Cyber security in SA a neglected concern

By Nkhensani Nkhwashu, ITWeb portals journalist.
Johannesburg, 24 Feb 2025
Dr Jabu Mtsweni at the recent ITWeb Governance, Risk and Compliance (GRC) Conference, held at The Forum in Bryanston.

SA's security posture is dire, yet it remains a neglected concern at the highest levels of government. This is according to Dr Jabu Mtsweni, head of information and cyber security centre and chief researcher at the Council for Scientific and Industrial Research (CSIR). He was speaking at the recent ITWeb Governance, Risk and Compliance (GRC) Conference, held at The Forum in Bryanston.

Mtsweni said despite being a critical component of national security, cyber security has failed to receive the attention and prioritisation it deserves from the country's leadership.

He highlighted that even in the recent State of the Nation Address, president Cyril Ramaphosa only emphasised the issue of digital transformation – nothing was said about cyber security.

While SA is among the top 10 African countries driving digital transformation, its cyber security efforts lag significantly, noted Mtsweni.

“Even if we can go back to five years ago, nothing has been said about cyber security even in Parliament... digital transformation is the most talked about. But we know that digital transformation does not exist in isolation.”

Mtsweni further emphasised the gravity of the situation, revealing that SA ranks 59 out of 93 countries in terms of cyber security. “Imagine if this were a competition, we'd be almost last.”

He said the consequences of a data breach can be severe, with most organisations taking three to six months to recover. Looking at how most organisations respond to attacks, Mtsweni noted that having an incident response plan is no longer sufficient. He emphasised that what truly matters is how organisations respond in the aftermath of a breach. He also noted that it's not a question of if, but when, an organisation will face a cyber attack.

Mtsweni said the culture of shame and silence surrounding cyber security breaches must be addressed, as it hinders the sharing of experiences and best practices.

He also made a plea to all governance, risk and compliance professionals to recognise that technical teams may not fully comprehend the importance of GRC. He highlighted that their focus on technical aspects can sometimes lead to a lack of awareness about breaches, particularly when mechanisms for detection are inadequate.

The critical role of company culture in cyber security was emphasised, with a particular focus on the need for board and executive members to be actively involved in cyber security issues.

“While cyber security awareness is crucial, it's the organisational culture that ultimately minimises risks. However, many organisations overlook the significance of culture, which drives everything. A strong cyber security culture must start at the top, with the board of directors setting the tone.

“If the board is complacent about security practices, such as regularly changing passwords, that attitude will trickle down and undermine even the best risk management frameworks. Ultimately, a weak culture will leave an organisation vulnerable to breaches.”

He said addressing cultural issues is essential to maintaining robust cyber security.

He also shared results from the CSIR national cyber security surveys that were published in October 2024, focusing on various aspects of SA’s national cyber security posture.