
Cyber risk still gets treated as an IT problem, which leads to fear-driven decisions that either stall valuable work or push risk forward without real understanding.
Duncan Rae, Chief Information Security Officer at Pepkor NexTech, frames security as a business partner that educates leaders and places risk ownership where decisions are made.
His approach turns uneducated risk acceptance into informed business decisions by focusing on availability, financial impact, and disciplined spending that builds trust and enables growth.
The modern security executive isn’t paid to say no. The role has shifted from technical gatekeeper to strategic business partner, with cyber risk treated like any other operational exposure, alongside supply chain shocks or currency swings. The goal isn’t to eliminate risk, but to make sure leaders understand it well enough to make clear, informed decisions.
It’s a philosophy embodied by Duncan Rae, a certified information security executive and the current Chief Information Security Officer for Pepkor NexTech. With extensive experience in the retail sector, including leading information security at Pick n Pay, Rae has built a career on turning security into a business enabler. His approach begins by rejecting the historical view of cyber risk as an IT problem, replacing outdated, fear-based tactics with a partnership grounded in education.
"My goal is to make sure cyber risk is treated no differently than any other business risk. It belongs in the same category as supply chain disruption, civil unrest, or currency fluctuations. It is not an IT problem," Rae says. For him, this mindset is designed to prevent two equally damaging outcomes: either valuable innovation is stopped out of fear, or business units proceed with a project anyway, accepting risks they don’t fully understand.
From 'no' to know

Instead, Rae's model creates a middle path. "We're trying to turn 'uneducated risk acceptance' into 'educated risk acceptance,'" he says. But it also hinges on another core principle: risk ownership belongs to the business, not the security team. Here, the security function is to empower operational leaders with the information they need to make the final call, Rae explains. "Even if I say, 'This is a really dangerous risk,' it is their decision to make, not mine," Rae says. "I do not own risk. I highlight it, and it's their case to go forward."
Shared accountability becomes the foundation of trust in Rae's framework. "If a risk manifests, I will be there with them, and I will help them. We will sit in those meetings and explain to the board what we found, why the decision was made, and what happened. We deal with it together."
From the get

For Rae, building that partnership means embedding the security team in the business and learning to "think like them and talk like them." The objective is to evolve from a reactive gatekeeper at the end of a project to a proactive consultant involved from the very beginning. "We are now included in meetings from the very beginning. We are invited to architecture and ideation sessions, where people want our viewpoint early on."
Security as a side effect

When improvements are sold as business benefits, it transforms security into a true business enabler, Rae explains. "We're trying to make sure we're selling these things as a business benefit, not a security benefit. Security is a side effect, and I'm happy with that."
To make his case, Rae focuses on the universal language of the C-suite: finance and availability. "For a retailer, the most powerful conversation is about availability. The finance team can tell me to the cent how much money we bring in on a Saturday morning. That makes it a straightforward business calculation."
The real company killer

The method replaces abstract threats like "brand damage" with tangible data the business already has. "A data breach is survivable for most companies," he explains. "But if we were to lose our point-of-sale systems to ransomware for even two weeks, I'd be looking for a new job, as would everybody. We're done."
Tell a story

A philosophy of education based on storytelling can yield tangible results, according to Rae. In a previous role, he recalls using a penetration test as a teaching moment. "We got a penetration tester in to see how quickly he could get in, and he got in in a couple of hours. I then took the CEO through the story, not in a technical way, but to educate. That immediately opened up the interest, and the next year, we got a lot more money in our security budget."
The ultimate proof is a final, counter-intuitive strategy that builds deep trust with business leaders: "I am very vocal that I am trying to spend as little as I can on security. I think most companies spend too much," Rae concludes. "We spend a lot of time reevaluating tools and service providers to get the best bang for our buck. Doing that work and being vocal about it helps build trust, proving you are a partner focused on the company's bottom line. You're making sure you get as much value as you can out of every cent."