Recent weeks have prompted growing concern in South Africa over escalating cyber security incidents. A series of high-profile breaches, combined with DDoS attacks on internet infrastructure, has contributed to a noticeable spike in adverse cyber security events in both the public and private sectors.
Along with the increased targeting of South Africa, the proliferation of threats is being fuelled by the increased use of AI augmentation. The rise of AI means that the risk calculus has changed rapidly over a short space of time. It has lowered the barrier to entry for cyber criminals but has also elevated the volume, speed and complexity of attacks.
This has resulted in much discussion and reflection on both the attribution front and the inevitable questions about the protection and preparedness of private and public organisations. Aside from AI, two common themes always arise: firstly, the shortage of cyber security and AI professionals in the country; and secondly, whether the increased targeting of South African entities will result in increased regulatory focus and sanctions.
This press release is aimed at addressing these two questions, together with how they combine to create significant challenges for all organisations in terms of managing risk and regulatory compliance. This is a critical question as South Africa's legal and regulatory environment grows increasingly demanding and complex. Aside from escalating cyber security risk, many companies are now also contending with getting to grips with the governance aspects of AI.
The GRC skills gap
A cursory review of governance, risk and compliance (GRC) job vacancies reveals a high number of vacancies for experienced security GRC specialists. The increased number of vacancies is partly driven by growth in the number of positions being created due to increased regulatory obligations. However, international competition for GRC specialists is also a contributing factor. The broader IT industry has for years faced an ongoing skills exodus driven by emigration and the lure of foreign opportunities.
International recruiters often target workers at the middle or senior levels, meaning that local companies often find themselves in a cycle of constantly upskilling junior workers, only to lose them after significant investment. This migration problem has now been exacerbated by the growth of “offshoring”, i.e., remote working opportunities in foreign jurisdictions. This has led to many professionals exiting the local workforce while remaining domiciled in South Africa. Many offshoring recruitment firms underline that South African professionals are increasingly sought after for their skills, resilience and English language proficiency. Of course, they cost less as well, further cementing the value proposition.
Another often neglected driver is that there is no obvious single development pipeline for GRC workers, unlike for technical cyber security specialists. GRC teams often comprise legal, compliance and risk specialists but sometimes lack practitioners who combine these attributes with strong technical skills. This is a critical combination for cyber security and AI compliance. A further complicating factor is that many South African organisations operate in more than one jurisdiction, requiring regulatory compliance with international regulatory regimes. Suffice to say, achieving the required level of experience and mix of skills in a GRC team is a complex task, often made more difficult by skills retention challenges.
A rapidly evolving regulatory landscape
Hyper-rapid technological change has resulted in a near constant stream of new international regulations. Organisations have traditionally faced IT and cyber security audits; these have increasingly become major priorities at the enterprise level. However, innovative technologies, namely artificial intelligence (AI) and post-quantum cryptography (PQC), pose novel challenges, and the workforces required to deal with them are only now coming into nascent existence.
In the Global North, AI compliance is already evolving and moving towards auditable outcomes. However, technology advancements are relentless, and the evolving raft of AI regulation is being closely tracked by quantum-related developments, with the EU and USA already moving on PQC roadmaps.
It is tempting for South African entities to imagine that significant domestic legislation and regulation for these technologies is a distant future GRC challenge. The reality, however, is different. An example is the FSCA’s 2025-2028 Regulation Plan, which outlines future interventions, including the development of regulatory frameworks for emerging technology and risks, one of which is AI.
On the cyber security and data privacy front, South Africa's data protection and cyber security landscape matured significantly in the past 12 months, with new POPIA regulations, a joint cyber security standard for financial institutions and the introduction of King V, which is a considerable departure from King IV. King V places high emphasis on information governance, data privacy and emerging technology governance. It also places the responsibility on directors to ensure that technology security, governance, risk management and data privacy management are all firmly in place. As a result of these developments, regulators and auditors increasingly expect well documented governance, risk and compliance programmes. The challenge here is that building out an increased governance capability across both cyber security and AI requires dedicated resources that many organisations have difficulty sustaining.
Why outsourcing your GRC requirements makes sense
The local market has a critical shortage of professionals who specialise in GRC across both the governance and technical disciplines. This requires professionals who can conduct AI and cyber security risk assessments and manage programmes, e.g., ISO 27001/2, ISO 42001, King V, POPIA, GDPR, DORA and the FSCA Joint Standards 1 and 2, not to mention the remaining myriad global regulatory frameworks. These are distinct, mature disciplines that take years to develop. A solution to this problem is outsourcing to a specialist GRC service provider. This provides organisations with timely access to a multidisciplinary practice that has already built and tested these capabilities across a range of industries.
Cost is another significant factor. Growing and sustaining internal GRC capabilities across both cyber security and AI is a substantial undertaking, and many organisations are finding that it is neither practical nor cost-effective. By electing to outsource certain GRC functions, either for bespoke projects or permanently, organisations can ramp up their GRC capabilities rapidly. They also experience the added benefit of access to an expert team without the staffing challenges. According to Prof Elmarie Biermann, Director at the Cyber Security Institute, the past year has seen unprecedented growth in the number of companies seeking to outsource or augment their GRC capabilities to external providers. She attributes this to the growth in regulatory and legal obligations and increased regulatory scrutiny. This has created far greater obligations for companies to remain compliant, a situation that is aggravated by skills scarcity.
Outsourced GRC transforms complexity into predictable engagement
In a recent survey of chief information officers in South Africa, 72% of CIOs named cyber security and compliance as their top priorities, indicating a “rising concern around regulatory obligations, data privacy and the growing sophistication of cyber threats”. These concerns are compounded by costs, scarce-skills deficiencies and the high velocity of uptake of emerging technologies.
In meeting these challenges, many organisations below the enterprise level have opted for outsourced managed cyber security services to augment their technical operations. Conversely and somewhat counterintuitively, companies have been slower to outsource GRC functions. This is likely because GRC was less complex in the past and was traditionally viewed as an in-house function. However, growing regulatory and technology complexity has seen an upsurge in the uptake of GRC outsourcing, particularly among SMEs. Notably, enterprises are also increasingly opting for outsourcing to augment current in-house GRC teams. This is a recognition of the fact that, much the same as technical security, the establishment and maintenance of GRC capabilities for cyber security and AI require highly skilled staff and significant resources.
Ultimately, the goal of a robust GRC programme goes beyond compliance, because compliance does not equal security. The focus of GRC is to build trust, manage risk and achieve compliance, but above all, to contribute to building security and resilience. In achieving these aims, companies are increasingly realising the benefits of outsourcing to an established GRC partner. Choosing the right GRC partner, one well versed in both cyber security and emerging technologies, provides a unified risk and compliance view, a predictable cost model and a proven level of experience and expertise. Working with trusted partners to build a well-executed GRC programme provides an expedited pathway to elevate real security and resilience and to ensure trust and compliance.
The Cyber Security Institute
The Cyber Security Institute is a well-established information security company which is renowned for its high levels of expertise and client care. CSI specialises in information security Governance, Risk and Compliance consulting and cyber security training. Our highly regarded security consultancy to the public and private sectors provides expert leadership in ISO 27001, ISO 42001, NIST CSF, the JS1 & JS2 Standards and Data Privacy regulations. CSI provides GRC services to clients across international jurisdictions.
The CSI Academy offers fully accredited, bespoke cybersecurity training programs, offered in partnership with universities. CSI also offers the full range of PECB Certifications.
CSI is the proud host of the annual Southern Africa-Netherlands Cyber Security Talent Accelerator and the Cyber Range partner to the Arctic University of Norway & Stellenbosch University.