Challenge

Project Details

A Multi-Stakeholder Intelligence Phase

To build a framework that worked for the entire group, not just the head office, I led an intensive discovery phase:

Stakeholder Deep-Dives

Conducted comprehensive interviews with Cyber teams, Information Security Officers (ISOs), Business Information Security Officers (BISOs) and Application Teams, among others, across various business units to understand their specific operational constraints.

Foreign Entity Integration

Engaged with foreign branch entities to map diverse regulatory triggers, ensuring the framework was legally compliant across all jurisdictions.

Regulatory Alignment

We mapped triggers across diverse African and international regulatory landscapes to ensure every business unit met its specific regional compliance mandates.

Maturity Level Assessment

We measured the maturity across four critical pillars: People, Process, Technology, and Information.

Testing Mapping & Frequency

We developed a “Testing Mapping” engine that dictates the type of test (e.g., Red Teaming, Social Engineering, OSINT) based on asset classification (Critical “Crown Jewels” to Low) and frequency (Daily to Annually).

The Impact

  • Moved the organisation from ad-hoc, siloed testing to a structured, trigger-based rhythm across all regions and business units.
  • Transformed technical pentesting data into a decision-tree model, providing the CISO and Risk Committees with real-time clarity on residual risk.
  • Bridged the gap between legacy cyber programs and modern risk requirements, fostering a culture of “security by design” rather than “security by audit.”