Change leaders must put security at the heart of transformation


The author, Change Logic’s Keenan Crouch

Change leaders are accustomed to thinking in terms of people and process. These are the pillars of transformation, the levers that guide organisations through mergers, digital rollouts or shifts in operating models.

Yet today, where technology is ingrained in the heartbeat of every business, process and engagement, a third pillar is no less important. And that is security.

As a change leader, you would be remiss to treat protection and security as a downstream concern once the change design is set and the people are mobilised. They need to be part of the change blueprint from the beginning, or the cost of neglect could cripple the business.

The costs associated with a breach are not a scare tactic; they are real and they could be crippling. In South Africa, the average cost of a data breach in 2024 was R53.1-million, decreasing to around R44.1-million in 2025. This decline could be seen as a positive indicator that security measures are improving, but it remains a staggering figure for any business. What’s even more concerning is that the most serious cases have reached as high as R360-million. These numbers are not guesses; they are balance sheet consequences that can derail or even sink ambitious transformation or change programmes.

Consequences of back-burner security

What happens when we leave security too late? In July 2021 Transnet was hit by a ransomware attack that disrupted port and rail operations. The organisation was in the midst of a broader digital transformation aimed at modernising logistics and integrating systems. Instead, it was forced to declare force majeure, revert to paper-based processes and watch as export flows slowed to a crawl. Transformation stalled, reputational damage mounted and the recovery effort became a change project of its own.

The pattern is familiar across industries. During Capital One’s move to the cloud, a single misconfigured firewall exposed credit card data from more than 100 million people. The eventual cost of penalties and settlements exceeded US$190 million. When Marriott acquired Starwood, the lack of early cyber due diligence meant that an existing breach in Starwood carried over into the merged entity. Regulators fined Marriott £18.4-million, with further multi-state settlements in the US.

Even rapid digital rollouts can be dangerous. In 2021 Microsoft’s Power Apps platform shipped with default public settings, leading to the exposure of 38 million records across airlines, government agencies and consumer brands. Each example delivers the same lesson: transformation without early security input is an invitation for cybersecurity risk to become reality.

Putting change into security

We strongly maintain that change management is designed to create clarity during times of disruption. How? It establishes the processes, communication lines and governance structures that enable complex change to occur. Yet if cybersecurity is not part of that scaffolding, change leaders risk leaving the most vulnerable points outside the plan.

According to IBM’s findings, the average lifecycle of a breach in South Africa can stretch to 227 days before it is contained, and every week that passes without detection magnifies the financial and reputational damage. For projects in which new systems are being deployed or products from external vendors are being integrated, those delays can translate into missed deadlines, spiralling budgets and a collapse in stakeholder confidence.

Where business is hit the hardest

The attack vectors that dominate in South Africa are a clue to the link between change and vulnerability. Nearly a fifth of breaches originate from supply chain compromises. Every transformation that involves a new vendor, a systems integrator or a low-code developer is, therefore, a moment of heightened exposure. Unless procurement and contracting processes embed secure configuration and breach notifications from the start, the seeds of the next incident are already planted, just waiting to sprout.

Financial services have always been, and will always be, the target of attackers. These firms face average breach costs of around R70.2 million, yet PwC reports that only 29% of South African organisations expect to increase their cybersecurity budgets by 6% to 10% for 2025. The mismatch between risk and investment is stark.

Change leaders, who already advocate for resources to support training, communication and adoption, must now also make the business case for security. It is not an ancillary cost; it is part of protecting the value of transformation itself.

Security must be part of the change process

Inserting security into the change process isn’t hard, but it does require a shift in mindset. Security should be treated as a formal workstream within every change initiative. That means requirements gathering that includes threat modelling, design reviews that incorporate secure configuration and go-live milestones that are gated by security readiness checks.

In mergers and acquisitions, it means conducting cyber due diligence pre-close and reassessing integration at day one and day 100. In cloud migrations, it means configuring least-privilege access and conducting red-team exercises before production rollout. These are technical tasks, governance decisions and leadership decisions, all rolled into one, and they belong on the agenda of those steering change.

To succeed, change leaders must be as deliberate about protection as they are about process and people. Security can’t be a bolt-on after the work of change is done. It must be the foundation that ensures the future and success of change.