“As cyber security professionals, it’s safe to say that what we are doing isn’t working. The proof is in the headlines – from Marks & Spencer to Jaguar Land Rover – the scale, impact and frequency of cyber incidents are clearly on the increase.”
Budgets have risen dramatically and cyber teams have more tools than ever before, yet things just keep getting worse, said Duncan Rae, group CISO at Pepkor.
He shared these thoughts during yesterday’s afternoon session of the Cape Town leg of ITWeb Security Summit 2026, at the Century City Conference Centre.
Why is this the case?
Rae believes it’s because infosec has lost sight of its mission. “We enjoy being able to say we work in cyber security because it makes us feel important, and we use complex jargon and fancy graphs because we like to feel smarter than everyone else. But the sad truth is that when we focus too much on the titles and the terminology, this is just vanity theatre and it creates a false sense of security.”
He mentioned the many different governance and compliance frameworks, programmes and guidelines as an example of this noise.
“Don’t get me wrong, these frameworks are essential and provide incredible roadmaps for where we should be headed, but many of us have our heads so buried in these maps that we’ve taken our eyes completely off the road, which is pretty dangerous. Our mission must come before metrics.
“When we focus too much on audit findings and pretty dashboards, it’s easy to start optimising what we do to meet that metric or audit report,” he said. So many organisations have beautifully crafted security policies tucked away in a drawer somewhere, and no one knows where they are, but they pass audits simply because they have them.
“This kind of thing doesn’t actually make us safe; it only makes us feel safe. Treating information security like a box-ticking exercise is a great way to cover your ass if something goes wrong, but is it proper risk management? Are you really keeping the business safe?”
Rae advises cyber professionals to focus on the basics. This isn’t to say they mustn’t keep up with industry changes, but it does mean doing away with all the “extra stuff” they think they need and focusing instead on building a solid foundation.
“This week, I challenge you to pick one process you work on and ask yourself, does this genuinely reduce risk, or is this just security theatre?”
To drive this shift in thinking around what does and doesn’t matter, he believes the industry needs fresh ideas and perspectives. “This means not just recruiting more disciples who think the same way as we do.
“What we need to do is raise up revolutionaries who are curious and who aren’t afraid to ask why and question established dogma, and who challenge us, as seasoned cyber professionals, to do the same.”