Barney de Villiers will present a cyber security version of the Survivability Onion at the Cape Town leg of ITWeb Security Summit 2026.

Some might argue that attack is the best form of defence, but an even better form of defence is not being there in the first place. That’s the initial layer of the Survivability Onion framework, which outlines progressive tactical steps for avoiding conflict and offers fallbacks for when outer layers fail. The framework relies on the principle that the best way to stop an attack is in the earliest stage, but provides steps right through to the point that, if an attack cannot be avoided, it shows how to deal with and recover from it.

Borrowing from the military framework, Barney de Villiers, director of security at payments firm Stitch, says its layered approach can be equally applied to cyber defence.

“The first step in the framework is ‘don't be there’, so don't put yourself in a dangerous situation. In cyber space, that means being ruthless and terminating systems that you don’t need, reducing your attack surface,” he says.

As well as reducing risk, he says reducing the attack surface helps to drive down costs spent on protection of an organisation’s digital environment. “You can save money if you don't have to protect so much real estate,” he adds.

The next step in the framework is that if there is a need to ‘be there’ (or if systems or applications can’t be terminated), the question is what can be done not to be detected.

“That would be camouflage in the military space, but what can you do to make sure that your systems aren’t visible, reducing the chance that they are targeted?”

De Villiers has worked through the various steps of the framework, applying a cyber security lens to them, and will present his findings at the Cape Town leg of the ITWeb Security Summit.

He says the approach focuses on fundamentals rather than tools and has already been adopted by Stitch. The payments infrastructure company is a start-up and, according to De Villiers, has a fast-paced environment with new software being developed and shipped frequently. For more established companies, he says, adoption of the framework might require change management as it challenges some existing ways of thinking, particularly in the software development space.

“It’s about asking the right questions, like ‘why is this designed like this?’ Developers or system implementers often have a feature requirements spec, and they just want to get their solution out. They don't really look at security; they're not really thinking about how to minimise what they're building to protect the system,” he says.

The framework is not just for developers, however. He believes that to be truly effective, the framework needs to be driven by technology leaders, such as CISOs and CIOs, and applied across the whole business. And it’s not something that can be outsourced to security service providers.

“To be successful, you need to hire correctly and to build the right capacity in your teams. But you also need to be a key partner with the business, to be in the design processes, to understand the product line and build bridges with teams across the business to understand what's needed and what's not needed.”

Alongside other cyber security leaders, De Villiers will present his framework at the upcoming ITWeb Security Summit, to be held at Century City Conference Centre in Cape Town on Tuesday, 26 May.