For cyber leaders, focusing on security tools alone isn’t enough anymore. Organisations need to evolve their positioning from the avoidance of data loss alone to the broader philosophy of cyber resilience, says Grant Hughes, CISO at GVW Group.
“Historically, the focus was on the prevention of being breached, but we've seen history repeat itself time and again – breaches happen despite having a multitude of security controls in place.”
He says there's recognition of this in the paradigm shift to cyber resilience.
“We now live in a world where, despite the best laid plans, we acknowledge that things can still happen. There are a million ways for companies to suffer a cyber attack that don't relate to negligence or lack of effort. Somebody could hold a family member hostage and force you to give over your password.”
Cyber resilience is about the organisation being able to carry on after a breach. Hughes says the philosophy still recognises the value of, and places importance on, cyber defence and protection, but places equal attention on backups, recovery and continuity.
It isn’t just a technology-led cyber strategy either; it requires the organisation to adopt the philosophy, and the cyber leaders need to drive that adoption.
“It's an educational thing, a cultural thing. It takes time to get there; it's not an instant thing where you just flip the switch,” he says.
Hughes expands on the point that a key part of the shift to cyber resilience involves educating stakeholders.
“For example, in cyber resilience, the board of directors aren’t asking cyber leaders for assurance that the organisation is secure and can't get hacked; instead, the board want assurance that even if an organisation does get hacked, it can recover.
“The level of education your board has directly influences their questions and expectations. If the board is saying, ‘I gave you R10 million, I want the guarantee that we can't get hacked’, then you have failed to educate them properly.”
In addition to the identification and management of stakeholders, Hughes outlines six other pillars to shifting an organisation to cyber resilience.
1. Embed security into the design
2. Prioritise the basics
3. Strengthen the human firewall
4. Focus on preparedness and incident response
5. Secure the supply chain
6. Perform continuous independent assurance activities
Hughes is the founding president of the ISC2 Cape Town Chapter and one of the most decorated and qualified cyber leaders in SA. He will be digging into the shift to cyber resilience in greater detail when he presents at the Cape Town leg of Security Summit 2026, on 26 May.