Cybersecurity readiness in South Africa isn’t improving. At all. According to Cisco’s new 2025 Cybersecurity Readiness Index, only 5% of South African organisations have reached a ‘Mature’ level of preparedness against today’s cyber threats — the same as last year. That’s a problem, especially as artificial intelligence rapidly accelerates the threat landscape.
Cisco’s latest report suggests that South African firms are being overwhelmed by AI-enabled attacks, underinvesting in security, and struggling with a critical talent shortage. It paints a grim picture of a sector that knows what’s coming but is moving too slowly to react.
“Fragmented defences and under-resourced teams can’t match the scale or sophistication of today’s attacks,” said Fady Younes, Cisco’s cybersecurity lead for the Middle East and Africa. “Organisations must move beyond incremental fixes. They need AI-native strategies now.”
The index — based on responses from 8,000 global business leaders, including 150 in South Africa, tracks companies across five pillars: identity, networks, trust, cloud and AI. The vast majority of South African companies are stuck in the ‘Formative’ stage, with only a few making it to the ‘Mature’ category.
The AI risk is real — and rising
AI is quickly becoming both the problem and the solution. While 92% of South African organisations say they’re using AI to understand threats, 87% experienced AI-related attacks last year. Worse, 40% of IT teams have no idea how their employees are using public GenAI tools — a shadow IT nightmare.
Unmanaged devices are another weak spot. Hybrid work has made it easier for employees to connect from anywhere — and often, from anything. About 75% of firms report increased security risks because of this, and it’s being compounded by unmonitored GenAI usage.
Budgets are tight. Talent is tighter.
Just 8% of South African companies are spending more than 10% of their IT budgets on cybersecurity. That’s low, considering how many are planning broader IT upgrades this year. And while AI promises faster detection and response, 78% of companies say they don’t have enough skilled cybersecurity staff to manage the load. Over half have more than 10 unfilled roles.
Smangele Nkosi, GM at Cisco South Africa, said, “Organisations need to streamline their architectures, deploy AI-native tools, and close the awareness gap. You can’t defend against what you don’t understand.”
The bottom line is that South African companies are not ready for the next wave of cyber threats, and they know it.
Read the full report: