For years, cybersecurity was something that got “handled later”, usually after more pressing work was done. That gap between innovation and protection could linger for months, sometimes years, until a breach forced the issue.

That world is gone. Attackers are constantly evolving. Digital transformation touches nearly every part of business and security has moved from the IT basement to the boardroom.

Security as a business accelerator

At Vodacom, security is seen as a business accelerator, not just a cost centre.

Luks Zahela, acting executive head of department: security at Vodacom, explains that organisations embedding security early in their strategies experience dramatically fewer costly rework cycles. By addressing security gaps from the outset, companies avoid the expensive and disruptive process of retrofitting protections after systems are already deployed. This approach means organisations are prepared for incidents before they occur, rather than scrambling to respond after the fact.

Anna Collard, senior vice president for content strategy at KnowBe4 Africa and member of Vodacom’s Extraordinary Business Advisory Board, uses a different analogy: “Cybersecurity is a bit like the brakes of a race car. The better the brakes, the faster the car. Cybersecurity shouldn’t be seen as a gatekeeper, but rather a strategic enabler of digital trust. Without trust, no digital transformation can succeed.”

The biggest threats facing South African businesses

Ransomware remains the most pressing threat. Zahela explains that a single ransomware incident can cripple operations for anywhere from a day to several weeks. As organisations accelerate their digital transformation and cloud migration, misconfigurations have become commonplace, creating opportunities that attackers actively exploit.

Supply chain attacks have become a significant concern. When direct breach attempts fail, attackers pivot to targeting an organisation’s partners, contractors and service providers. Even routine maintenance work by trusted third parties can create entry points into corporate networks if those partners lack adequate security controls, Zahela explains.

He says hybrid work has created new vulnerabilities, too. Remote employees connecting from hotels, coffee shops and home networks often lack the security measures present in corporate environments, expanding the attack surface considerably.

According to Collard: “Right now, the biggest risks come from social engineering, business e-mail compromise (BEC) and ransomware, often enabled by weak human controls and poor digital hygiene. South Africa’s high digital adoption rates, combined with limited skills capacity, create the perfect storm for attackers.”

The human element: 85% of attacks

Zahela stresses that social engineering and human factors are the most critical vulnerabilities. “More than 85% of successful attacks exploit human error or behaviour, with criminals deliberately targeting individuals as their primary point of entry.”

Collard adds that artificial intelligence is making social engineering even more convincing. “We’re seeing a sharp rise in AI-driven phishing, deepfakes and supply-chain vulnerabilities, all exploiting human trust and connectivity.”

Zahela says conventional phishing attempts were easy to spot by their poor grammar and bad spelling, which are obvious red flags. Unfortunately, today’s AI-powered attacks are personalised, professionally crafted and psychologically manipulative. They exploit people’s emotions – urgency, fear and helpfulness – in ways that even well-trained users find difficult to resist.

Culture as the primary defence

This is why technology alone cannot solve the human problem. Zahela insists that security cannot remain confined to IT departments. It must become an organisational responsibility, championed from executive leadership down through every level of the company.

Collard highlights the importance of regular testing. “Building human resilience through awareness, simulation and leadership engagement is key. Technology alone isn’t enough. Culture, communication and clarity of accountability make the difference.”

Building trust through transparent controls

Trust has become the foundation of digital business. “Trust is the new currency of the digital economy. When customers know that a company handles data responsibly and transparently, it builds long-term loyalty,” Collard explains. “A robust security posture signals maturity. It tells regulators, investors and partners that the organisation takes accountability seriously.”

Vodacom‘s approach centres on implementing transparent controls that deliver consistent outcomes, building trust with customers and partners alike. By adhering to international standards and governance frameworks, the telecoms giant establishes premium partnerships based on demonstrated security maturity.

The practical benefits are significant. Zahela says that when organisations complete security assessments and implement recommended mitigations, they enjoy reduced audit times and lower insurance premiums. “The proactive work done upfront translates directly into measurable business value.”

Security by design from day one

Collard is adamant about early integration. “Particularly when dealing with AI or AI agent deployment, we must ensure cybersecurity is embedded into these projects from day one, starting from initial design and concept phase to implementation and testing. Governance and safeguarding cannot be an afterthought.”

Vodacom, says Zahela, employs a multi-layered security architecture that leverages its core strengths as both a connectivity and cloud services provider. At the network layer, malicious traffic is intercepted before it reaches critical workloads. At the application layer, security application programming interfaces enable real-time access decisions.

Crucially, these layers communicate and coordinate with each other, creating an integrated defence in-depth approach.

Identity first: zero trust in practice

Identity has become the cornerstone of modern security. Zahela advocates an identity-first approach that continuously validates three critical questions. Is this the right person? Do they have appropriate access? Is this the right time? A legitimate user connecting from an anomalous location at an unusual hour should trigger immediate scrutiny, irrespective of whether or not they have valid credentials.

This approach has fundamentally changed yesterday’s perimeter-based security approach. Where VPNs once granted broad network access to authenticated users, zero trust architecture enforces granular, contextual access controls. Users and systems can only access specific resources at specific times, with every connection requiring fresh authentication and authorisation.

AI: learning from every attack

AI has changed both attack and defence. Zahela says that while AI dominates positive headlines, it’s as important to recognise that malefactors are leveraging the same capabilities. “Vodacom has deployed AI-driven detection systems that learn and improve with each attack. When an incident occurs anywhere in the world, the threat intelligence feeds into the system, enabling proactive protection for all clients before they encounter the same threat.”

Collard remarks on the scale: “For every innovation in defence, attackers innovate too. Bad actors use it to craft convincing BEC scams and automate attacks at scale.”

The performance improvements are dramatic. Mean time to detection and response has compressed from hours to minutes or even seconds. As Zahela observes, this speed is essential because threat actors are constantly improving their tactics: defenders must evolve at the same pace.

Security moves to the boardroom

Over and above financial losses and disruptions to operations, reputation remains the most valuable asset at stake, says Zahela. When customers lose confidence in a company’s data protection, they leave and join competitors. The aftermath is not only immediate financial losses but also long-term harm to reputation and lost future business, damage that is hard to quantify and harder to repair.

Perhaps this is why the conversation has fundamentally shifted. Zahela says cybersecurity has moved from being relegated to IT departments to becoming a standing agenda item in boardroom discussions. “Business leaders now consistently rank security among their top concerns, with many placing it as their number one risk. Budget discussions now begin with security considerations rather than treating them as an afterthought.”

This shift fuels faster, more confident innovation. When security risks are appropriately managed and visible to leadership, executives can make better decisions more quickly, knowing their risk exposure is understood and controlled.

Ultimately, security enables growth.

Collard concludes: “When leaders integrate cybersecurity into their strategy, they create the psychological and operational safety net that enables experimentation, data-driven decision-making and customer confidence. It’s what allows innovation to scale responsibly.”

In a world where digital transformation is no longer optional, security isn’t the brake; it’s what makes speed possible.