Cybersecurity has never been this important

SS-Consulting’s Chief Security Strategist, Simphiwe Mayisela, takes us through the issues facing South Africa right now with regard to cybersecurity, while also driving home the importance of protecting your business.

Cybercrime is on the rise. With the advent of COVID-19, more and more people are now working from home, making the data and information of businesses across the globe vulnerable to cyberattacks.

This is why it is so important for businesses to beef up their cybersecurity and start to take this field of expertise seriously. Often seen as a luxury rather than a necessity, Chief Information Security Officers (CISOs) and Chief Security Strategists (CSSs) are the gatekeepers who ensure a business is protected from cybercrime. Without such protection, the potential losses are unthinkable.

Simphiwe Mayisela is one such gatekeeper. He is the Chief Security Strategist for consulting firm SS-Consulting, a Black-owned company that specialises in strategic and technical consultation in the fields of cybersecurity, governance, risk, and compliance.

Mayisela finds himself in a high-pressure environment. With the number of attacks growing by the day across the globe, his job is a thankless one, but one which is vitally important not only for the businesses he represents, but also for the privacy of those businesses’ customers. The problems deepen when you consider that the industry is understaffed on the whole – and that makes for very difficult working conditions for those tasked with keeping businesses safe.

“CISOs are not losing the battle against cybercriminals because of the overwhelming threat landscape, but primarily because of skills shortage. It is the battle of the wits where CISOs are losing the skills race to the cybercriminals. There are a myriad of reports and surveys that have been conducted to highlight the dearth of cybersecurity skills,” says Mayisela, who has nearly two decades of experience in the field of cybersecurity.

“This has resulted in so much pressure amongst CISOs, as they have to do more with less. A widely circulated report earlier this year noted that about one in seven CISOs turned to drugs or alcohol to cope with job pressures. The vast majority typically worked beyond 40-hour weeks and many couldn’t truly disconnect during downtime. This likely included the 23% who admit work negatively impacted personal relationships. That may also explain why the tenure for 55% of survey respondents was less than three years.”

 

These issues are what Mayisela is pushing to see the back of. “My number one challenge is addressing the skills gap crisis that continues to loom over the industry. As a consulting firm, we are in constant need of skilled resources, particularly within the penetration testing discipline. According to (ISC)², the shortage of cybersecurity professionals is estimated at three-million globally.”

The advent of remote working

With more and more people working from home due to the pandemic, the threats to cybersecurity have skyrocketed. In the United Kingdom alone over the past year, a record 723 serious hacker attacks have been recorded. Those numbers do not make for pretty reading – and it is something which will only rise as long as unsecured systems are in play. Mayisela says that the challenges presented now are unprecedented, with the consequences of attacks filtering down to the productivity of those working from home.

“The current move to remote working has given rise to ‘COVID-19-focused attacks’. Most companies have responded by implementing remote worker systems comprised of an endpoint VPN client and an online teleconferencing system. However, we need to be mindful that this move has somehow increased the cybercriminals’ attack vector in that the cybercriminals are not only targeting the remote worker, but even their children who are now being schooled at home using e-learning. Attackers are aware that this move to remote working is rushed and will therefore have gaps in security, so they will try to take advantage of this unplanned transition and inexperienced teleworkers. Attackers are also taking advantage of insecure online teleconferencing systems such as Zoom. Recently, there has been news of pornographic content being injected on Zoom sessions while members of Parliament are having online meetings from home.

Home networks do not provide the same level of security that a corporate network can provide,” Mayisela states.

 

 


In another exciting step, Accenture has recently onboarded SS-Consulting into its Enterprise Supplier Development Programme.

Mayisela realised there is a huge gap in the market when it comes to cybersecurity, and a massive skills shortage.

Being able to provide these sought-after skills to clients is what gives SS-Consulting the edge.

“In the US alone, there are about 1 million cybersecurity workers, but there were around 715 000 jobs yet to be filled as of November 2021, according to a report by Emsi Burning Glass (now Lightcast),” he says.

“The SA government has also identified a big gap in cybersecurity skills and is currently working to develop a National Cybersecurity Skills Framework to guide the training of cybersecurity professionals in the country.”

