Cyber Resilience

Ziyasiza Insights – conversations with thought leaders

Building cyber resilience: Why cyber resilience must be a boardroom priority.

In collaboration with Wolfpack Information Risk.

Join Andre Swart, Managing Director of Ziyasiza, and Craig Rosewarne, Managing Director of Wolfpack Information Risk, on the latest Ziyasiza Insights video, as they explore the topic of why cyber resilience must be a boardroom priority. Watch the video and read the conversation that follows.

Follow the conversation:

Andre Swart:

We want to talk today about how organisations can go about building cyber resilience, why it’s important to build cyber resilience and why cyber resilience has to be a boardroom priority. Ziyasiza has partnered with Wolfpack to help organisations address their cyber resilience and embed it into the organisation’s culture and operations. I’m joined today by Craig Rosewarne, Managing Director of Wolfpack. Craig, welcome. Can you just start off by telling us a bit about Wolfpack and what is it that Wolfpack does?

Craig Rosewarne:

Yes, sure, Andre. So, Wolfpack, an organisation I established 12 years ago, primarily helps governments in terms of dealing with cybercrime and cybersecurity. We work with organisations, and then we also work with communities, typically those elements that don’t have anyone helping them, such as individuals, schools and charities, which we help on a pro bono basis. But collectively, you know, we work across all three of these areas, and I guess they feed into each other as well, because at the end of the day you’ve got employees working for organisations who, once they finish working, go home and they’re just, you know, moms and dads, and they also get attacked.

Andre Swart:

So, I guess as Wolfpack you get to see first-hand when companies don’t have such good cyber resilience. So, what have you seen that companies get exposed to if they’ve got what I would refer to as a weak cyber resilience capability?

Craig Rosewarne:

So, we generally get called in at the behest of the board or Exco, who want an independent view of what’s going on, or we get called in when there’s an incident and they want to know what happened and how they can prevent it from happening again, or we just get engaged to come in and do various pieces of security work. And we often start off with an assessment.

And the assessment is quite a rigorous exercise where we dive in and look at the process, technology and people side of things, and we give companies a review of their security posture in view of what the business is expecting.

And I think the big gap that we’ve found there is very much at the senior management and leadership level, from a security governance point of view, in supporting the security programme.

Third-party risk is another big issue, where, you know, supply chains are getting hit. So, it’s upstream in terms of integration into your clients and downstream into your suppliers. All of those elements carry a substantial amount of risk, and then there’s the good old human element 101. So, you know, as much as people are your biggest asset, they can also be your biggest risk in the organisation as well.

Andre Swart:

How would you describe the difference between cyber resilience versus cybersecurity?

Craig Rosewarne:

Good question. Look, cybersecurity is, and I mean we can get very complex about this, because you’ve got cybersecurity and information security, and these things form part of enterprise risk. And so, it’s a really ‘ingewikkelde’ [complicated] process at the end of the day, but cybersecurity is very much around protecting your information in cyberspace, and that is no longer just within your own organisation, because you no longer have the traditional boundaries, perimeters, etc. They’re still there, but your information is sitting everywhere: with your third parties, in the cloud, etc.

So that’s all around cybersecurity, and an element of that is cyber resilience, which is very much about dealing with incidents: incident management.

Whether you’re able to contain the incident or not, you’ve got your disaster recovery and business continuity side of things and your process management, that whole element.

If you imagine a tennis ball hitting a wall and compressing and bouncing back, that resilience is the ability of an organisation to withstand a serious impact at the end of the day and carry on, you know, bouncing back.

Andre Swart:

And in your experience, are companies taking cyber resilience seriously enough? Is it being focused on, or are we still seeing the sort of ostrich syndrome? You know, the head in the sand: if we don’t look, then we hope it will go away.

Craig Rosewarne:

I’d love to say everyone is taking it seriously, but that’s not the case. We did a benchmarking exercise with 118 South African companies at the beginning of the year, and that was one of the questions we asked. And you can see, from a governance point of view, who’s got the budgets in place and who’s got people, you know, managing this risk, and we could almost cut them into two different camps: those that are very, very strictly monitored, regulated, etc., who take this very, very seriously, like your e-commerce businesses, where if the lifeblood is taken away, the business doesn’t exist anymore; and then you’ve got another element that is still catching up, that maybe has sort of half a person doing a bit of security and a bit of IT, even bigger companies now with a few thousand employees, and they just don’t have that maturity. In today’s age, with all these threats all around you and within the organisation, it’s quite scary that they don’t have these things in place.

Andre Swart:

What about companies with good cyber resilience? Have you come across companies that you would say, in your view, and I don’t expect you to list this one, this one and this one, are doing it well?

Craig Rosewarne:

Yes, definitely there are. And I must say a number of the companies we deal with have got a fairly substantial maturity in place when it comes to dealing with this. But if you look at the landscape that they have to try and manage, especially the bigger guys out there, it’s an incredibly difficult job, and people underestimate the amount of work and effort it takes to secure even a mid-size organisation. So, we appreciate that it’s not an easy job, and even if they’ve got a big team of people and a substantial budget, there are still so many gaps to address.

Andre Swart:

At the end of the day, effectively big companies and mid-size companies could have the same exposures. They’re all using the Internet, they’re potentially all using cloud-based systems, etc. So, the exposure stays the same. Or does it not?

Craig Rosewarne:

It depends on the company. Bigger companies may have bigger budgets and bigger teams, but they’ve got a much bigger landscape, and typically they’ve got a lot more legacy systems in place as well. Now, some of the bigger guys out there have thousands of applications running in their environment; some are no longer supported, some are running on Windows XP, for example, which they can’t switch off. So, you know, trying to manage that environment with thousands of people and international operations is an absolute headache.

And as you’re getting your hands around managing this, trying to tame this beast, then you bring on mobile, then you bring on cloud, then you bring on the Internet of Things or operational technology.

You know, from a manufacturing point of view, you’ve got SCADA and industrial control systems, you’ve got third parties, and now you’ve got artificial intelligence being thrown into the mix as well, as if you don’t have enough on your plate. It’s really, really complex.

Andre Swart:

So, thinking about all of those things in the context of South Africa and looking ahead, I mean, there have been reports released that South Africa, in an African context, is by far the highest-risk country in terms of cybercrime. Do you think that’s something that’s going to continue, or are we going to get a handle on it, or are we going to go backwards?

Craig Rosewarne:

I would say, from a national government viewpoint, no, they’ve been too slow to adapt and change. There are structures, there are laws in place, that haven’t been properly operationalised. So the private sector is going to have to step in and do it, and the private sector has to come together to form communities to do it as well, because at the end of the day, you know, you’re pretty much on your own in trying to deal with this thing. So ideally the private sector would drive it and pull government along, to help support and encourage the growth of key services like the cybercrime unit in the police and Hawks, the NPA in terms of prosecution of criminals, etc. These are the key things that need to be built. Our country is very, very vulnerable, if I have to be honest, at this point in time.

Andre Swart:

Wow, great. Craig, thanks very much. It’s been a great chat.

I guess the important things that I’m taking away from this discussion are, first, that there is very much a difference between cybersecurity and cyber resilience, and that what you need to focus on is this: if those defences fail, you need that resilience capability in order to stay in the game, so that you keep operating as a business and you don’t get taken down as a result of whatever the security failure may be.

And the second takeaway: don’t wait for government. We need to take action at the enterprise level, make sure that we’re looking after our own houses, and get government to come along on this journey with us.

And thirdly, make sure that you’ve got the budgets and the people to do what you need to do. That is really, really important.

Craig Rosewarne:

I think, to add to that, you know, we always say to clients: on the one hand, you can do nothing, just leave it and hope nothing’s going to happen. On the other hand, you can spend an absolute fortune rolling out the best and the greatest. Neither of those approaches is right.

You’ve got to get that balance in the middle by looking at the high-probability, high-impact incidents that can happen, and you’ve got to make sure that those are taken care of first. Your crown jewels, at the end of the day, are dealt with, and then you focus on the other areas next.

Andre Swart:

Excellent. Thank you very much.