Building cyber resilience: Why a cyber resilience culture must be a strategic priority

In collaboration with Wolfpack Information Risk.

Andre Swart, Managing Director of Ziyasiza, invites Edwin Mpofu, Head of Cyber Defence of Wolfpack Information Risk, to talk about the urgent attention that business leaders must give to building a culture of cyber resilience. Watch the video and read the conversation that follows.

Andre Swart: The extent of cybercrime in South Africa, across Africa and globally is severe and costly. At Ziyasiza we believe that business leaders should avoid taking a digital-only view of cyber resilience. Resilience strategies need to drive the right investments in the areas of greatest vulnerability, and a clear road map to achieve organisation-wide cyber resilience needs to be built. At Ziyasiza, we’ve partnered with Wolfpack to help organisations embed cyber resilience into their culture and their operations. I’m joined today by a guest from Wolfpack, Edwin Mpofu. Edwin, thank you very much for your time today and welcome to this conversation.

Edwin Mpofu: Thank you.

Andre Swart: Edwin, can you tell us a bit about your role at Wolfpack, specifically please?

Edwin Mpofu: At Wolfpack I am the business unit head for the Cyber Defence division, where I’m responsible for driving the activities around technical cyber defence in terms of assessments, incident response, and implementing cyber security programmes within that division.

Andre Swart: How do you assess whether an organisation has effectively built cyber resilience into their culture?

Edwin Mpofu: So, the most accurate definition of cyber resilience is being able to anticipate, respond to, and recover from attacks, taking into account that the environment that you operate in is contested, so you’re not just running your operation there and no one is taking shots at you. There will always be attackers trying to access your data maliciously and unauthorised people trying to do whatever they can to your information resources. So, you need to take that broad perspective in terms of cyber resilience. So, we see that with a lot of people, it’s a bit ad hoc in terms of how this is approached. There is not much in terms of planning those activities that should form part of that particular programme. People don’t understand what their threat model is, the kind of attackers that are going to target them, what assets they are interested in, and what tactics are going to be used against them. So, there’s that void, and aligned to that void then is a lack of preparation, because there’s no situational awareness that goes with that.

Andre Swart: If I had to ask you to think about the organisations that you’ve been working with, that you have assisted, what in your experience has typically been the weakest link in any cyber resilience strategy?

Edwin Mpofu: So, in most cases, right, that strategy does not exist. People are reacting to situations, and situations come up.

Andre Swart: So, the weakest link is actually a complete lack of strategy.

Edwin Mpofu: Yes, in most cases it actually doesn’t exist. So, what then happens is people do what they need to do when they need to do it. But there’s nothing that’s ordered in terms of that approach in a lot of cases. And there are several reasons for that. Firstly, there is that disconnect between the operational teams, mostly with technical teams, IT, and the senior management layer in terms of the executives, the audit and risk committees that should be governing these activities. There’s a clear disconnect in most cases between those two areas, where the expectations from senior management are not crystallised enough for the operational teams to be able to carry out actions that are specific to the organisation’s mission. What then happens is that at a technical or operational level, there’s acquisition of tools, certain activities being done, but without a clear bearing in terms of what risks we’re trying to address at a business level.

Andre Swart: What can executives do to make cyber resilience stick within the organisation?

Edwin Mpofu: So, that really comes down to building that culture within the organisation, and the executives have to lead by example as far as that is concerned. In most cases, with a lot of the initiatives like building security awareness, for instance, some of the executives don’t participate in those activities as fully as they should, which is a problem because then it sets the example for all the other layers going down. So, that leadership by example should be a key part of the programme, firstly. Secondly, that layer at the executive level should be able to articulate what the company’s objectives are, and then build that interface to the technology assets which are deployed to achieve those objectives. When that is articulated, it’s easy for them to then say: because we have these objectives, there are these KPIs, and using technology to achieve these objectives, what risks could arise because of the use of technology? That gives context for operational teams to be able to then say, what is our control posture on these assets? How could a breach, for instance, affect key objectives for the organisation? What would be the cost of that breach? How do we counter such activities from an adversary perspective? How would we anticipate that and try and make sure that we minimise that impact? So, then those teams would have the perspective in terms of this is the cause we’re trying to address, and this is how much we can spend in terms of controls, processes, technical solutions to address the risk.

Andre Swart: If I bring that back to you now as a security professional, if you were given the task of building that cyber resilience aspect into an organisation’s culture, what approach would you take? How would you approach it?

Edwin Mpofu: It’s obviously a difficult task, I think, but I would start off with an awareness drive, trying to sensitize the people