Speaking exclusively to Telecom Review during GISEC 2023, Celia Mantshiyane, chief information security officer, MTN South Africa, delves into the dynamics of cybersecurity and empowering women in this male-dominated domain.
What has been your toughest challenge as a cybersecurity professional in the current digital ecosystem in general and specifically in South Africa?
The biggest challenge currently is perhaps moving from traditional to more modernized infrastructure, such as the cloud. So, making sure that security is embedded in every process — SecDevOps, ISOs, NIST— from a security point of view is crucial. But, among people, processes and technology, I think my biggest challenge is people. In cybersecurity, you leverage other departments to do the right thing for you to be secure. I find that the weakest link in any organization, whether it is users or customers, is people. My biggest challenge is to make sure that our people have the right skills and are knowledgeable in cybersecurity, and that the process of cybersecurity is embedded in every process. However, when it comes to external threats our defense and prevention are in place. We have a great team that manages our operations. To be honest, we deploy the best technologies just to make sure that MTN is secure.
What are the cyber hygiene best practices MTN incorporates, and how are they significant for customers?
From an MTN point of view, all three pillars — people, process, and technology — are key in terms of implementing world-class standards within the organization. Our financial apps are PCI DSS and we are ISO certified. We make sure that all our cyber-control basics are intact in that we want to provide services within an environment that is confident of a trust system with our customers. Apart from this, we implement a stringent self-awareness strategy for our customers, because whatever happens to our customers affects us from an organizational point of view. We are enhancing our cyber awareness campaigns for different customers who have different requirements.
Please give us an idea of how AI will play a role in cybersecurity.
To ensure cybersecurity controls are effective, you want to use the latest technology because the hackers out there are not hacking us manually. They are using automated tools to do that. So, the best way to combat that is with AI and machine learning, and [to] ensure that your processes are always automated with fewer human interventions. From a security point of view, human behavior analytics is quite important that includes identity and access that are abnormal. AI is playing a critical role in terms of how to combat any threats within the environment. I must be honest; the maturity of it is quite slow because some of the processes have AI capability while [others] are still manual. You want to have end-to-end AI capability within all your processes, and that is a journey that we are currently busy with.
Traditionally, the cybersecurity field has been seen as dominated by men. What is your message to the women professionals who are trying to break into this field?
I think that's my favorite topic. As a woman in cybersecurity, you need to be all in. You need to go through all the emotions and get trained in the right qualifications. What is also important is believing in yourself. It's not the external environment that’s a barrier. Sometimes I find it's internal how women feel within this industry. I speak to a lot of young women and tell them about cybersecurity, and most of them don't want this career, not because it's not a good career option, but because the role models are males dominated or unknown. So firstly, we need to be role models for the upcoming women in cybersecurity. Women need to believe in themselves, go through all the emotions — feel good and bad, cry — and learn. I have been mentored by men in this environment. Hence, it's quite important to have women leaders to mentor young girls. I don’t mean to say that men are not great leaders, but currently, the number of women is growing, and they should also play a role in leading the younger generation into the cybersecurity world. Just like in any other environment, in cybersecurity, diversity is key. You want to have diverse teams, and women are a part of that diversity, including a woman is very important. I've mentored a lot of women on how to enter the cybersecurity environment, and it's not difficult. You just have to believe in yourself.
Any other comments that you would like to make on the importance of cybersecurity in today’s current digital economy?
Within the digital economy, there are generations of both young and old. My mother currently uses online banking, but I feel the cybersecurity training for the elderly needs to be tailored according to their age. And I feel more needs to be done on those aspects. Cybersecurity training needs to be customized for certain ages and groups according to their preference. For example, if you send an awareness video to my son, who's 13, he might have a look at it. But if it is sent to my mother, chances are that she might not see it. Depending on what country one would implement the cybersecurity awareness programs, it could be done through workshops or road shows, and so on for the elderly. It is key to ensure that we close the digital communication gap within the older generation. Another key issue for me is the leadership involvement when it comes to cybersecurity issues. I think we should move away from the word “cybersecurity” as it creates silos. Hence, we need to talk about business resilience with cybersecurity strategy incorporated into the business objectives. Today, if an organization is not elevating cybersecurity, chances are that it can go out of business in no time. Talking to executives in terms of security patches or malware is not going to add any value. But talking about cybersecurity in terms of their systems, products, objectives, and profits can be rewarding. For example, when I talk to my CFO, I explain to her by saying that if this system is down, this is how much it is going to cost per minute, instead of telling my CEO that I need to patch this server and need one-hour downtime. By putting in value to explain the difference between the costs of downtime versus being hacked in four hours, executives can make better decisions on what steps to take. How we incorporate cybersecurity into our businesses and objectives within the organization is crucial.