Cybersecurity threats present a significant challenge across the African continent, impacting various sectors and regions. As Africa undergoes rapid digital transformation, cyberthreats such as ransomware, business e-mail compromise (BEC) and malware are on the rise, disrupting essential services across nearly every industry.

This increase is driven by the continent’s expanding digital footprint, fuelled by fintech innovation and e-government services. As a result, African organisations have become increasingly attractive targets for cybercriminals. At the same time, challenges persist around cloud security, insider threats and the protection of critical infrastructure. While efforts to bolster cyber resilience and strengthen law enforcement capabilities are underway, the need for a comprehensive cybersecurity culture has never been more urgent.

A commonly overlooked yet vital element of cyber resilience is people. Employees at every level can either strengthen or weaken an organisation’s defences. To explore this further, TechCentral and Velocity Technology Group convened a select group of industry experts – including CIOs, CISOs, and heads of ESG, GRC, legal and HR – to unpack the role of organisational culture in developing cyber resilience, from leadership to the operational front line.

Lessons from the past

The conversation began with a reflection on the 2013 Target breach – an incident later labelled as the industry’s wake-up call. Despite having numerous security controls in place, Target’s vulnerabilities were exploited, exposing a critical gap: its people. From board members and executives to frontline staff, the human element proved pivotal.

Delegates agreed that cultivating a cyber-resilient culture requires a holistic approach. This begins with leadership, where tone and commitment must be set from the top and communicated clearly throughout the organisation. Everyone must understand their role in safeguarding the organisation against cyberthreats.

A lively debate followed regarding where people-enablement efforts should be focused. Some questioned whether board-level and C-suite executives truly understood cybersecurity risk and whether they were allocating sufficient resources to secure the broader workforce. While many organisations are indeed investing in cyber resilience, there is still considerable work to be done in building a truly end-to-end cyber-resilient workforce.

Scaling human firewalls

Beyond basic phishing simulations, how are organisations transforming employees into proactive cyber sensors? How can leadership drive this shift through measurable cultural change?

Many delegates highlighted the need to move beyond traditional awareness training and towards comprehensive human defence programmes. Key points shared included:

Retaining security awareness and simulation as foundational elements;
Leaders setting the tone by modelling secure behaviour;
Establishing behavioural norms, such as using strong passwords and reporting suspicious activity;
Promoting open communication around cybersecurity policies, incidents and expectations; and
Ensuring all employees understand their responsibilities and are held accountable.

By embedding cybersecurity into day-to-day culture, organisations can create an environment of shared responsibility, significantly reducing breach risks and boosting overall resilience.

Risk appetite vs innovation pace

How do organisations balance the pace of digital innovation with the board’s stated cyber-risk appetite? Which governance measures help keep this balance transparent?

Delegates acknowledged that rapid innovation is vital for competitiveness, but it inevitably introduces cybersecurity risk. They shared the following best practices to align innovation with robust security:

Prioritise security from the outset: Embed security into the earliest planning stages of projects. Conduct initial risk assessments to proactively identify vulnerabilities.
Adopt DevSecOps practices: Integrate security into DevOps processes to create a culture of shared responsibility. Automate security testing and continuously monitor for issues.
Implement secure coding practices: Train developers on secure coding methods – such as input validation and encryption – and conduct regular code reviews to spot risks early.
Foster a security-first culture: Promote security as a core value across development teams and reward proactive cybersecurity behaviours.

Conclusion

Delegates concluded that building a cyber-resilient culture means making security a shared, everyday responsibility. Leadership must be active and visible in setting expectations, while human defence strategies must evolve beyond traditional training. Recognising and rewarding good cybersecurity behaviour reinforces positive habits and helps embed a lasting culture of resilience.

TechCentral and Velocity Technology Group thank all participants for their valuable contributions to this critical discussion.