“Regulation alone is not enough if boards don’t build a security posture that challenges applications, devices, and people!”

ALL my.t Business AI Summit

• “People want to know: can I delete all the information about me? Who do I call? How do I do it?”
• “The bad day will happen. The question is: how ready are you to respond quickly?”
• “Data has a currency value, and you must protect it like you protect money.”
• “The challenge is that defenders cannot move as fast as attackers”

At the ALL my.t Business AI Summit in Mauritius, leaders from banking, technology, telecoms and hospitality shared how they are rethinking cyber governance, shifting from purely defensive measures to a board-level culture of trust, transparency, and resilience in the face of intensifying digital threats.

Cybersecurity has moved from the sidelines to the heart of corporate strategy, with boards under growing pressure to treat resilience and data protection as core business priorities rather than technical afterthoughts. That message came through forcefully during the second panel of the ALL my.t Business AI Summit, titled Guardians of Growth: Board-Ready Playbooks for Cyber Compliance and Trust.

Moderated by Jean-Pierre Young, partner at PwC Mauritius, the panel gathered senior figures from banking, hospitality, telecoms and global cybersecurity firms to explore how cyber investment and risk governance can underpin long-term trust and growth.

“Boards are now expected not only to protect value, but to enable it,” Jean-Pierre Young noted at the outset. “It’s no longer just about defensive controls — it’s about creating advantage through trust, compliance, and resilience.”

Alban Lo Gatto, Senior Vice-President Corporate Affairs at Orange Middle East and Africa, spoke candidly about the hard decisions that boards face. “If you look at the P&L in the short term, a data centre is a tough sell,” he said, describing a recent secure data centre initiative. “You have to accept that it won’t be filled straight away, but you invest now to protect your own assets, then open it up to others. That is what builds trust.”

He argued that data localisation and what he called “sovereignty” are essential. “The more you invest in a country, the more you’re building trust for companies and consumers to follow,” he said.

Patrice Hervé, Head of Technology at MCB, emphasised that trust sits at the very heart of the banking model. “Cybersecurity is critical in building this trust from our customers,” he explained. “It is at the core of what we do. It cannot be an afterthought.”

The threat environment has changed dramatically in just a few years, panellists warned. Jayant Dave, Chief Information Security Officer for Asia Pacific and Japan at CheckPoint, pointed to the rapidly falling cost of cyberattacks thanks to AI-enabled tools. “The cost of a DDoS attack five years ago was $100 an hour. Now it is $10,” he said. “The bad day will happen. The question is: how ready are you to respond quickly?”

“There was a tendency to hide issues. We need to move beyond that.”

Jayant Dave argued that zero-trust architectures — shifting from perimeter-based security to identity and access-based controls — are now essential. “You cannot protect every asset,” he said. “You have to segment and prioritise critical infrastructure because the perimeter is no longer just a firewall.”

From the hospitality industry, Abdool Kadell, Group CIO at Sunlife Ltd, described a major cultural shift. “Our board asked us, ‘Are we prepared?’ rather than ‘How much will it cost?’” he noted. “That was a huge difference. Our cybersecurity budget tripled in three years, but it built the trust with our guests.”

“One leakage of data can bring your brand down,” Abdool Kadell added, noting the enormous reputational stakes in a guest-centric business.

Paul Williams, Country Manager for Fortinet across Southern Africa and Indian Ocean Islands, described how data itself had become a unit of economic value. “Gone are the days of just usernames and passwords,” he said. “Data has a currency value, and you must protect it like you protect money.”

He warned that regulation, while necessary, cannot alone keep pace with fast-evolving threats. “Frameworks like NIST 2 are emerging,” he said, “but regulation alone is not enough if boards don’t build a security posture that challenges applications, devices, and people.”

Abdool Kadell noted that rigorous self-assessment is indispensable. “Every six months we benchmark against frameworks like ISO 27001 or NIST,” he said. “Otherwise, you risk overlooking basic things that fraudsters will exploit.”

The conversation then turned to whether compliance itself risks slowing down innovation. “If you are in a heavily regulated sector, you have no choice,” Jayant Dave explained. “The challenge is that defenders cannot move as fast as attackers. So, there is a balance: our job is to let the business adopt emerging technologies safely.”

Alban Lo Gatto suggested that local frameworks alone would not be enough to address global data risks. “Politics is politics — it takes time,” he said. “So, the answer will have to be regional and international conventions.”

He also noted that public expectations about data rights are changing. “People want to know: can I delete all the information about me? Who do I call? How do I do it?” he explained. “That has to be part of the trust we build.”

As the session drew to a close, the panel explored how Mauritius could strengthen its profile as a trusted investment hub for technology in Africa. Paul Williams argued that skills remain a weak link. “We need to educate the older generation as well as the youth,” he said. “Africa alone has 600,000 cybersecurity jobs unfilled today.”

Abdool Kadell underlined the risk of undervaluing technical roles. “The skills are there, but they are not always recognised. People need to understand the true value of these skills,” he explained.

Patrice Hervé called for a more transparent culture around cyber incidents. “There was a tendency to hide issues,” he said. “We need to move beyond that. If an incident happens in one company, it can happen in another. We must share, collaborate, and help protect the entire economy.”

Finally, Jean-Pierre Young, summarising the discussion, argued that “cybersecurity, today, is not just about protection. It is about building resilience, confidence, and trust — and making that a board-level priority.”