SS-Consulting has been appointed as a member of the Advisory Panel for the MICT SETA Cyber Security Qualification Working Group from August 2020 to develop a Cybersecurity Tertiary Qualification.

“SS-Consulting provides a robust solution to end-user devices that can go a long way towards addressing these challenges. Through our partners, we offer endpoint detection and response (EDR) solutions that come with advanced antivirus functionality, as well as both pre-infection and post-infection defences to keep endpoints – and your network – clear of malicious malware. Even if the remote worker’s device has been compromised, we are able to detect, defuse, and remediate live incidents, thereby enabling remote workers to stay on task.”

Now is clearly the time for corporates to reevaluate their cybersecurity.

While this is improving in the country, Mayisela believes that there is still room for growth in shifting the mindset of corporates. “Corporate South Africa is starting to take security seriously, both the public and private sectors. The past few years have seen a growing awareness of the importance of cybersecurity, particularly in light of numerous ransomware attacks against state-owned entities and high-profile breaches that have seen millions of consumer records exposed.

As a result, CISOs have increasingly been brought into boardrooms to advise on risk mitigation and protective measures. Even more recently, when it became clear that COVID-19 was going to be more than a minor disrupter, CISOs were tasked with assisting boards the world over in helping to prepare for the effects the virus was going to have on their operations,” Mayisela, who holds a Master’s Degree in Computer Science specialising in Information Security from Rhodes University, adds. “Coronavirus risk mitigation and preparation have been their focus area for months – mainly from a technical perspective.

It is so unfortunate that the CISOs’ voice seems to be limited to the technical world only when there is a wealth of knowledge input they can impart to the board from a business perspective. Nonetheless, the amount of CISOs in the boardroom is finally catching up.

A strong relationship between CISO and board is an indication that cybersecurity is at the forefront of board agenda.”

Is there a difference in Africa?

There is a misconception that first-world countries are more often than not the targets of cyberattacks.

This could not be further from the truth, insists Mayisela, who feels this is a problem we all have to start taking seriously. “While the role of the CISO is contextual in nature, I do not think that there are unique issues that a CISO in Africa will experience from CISOs in other parts of the world.

Cyberspace does not have geographic boundaries. Threats and actual attacks don’t tend to discriminate based on continent. The only difference is the statutory requirements applicable to a certain country.

With the exception of Kenya, very few countries in Africa have promulgated cybercrime and cybersecurity laws. Our very own Cybercrime and Cybersecurity Bill was published in the Government Gazette in 2016, but even today it has still not been made effective,” he continues. “In the absence of such legislation, organisations in Africa are not forced to disclose cybersecurity breaches.

As a result, we cannot say with much certainty that there are particular types of attacks geared towards Africa, because African companies do not disclose these attacks.”


So what exactly is the solution? How does one drive home the point that cybersecurity is so vitally important in the 21st century? This is the challenge facing Mayisela and SS-Consulting – one which they hope to win sooner rather than later.

 


“The evolution of the CISO role in Africa is still in its infancy. Most companies in the rest of Africa still rely on only a few professionals in the IT department dedicated to the security of their infrastructure. Even in Kenya, where SS-Consulting has a footprint through partnership, the adoption of the CISO role is still fragile.

It is only the big organisations like Commercial Bank of Africa Group, NIC Group, and Diamond Trust Bank that have CISO roles,” Mayisela concludes. “Statutory requirements play a huge role in accelerating the evolution of the CISO role.

Those who have been in the cybersecurity fraternity long enough will recall that the role of the CISO dates as far back as 1994, when Citigroup suffered a series of cyber-attacks from a Russian hacker named Vladimir Levin. The giant bank responded by creating the world’s first senior-level executive position responsible for information security. This position was given to Steve Katz, who now works as a cybersecurity consultant, like myself.

It is the statutory requirements such as the US Patriotic Act that was promulgated in October 2001, which required that all Federal IT departments employ an individual solely dedicated to IT security, that ultimately created an avenue for the CISO role to press forward.” It is evident that protecting your business from cyberattacks is far more important than it has ever been. So what’s your excuse?
