OP-ED: A little less propaganda, a little more cybersecurity science feat. Tswelopele Moshe
The drive of young mathematician Tswelopele Moshe to bridge theory with practical consulting solutions reflects a deeper quest for a more scientific approach to cybersecurity, challenging industry norms.
In 2020, Cybersecurity Ventures projected that worldwide spending on cybersecurity would range between $160 billion and $170 billion in 2023.
Cybersecurity risk surge
That forecast by the digital economy and cybersecurity industry-focused research and media organisation was driven by the escalating threat of cybercrime, anticipated to cost the global economy $10.5 trillion annually by 2025.
It turns out that in 2023, global spending on cybersecurity surpassed expectations, reaching approximately $188 billion. According to Gartner's 2023 cybersecurity sector forecast, the research and advisory firm expects global end-user spending on security and risk management to hit $215 billion in 2024.
Africa’s unsettling underinvestment
Despite the global uptick, it's concerning that in Africa, cybersecurity spending remains disproportionately low. The International Data Corporation's (IDC) Worldwide Security Spending Guide projects that security spending in the Middle East and Africa (MEA), excluding Israel, will increase by 10.3% annually in 2024, reaching a mere $6.2 billion. By 2027, this figure is expected to rise to just $8.4 billion, highlighting what some might argue to be a significant underinvestment in the region.
Meet Tswelopele Moshe
On cue, this week’s column hijack comes courtesy of young South African cybersecurity practitioner Tswelopele Moshe. Moshe, a University of Cape Town applied mathematics Master's student and Allan Gray Orbis Foundation Fellow, is applying his freshly acquired analytical skills to serving real clients within South Africa’s cybersecurity consulting industry.
He credits a fortuitous internship at Johannesburg-based consultancy MWR CyberSec during his B.Sc. Honours in Mathematics for opening his eyes to the massive security gaps in Africa’s digital landscape. Following that internship, Moshe now works at MWR CyberSec full-time, and the experience has ignited his desire to develop and implement improved cybersecurity solutions.
These days, Moshe is enthusiastically blending his academic expertise with his growing practical cybersecurity consulting experience. He's working on innovative information security approaches that challenge traditional methods, which he hopes to take to market when the time is right.
Here’s what's on Moshe’s mind, in his words:
"Sounds like propaganda to me," were the words of a former close varsity mate. Whenever I parroted ideas picked up from the internet, he'd repeat this phrase—not because the ideas lacked substance, but because he sensed my shallow grasp. These words have tinted my worldview, making me question: What if cybersecurity practitioners haven't fully grasped security assurance? What if much of cybersecurity is mere back-of-the-envelope, heuristic propaganda?
Terminology note: Investopedia defines heuristics as “mental shortcuts used to simplify problems and avoid cognitive overload”. The objective is often solving problems quickly while yielding results that are sufficiently useful given time constraints.
Since becoming a cybersecurity consultant, I've grappled with the contrast between my academic background and current professional reality: from pure mathematics, which delves into abstract concepts without necessarily any immediate practical application, to applied mathematics, where the focus shifts to solving real-world issues using mathematical tools. This tug-of-war reflects the challenge of bridging theoretical knowledge with practical cybersecurity solutions in my daily work.
Much of my professional experience so far has been rewarding. For example, the excitement of understanding system workings and using that knowledge to simulate malicious activities is thrilling. However, the consulting aspect has often felt like navigating through a murky soup of conjecture—where opinions or conclusions are formed with incomplete information, potentially resembling propaganda.
"Sounds like propaganda to me," are words that keep echoing in my mind as I often struggle to articulate discovered security risks across business functions in precise, unambiguous terms that justify the value of recommended security coverage interventions and inform appropriate levels of urgency and resource allocation.
In many ways, approaches to IT infrastructure security consulting seem heuristic, especially in assessing risks within a business context. While penetration tests identify vulnerabilities, categorising these risks as simply high, medium or low doesn’t adequately inform broader organisational decision-making, especially when accounting for financial impact.
Perhaps brazenly, I’d like to advocate for a more disciplined approach to cybersecurity. One that moves beyond patching flaws sporadically. We need provable security - a science akin to cryptography's algorithms for confidentiality and authenticity - that aids our ability to track and verify efficacy. Such rigour would compel us to holistically gauge a system's true security posture and acknowledge our uncertainties, rather than ignoring risks out of fear.
I am convinced that a deep understanding of information security and its risks is vital for advancing towards a scientific approach, away from mere propaganda. That conviction has driven me to embark on a new venture: a startup dedicated to building a science of information security.
It’s early days, and I’m both excited and humbled at the scale of the challenge. Our first milestone will be translating information security risk into financial risk—an essential step forward for cybersecurity consulting.
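The gap Moshe describes between a "high/medium/low" label and a financial decision can be made concrete. The following is an added illustration, not part of the original op-ed and not Moshe's or MWR CyberSec's method: two constructed pentest findings both carry the label "High", but when each is given a loss-event frequency and a 90% confidence range for per-event loss (all figures invented for the example), a compound-Poisson/lognormal simulation shows very different annualised loss expectancies and tail exposures. The finding names, frequencies and rand amounts are assumptions chosen to make the contrast visible.

```python
"""Constructed example: turn a qualitative pentest rating into a loss distribution.

Each finding gets a loss-event frequency (events per year, modelled as Poisson)
and a 90% confidence interval on the loss per event (modelled as lognormal).
From these we derive the expected annual loss and the simulated loss percentiles,
which is the information a qualitative 'High' label does not carry.
"""
import math
import random
from dataclasses import dataclass

# Two-sided 90% interval: z for the 5th/95th percentiles of a standard normal.
Z_90 = 1.6448536269514722


@dataclass(frozen=True)
class Finding:
    name: str
    label: str              # the qualitative rating a report would print
    events_per_year: float  # estimated loss-event frequency (Poisson rate)
    loss_p5: float          # 5th percentile of loss per event (ZAR, constructed)
    loss_p95: float         # 95th percentile of loss per event (ZAR, constructed)


def lognormal_params(p5: float, p95: float) -> tuple[float, float]:
    """Fit lognormal (mu, sigma) so that p5 and p95 are its 5th/95th percentiles."""
    mu = (math.log(p5) + math.log(p95)) / 2.0
    sigma = (math.log(p95) - math.log(p5)) / (2.0 * Z_90)
    return mu, sigma


def expected_annual_loss(f: Finding) -> float:
    """Closed-form annualised loss expectancy: frequency x mean per-event loss."""
    mu, sigma = lognormal_params(f.loss_p5, f.loss_p95)
    return f.events_per_year * math.exp(mu + sigma ** 2 / 2.0)


def poisson_draw(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_loss(f: Finding, trials: int = 20000, seed: int = 1) -> list[float]:
    """Monte Carlo: sorted list of simulated total annual losses for one finding."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(f.loss_p5, f.loss_p95)
    losses = []
    for _ in range(trials):
        n_events = poisson_draw(rng, f.events_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    losses.sort()
    return losses


def percentile(sorted_losses: list[float], q: float) -> float:
    """Empirical q-quantile of an already sorted sample (0 < q < 1)."""
    idx = min(len(sorted_losses) - 1, int(q * len(sorted_losses)))
    return sorted_losses[idx]


def summarise(findings: list[Finding]) -> list[dict]:
    """Per finding: the label, closed-form ALE, and simulated mean / P50 / P95."""
    rows = []
    for f in findings:
        sim = simulate_annual_loss(f)
        rows.append({
            "name": f.name,
            "label": f.label,
            "ale": expected_annual_loss(f),
            "sim_mean": sum(sim) / len(sim),
            "p50": percentile(sim, 0.50),
            "p95": percentile(sim, 0.95),
        })
    return rows


# Constructed findings: both would be printed as 'High' in a conventional report.
FINDINGS = [
    Finding("Exposed admin panel (hypothetical)", "High", 2.0, 20_000, 500_000),
    Finding("Stale domain admin account (hypothetical)", "High", 0.2, 1_000_000, 20_000_000),
]

if __name__ == "__main__":
    for row in summarise(FINDINGS):
        print(f"{row['name']}: label={row['label']} ALE=R{row['ale']:,.0f} "
              f"P50=R{row['p50']:,.0f} P95=R{row['p95']:,.0f}")
```

The second finding's median annual loss is zero (in most years the event does not occur), yet its expected loss and 95th-percentile exposure dwarf the first finding's. A single "High" label hides exactly that distinction, which is what a budget holder needs when deciding where the next rand of remediation goes; the estimates feeding the model are still judgement calls, but they are explicit and revisable, rather than buried in a colour.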
Editorial Note: A version of this opinion editorial was first published by Business Report on 25 June 2024.