
At its 2025 Cybersecurity Summit, the telco argued that a “zero trust” and “secure by design” philosophy is the only way to survive, as government data reveals a tidal wave of attacks.
Safaricom hosted its 2025 Cybersecurity Summit in Nairobi today, setting a stark scene for Kenya’s digital landscape: according to the Communications Authority (CA), the country faced a staggering 4.6 billion cyber threats in the second quarter of 2025 alone.
Against this backdrop, the company made a bold claim: its own advanced security measures have reduced cybersecurity incidents for its business customers by nearly 90%.
Safaricom attributed this success to its Managed Security Operations Centre (MSOC), a 24/7 command center that provides real-time threat detection and response for its enterprise clients.
But the central message from the company’s leadership wasn’t a product pitch; it was a forceful call for a fundamental change in philosophy.
“The old reactive models are failing,” said Nicholas Mulila, Safaricom’s Chief Corporate Security Officer. “We have moved past simple prevention. Today, cyber-resilience is greater than prevention, and a zero-trust architecture is the new baseline.”

Mulila argued that organisations must move from a “prevention-only” mindset to three core principles:
- Secure by Design: This means embedding security into a product’s DNA from the initial concept stage, not trying to bolt it on after it’s built.
- Zero Trust: The new baseline posture is, “Don’t trust anyone.” Mulila called for stricter identity controls and “least-privilege access,” meaning systems and people should only have access to the absolute minimum they need to function.
- Resilience Over Prevention: Mulila framed success not as stopping every attack, which he suggested is impossible, but as reducing the impact and dramatically accelerating the recovery time after an incident occurs.

The brutal irony, Mulila pointed out, is that despite the growing sophistication of attacks like ransomware, many of the most damaging breaches still stem from basic, avoidable vulnerabilities: weak passwords, unpatched software, and poor collaboration within organisations.
Safaricom’s push for a new security model received a strong endorsement from the government.
Eng. John Tanui, Principal Secretary for the State Department for ICT and the Digital Economy, stated that the national strategy has evolved to mirror this approach. “Our national cybersecurity strategy has evolved from being reactive… to a proactive ‘security by design’ approach,” Tanui said, adding that “it is critical to apply AI and Machine Learning to detect and tackle cyber threats.”
This “shared responsibility” model, a theme echoed by Safaricom CEO Peter Ndegwa, was presented as a proven concept. Mulila cited Safaricom’s multi-year collaboration with Kenyan financial institutions, which combined coordinated controls with joint public awareness campaigns. The result, he claimed, was a reduction in certain types of fraud by as much as 90% over four years.
The summit, which coincides with Safaricom’s 25th anniversary, ultimately argued that cybersecurity can no longer be siloed as an “IT department issue.” Safaricom’s leadership, along with its government partners, framed it as a core boardroom responsibility and a pillar of national development, essential for preserving trust as more of the country’s economy moves online.



