With enterprise security, speed kills

If the enterprise will not slow down, security has to change. The question is how.
By Tiana Cline, Contributor
Johannesburg, 05 Feb 2026
Russell Thipha, Intellehub

Enterprise security has a habit of showing up late, after the architecture is locked in, the delivery date is set and the organisation has already decided what it is willing to tolerate. That pattern was never ideal, but it was workable when systems moved slowly and any changes were contained. Cloud, and have shortened decision cycles to the point where risk now appears while systems are being designed, not once they are already live. That is largely because enterprises are under pressure to ship new services. “The number-one priority is speed,” says Tom Soderstrom, executive in residence and enterprise strategist at AWS. “Speed to market, speed to profitability, speed to compliance, speed to training and new skills.” This obsession with release cadence shows in how teams are funded, how delivery is measured and how little tolerance there is for work that does not translate into value for the business. The problem is that cyber decisions are being made in that environment, whether security teams are brought on board at the outset or not. “If you’re on the leading edge, you lead. If you’re on the bleeding edge, you bleed,” he says.

Treating security as something that can be reviewed later no longer fits in with how enterprise systems are designed and delivered. “If it’s not secure, it just doesn’t go anywhere,” says Soderstrom, adding that security as an afterthought will become an obstacle. Where enterprises make progress, he says, is not by asking how to improve security, but by starting with the outcome the business is aiming to deliver. This means that security can’t be viewed in isolation. Products need to be brought to market faster without increasing risk, regulatory requirements need to be met without slowing delivery, and AI needs to be used in ways that do not erode customer or regulator trust.

“That’s why you really have to work backwards,” says Soderstrom. “What is the business outcome you want, and how do you get there?” Working backwards changes the nature of the conversation. Instead of starting with tools or architectures, teams will now talk about what they are actually trying to achieve. Once that question is asked, the tradeoffs will become evident. “Most decisions are two-way door decisions,” says Soderstrom. “You can try something, see if it works and, if it doesn’t, you can step back.”

One big security challenge is that large organisations often respond to complexity by making things bigger. Governance expands, programmes accumulate and responsibility moves further up the chain, which slows delivery and makes it harder to see what is actually improving. This is a pattern Soderstrom has seen again and again. “What I see all the time is organisations trying to take on too big a piece,” he says. “It’s very difficult to do something big, fast.” As scope grows, security programmes often expand on paper without changing day-to-day behaviour. Soderstrom says this is why a contained use case makes it possible to see the cause and effect, to understand what has improved in practice and what has not. It also, more importantly, lowers the cost of being wrong. “Think big, start small, scale fast,” he says. In his experience, this approach inside larger enterprises tends to travel further than broad security initiatives that promise future value but, instead, deliver complexity.

Small wins, however, do not actually improve security posture unless they are carried forward. Many organisations can point to individual teams or systems where controls work well, but struggle to turn those successes into shared ways of operating. “Don’t let an inability to do everything become an excuse to do nothing,” says Scott Francis, security innovation principal director at Accenture. According to Verizon’s ‘2025 Data Breach Investigations Report’, most successful breaches still exploit familiar weaknesses, including unpatched systems, excessive privileges, flat networks and poor monitoring, patterns that repeat across industries and environments. “It turns out that it’s really effective to do the stuff that you already know how to do,” says Francis. There’s no question that patching, least privilege, segmentation, robust monitoring, secure defaults and defence in depth can all reduce the impact of failures. The difficulty is not knowing what to fix, but sustaining those controls as environments sprawl. Enterprises are better at launching new initiatives or buying additional tools as a bandage than maintaining foundational hygiene, which is how security posture quietly degrades.

A mature cyber posture is not built on the assumption that incidents can be prevented indefinitely. Every organisation has to assume that, at some point, something will get through. “A breach will happen,” says Francis. “Rather than trying to get 100% prevention against a breach, focus on articulating a plan for how you’re going to respond.” Preparation is not only about documentation. Fire drills, he says, work for a reason. “They’re effective because people practise,” he adds. In security terms, that means thinking through, in detail, how the organisation would respond to ransomware, data theft, spear phishing or the disclosure of customer or company information. It also means knowing who needs to be involved and when. “Understand who you need to talk to in legal, and who your regulators are that you need to notify,” says Francis. “Know how you’re going to respond, what your backups look like and when you last practised restoring something from backup.”

