By: Tony Anscombe - Chief Security Evangelist at ESET

South African businesses have evolved alongside the reality of the country’s physical infrastructure challenges. Organisations instinctively build redundancies for power, whether that takes the form of solar installations and battery back-up solutions, UPS systems or generators. When the grid fails, the failover kicks in. Related to this, most businesses have multiple connectivity failovers because everyone understands operational disruption intimately. 

And yet, when it comes to digital infrastructure, many businesses treat “security” as a separate, IT-delegated silo rather than a core pillar of operational performance and, in the worst-case scenario, survival. This is a mistake, because the era of viewing cybersecurity merely as a defensive IT function is well and truly over. Cyber risk is fundamentally a business risk, which means that true resilience demands a commercial, rather than a purely technical, approach.

What does this mean? If we are honest, security is often viewed as a grudge purchase. Imagine a boardroom where a Chief Information Security Officer requests a budget of R10-million based on detailed threat modelling. The board reviews this and counters with approving R6-million. That R4-million difference is not a savings for the business. It is an unmitigated financial risk that the business has chosen to absorb. This is an important insight – the C-suite needs to translate technical vulnerabilities into bottom-line exposure.

Defining acceptable risk

Cybersecurity is not binary. In other words, you are not “safe” or “breached”. Cybersecurity is entirely about an organisation’s specific appetite for risk. By way of analogy, imagine two people walking into a Las Vegas casino with $200. They make their way to the roulette tables, where the first person puts the entire $200 on a single, high-risk number. That’s a high tolerance for risk. The second person spreads the bet across multiple, defensive layers.

Businesses, especially enterprise-level financial services institutions, are burdened by complex legacy systems, which work. Because of this, they cannot eliminate risk entirely. Therefore, they need to define what “acceptable risk” looks like and then strategically map out which of their systems are uniquely vulnerable. 

Remember, risk is not just about hackers – it is also about accessibility. For example, a bank or insurer’s risk profile is complicated by the need to broaden the client base and bolster social and financial inclusion. If a bank tightens security by forcing app-only biometrics in all interactions with the customer, it risks alienating its least tech-savvy customers. In many cases, this forces organisations to rely on legacy SMS, which comes with vulnerabilities, creating a permanent risk window that the board must acknowledge.

The hidden cost of friction

The whole point of cybersecurity is to try to keep digital infrastructure safe. Yet, as we all know, hyper-aggressive security can, ironically, also be damaging to the bottom line if it disrupts operations. Organisations, then, need to work with platforms and partners that are known for reducing false positives, where security software blocks legitimate business. In high-volume environments, such as trading floors or during busy periods, a system disruption of just a few minutes has a meaningful, quantifiable financial cost.

Understanding that, organisations have the blueprint for good security. It works almost invisibly, with a light touch. Disruptive security eats into profits daily, while good security boosts commercial ROI through quality threat intelligence. 

Good, or quality, security is not just about an impenetrable wall. It is also about telemetry and context. High-quality security platforms understand user behaviour. If a system detects a login from Cape Town and almost immediately from New York, it understands that no one can travel halfway around the world in three minutes and therefore flags the anomaly. This intelligence-driven approach personifies light touch because it only interrupts the user when context and behaviour is genuinely suspicious. 

Are you asking the right questions?

When organisations reframe cyber risk as business risk, the next step is to understand that risk extends beyond their own walls. Many people reading this will remember when Heathrow Airport suffered a major power outage. A major global hub was taken offline for a day, not by a direct attack on its core systems, but because a utility provider ignored an earlier alert about moisture in a nearby power substation. 

C-suites would do well to challenge their organisations to ask the right questions. Are they simply checking if the primary systems are safe, or are they interrogating the “substations” connected to their operations: their legacy applications, third-party vendors and integrated supply chains? 

The sobering truth is that risk isn’t just the lack of a firewall. It is also a technical debt. There are systems running, right now, in financial organisations that are unpatchable. And so, the cybersecurity discussion shifts away from patches to asking how do you best segment and protect a vulnerable old heart with a modern shield. This is a strategic architectural decision and not a simple software install.

Cybersecurity should be a continuous, boardroom-led exercise in commercial resilience that requires working with partners who understand there is no finish line in cybersecurity. You cannot arrive. All you can – and should – do is strategically and tactically plan your race according to the risk you are willing to take on board.