Security culture. This is more than training employees, sneaking fake phishing tests and putting cybersecurity on the budget.

It’s a culture of using security solutions as part of the very fabric of the organisation to reduce vulnerabilities and ensure the organisation is as agile in its evolution as the security threats themselves.

This culture comes from leadership, clear reporting processes, and placing security at the centre of corporate strategy, says Mandla Mbonambi, CEO of Africonology.

“Leadership has to embody the heart of this security culture,” he continues. “If leadership places investment into security at the forefront of all IT and business decision-making, then this commitment filters down through the rest of the organisation. This focus on security as a strategy and a priority also ensures the organisation is well prepared for the current cyber-threat.”

And this threat is at an all-time high – cybercrime is anticipated to cause damages to a staggering total of $8-trillion globally. As of August 2023, the largest case of data breach worldwide was the Cam4 Data Breach that compromised more than 10-billion data records, second only to Yahoo in 2013. In 2023, 33 billion records have been stolen in total, cybercrime grew by 40% and compromised electronic records increased by 175%. The landscape is complex, fraught, and increasingly deadly.

“Organisations can’t ignore the threat and they can’t comprehensively plan for it either,” says Mbonambi. “Threat actors are accessing the same technologies as security companies, using them to perpetrate intelligent attacks designed to bypass security systems and employee training.

“Nobody can plan for the threats on the horizon or for when someone is distracted and accidentally clicks on a link and compromises business passwords. These incidents are inevitable. What you can plan for is the response to the threats by creating a resilient and security business culture.”

McKinsey underscores this in a discussion with chief risk officers (CROs) from around the world. The crises will happen – it is how the organisation responds to the crises that make the difference. CROs believe decisions made during crises have lasting effects and that cybersecurity remains one of the top five risks facing every organisation today.

The goal of leadership is to ensure that security is so deeply entrenched within the business that reactions to threats and vulnerabilities are rooted in resilience, not reactions.

“This ties into the need for clear reporting processes and ensuring that security sits at the heart of corporate strategy,” says Mbonambi. “All these elements are crucial to ensuring that the business can make choices that protect it from the threats or, in the worst-case scenario, allow for it to respond intelligently. They also dictate how the organisation approaches its security investments.”

A recent Accenture report found that 74% of CEOs aren’t sure their business can ‘avert or minimise damage to the business from a cyberattack and yet 96% believe that cybersecurity is critical to ensuring the organisation is capable of growth and stability.

Unfortunately, many CEOs believe that investing in security solutions is expensive, more so than the cost of a cyber-attack (56%) which is a false economy. The loss of reputation and data alongside the risks of legislative repercussions are heavy prices to pay for poor security infrastructure and a weak security culture.

“Yes, the business can take a chance on a firewall and some training,” concludes Mbonambi. “However, the disconnect between the decision-maker and the technology can cost companies millions and potentially shut them down for good – around 60% of small companies go out of business after a cyber-attack.

“Instead of taking a risk, face the risk. This is a far smarter way of changing the security narrative within the organisation and staying ahead of the threats.”