Cybersecurity is no longer an IT problem; it’s an exercise in risk tolerance 

Posted on by Africa Business

By Tony Anscombe, Chief Security Evangelist at ESET

South African businesses have evolved alongside the reality of the country’s physical infrastructure challenges. Organisations instinctively build redundancies for power, whether that takes the form of solar installations and battery back-up solutions, UPS systems or generators. When the grid fails, the failover kicks in. Related to this, most businesses have multiple connectivity failovers because everyone understands operational disruption intimately.

And yet, when it comes to digital infrastructure, many businesses treat “security” as a separate, IT-delegated silo rather than a core pillar of operational performance and, in the worst-case scenario, survival. This is a mistake, because the era of viewing cybersecurity merely as a defensive IT function is well and truly over. Cyber risk is fundamentally a business risk, which means that true resilience demands a commercial, rather than a purely technical, approach.

What does this mean? If we are honest, security is often viewed as a grudge purchase. Imagine a boardroom where a Chief Information Security Officer requests a budget of R10-million based on detailed threat modelling. The board reviews this and counters with approving R6-million. That R4-million difference is not a savings for the business. It is an unmitigated financial risk that the business has chosen to absorb. This is an important insight – the C-suite needs to translate technical vulnerabilities into bottom-line exposure.

Defining acceptable risk

Cybersecurity is not binary. In other words, you are not “safe” or “breached”. Cybersecurity is entirely about an organisation’s specific appetite for risk. By way of analogy, imagine two people walking into a Las Vegas casino with $200. They make their way to the roulette tables, where the first person puts the entire $200 on a single, high-risk number. That’s a high tolerance for risk. The second person spreads the bet across multiple, defensive layers.

Businesses, especially enterprise-level financial services institutions, are burdened by complex legacy systems, which work. Because of this, they cannot eliminate risk entirely. Therefore, they need to define what “acceptable risk” looks like and then strategically map out which of their systems are uniquely vulnerable.

Remember, risk is not just about hackers – it is also about accessibility. For example, a bank or insurer’s risk profile is complicated by the need to broaden the client base and bolster social and financial inclusion. If a bank tightens security by forcing app-only biometrics in all interactions with the customer, it risks alienating its least tech-savvy customers. In many cases, this forces organisations to rely on legacy SMS, which comes with vulnerabilities, creating a permanent risk window that the board must acknowledge.

The hidden cost of friction

The whole point of cybersecurity is to try to keep digital infrastructure safe. Yet, as we all know, hyper-aggressive security can, ironically, also be damaging to the bottom line if it disrupts operations. Organisations, then, need to work with platforms and partners that are known for reducing false positives, where security software blocks legitimate business. In high-volume environments, such as trading floors or during busy periods, a system disruption of just a few minutes has a meaningful, quantifiable financial cost.

Understanding that, organisations have the blueprint for good security. It works almost invisibly, with a light touch. Disruptive security eats into profits daily, while good security boosts commercial ROI through quality threat intelligence.

Good, or quality, security is not just about an impenetrable wall. It is also about telemetry and context. High-quality security platforms understand user behaviour. If a system detects a login from Cape Town and almost immediately from New York, it understands that no one can travel halfway around the world in three minutes and therefore flags the anomaly. This intelligence-driven approach personifies light touch because it only interrupts the user when context and behaviour is genuinely suspicious.

Are you asking the right questions?

When organisations reframe cyber risk as business risk, the next step is to understand that risk extends beyond their own walls. Many people reading this will remember when Heathrow Airport suffered a major power outage. A major global hub was taken offline for a day, not by a direct attack on its core systems, but because a utility provider ignored an earlier alert about moisture in a nearby power substation.

C-suites would do well to challenge their organisations to ask the right questions. Are they simply checking if the primary systems are safe, or are they interrogating the “substations” connected to their operations: their legacy applications, third-party vendors and integrated supply chains?

The sobering truth is that risk isn’t just the lack of a firewall. It is also a technical debt. There are systems running, right now, in financial organisations that are unpatchable. And so, the cybersecurity discussion shifts away from patches to asking how do you best segment and protect a vulnerable old heart with a modern shield. This is a strategic architectural decision and not a simple software install.

Cybersecurity should be a continuous, boardroom-led exercise in commercial resilience that requires working with partners who understand there is no finish line in cybersecurity. You cannot arrive. All you can – and should – do is strategically and tactically plan your race according to the risk you are willing to take on board.

Photo credit: ESET.

Share

Related Posts

Unlocking Profit: A Guide to Commercial Property Investment

Commercial property investment offers long-term returns, portfolio diversification, and strategic growth opportunities. Post-pandemic recovery, easing interest rates, and urban development have boosted South Africa’s commercial real estate market, with prime office, retail, and industrial spaces showing strong performance. Success relies on understanding location, vacancy rates, zoning, development potential, and sustainable practices, while avoiding speculation. Informed investors can capitalize on market cycles, rising rental yields, and low vacancies to maximize returns.

The Intersection of IT & Business: Making Tech Decisions That Drive Growth

Digital transformation has moved IT from a back-office function to the core of business strategy. However, many organisations struggle to translate technology investments into measurable outcomes. This article explores why aligning IT decisions with business goals is essential for growth, outlining how CIOs, CTOs, and business leaders can collaborate to ensure technology acts as a strategic enabler rather than just infrastructure. From shifting IT’s role to value creation, to balancing innovation with governance, and embedding modern frameworks for agility and control, the piece highlights actionable insights for making tech decisions that drive profitability, efficiency, and competitive advantage.

Remain vigilant in the face of increased banking scams urges the SAFPS

The end of the year is fast approaching, and with it, the festive season and general anticipation for that hard-earned vacation that many South Africans work so hard for during the year. While this is a time of good cheer and increased shopping activity to prepare for the December break, it is also a busy time for scammers who want to take advantage of this activity. Many South Africans have recently contacted a popular Johannesburg radio station reporting increased attempts at banking fraud, with scammers sometimes becoming increasingly aggressive and convincing.