Cybersecurity is fast emerging as a top risk, but responsibility thereof is a grey area

23rd November 2022 By: Marleny Arnoldi - Deputy Editor Online

The shift in how and where people work since the height of Covid-19 has left many people and organisations vulnerable to new and emerging cyber-risks, finds professional services firm PwC in its newly launched ‘Digital Trust Insights 2023: A South Africa Perspective’ report.

The firm reports that several organisations across South Africa and the continent at large have listed cybercriminals, hackers and their competitors as the top three factors affecting their organisations.

PwC Africa cybersecurity competency leader Hamil Bhoora says cybersecurity has become a highly sophisticated and dynamic field that requires businesses to rapidly adjust and improve their cybersecurity defences to detect and prevent cybercriminals from compromising their organisations.

“This is clearly indicated in the survey results of our latest Digital Trust Insights survey where we see opportunities for business executives and cybersecurity professionals to stress that more work is required to protect their organisation from cybercrime,” he explains.

PwC surveyed more than 3 500 business, security and information technology leaders in various industries across more than 60 territories; 134 organisations in Africa participated, with 68 being South African-owned organisations.

Key findings in the report include that 71% of organisations in South Africa and across Africa are seeing increases in their cybersecurity budgets in the 2023 financial year.

Since 2020, organisations globally say they have been most impacted by the increased exposure to cyberattacks owing to an increase in digitisation.

South African organisations say they expect third-party breaches, hack-and-leak operations and attacks on operational technology and industrial Internet of Things to significantly increase in 2023, compared with this year.

When asked what would make the biggest difference in transforming cybersecurity across their organisation in the next 12 to 18 months, respondents stated leadership that drives cybersecurity throughout the organisation, educating the board on cyber-risks and ensuring all non-cybersecurity employees understand the potential cyber implications of their actions.

PwC South Africa cybersecurity partner Wandile Mcanyana says that, with cybersecurity threats constantly evolving, there is a prominent need for organisations to strengthen their detection, response and recovery capabilities.

This includes regularly testing their preparedness as well as readiness should these threats materialise.

PwC’s survey highlights that 46% of CEOs want to empower their organisation’s chief information security officers (CISOs) to collaborate with the C-Suite on security in the next year.

“This is exactly what is needed to prepare for the tougher challenges that lie ahead,” Mcanyana states.


Although organisations widely agree on the need for increased cybersecurity initiatives, the respondents to PwC’s survey are divided on who should be responsible for cybersecurity within the organisation.

Many indicate that the CISO is responsible for reporting cybersecurity and privacy risks to the board; however, others, including PwC, believe cybersecurity is a shared responsibility across the C-Suite and that the CISO is primarily accountable for executing a business-aligned security strategy and programme.

There also seems to be a grey area among respondents globally and in Africa as to whether the CISO or chief information officer is responsible for securing software development operations.

However, all respondents are of the view that the CISO should be responsible for coordinating incident response activities and that the CFO should have further input in deciding the size of cybersecurity budgets and expenditure.

According to all the survey respondents, the CISO is expected to lead the charge for coordinating incident response activities, since they generally have more expertise in technical matters than CEOs.

Further, PwC explains that cybersecurity encompasses many different aspects ranging from managing data governance and privacy, communicating with external stakeholders, managing third-party risks, deciding on cyber insurance coverage and evaluating cyber-risks associated with business decisions to securing operational technologies and industrial control systems.

According to global cybersecurity strategist Edwin Doyle, the first CISO position was only created in 1994. African experts believe that a chief digital officer (CDO) should be managing data governance and privacy, yet, according to another PwC survey called 'Digital Pulse', not all companies have a CDO or are fully committed to employing a CDO.

“With whom do the different areas or aspects of cybersecurity responsibility sit then?” PwC questions.

For South Africa, the CEO is expected to be demonstrably supportive of managing privacy and governance in the organisation, as a lack of privacy and governance will leave the organisation noncompliant and facing exorbitant penalties.

Global respondents hold the view that communicating cyber-related matters with external stakeholders forms part of the CISO’s responsibility whereas, for Africa and South Africa, that responsibility is seen to lie with the CEO.

Communicating cyber-related matters is a key component when dealing with incidents and, when there is a difference in opinion on who will be communicating such matters to the public, as seen in these statistics, organisations place their reputation at phenomenal risk.

Respondents globally see it as appropriate for the CISO to be responsible for procuring security technologies whereas, for respondents in Africa and South Africa, the feeling is that the CEO is responsible.

“Our interpretation is that CEOs in Africa and South Africa are taking on a more active role in directing investments in developing and/or improving organisational cybersecurity capabilities to limit business impact from cyberattacks,” PwC concludes.