Why Change Leaders Must Put Security at the Heart of Transformation

Sep 23, 2025 | Change management solutions

By Keenan Crouch, Executive Associate at Change Logic

As we enter another cybersecurity month, I have been thinking about the subject from a change management perspective. When we talk about organisational transformation, the conversation almost always begins with two familiar pillars: people and process. These are the foundations of any successful change initiative: how teams work, how they adapt, and how the organisation evolves.

But in today’s hyper-connected world, where every major change is powered by technology, there’s a third pillar that’s too often left out of the conversation: security.

The truth is, security can no longer be an afterthought in transformation programmes. If it is, the cost of neglect could bring even the most ambitious change efforts to a standstill.

The Real Cost of Overlooking Security

The numbers paint a sobering picture. In South Africa, the average cost of a data breach in 2024 was a staggering R53.1 million, according to IBM’s annual Cost of a Data Breach report. While that figure dropped to R44.1 million in 2025, the most serious breaches have cost as much as R360 million.

These aren’t hypothetical risks; they’re balance sheet realities. The wrong breach, at the wrong time, can derail transformation projects, delay digital rollouts, or even wipe out projected returns on investment.

When Security Comes Too Late: Lessons from Real-World Breaches

Consider Transnet’s ransomware attack in July 2021. The organisation was in the middle of a large-scale digital transformation when attackers brought South Africa’s port and rail operations to a halt. Transnet was forced to declare force majeure and revert to manual, paper-based processes. Instead of modernising, the company spent months recovering—its transformation momentum gone, along with millions in losses and reputational damage.

It’s not just South Africa.

  • Capital One suffered a US$190 million fallout after a single misconfigured firewall exposed the data of more than 100 million customers during its cloud migration.
  • Marriott inherited a breach from Starwood Hotels because cyber due diligence wasn’t prioritised during acquisition talks. The penalty? An £18.4 million fine in the UK alone, plus multiple U.S. settlements.
  • Even Microsoft wasn’t immune: in 2021, default settings on its Power Apps platform exposed 38 million records, from airlines to government agencies.

Each case underscores the same point: transformation without security at the table from day one is a risk no organisation can afford.

Change Management Without Security: A Gap Waiting to Be Exploited

Change management exists to bring order to chaos, establishing governance, communication channels, and adoption frameworks during times of disruption. Yet, if cybersecurity isn’t built into this scaffolding, transformation projects can become soft targets for attacks.

On average, it takes 227 days in South Africa to identify and contain a breach. That’s more than seven months of potential damage before organisations even realise what’s happening. For transformation programmes with tight budgets and deadlines, that’s catastrophic.

And the risks aren’t evenly spread. Research shows that nearly 20% of breaches in South Africa stem from supply chain vulnerabilities, third-party vendors, low-code developers, and systems integrators. Every new partner in a transformation project represents a fresh point of exposure.

The Financial Sector: High Stakes, Low Budgets

Financial services remain prime targets, with average breach costs reaching R70.2 million. Yet, PwC reports that only 29% of South African organisations plan to increase cybersecurity budgets by even 6–10% in 2025.

The disconnect is clear: companies are pouring millions into digital transformation while underfunding the very safeguards needed to protect it.

Change leaders, who already advocate for adoption budgets and training resources, must now make the business case for security as an essential part of transformation ROI.

How to Put Security at the Centre of Transformation

Treating security as a core workstream – not a side task – means integrating it into every stage of the change process:

  • Planning: Include threat modelling in requirements gathering.
  • Design: Embed secure configuration reviews in system designs.
  • Execution: Gate go-live milestones with security readiness checks.
  • M&A: Conduct cyber due diligence before Day One, and reassess regularly post-integration.
  • Cloud rollouts: Use least-privilege access principles and red-team testing before production deployment.

Security decisions are not just IT tasks; they are leadership decisions. Change leaders must bring cybersecurity into the same conversations as people, process, and adoption to safeguard the entire transformation journey.

Digital transformation promises speed, agility, and competitiveness. But without security built into its foundations, those same projects risk becoming the very source of vulnerability.

For change leaders, the message is simple: security can’t wait until after the change is done; it must shape the change itself.

Because in the end, the success of any transformation depends not just on what you build, but on how well you protect it.
