Beyond AI: Why cyber security remains a human discipline

Artificial intelligence is reshaping cyber security, but what it leaves behind may matter more than what it automates.
By Rennie Naidoo, Professor in Information Systems and Research Director at the Wits School of Business Sciences
Johannesburg, 02 Feb 2026
Rennie Naidoo, professor in Information Systems at the Wits School of Business Sciences.

In the early years of , cyber was a backroom concern: firewalls, antivirus software and the occasional audit. It was a technical domain, managed by specialists and monitored through logs that few executives could decipher. But today, the terrain has shifted.

As South Africa’s economy grows more digital, cyber has evolved from an IT function to an existential concern. It now sits uneasily at the intersection of risk, regulation, reputation and trust. Yet, in this new terrain, one question remains unresolved: what does it really mean to be prepared?

The mirage of maturity

Most organisations answer this through maturity models, risk registers and capability frameworks. These instruments promise measurement, structure, even a kind of strategic comfort. But in an age of permanent compromise, they may also offer something more dangerous: the illusion of control.

Maturity models have gained traction for good reason. They reject binary thinking and instead map security along a continuum, from reactive firefighting to proactive governance. When done well, they encourage capability-building across organisational cultures, processes and technologies.

But the metaphor of maturity can mislead. It suggests a destination, a level of readiness one can eventually arrive at, when in reality the threat landscape evolves faster than any roadmap can keep up.

What we often call maturity may in practice be a well-decorated dashboard. Metrics without meaning, controls without context, and audits that pass while systems silently fail. When the next breach comes – and it will – the question will not be whether the model was followed, but whether the organisation was truly prepared to respond.

SA’s urgency is different

In South Africa, this tension is magnified. The country ranks among the most targeted globally for cyber crime. Financial services, utilities, telecoms and government bodies are lucrative and vulnerable. Ransomware, phishing and business e-mail compromise are not rare events; they form the background noise of digital operations.

Yet while threats are global, South Africa’s constraints are deeply local. Many organisations operate with chronic budget limitations, acute skills shortages and fragmented digital infrastructure. Global frameworks like NIST or ISO 27001 offer useful scaffolding, but they often assume a level of capability and cohesion that may not exist in the local context.

Here, cyber security maturity cannot be reduced to a checklist or borrowed wholesale from another jurisdiction. It must become a deliberate and localised practice of strategic humility; the discipline of knowing where you're weak, not just where you're compliant.

AI, automation and the fragility of knowing

No conversation about cyber security maturity today is complete without acknowledging the role of artificial intelligence (AI). On one hand, AI offers powerful capabilities: automating threat detection, enhancing anomaly spotting and accelerating incident response. For overstretched security teams, it promises a kind of relief – intelligence without fatigue and speed without sleep.

But AI also shifts the ground beneath our feet. It empowers adversaries as much as defenders, enabling more convincing phishing, faster vulnerability discovery, and synthetic identities that bypass traditional detection. As attackers evolve, so too must the models we rely on to gauge readiness.

More subtly, AI challenges how we understand maturity itself. When security becomes algorithmically mediated, human comprehension can begin to recede. Decisions emerge from black boxes. Responses are triggered by opaque logic. Our confidence grows, but our understanding shrinks.

This creates a paradox. AI can increase efficiency but reduce transparency. It can make systems appear more secure, while making it harder to explain why they failed. In such an environment, dashboards may show progress, while the underlying posture becomes less intelligible.

For South African organisations, already grappling with skills shortages and complex regulatory obligations, AI is not a shortcut to maturity. It is a force multiplier that requires clear governance, ethical boundaries and human oversight.

Cyber security maturity is not simply about automating more. It is also about staying accountable for what still demands human judgement.

The human variable

Even the smartest cyber security framework will not hold up if the people behind it are not empowered. At its core, cyber security isn’t just a technical issue – it is a human one. It depends on how decisions are made under pressure, how uncertainty is handled, and how teams translate intention into execution.

This is particularly critical in the South African supply chain ecosystem, where one vendor’s vulnerability can affect dozens of organisations. Third-party oversight should not be treated as a formality. It requires shared responsibility and, above all, clarity about where risk truly resides.

Organisational maturity does not emerge from tools or frameworks alone. It begins with the will to ask difficult questions. What data is truly critical? Which systems matter most? Where are the blind spots? Once these are understood, progress becomes more attainable.

Internal assessments that examine both technical posture and behavioural norms can clarify the next steps. Defining a target state, identifying gaps and building a roadmap are essential, but they only take root when ownership is clear and sustained.

Large enterprises may benefit from external consultants and structured capability reviews. Smaller organisations can begin with freely available frameworks and simplified self-assessments. What matters most is not the complexity of the method, but the seriousness with which the work is undertaken.

The discipline of resilience

Cyber security maturity models offer valuable structure, but they are not strategy. They can help track progress, but they do not confer readiness by themselves. They offer a language, but not the mindset.

The organisations that endure are those that treat security not as a box-ticking exercise, but as a continuous act of vigilance. They question their assumptions. They test their limits. They revise when things break. They invest not only in controls, but in capability.

In the end, resilience is not defined by the ability to avoid every breach. It is defined by the capacity to recover wisely and quickly when a breach occurs.

AI may flag anomalies, and the dashboard may display them in real time, but both are mirrors of the past. They can only show what has already been captured. Beyond that lies the harder work of cyber security: not just leadership and culture, but the management practices and accountability structures that sustain them.

Cyber security today is not a race to maturity. It is a practice of responsibility. And responsibility cannot be delegated – not to vendors, not to frameworks, not even to AI. You can model threats, automate responses and track compliance. But you cannot outsource judgement. You cannot template trust. And you cannot program accountability.

In the end, every organisation must ask not just whether it is compliant, but whether it is prepared to own what cannot be measured.

* Adapted from a paper co-authored with Awonke Mamane, presented at the Southern African Conference for Artificial Intelligence Research (SACAIR 2025).