And then there’s agentic AI. According to BCG, effective AI agents can accelerate business processes by up to 50%, which affects how quickly security teams can detect and respond to attacks at enterprise scale. “Imagine you’ll have an agent that understands threats, an agent that understands your organisational assets and appetite for risk,” says Dorit Dror, chief technology officer at Check Point. “Now put all these experts in a room. Govern them yourself, manage them and let them do the SOC operation.” In this model, multiple specialised agents work together inside the security operations centre, reasoning across threats, identities and environment-specific risk rather than handling alerts in isolation. With reasoning, those agents are able to surface and address problems security teams did not anticipate. “That’s what makes them super strong for defence,” says Dror, particularly in environments where attacks are automated and operate at volume.

Tom Soderstrom, AWS

As agentic systems move into production environments, the question for enterprises is no longer whether AI should be used in security, but how much authority they should be given. Automated remediation, quarantining, access changes and configuration fixes all compress response times, but they also raise the stakes when something goes wrong. “This is not a binary, ‘trust it or don’t trust it’ situation,” says Accenture’s Francis. “Think about it as a spectrum of risk.” Low‑impact actions are easier to verify and easier to reverse; higher‑impact decisions demand tighter controls, clearer approval paths and stronger auditability. In security operations, that translates into staged autonomy, where agents are allowed to act within defined boundaries and escalate when risk rises, rather than being turned loose on critical systems. “The question isn't just, ‘can I do the thing’, but, ‘should we even be doing this?’” says Francis.

In the enterprise, cyber posture is not ultimately set by policy statements or architectural intent, but by what systems will and will not allow as environments scale and delivery accelerates. Controls that depend on late reviews, manual approvals or one-off exceptions rarely survive sustained speed. Over time, those weaknesses show up as uneven enforcement, informal workarounds and risk decisions that vary from team to team. This is where posture is tested, not in strategy decks, but in whether controls can still be effective when change is constant and complexity compounds. “Most of the problems we see aren’t technology problems,” says Soderstrom. “They’re organisational problems.” In practice, those limits surface as technical debt, fragmented controls and security mechanisms that cannot keep pace with how the enterprise actually operates. That reality is pushing security deeper into the fabric of system design and delivery.

“Security is absolutely crucial,” says Soderstrom, “and having it built in is the answer.” At AWS, that means security that starts at the chip, with purpose-built hardware to minimise the attack surface and protect workloads by default. But not every organisation needs the same architecture – enforceability matters more than intent. In the enterprise, cyber posture is defined less by what teams aspire to do than by what systems consistently enforce as complexity grows. This is also where capability becomes a constraint. “Leaders need to become technology teenagers — experimenting, clicking around, learning by doing. You already have the people you need, they just don’t have the skills yet,” says Soderstrom. That is the difference between security as a vision and security as an operating reality in the enterprise. “You can only know if something will work by trying it hands-on.”

WHAT DOES “BUILT-IN SECURITY” LOOK LIKE?

Russell Thipha, chief solutions architect at Intellehub, says there are practical steps enterprises use to turn security posture into a policy that can withstand speed, scale and constant change. “Enterprises must quantify cyber threats in terms of business outcomes,” he says. “Cyber risk is business risk. Every disruption, whether from a data breach, ransomware, or system downtime, has a measurable financial, legal and reputational impact.”

Start with visibility, not tools

Most security gaps stem from fragmented visibility rather than missing technology. Establish a real-time inventory of devices, applications, identities and data flows in cloud, network and endpoint environments, so security teams understand what exists and what is exposed.

Integrate monitoring across the estate

Bring telemetry from networks, endpoints, cloud workloads and identity systems into a single dashboard. This means security teams can detect patterns and risks as they emerge.

Control access at the identity layer

Enforce identity governance and privileged access management to ensure that access to systems is limited, auditable and aligned with business roles, rather than inherited through legacy permissions.

Reduce security sprawl deliberately

Audit existing tools to identify overlaps and gaps. Consolidate where possible around platforms that support shared governance and standard frameworks such as ISO 27001, NIST or COBIT.

Treat resilience as an organisational capability

Run simulated attack exercises, test recovery procedures and link cyber scenarios to business impact. Security becomes durable only when response and recovery are practised, not assumed.

Turn security data into business insight

Use role-based dashboards to translate technical signals into operational and strategic indicators, enabling leaders to make informed, outcome-driven decisions.

* Article first published on www.itweb.co.za
