What are the key issues facing CISOs in Africa at present? How do they differ from other geographies? Is Africa a target for particular types of attack?
While the role of the CISO is contextual in nature, I do not think that there are unique issues that a CISO in Africa will experience compared with CISOs in other parts of the world. Cyberspace does not have geographic boundaries.
Threats and actual attacks don’t tend to discriminate based on continent. The only difference is the statutory requirements applicable to a certain country. With the exception of Kenya, very few countries in Africa (if any) have promulgated cybercrime and cybersecurity laws. Our very own Cybercrime and Cybersecurity Bill was published in the Government Gazette in 2016 but even today it has still not been made effective.
In the absence of such legislation, organisations in Africa are not forced to disclose cybersecurity breaches. As a result, we cannot say with much certainty that there are particular types of attacks geared towards Africa, because African companies do not disclose these attacks.
The evolution of the CISO role in Africa is still in its infancy. Most companies in the rest of Africa still rely on only a few professionals in the IT department dedicated to the security of their infrastructure. Even in Kenya, where SS-Consulting has a footprint through partnership, the adoption of the CISO role is still fragile. It is only the big organisations like Commercial Bank of Africa Group, NIC Group and Diamond Trust Bank that have CISO roles or equivalent.
Statutory requirements play a huge role in accelerating the evolution of the CISO role. Those who have been in the cyber security fraternity long enough will recall that the role of the CISO dates as far back as 1994, when Citigroup suffered a series of cyber-attacks from a Russian hacker named Vladimir Levin. The giant bank responded by creating the world’s first senior-level executive position responsible for information security.
This position was given to Steve Katz, who now works as a cyber security consultant like myself. It is statutory requirements such as the US Patriot Act, which was promulgated in October 2001 and required that all Federal IT departments employ an individual solely dedicated to IT security, that ultimately created an avenue for the CISO role to press forward.
What’s the impact of the current move to remote working? The move to cloud? Greater reliance on mobile devices?
There is a negative impact that remote working brings – loss of productivity. It’s one thing making sure that your workforce has all the toolsets needed to work remotely, but it’s another thing making sure that they are.
There is also loss of productivity as a result of not having the privilege of a desktop technician coming to your desk each time you experience technical problems with your computing devices. For instance, if the remote worker’s laptop is hit by ransomware, they lose four to five days of productivity because the laptop has to be shipped back and forth to the technician’s new location to be re-imaged.
SS-Consulting provides a robust solution to end-user devices that can go a long way towards addressing these challenges. Through our partners, we offer endpoint detection and response (EDR) solutions that come with advanced antivirus functionality as well as both pre-infection and post-infection defences to keep endpoints – and your network – clear of malicious malware. Even if the remote worker’s device has been compromised, we are able to detect, defuse, and remediate live incidents, thereby enabling remote workers to stay on task.
The move to remote working has fast-tracked cloud adoption significantly. With this rushed transition, we are seeing companies remotely connecting their remote workers and redirecting them to their cloud-based applications, and then backhauling all of that traffic back through their network and down to the remote users. This has the detrimental effect of overwhelming both internal resources and external bandwidth.
We always advise our clients to connect directly to their cloud (SaaS) applications using a split-tunnelling VPN method, such that remote workers have a secure connection to the corporate network to access resources like email or databases, and a separate direct link to the internet and cloud.
This method provides better protection because it ensures that internet-based transactions can’t backflow into the VPN connection and put our client’s network at risk. However, this method needs to be complemented with a good cloud access security broker (CASB) solution for policy-based insights into users, behaviours, and data stored in those cloud (SaaS) applications.
This approach still ensures that CISOs maintain visibility, compliance, data security, and threat protection for cloud-based services. By placing SaaS security in the cloud, SS-Consulting can scan provisioned cloud resource configurations and SaaS application data for threats, proprietary information, or sensitive customer records. We can also ensure that all SaaS users are monitored and protected no matter where they are or what device they are using.
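The split-tunnel arrangement described in this answer, shown as an OpenVPN client configuration. This is an added illustration, not a configuration from SS-Consulting or any of its partners; the hostname, certificate file names, subnets and DNS addresses are placeholders.

```text
# client-split-tunnel.ovpn  (hypothetical example; all names and addresses are placeholders)
client
dev tun
proto udp
remote vpn.corp.example.com 1194

# Only connect to a peer presenting a server certificate signed by our CA,
# and require user credentials on top of the client certificate.
remote-cert-tls server
auth-user-pass
ca ca.crt
cert client.crt
key client.key

# Split tunnel: discard any pushed default-route instruction so internet-bound
# traffic never enters the tunnel, even if the server is later misconfigured.
pull-filter ignore "redirect-gateway"

# Only corporate address space rides the tunnel. Everything else, including
# SaaS traffic, leaves directly through the worker's own internet connection.
route 10.10.0.0 255.255.0.0
route 10.20.0.0 255.255.0.0

# Resolve internal names through the corporate resolver for the corporate domain.
dhcp-option DNS 10.10.0.53
dhcp-option DOMAIN corp.example.internal

verb 3
```

The server side expresses the same policy by pushing only `route` statements for the corporate subnets and never `redirect-gateway def1`. After connecting, a quick check on the client is that the default route still points at the local gateway and only the two corporate prefixes point at the tun interface (for example with `ip route` on Linux). Because SaaS traffic now bypasses the corporate network, the visibility for that traffic comes from the CASB the answer goes on to describe, not from the VPN. On Linux, `dhcp-option` values are only applied if an up-script handles them; on Windows they are applied by the client itself.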
How do CISOs prioritise their budget spend given the scale and velocity of attacks?
The budget picture is not clear for most CISOs. CISOs tend to prioritise budget allocation based on new risks and available toolsets to mitigate the risks. As such, we are seeing a lot of ‘emergency purchases’ being channelled to toolsets for endpoint security, mobile security, network security and multi-factor authentication. These areas are being prioritised more now given the increase in the number of remote workers.
Even before the COVID-19 pandemic, most CISOs’ budget prioritisation and spending had been nothing short of ‘impulsive’. Despite all the money that is available in the South African cybersecurity industry, there is a general lack of thought leadership in cybersecurity strategy formulation and budget planning. As the old adage goes, “it takes two to tango”: this problem exists from both the buyer’s (i.e. CISOs’) and the seller’s (i.e. technology vendors’) perspective.
In general, SA’s cybersecurity practice is invaded by excitable technology vendors whose main interest is pushing unconnected technologies “bottled” and sold as commodities, which creates a complex and weak cybersecurity posture with no value for money. On the other hand, we have inexperienced CISOs who buy security solutions with no underpinning plan. This has unfortunately resulted in a phenomenon where the cybersecurity industry is now a “platform” for buying and selling technology wares and not advancing or securing business value! Consequently, there is an inversely proportional relationship between spend and business confidence in security. A good craftsman neither blames his tools nor throws tools at each and every problem.
I personally believe that there are two root causes to this problem: (1) most CISOs come from a technology background. Very few people want to be in the cybersecurity field because they want to write policies and plans. We all joined this field because we got fascinated by cybersecurity technology in one way or another. Consequently, this has created headway for technology vendors to drive companies’ cybersecurity agenda instead of that agenda being driven by business strategic objectives. At the end of the day, CISOs complain that they do not get a seat at the Boardroom table when their very own language is laden with technology jargon that the Board of Directors struggles to understand; and (2) there is a huge shortage of Enterprise Security Architects to address the problem of cyber security solutions being designed, developed/acquired and implemented on a tactical basis. SS-Consulting resolves these piecemeal problems through better understanding of business requirements as well as a vendor-agnostic approach.
There is also another challenging aspect of the CISO role, which is proving the worth of each Rand spent on cybersecurity. Not only must the CISO ascertain which projects to implement to mitigate business risks, but the CISO must also take the security budget into consideration to see if a security project is worthwhile. One way of justifying a project is to show its return on investment (ROI), or else the project will not get the nod of the Financial Director or CFO. Proving ROI for security projects is very challenging because the benefits of investing in security are intangible (e.g. improved customer trust, prevented security breaches, etc.) and have a lagging effect, in that the benefits or returns are not realised immediately.
It often seems like CISOs are losing the battle against cybercriminals. Is that true? Any hope on the horizon? How should they approach creating a security strategy given the extent of the threats and the need for the business to be open and responsive?
My take on this one is that CISOs are not losing the battle against cybercriminals because of the overwhelming threat landscape, but primarily because of the skills shortage. It is a battle of wits in which CISOs are losing the skills race to the cybercriminals. There are a myriad of reports and surveys that have been conducted to highlight the dearth of cybersecurity skills. This has resulted in so much pressure among CISOs, as they have to do more with less. A widely circulated report earlier this year noted that about one in seven CISOs turned to drugs or alcohol to cope with job pressures. The vast majority – almost nine in 10 – typically worked beyond 40-hour weeks and many couldn’t truly disconnect during limited downtime. This likely included the 23% who admit work negatively impacted personal relationships. A recipe for burnout, you say? That may explain why the tenure for 55% of survey respondents was less than three years (30% had served less than two years).
Is security being taken seriously in corporate SA (public and private sectors), and is IT security on the board agenda? Impact of King IV?
Corporate SA is starting to take security seriously, both public and private sectors. The past few years have seen a growing awareness of the importance of cyber security, particularly in light of numerous ransomware attacks against state-owned entities (e.g. City of Johannesburg) and high-profile breaches that have seen millions of consumer records exposed. As a result, CISOs have increasingly been brought into Boardrooms to advise on risk mitigation and protective measures.
Even more recently, when it became clear that COVID-19 was going to be more than a minor disruptor, CISOs were tasked with assisting Boards the world over in helping to prepare for the effects the virus was going to have on their operations. Coronavirus risk mitigation and preparation have been their focus area for months – mainly from a technical perspective.
It is so unfortunate that the CISOs’ voice seems to be limited to the technical world only, when there is a wealth of knowledge they can impart to the Board from a business perspective. Nonetheless, the number of CISOs in the Boardroom is finally catching up. A strong relationship between CISO and Board is an indication that cyber security is at the forefront of the Board’s agenda.
In your view, what are the up-and-coming security threats/ trends that CISOs need to understand?
Herewith a list of up-and-coming trends that CISOs need to be on the lookout for:
Artificial Intelligence and Machine Learning are quickly becoming a double-edged sword:
The advancement of these innovative technologies is benefiting both the good guys (blue team) and the bad guys (red team). This simply means that the malicious use of machine learning and AI will develop on a parallel track to its application in defences. SS-Consulting has partnered with security vendors who have implemented machine learning and AI within their security products to get ahead of the cyber criminal horde.
From a defence perspective, we are starting to see companies eliminating the need to have SOC level-1 security analysts through the adoption of machine learning. On this aspect, we advise our clients to be cautious of the data they feed to machine learning models and AI. Garbage in, garbage out.
Machine learning and AI rely solely on the datasets that are fed to them. While machine learning and AI go a long way in alleviating the cybersecurity skills shortage, they do not completely eliminate the need for human intervention. This is because machine learning and AI lack the business context that only humans can provide.
Machine learning and AI only give probabilities, not definite answers – it is these probabilities and their associated biases that require human intervention. Take a scenario where one of the employees suddenly rocks up at work at 4:30 in the morning to access file shares that he does not normally require. He then downloads documents and sends them to a shared printer.
Will machine learning and AI determine whether this is a legitimate user or a corporate spy? Will machine learning and AI be able to flag this incident as a false positive and have the context to understand that this might be an employee who has recently been assigned to a new project and wants to impress the boss by putting in extra hours to ramp up the project?
From an attack perspective, we are starting to see machine learning and AI improving cyber-attacks like spear phishing and malware at an unprecedented scale that is becoming impossible to manage. Attackers are now using machine learning and AI algorithms to obfuscate malware and hide it from signature-based anti-virus systems. Machine learning and AI are now being used by attackers to search the network for weaknesses at machine speed.
The identified weaknesses are then exploited using malware that is fine-tuned using machine learning. We are starting to see the rise of botnets equipped with distributed power that can be applied to run algorithms and train AI networks to execute illicit instructions from their command and control (C&C) centres. Unsuspecting users will find it difficult to pinpoint an AI-powered phishing email.
The good news is that we have not seen full-blown AI-powered weaponisation yet, but that is only one or two years over the horizon. The concept of ‘flash wars’ no longer exists in comic books alone. Machine learning and AI will accelerate the attack and kill chains, and years in the future their speed and variability will be beyond human comprehension, leading to so-called flash wars.
Rise in ransomware attacks targeting local governments
South Africa remains the most targeted African country in terms of ransomware and business email compromise. The last quarter of 2022 saw an increase in new types of ransomware, including “Akira” ransomware, which was found on the servers of the Development Bank of South Africa in May 2023. TransUnion South Africa suffered a ransomware attack in 2022 where hackers demanded R220 million in ransom. We are expecting this trend to continue rising with added sophistication. This trend underscores the need for the public sector to invest in cyber security with the same urgent approach as seen in the private sector.
Focus shifting to third-party vendor security
A customer data breach through a third-party service provider at Nedbank in February 2020, and the aforementioned incident where a third party obtained access to a TransUnion South Africa server through misuse of an authorised client’s credentials, are some of the indications that it is no longer enough to have a good cyber security strategy. Third-party vendors and service providers must also be diligently assessed. Attackers use smaller third-party vendors as conduits to gain a toehold into larger enterprises.