Ziyasiza Insights – conversations with thought leaders

Building cyber resilience: Why a cyber resilience culture must be a strategic priority.

In collaboration with Wolfpack Information Risk.

Andre Swart, Managing Director of Ziyasiza, invites Edwin Mpofu, Head of Cyber Defence at Wolfpack Information Risk, to talk about the urgent attention that business leaders must give to building a culture of cyber resilience. Watch the video and read the conversation that follows.

Follow the conversation:

Andre Swart:

The extent of cybercrime in South Africa, across Africa and globally is severe and costly. At Ziyasiza we believe that business leaders should avoid taking a digital-only view of cyber resilience. Resilience strategies need to drive the right investments in the areas of greatest vulnerability, and a clear road map to achieve organisation-wide cyber resilience needs to be built.

At Ziyasiza, we’ve partnered with Wolfpack to help organisations embed cyber resilience into their culture and their operations. I’m joined today by a guest from Wolfpack, Edwin Mpofu. 

Edwin, thank you very much for your time today and welcome to this conversation.

Edwin Mpofu:

Thank you.

Andre Swart:

Edwin, can you tell us a bit about your role at Wolfpack, specifically please?

Edwin Mpofu:

At Wolfpack I am the business unit head for the Cyber Defence division, where I’m responsible for driving the activities around technical cyber defence in terms of assessments, incident response, and implementing cyber security programmes within that division. 

Andre Swart:

How do you assess whether an organisation has effectively built cyber resilience into their culture?

Edwin Mpofu:

So, the most accurate definition of cyber resilience is being able to anticipate, respond to, and recover from attacks.

You have to take into account that the environment you operate in is contested: you're not just running your operation there with no one taking shots at you. There will always be attackers trying to access your data maliciously and unauthorised people trying to do whatever they can to your information resources.

So, you need to take that broad perspective in terms of cyber resilience. What we see with a lot of people is that it's a bit ad hoc in terms of how this is approached. There is not much in terms of planning those activities that should form part of that particular programme. People don't understand what their threat model is, the kind of attackers that are going to target them, what assets they are interested in, and what tactics are going to be used against them.

So, there’s that void and aligned to that void then is a lack of preparation because there’s no situational awareness that goes with that.

Andre Swart:

If I had to ask you to think about the organisations that you've been working with, that you have assisted: what in your experience has typically been the weakest link in any cyber resilience strategy?

Edwin Mpofu:

So, in most cases, right, that strategy does not exist. People are reacting to situations and situations come up.

Andre Swart:

So, the weakest link is actually a complete lack of strategy.

Edwin Mpofu:

Yes, in most cases it actually doesn’t exist. So, what then happens is people do what they need to do when they need to do it. But there’s nothing that’s ordered in terms of that approach in a lot of cases.

And there are several reasons for that. Firstly, there is that disconnect between the operational teams, mostly with technical teams, IT, and the senior management layer in terms of the executives, the audit and risk committees that should be governing these activities. There’s a clear disconnect in most cases between those two areas where the expectations from senior management are not crystallised enough for the operational teams to be able to carry out actions that are specific to the organisation’s mission.

What then happens is then at a technical or operational level, there’s acquisition of tools, certain activities being done, but without a clear bearing in terms of what risks we’re trying to address at a business level.

Andre Swart:

What can executives do to make cyber resilience stick within the organisation?

Edwin Mpofu:

So, that really comes down to building that culture within the organisation and the executives who have to lead by example as far as that is concerned.

In most cases, a lot of the initiatives like building security awareness, for instance, some of the executives don’t participate in those activities fully as they should, which is a problem because then it sets the example for all the other layers going down. So, that leadership by example should be a key part of the programme, firstly.

Secondly, that layer at the executive level should be able to articulate what the company's objectives are, and then build that interface to the technology assets which are deployed to achieve those objectives. When that is articulated, it's easy for them to then say: because we have these objectives, there are these KPIs and we are using technology to achieve these objectives, what risks could arise because of the use of technology? That gives context to operational teams to be able to then say, what is our control posture on these assets? How could a breach, for instance, affect key objectives for the organisation? What would be the cost of that breach? How do we counter such activities from an adversary perspective? How would we anticipate that and try and make sure that we minimise that impact?

So, then those teams would have the perspective in terms of this is the cause we’re trying to address, and this is how much we can spend in terms of controls, processes, technical solutions to address the risk.

Andre Swart:

If I bring that back to you now as a security professional, if you were given the task of building that cyber resilience aspect into an organisation’s culture, what approach would you take? How would you approach it?

Edwin Mpofu:

It's obviously a difficult task, I think, but I would start off with an awareness drive, trying to sensitise the people in terms of the reality of cyber risks. We are all aware of the different incidents that make the headlines, and the reality is that a lot of them don't make the headlines. But for those that do make the headlines, we see what that impact is. And in a lot of cases, people think it won't happen to us, for whatever reason, when there's nothing special or specific about an organisation that makes them exempt from such threats.

So, I would start by educating the people so they understand exactly what can happen, what that impact is, and what we can do as an organisation to counter those specific threats.

And let them understand as well that it's not just throwing a tool at the problem, or throwing a big budget at the problem, but it's a whole lot of things: processes that have to be built in, people factors in terms of education, training and capacity building, that should all go into the task of alleviating the issues that arise as a result of cybercrime activities.

Andre Swart:

So Edwin, if we take this culture of cyber resilience and expand it into the country: we all live here, and as organisations we will operate here. In your view, are South African organisations getting better at cyber resilience or not?

Edwin Mpofu:

I think there are improvements. Things are getting better in some industries more than others, but it's a bit difficult to really give an informed perspective, for a number of reasons. Firstly, there are no laws that mandate the publication of cyber breach incidents in the country except for specific industries, and that is also not within the public domain. A lot of them make the headlines. People realise, oh OK, I could also be targeted. So, that drives a bit of awareness and people then try to improve their situations accordingly.

Also, I think as individuals we do experience some of those things and we know that it is a reality and based on that we have that informed perspective and we carry that on to our companies, and also try and improve things.

Andre Swart:

So Edwin, thanks. Thanks very much for the conversation. If I try and sum up the main messages that I'm taking away from this particular conversation:

  • Resilience is not just about responding and recovering; the anticipation of events is just as important. The preparation that one needs to go through, or that an organisation needs to go through, is the first step to becoming a cyber resilient organisation. That would be the first takeaway.
  • If I think about the approach that you spoke about, the approach that you would take: building that awareness. Starting off with building that awareness within the resource base, within the people base, is a good place to start.
  • And then lastly, and possibly most unfortunately, is that while South African organisations are improving, they're probably not doing it at the right speed because of many unregulated industries, as it were. So, we need to do more as South African organisations and not wait for regulation in order to become more cyber resilient.

Edwin Mpofu:

Yes, that’s correct. I think that accurately sums it up.

Andre Swart:

Great. Edwin, thanks again.

And just to wrap up, at Ziyasiza, we believe that we can achieve more together and that’s why we work with specialist firms like Wolfpack, and we’ll be bringing you many more stories from the boardroom. So please follow us. Please interact with us, follow us on LinkedIn, check out our website, ziyasiza.com, and we’ll bring you more stories about how we work with other organisations, put our heads together to solve major problems through innovative thinking and also reducing risks.

Edwin, thanks again for your time. Thank you. See you soon.

Edwin Mpofu:

Thanks.