Professor Olayinka David-West
Cybersecurity is no longer a back-office concern; it now sits squarely at the heart of boardroom discussions. As the frequency and sophistication of cyber threats continue to rise, organisations are grappling with the reality that being unaware or unprepared is not just risky, it could be fatal. The unsettling questions that keep surfacing in executive circles are consistent: Are we truly safe? How do we know? What should we do if we’re attacked? These are no longer just IT inquiries; they are critical governance issues involving financial, data, and reputational risks.
One of the greatest challenges is the illusion of control. Many organisations believe that because they have installed intrusion detection systems or patched vulnerabilities, they are adequately protected. But digital attackers are patient and strategic. They can gain access and remain hidden within systems for months, watching, learning, and waiting for the right moment to strike. Vulnerabilities are everywhere—from outdated software to unsuspecting employees.
Even when organisations use the same technology platforms, the configurations and environments differ, which can result in unique weaknesses. A seemingly minor setting change in one system could be the very opening a hacker needs. Therefore, a deep understanding of your technology stack, vendor updates, and policy enforcement is critical. It is not enough to have cybersecurity policies; organisations must rigorously monitor and ensure compliance.
More importantly, businesses need to accept that cyber incidents are inevitable. It is not a matter of whether an incident will occur, but when. In spite of this, many leadership teams have not put in place a clear incident reporting protocol. This means that when breaches occur, the board might not find out until long after the damage is done. This gap in communication weakens trust, delays response, and can cause significant operational and financial disruption. Incident response is no longer a technical procedure handled by the IT department—it is a business survival strategy. It requires thinking holistically about every stage of an attack, from early detection to containment, recovery, and public communication. It even involves making decisions on ransom payments in the case of ransomware attacks.
When asked whether ransom should be paid during an attack, one company I engaged with was clear: they would not pay. Their recovery strategy hinged on a secondary offsite backup system. This response highlights the importance of having an effective and well-tested disaster recovery plan. Without it, recovery could take weeks or months, if it happens at all.
Reducing the mean time to recovery should be a key metric for any organisation. For companies that cannot afford comprehensive recovery infrastructure, cyber insurance may be a necessary fallback. But even insurance is not a silver bullet; without preparation, the consequences can still be devastating.
Another critical issue is how and when organisations should communicate with external stakeholders. Many companies wait until a cyber threat has been fully neutralised before notifying regulators or the public. While this may seem like a cautious approach, it can actually increase systemic risk. Early notification to regulators, in particular, can help other organisations protect themselves against similar attacks. In a connected world, transparency is no longer optional. Keeping security failures secret does not help anyone, but sharing knowledge strengthens collective defence and contributes to an overall safer digital ecosystem.
The truth is that incident response planning is not an add-on to business strategy. It is an essential component of business continuity. But beyond planning, organisations must commit to continuous learning. The cyber threat landscape evolves daily, and so must our defences. Companies, industries, regulators, and nations must work together, share intelligence, and support each other. No organisation is truly secure until every organisation raises its security posture.
Professor Olayinka David-West is an esteemed academic and thought leader in business and technology. As Dean of Lagos Business School, she has led the institution to global acclaim and driven impactful research in digital transformation and inclusive finance. Her work through the Sustainable and Inclusive Digital Financial Services initiative has positioned her as a national voice on financial inclusion and digital innovation. With a portfolio of cybersecurity certifications, research publications, and industry collaboration, she brings valuable insight to the intersection of leadership, governance, and cyber risk. Her passion for mentoring, advocacy, and bridging theory and practice continues to shape the future of Africa’s digital economy.