IT leaders shared ideas on how to create a cyber-aware culture in the digital age.
A CIO Day roundtable discussion brought together industry experts, cybersecurity professionals and thought leaders to address the challenges and strategies for creating a cyber-aware culture. The urgent need for cybersecurity transformation, the power of effective storytelling, and the significance of behavioural change and collaboration were the key themes explored.
Colin Iles, a disruptor in the cybersecurity space, set the stage for the roundtable discussion by boldly proclaiming that, “Cybersecurity is what keeps CIOs awake at night.” Highlighting the pressing challenges faced by CIOs in the digital age, Colin said the rapid advancement of technology, coupled with the rise of artificial intelligence, has created a formidable challenge for cybersecurity.
Colin emphasised that South Africa faces a shortage of cybersecurity experts, adding that “This shortage is further compounded by the escalating number of cyberattacks, including ransomware and breaches, which are expected to increase tenfold over the next decade.”
The art of storytelling for cybersecurity advocacy
Ritasha Kalidas, the CISO of Tiger Brands, stressed the importance of being a persuasive storyteller when advocating for cybersecurity initiatives, and the need to move beyond technical jargon when engaging with C-suite executives. Instead, she recommended framing the importance of cybersecurity in terms of reputational risk, business impact, and bearing on core business processes.
Ritasha shared her experience of encountering leaders who lacked the ability to articulate their needs effectively, despite having great strategies and ideas. “CISOs need to balance their technical expertise with the ability to communicate effectively, ensuring that their audience understands the urgency and relevance of cybersecurity initiatives,” she said. She added that it’s important to speak in simple language, make clear and concise requests, and provide relatable examples.
Ritasha also stressed the significance of understanding the core business operations and where IT fits within the broader organisational context. “CISOs need to build trust and frame cybersecurity as a fundamental part of the cost of doing business for gaining support from executives,” she said, pointing out that there is great value in sharing information about breaches with executives to demonstrate the real-world risks associated with cybersecurity.
Promoting behavioural change and collaboration
Sithembile Songo, group head of information security at Eskom, highlighted the human element in cybersecurity. She pointed out that protecting infrastructure from cybersecurity threats often relies on changing human behaviour.
Sithembile stressed the need for a clear vision and articulated behavioural changes, transitioning from a compliance-driven approach to a proactive and active one. She stressed the importance of top-down support from the board level and the involvement of everyone within the organisation to ensure cybersecurity practices are ingrained in all business units.
Sithembile also emphasised the significance of designing user-friendly solutions from the outset, involving people in the process to prevent human error resulting from poor usability.
Sithembile advocated for a risk-based approach to cybersecurity, explaining that organisations should prioritise their security efforts based on the most likely and damaging threats. She said it’s important to implement real-time solutions and to use a cyber kill chain to proactively address vulnerabilities. The cyber kill chain is a framework that breaks down a cyberattack into a series of steps, allowing organisations to identify and mitigate threats more effectively.
She further acknowledged the opportunities in using AI-enabled solutions to augment human behaviour. She explained that AI can be used to automate security tasks, monitor for threats, and train employees on cybersecurity best practices: “This can help to compensate for factors such as human forgetfulness and fatigue, which can increase the risk of cyberattacks.”
Insights and perspectives
Participants from the floor shared additional insights and perspectives on cybersecurity.
One participant highlighted the need to destigmatise breaches, acknowledging the heroic efforts of cybersecurity professionals in dealing with such incidents. They stressed the importance of building communities within the cybersecurity space and fostering collaboration, mirroring the coordinated efforts of cybercriminals. By sharing information and resources, cybersecurity professionals can collectively strengthen their defences against evolving threats.
The challenge of convincing leaders to appreciate the level of risk and see cybersecurity as an investment rather than a cost was also discussed. Colin suggested CISOs may need to imagine themselves as external service providers with a service to sell. He recommended adopting a consultancy approach to build trust, bring people together, and engage in meaningful conversations.
“Finding influential individuals who can advocate for cybersecurity initiatives is crucial in creating a belief system that paves the way for execution,” he said. “Presenting the story of cybersecurity’s importance in simple and practical terms, highlighting the potential consequences of inaction, and emphasising the need for a swift response are key strategies to communicate with executives and the board effectively.”
Participants acknowledged the need for proactive measures and multiple layers of safety to address vulnerabilities effectively. They expressed concerns about the limited number of internet service providers in South Africa and called for greater regulatory action to ensure the security of digital infrastructure.