be managed effectively.

Effective cyber security risk management is not about eliminating threats. That ambition reflects a false promise that no longer fits the reality of the digital economy.

Instead, the work begins with understanding which risks actually matter, what levels of exposure can be tolerated, and how to make trade-offs between innovation, speed and control.

This process happens not on the technical fringes, but where strategy, operations and governance meet.

Emerging technologies are not simply introducing new risks. They are changing the nature of responsibility.

Five domains need to work together to enable sound risk decisions. These include clarity about which products and services are most critical to the business, which systems and data enable them, a realistic understanding of risk appetite, insight into the threat landscape, and clear ownership of controls and response.

The South African context brings additional urgency. Regulatory, legal and financial risks are mounting.

The Protection of Personal Information Act requires that data breaches be reported to both regulators and affected individuals. The Cyber Crimes Act formalises a range of offences that could turn routine breaches into criminal investigations.

The economic consequences of cyber incidents are also becoming more severe. IBM’s global breach reports, when applied to local conditions, show that losses can easily stretch into the tens of millions of rand.

These costs include not just recovery but legal exposure, reputational damage, customer churn and potential penalties. This makes it clear that cyber security cannot be treated as a badge of digital maturity.

Many organisations believe they are secure because they have a long list of tools in place. Firewalls, endpoint protection, identity systems, e-mail security, backups and incident response plans are all well represented in corporate environments.

But attacks continue to succeed, and the reason is often not technical failure. It is because cyber security decisions are made in isolation, disconnected from the organisation’s broader strategy and risk priorities.

When controls are deployed without a clear risk rationale, three common problems emerge. The first is reactive investment. Security tools are chosen based on industry buzz or vendor influence rather than their relevance to actual threats.

The second is weak governance. Boards receive activity reports but lack visibility into posture or exposure.

The third is misplaced confidence. Dashboards show green, teams are busy, and yet the most dangerous scenarios remain untested and unresolved.

To move cyber security into the realm of executive governance, organisations need a different starting point. That begins with identifying the business’s most critical assets and services. These are the systems that, if compromised, would disrupt operations immediately. They usually include customer platforms, payment services, identity infrastructure and sensitive data repositories.

From there, leadership must define what levels of risk are acceptable in concrete terms. Vague ratings like high or medium are no longer useful. Executives need to know how much downtime the organisation can afford, what level of data loss would be deemed tolerable, and what financial hit could be absorbed without significant disruption.

International frameworks such as NIST, ISO and FAIR can provide a starting point. But certification alone is not the goal. What matters is developing repeatable practices that align with the organisation’s specific context.

A dynamic risk register should be at the heart of this system. It should document risk scenarios with realistic impact narratives, provide reasoning for their likelihood, assign ownership, record associated controls and schedule reviews.

Decisions about risk treatment must also be visible and reasoned. Some risks will require active mitigation. Others may be accepted, transferred through contracts or insurance, or avoided through operational changes. What matters is that decisions are made consciously, documented properly and approved by leadership.

Despite all the technical investment, human behaviour remains the most exploited vulnerability in the digital environment.

In 2024, Kaspersky reported tens of millions of phishing link clicks across African networks, many from inside corporate systems. This reveals that human behaviour is not a mere soft concern. It is a fundamental part of the organisation’s risk surface, as critical to security as any technical system.

When organisations treat employees as unpredictable and unchangeable, they give up the opportunity to design systems that guide and support secure behaviour. This mindset weakens overall security. Fatigue, urgency and learned responses are all known factors that attackers leverage.

Unless behavioural controls are taken seriously, technical defences will continue to be undermined from within.

Resilience is not proven by the absence of breaches. It is tested through the ability to recover from them.

Organisations should focus their preparation on the scenarios that truly threaten their continuity. These scenarios include ransomware attacks that encrypt systems while exfiltrating sensitive data, identity breaches that enable attackers to move laterally across networks, compromises of high-trust third-party suppliers, executive impersonation using deepfake audio or video, and data leaks triggered by uncontrolled AI behaviours.

These are not fringe possibilities. They are defining risks that require rehearsal, not just theoretical discussion.

Emerging technologies are not simply introducing new risks. They are changing the nature of responsibility.

AI systems may quietly expand access to personal data or make decisions that lack explainability. IOT deployments multiply entry points into environments that were never designed for cyber defence. Big data platforms can amplify the impact of a single breach. And social media can turn misinformation and impersonation into a fast-moving risk factor.

Boards and executives must begin to ask harder questions. What trade-offs are being made in the name of innovation or efficiency? Which of these trade-offs are defensible? And who will be held accountable if those decisions fail?

Talent is part of frontline defence. Even the best-designed cyber security plan will fail without people who can deliver it.

South Africa’s shortage of cyber security talent remains a material constraint. While outsourcing can support execution, it cannot replace internal judgement, contextual awareness, or institutional learning.

This means that training is not a secondary concern. It is a primary control. Investing in skills directly improves the quality of decisions, the speed of response and the credibility of reporting.

The local cyber security skills gap is not just about technical expertise or executive literacy. It is about the missing link in between.

Organisations need professionals who can turn strategic direction into operational clarity. These are not necessarily the most certified individuals. They are the ones who can build risk registers that boards can understand, justify investments with clear logic and explain exposure without relying on jargon.

Without this layer, security governance remains fragmented and disconnected from enterprise priorities.

A technical breach is rarely a failure of security controls alone. More often, it is the visible symptom of deeper governance failures and business decisions that did not fully account for risk.

In the digital economy, resilience is no longer defined by the number of tools in place or the speed of compliance. It is shaped by how deliberately organisations govern risk, how consistently they oversee it, and how clearly leadership understands its role in shaping outcomes.

In South Africa’s high-risk and fast-evolving environment, the organisations most likely to succeed will be those that stop treating cyber risk as a technical issue to be delegated.

They will recognise it for what it truly is – a reflection of leadership quality, institutional accountability and the capacity to make tough decisions under pressure.