How to instil a culture of cyber security in your business

Joanne Carew
By Joanne Carew
Johannesburg, 29 May 2024
Rashika Ramlal, Public Sector Country Leader, South Africa at Amazon Web Services (AWS).
Rashika Ramlal, Public Sector Country Leader, South Africa at Amazon Web Services (AWS).

South African firms are paying an average of R18 million to ransomware attackers and, following that action, it can take between one and six months for the business to recover fully from the attack.

Further, South Africa is ranked fifth in the world when it comes to cyber crime density.

“This means that from a cyber security perspective, South Africa is the fifth worst country in the world,” said Rashika Ramlal, public sector country lead for South Africa at AWS, in her address at the ITWeb Security Summit Cape Town.

Given this environment, we can longer see cyber security as being the responsibility of a single person or department, she said, adding that cyber is everyone’s responsibility. To achieve this, putting security at the heart of your business is essential and she outlined a few ways to do so.

First, you need to embed security into every aspect of the business, Ramlal said. “You cannot run security as a project or a programme. It needs to be a core function of your business. It must run as part of your broader operations.”

This means making sure teams receive regular training and the board is properly educated around the landscape and the risks. To do the latter successfully, she suggested that CISOs and security executives focus on impact.

To win over the leadership team, demonstrate the potential impact of an attack – be it on customers or business operations – because impact can very easily be linked to the business’ bottom line, she said.

The next step, said Ramlal, is focussed on promoting an escalation friendly culture that fosters psychological security.

Within an escalation friendly environment, individuals feel like they can speak up. And when they do so, they will feel a sense of psychological safety if they are thanked for coming forward, even if they are responsible for whatever has gone wrong. Ramlal said it’s important to praise them for having the courage to highlight the issue before it becomes a larger problem.

Finally, she suggested that businesses back ‘security champions’ – existing staff who aren’t security professionals but who have a keen interest in security. Given a global shortage of cyber talent, upskilling the resources already in the business makes sense. In doing so, businesses can better scale their security efforts and promote a more holistic security culture. Think of these champions as security ambassadors who have the knowhow to embed security into every aspect of the business – from product development all the way through to customer service.