Cyber security governance is often reactive, with organisations responding only after an attack has occurred. This, combined with inaction, escalating cyber security costs and the rise of AI-driven attacks, exposes significant gaps in protection.
These were the key points made by Tichaona Zororo, digital transformation and innovation advisory director at Enterprise Governance of IT (EGIT), during his keynote at the ITWeb GRC Conference 2025, held on 20 February at The Forum, in Bryanston.
Zororo emphasised that SA’s threat landscape is rapidly evolving, with organisations now facing automated phishing campaigns, AI-based vishing, smishing, deepfakes, social engineering and misinformation.
But the costs are steep. Zororo said cyber security costs reached $9.5 trillion in 2024, equating to an average of about $302 000 per second, and are projected to hit $11.5 trillion in 2025.
Beyond financial costs, Zororo stressed that inaction and outdated systems pose even greater risks.
He cited recent attacks on the South African Weather Service and National Health Laboratory Services as examples of the dangers of complacency.
"On 26 January 2025, the South African Weather Service was hit by a cyber attack, and as of 18 February, its website remains down," he said. He said the attack involved RansomHub ransomware, a ransomware-as-a-service operation, and the use of AI.
Zororo also noted the absence of any mention of cyber security in annual reports, and the lack of involvement from boards and senior executives who are uncertain of their own cyber security knowledge. He highlighted the difficulty of translating complex cyber security issues into practical business language for decision-makers.
Public sector vulnerability
In the public sector, research revealed that of 1.2 million civil servants, only 0.4% (about 4 800 people) work in IT or ICT roles, and just 1% of those (roughly 48 people) have cyber security expertise. Zororo pointed to fragmented cyber security approaches, a shortage of skilled professionals and isolated tools as the key barriers to effective management.
He urged organisations to create evolving, comprehensive cyber security strategies aligned with business goals, emphasising that cyber resilience – ensuring critical services can continue during a cyber attack – should be a priority.
He also called for cyber security to be embedded in risk management practices, with executives possessing cyber security expertise and a clear incident response plan in place.
“A CIRP [cyber incident response plan] is not the same as business continuity or disaster recovery. These must align, and executives must actively simulate CIRP scenarios,” Zororo said.
He stressed the importance of maintaining an up-to-date inventory of IT assets and developing a roadmap and budget for modernisation, warning that legacy systems and a lack of action are among the top cyber security risks.