Recently, I asked a room full of business leaders who among them would rate their cybersecurity posture as “excellent”. Only one hand went up. When I dropped the ranking to “good,” just a few more hands were tentatively raised.

By Kudakwashe Charandura, head of cybersecurity at SNG Grant Thornton

The uncomfortable silence that my question was met with reinforced what I have long known – that most organisations don’t actually know the state of their own cybersecurity.

That’s because the way business has always approached cybersecurity simply isn’t working. Despite massive investment in security tools and technologies, breaches continue to spike. Even tech giants with seemingly unlimited resources fall victim to attacks. And the disconnect between expense and results is getting wider.

It’s ironic because, in most boardrooms today, you’ll hear a lot about the latest AI-enabled security tools, state-of-the-art firewalls and expensive Security Operations Centres. Yet when my team conducts assessments of these same businesses, we find that few, if any, of these expensive solutions were ever independently tested before going live. You wouldn’t implement a major financial system without having internal audit review it first, so why do we treat our security infrastructure differently?

This question is especially relevant when you consider the security breach statistics. Shadow IT now accounts for 69% of attacks, while third-party supply chain risks contribute to 59%. Misconfigured cloud services remain the number one cause of cloud-related data breaches. But perhaps most alarming is that 60% of attacks exploit unpatched systems, and 62% of breaches take months or longer to be detected.

The problem isn’t a lack of technology. It’s that most organisations lead with technology in their cybersecurity strategies, when it should actually feature much lower down on the list of priorities. Before deploying any tools, you need to understand your business, establish governance, develop policies, build response processes and educate your people. Deploying expensive security solutions without this foundation is like building a house starting with the roof.

That’s because, when you lead with tools instead of strategy, you miss the systemic weaknesses that matter. Social engineering, for example, remains devastatingly effective because it exploits trust, not technology.

Employees will fall for clever tricks – that’s human nature. When we conduct assessments, we consistently find that attackers don’t need sophisticated tools to breach organisations; they simply need to ask nicely for passwords or, as we do in our own assessments, run a believable phishing campaign, and people hand over credentials because they want to be helpful.

But even this human error isn’t the real issue. If a single employee clicking a malicious link can compromise your entire organisation, that’s not a people problem – it’s an architecture problem. Where are your layers of defence? Where’s your segregation of duties? Where are your access controls? Most organisations focus exclusively on external threats while overlooking internal vulnerabilities.

The solution to this isn’t more employee awareness training emails that everyone ignores. It’s meaningful, targeted, role-specific education combined with a technical architecture that assumes humans will make mistakes and builds resilience around that reality. And that education imperative extends all the way to the top, because the majority of cybersecurity failures happen on the back of governance failures.

In our experience, traditional security approaches share three critical blind spots. They rely excessively on technology while neglecting human factors and processes. They have limited visibility into IT infrastructure and user behaviour. And they are reactive rather than proactive in their security measures. Add to this the complexity of modern IT environments and you have the makings of a perfect storm.

And the only real protection against such a storm is true cyber resilience. This isn’t just about preventing attacks; it’s also about a built-in ability to survive and recover from them. I like to tell my clients to think of this resilience as an onion with layers upon layers of controls protecting your core assets. The formula is straightforward: cyber resilience equals cybersecurity, plus backup, plus business continuity, plus incident response, plus crisis management, plus physical security.

It sounds complex, but there’s a fairly straightforward roadmap to achieving it:

* Understand your business. What are your crown jewels? What keeps your CEO awake at night? What would cause customers to leave? Protect those things first.

* Establish proper governance. Form a cybersecurity steering committee. Define clear roles and responsibilities. Ensure your board receives digestible reports that connect cyber risks to business impacts.

* Develop clear, concise policies. The type that people can actually read and understand. If it takes days, or even hours, to locate your cybersecurity policy, something is fundamentally wrong.

* Build your protection, detection, response and recovery capabilities (in that order). Each represents a vital layer of your resilience “onion.”

* Educate your people. Give them targeted, relevant training. After all, an IT manager needs different training than an HR professional who handles sensitive employee data.

* Deploy your tools and technologies. But, critically, test them independently to ensure they work as intended.

* Monitor and improve continuously. Cybersecurity isn’t a project with an end date; it’s an ongoing programme requiring constant assessment and adaptation.

AI-powered security technologies are not a panacea for cybersecurity.

AI is a mirror. It learns from us, and, like us, it can make mistakes or hallucinate. Without proper configuration, governance, and continuous monitoring, even the most advanced AI systems will fail to deliver meaningful protection.

Cyber resilience is not achieved through tools alone; it is built through consistent governance, testing and a culture of accountability. A high-end alarm system is useless if it is never turned on or monitored.