SA’s cyber security readiness remains low.
Despite the escalating number of cyber attacks on South African organisations, cyber security readiness among surveyed local firms is still “pretty low”, remaining unchanged from 2024.
This is according to networking firm Cisco’s 2025 Cyber Security Readiness Index. The findings were shared with South African media yesterday.
Now in its third instalment, the index is based on a double-blind survey of 8 000 global business leaders, including 150 from South Africa, who have cyber security responsibilities in their companies. It was carried out in January and February 2025 via online interviews.
The research respondents were drawn from a range of private sector industries, such as financial services, retail, technology services and manufacturing.
The index is measured across five key pillars: identity intelligence, machine trustworthiness, network resilience, cloud reinforcement and artificial intelligence (AI) fortification.
In addition, the respondents detailed their deployment stages of cyber security solutions, ranging from beginner, formative, progressive and mature.
The report highlights that the majority of companies surveyed remain in the formative stage of security readiness, while facing new complexities brought on by AI and the ongoing talent shortages and cyber security skills gaps.
Detailing the local findings yesterday, Nabeel Rajab, cyber security technician at Cisco South Africa, revealed that only 5% of surveyed organisations in the country have achieved the mature level of readiness. This is the same as last year.
Readiness refers to the maturity of an organisation’s ability to detect and effectively respond to cyber breaches and threats, Rajab explained, highlighting that adopting a secure cyber posture is not happening fast enough.
A further look at the deployment stages shows the progressive stage of the index improved from 28% in 2024, to 36% this year.
The formative stage showed a shift from 57% last year to 53% currently, while there were fewer beginner deployments in 2025, at 6% compared to 10% in 2024.
“Not a lot has changed,” he said about this year’s figures. “The one good thing is that we are at about half of the number of beginners that we had last year, scoring a lot better in terms of immaturity.
“We’re still not moving in terms of the mature area of the index; we can see a shift in the right direction but just not full maturity. We’ve seen and continue to see a lot of breaches in South Africa.
“I think a lot of organisations are waking up to the fact that we could potentially be a target, because we have good infrastructure and a lot of business happening, but certain aspects of protection are still being missed from a maturity perspective.
“We have a lot of large, complex organisations that are targets, but the skills are maybe not there, in terms of adopting and rolling out protection controls.”
According to the report, AI is providing more security assurances across various solutions, but businesses are cautious about viewing the technology as a guaranteed layer of protection.
In SA, the research indicates little has changed in terms of overall AI fortification readiness since the 2024 report, highlighting persistent uncertainties around AI-driven cyber security automation.
“While there have been significant advancements in AI, its deployment in cyber security defences appears to have stalled, suggesting companies are still grappling with concerns around trust, effectiveness and integration,” states the report.
Smangele Nkosi, GM of Cisco South Africa, pointed out that as AI and generative AI (GenAI) adoption increases, it also drives innovation, which is a good thing. At the same time, it also introduces new complexities for security teams.
“AI introduces different dynamics when it comes to security, because malicious actors are becoming more sophisticated. This requires increased defences and deploying an AI defence in your environment.”
Overall, AI is seen as both revolutionising security and escalating threat levels, with nine in 10 organisations facing AI-related security incidents last year.
However, only 59% of respondents are confident their employees fully understand AI-related threats, while 61% believe their teams fully grasp how malicious actors are using AI to execute sophisticated attacks. This awareness gap leaves organisations critically exposed.
Nine in 10 of the respondents in SA said their companies are at least partly using AI technologies, such as GenAI, in threat intelligence.
AI is also largely being used in the areas of threat detection (89%), threat response (81%) and incident recovery (82%). However, the degree to which companies rely upon AI for these tasks is still growing.
Other areas, such as policy deployment (17%), red teaming AI models and applications (13%), infrastructure upgrades (11%) and rule testing (9%), are yet to cross significant comfort thresholds. “AI has more to prove in these areas and we can expect it to take longer for that game-changing trust-level to be reached.”
Rajab noted that AI and GenAI are new interfaces in organisations’ data, providing a completely new way in which data is accessed.
Nkosi added: “To meet today’s cyber security demands, organisations must prioritise AI-powered solutions, streamline their security architecture and build greater awareness of AI-driven threats.
“It’s crucial to focus on AI for faster detection, response and recovery, while also addressing talent shortages and mitigating risks from unmanaged devices and shadow AI.”
