Africa is not what you’d call a hotbed of information security (infosec) expertise. Some in the field tell me that in three crucial infosec sub-professions — malware expertise, exploit writing, and cryptanalysis/cryptography — the continent cannot boast of even a single expert of world-class standing.

It might therefore come across as hubristic to suggest that Africa has much to teach a manager laying out the infosec strategy at an enterprise with world-class aspirations. Yet discussions with security specialists have convinced me that Africa might actually be a good place to learn about and experiment with novel and exciting notions about corporate infosec.

That’s because corporate infosec strategies in most of the world are designed with 99% focus on impenetrability. Nearly all the resources — time, talent and material — are dedicated to reinforcing and extending perimeters. That may turn out to be a massive misallocation of resources, as I will explain.

Let us start with the company you work for.

Does it procure desktops/workstations, tablets or even smartphones for the use of its employees in the office and out of it? How do you know if a couple of logic gates in your computer’s processor — an area only visible under a powerful microscope — have been compromised to enable the slow “exfiltration” of valuable or sensitive information until the precious data can be ferried over an external network to some hostile or rival group or person? Do you even have a “hardware anti-virus” policy at all?

How much time do your security folks spend vetting the supply chain of your equipment for counterfeit or tampered machines that may be harbouring implants within the micro-circuitry itself?

Another question: are your work colleagues and yourself allowed to carry work devices outside the office building? Are you allowed to bring your own devices into the office? What is the policy on “trusted networks”? If you or your colleagues use your devices on networks that neither you nor your company controls, how do you “sanitise” them before allowing them to interact with other devices and systems within your network?

And considering that email address spoofing has become so sophisticated (I regularly get malicious spam from the work addresses of colleagues in respectable firms), all a rogue agent needs to do is know enough about a particular current situation to spoof a completely plausible email from your boss designed to extract vital information about, for instance, a negotiation you may be handling. Infiltrators can likewise spoof an email from your intranet administrator convincing you to take certain actions that might disclose or compromise your access credentials for the corporate network. With sufficient access they can even duplicate your profile and shift your activity to a mirror domain, gaining trusted status in the network and recomposing a plausible, dynamic workspace for you for several days or even a week. The damage they will be able to cause over that period would be enormous.
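A spoofed "boss" message of the kind described above usually cannot fake everything at once: the displayed From: can carry the company domain, but the envelope sender, the Reply-To that the attacker wants answers sent to, and the receiving mail server's DKIM/DMARC verdicts tend to give it away. The check below is an added example, not code from the original article; it parses two constructed sample messages (all domains, names and header values are hypothetical) and applies the alignment test a DMARC-aware gateway performs, flagging the look-alike message while passing the genuine one.

```python
"""Flag a spoofed From: by checking envelope/Reply-To alignment and the
receiving MTA's Authentication-Results.  Added example; sample messages
and domains below are constructed for illustration, not real traffic."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed look-alike "boss" message.  From: shows the company domain, but
# the envelope sender is the attacker's relay, replies are steered elsewhere,
# and DKIM/DMARC failed at the receiving server.  Note that SPF *passes*:
# it only vouches for the attacker's own envelope domain, which is why SPF
# alone says nothing about the From: line a reader actually sees.
SPOOFED = """\
Return-Path: <bounce@mail-relay-example.net>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mail-relay-example.net;
 dkim=fail header.d=example.com;
 dmarc=fail header.from=example.com
From: "Head of Negotiations" <boss@example.com>
Reply-To: <boss@webmail-example.net>
To: analyst@example.com
Subject: Urgent: send me the latest offer figures

Need the figures before the 3pm call, reply here only.
"""

# Constructed genuine message from the same sender.
LEGIT = """\
Return-Path: <boss@example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "Head of Negotiations" <boss@example.com>
To: analyst@example.com
Subject: Re: offer figures

Thanks, got them.
"""


def _domain(header_value):
    """Extract the lower-cased domain from an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _aligned(d1, d2):
    """Relaxed DMARC-style alignment: same domain, or one is a subdomain of the other."""
    if not d1 or not d2:
        return False
    return d1 == d2 or d1.endswith("." + d2) or d2.endswith("." + d1)


def assess(raw_message):
    """Return a list of findings for one RFC 5322 message; empty means it passed."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    envelope_dom = _domain(msg.get("Return-Path"))
    # Absent Reply-To means replies go back to From:, which is the aligned case.
    reply_dom = _domain(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom
    # Authentication-Results is folded across lines; the regex is indifferent to that.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "")))

    findings = []
    if not _aligned(from_dom, envelope_dom):
        findings.append(f"envelope sender {envelope_dom!r} not aligned with From: {from_dom!r}")
    if not _aligned(from_dom, reply_dom):
        findings.append(f"Reply-To domain {reply_dom!r} differs from From: {from_dom!r}")
    # DKIM proves the visible From: domain signed the mail; DMARC ties the
    # SPF/DKIM results to that From: domain.  Either failing is a red flag.
    for check in ("dkim", "dmarc"):
        if auth.get(check) != "pass":
            findings.append(f"{check}={auth.get(check, 'missing')}")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, assess(sample) or "ok")
```

In a gateway, the same logic would run on the server-added Authentication-Results header rather than on pasted text, and a policy of quarantining any message whose Reply-To or envelope domain drifts away from the From: domain catches the "reply here only" pattern that targeted spoofs rely on.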

It is hard to argue, from the scenarios painted above, that your current infosec strategy is up to scratch.

Clearly, there are only two inevitabilities: EVERYTHING you own or use will be connected to the “info-grid” and EVERYTHING will be hacked. The only way to break this inevitability cycle is to stop being competitive, innovative and responsive. Which is the same thing as asking you and your company to close shop and pack off to a deserted island.

My conversations with some of the few Africa-based corporate security professionals, as well as some who work in the Global North but are of African origin, point me to a different mindset about penetrability. There is an easy acknowledgment in Africa that systems are probably already breached or will be breached soon without detection. African infosec professionals are therefore getting more involved in building a working relationship with operational managers so that they can work hand-in-hand designing day-to-day business functions and operating procedures as if a breach is a matter of course. That is tough and not always coherent, but I get the impression that time and practice will make them better at it.

The other key component of this mindset is a sensible allocation of resources to salvage and recovery readiness, so that if critical systems fail in the event of a breach the day-to-day business functions can still proceed because a reasonable quantity of critical functions can be extracted from the debris. Mind you, this is not the same as double-shielding the “crown jewels” of the business, an approach used by progressive security thinkers in the West that is still not sufficiently removed from the “impenetrability” logic/doctrine.

It is easy to see why an African corporate infosec professional approaches things differently. Very few African corporations have their crown jewels already networked. Yet they have been operating, even if not at the most efficient pace. It is therefore possible to envision a scenario of continued functioning even in a context of only partial connectivity.

Another way of making the point is that the African infosec manager can negotiate a state of “reduced technology dependence” with operational managers from a position of greater credibility than her Western counterpart. The Western infosec professional is placed on a vulnerable and exposed Olympian pedestal and armed with mythological weapons to keep the titans at bay. The African infosec professional, aware of her partial expendability, suffers much less hubris.

So next time you visit a fully networked African bank branch that still insists on you filling in a paper slip, I hope you understand the larger picture.