Beyond propaganda: Advocating for a scientific approach to cybersecurity

It turns out that in 2023, global spending on cybersecurity surpassed expectations, reaching approximately $188bn. Picture: FLY:D/UnSplash

Published Jun 25, 2024


By Andile Masuku

In 2020, Cybersecurity Ventures projected that worldwide spending on cybersecurity would range between $160bn (R2.9 trillion) and $170bn in 2023.

Cybersecurity risk surge

The forecast, from the research and media organisation that focuses on the digital economy and the cybersecurity industry, was driven by the escalating threat of cybercrime, which Cybersecurity Ventures anticipated would cost the global economy $10.5 trillion annually by 2025.

It turns out that in 2023, global spending on cybersecurity surpassed those expectations, reaching approximately $188bn. And according to the 2023 forecast from Gartner, the research and advisory firm, global end-user spending on security and risk management is expected to reach $215bn this year.

Africa’s unsettling underinvestment

Despite the global uptick, it's concerning that in Africa, cybersecurity spending remains disproportionately low. The International Data Corporation's Worldwide Security Spending Guide projects that security spending in the Middle East and Africa, excluding Israel, will grow 10.3% year on year in 2024, reaching a mere $6.2bn. By 2027, the figure is expected to rise to just $8.4bn, which some might argue amounts to a significant underinvestment in the region.

Meet Tswelopele Moshe

On cue, this week’s column hijack comes courtesy of young South African cybersecurity practitioner Tswelopele Moshe.

Moshe, a University of Cape Town applied mathematics Master’s student and Allan Gray Orbis Foundation Fellow, is applying his freshly acquired analytical skills to serving real clients within South Africa’s cybersecurity consulting industry.

He credits a fortuitous internship at Sandton consultancy MWR CyberSec during his BSc Honours in mathematics with opening his eyes to the massive security gaps in Africa's digital landscape. Following that internship, Moshe now works at MWR CyberSec full time, and the experience has ignited his desire to develop and implement better cybersecurity solutions.

These days, Moshe is blending his academic training with his growing practical consulting experience. He's working on information security approaches that challenge traditional methods, which he hopes to take to market when the time is right.

Here’s what's on Moshe’s mind, in his words:

“Sounds like propaganda to me,” were the words of a former close varsity mate. Whenever I parroted ideas picked up from the internet, he’d repeat this phrase – not because the ideas lacked substance, but because he sensed my shallow grasp. These words have tinted my world view, making me question: What if cybersecurity practitioners haven’t fully grasped security assurance? What if much of cybersecurity is mere back-of-the-envelope, heuristic propaganda?

Terminology note: Investopedia defines heuristics as “mental short cuts used to simplify problems and avoid cognitive overload”. The objective is often solving problems quickly while yielding results that are sufficiently useful given time constraints.

Since becoming a cybersecurity consultant, I've grappled with the contrast between my academic background and professional reality: from pure mathematics, which delves into abstract concepts without necessarily having any immediate practical application, to applied mathematics, where the focus shifts to solving real-world issues using mathematical tools. The tug-of-war reflects the challenge of bridging theoretical knowledge with practical cybersecurity solutions in my daily work.

Much of my professional experience has been rewarding. For example, understanding how a system works and using that knowledge to simulate malicious activity is thrilling. However, the consulting aspect has often felt like navigating through a murky soup of conjecture, where opinions or conclusions are formed with incomplete information, potentially resembling propaganda.

“Sounds like propaganda to me,” are words that keep echoing in my mind as I often struggle to articulate discovered security risks across business functions in precise, unambiguous terms that justify the value of recommended security coverage interventions and inform appropriate levels of urgency and resource allocation.

In many ways, approaches to IT infrastructure security consulting seem heuristic, especially in assessing risks within a business context. While penetration tests identify vulnerabilities, categorising the risks as simply high, medium or low doesn’t adequately inform broader organisational decision-making, especially when accounting for financial impact.

Perhaps brazenly, I’d like to advocate for a more disciplined approach to cybersecurity. One that moves beyond patching flaws sporadically. We need provable security – a science akin to cryptography’s algorithms for confidentiality and authenticity – that aids our ability to track and verify efficacy. Such rigour would compel us to holistically gauge a system’s true security posture and acknowledge our uncertainties, rather than ignoring risks out of fear.

I am convinced that a deep understanding of information security and its risks is vital for advancing towards a scientific approach, away from mere propaganda. The conviction has driven me to embark on a new venture: a start-up dedicated to building a science of information security.

It’s early days and I’m excited and humbled by the scale of the challenge. Our first milestone will be translating information security risk into financial risk – an essential step forward for cybersecurity consulting.

Andile Masuku

Andile Masuku is the co-founder and executive producer of African Tech Roundup. Connect and engage with Andile on X (@MasukuAndile) and via LinkedIn.