In an era where operational disruptions are a daily reality for South African businesses, a new warning has emerged from the cybersecurity sector: treating digital defense as a mere IT problem is a strategic mistake that could threaten the very survival of modern enterprises.
Tony Anscombe, chief security evangelist at global cybersecurity firm ESET, argues that the time for viewing cybersecurity as a defensive silo is over.
Instead, businesses must treat cyber risk as a fundamental commercial risk, akin to the way South African organizations manage physical infrastructure redundancies like solar power and backup generators.
The Grudge Purchase Fallacy
For many organizations, cybersecurity is still viewed as a “grudge purchase”—a necessary but unwelcome expense. Anscombe highlights a common boardroom scenario that illustrates a dangerous misunderstanding of financial exposure.
“Imagine a boardroom where a CISO requests a R10-million budget based on detailed threat modeling, but the board only approves R6-million,” Anscombe notes. “That R4-million difference is not a saving for the business; it is an unmitigated financial risk that the business has chosen to absorb.”
This perspective shifts the focus from technical vulnerabilities to bottom-line exposure, requiring C-suite executives to translate patches and firewalls into acceptable risk.
Defining Appetite for Risk
Using a casino analogy, Anscombe explains that cybersecurity is not a binary “safe or breached” status. It is entirely dependent on an organization’s specific appetite for risk. While some may take high-risk gambles with their data, others spread their “bets” across multiple defensive layers.
For major financial services institutions, this challenge is compounded by Technical Debt. Many organizations rely on complex legacy systems that are functionally essential but technologically unpatchable.
“The discussion shifts away from patches to asking how to best segment and protect a vulnerable old heart with a modern shield,” says Anscombe. This, he argues, is a strategic architectural decision rather than a simple software installation.
The Cost of Hyper-Aggressive Security
One of the most overlooked aspects of digital defense is the hidden cost of friction. While a lack of security leads to breaches, hyper-aggressive security can lead to false positives, where security software blocks legitimate business activities.
In high-volume environments like trading floors or e-commerce hubs, a disruption of just a few minutes has a quantifiable financial cost.
Anscombe suggests the blueprint for Good Security is a light touch approach that:
- Works Invisibly: Boosts commercial ROI without eating into daily profits.
- Uses Intelligence-Driven Context: High-quality platforms that understand user behavior.
- Reduces Friction: Only interrupts the user when behavior is genuinely suspicious (e.g., detecting logins from two different continents within minutes).
Interrogating the Substations
Drawing a parallel to the infamous Heathrow Airport power outage, caused not by a core system failure but by a neglected utility substation, Anscombe urges leaders to look beyond their own walls.
The modern business risk profile includes:
- Third-party vendors
- Integrated supply chains
- Legacy applications
No Finish Line
The core message for the Nigerian and South African business ecosystems is clear: cybersecurity is a continuous, boardroom-led exercise.
“There is no finish line in cybersecurity,” Anscombe concludes. “You cannot arrive. All you can, and should, do is strategically and tactically plan your race according to the risk you are willing to take on board.”
