Business leaders are urged to shift focus from cyber security to cyber resilience as Africa’s expanding threat landscape continues to test organisations' readiness to detect, respond to and recover from cyber attacks. There is renewed pressure on business leaders to use governance, skills and innovation to build this readiness and resilience.
This is according to cyber security experts who spoke at the Cyber Security Summit 2025, hosted by SNG Grant Thornton this week in Johannesburg.
Serving as MC, Thembi Manyike, head of talent acquisition and employer branding at Santam, said cyber security is no longer just a technical concern; it is a business imperative, a social safeguard issue and a leadership priority.
“I read somewhere that the cost of cyber crime is projected – just for 2025 – to be $10.5 trillion, which makes it the greatest economic threat of our time,” she said.
A report by Cybersecurity Ventures confirms this statistic, adding that the annual amount is up from $3 trillion 10 years ago.
Grant Hughes, CISO at GVW Group and founder and president of the ISC2 Cape Town Chapter, said while there has never been more focus on and investment in cyber security than there is now, the situation continues to worsen and complexity has become the norm.
Hughes said one of the reasons for this is that traditionally, a lot of resources were applied to threat and attack prevention, so if an incident did occur, there was little to no response.
He also cited the advent of remote working, remote connectivity and multiple touch points that cyber criminals have been able to manipulate.
Hughes added that the approach taken by the industry is often flawed, weakened by factors like ‘security theatre’ as opposed to compliance-driven, real security.
“Security theatre is used to describe measures that make people feel more secure without doing anything to improve security – things like vendor security questionnaires and VM [virtual machine] scans without remediation,” he said.
Conversely, real security incorporates measures that improve security, including adversary simulations, configuration and VM, firewall configuration and rule reviews, and focused training with repeat offenders.
The event focused on building resilience to leverage governance, talent and innovation to strengthen cyber security.
“Shifting to resilience encourages us to ask better questions… we move from ‘can we get breached?’ to ‘can we recover?’” Hughes added.
He said achieving cyber resilience requires a focus on six pillars: embed security into the design; prioritise basic security controls; strengthen the human firewall; focus on readiness and incident response; secure the supply chain and vendor ecosystem; and understand the active risk profile.
While there are challenges to achieving resilience, including lack of leadership commitment, failure to align business objectives, neglecting the human factor and over-reliance on technology, an approach that centres on governance, risk and compliance, understanding of the active risk profile (the real risk factors within the organisation) and continuous independent assurance can go a long way to help.
Continuous independent assurance is real-time visibility of the organisation, performance of cyber security and data controls against specific metrics and KPIs.
Cyber security blind spots
Kuda Charandura, head of cyber advisory at SNG Grant Thornton, emphasised the need for organisations to be fully aware of the state of their cyber security, particularly because of the number of cyber security blind spots.
He listed several of these blind spots and relevant statistics, including that shadow IT/AI accounts for 69% of attacks; 30% of cyber attacks involve or exploit IoT devices; e-mail and collaboration tools are used in 91% of attacks; 62% of breaches took months or longer to detect; and only 34% of boards understand cyber risk.
Charandura emphasised the need for regular cyber awareness programmes and phishing simulations, executive training on regulatory and risk governance, as well as role-based training tailored for IT and SOC staff.
The ability to ensure future-fit skills was also emphasised during a panel discussion about emerging threats, technologies and regulatory horizons in 2026.
Panellists agreed that next year will be characterised by the advent of space technology and infrastructure, more digital and cyber laws in Africa, quantum computing (and application within cyber security), as well as intense focus on skills and resources to keep up with the speed and sophistication of threats.