South African CISOs lift lid on major risk vectors

By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 26 Jun 2026
Karin Hone, CISO at Barloworld; Celia Mantshiyane, CISO at RMB; Justin Williams, head of group information security at MTN Group; and Pepkor’s Duncan Rae. (Photograph by Strike a Pose)

South Africa-based chief information security officers (CISOs) have laid out their top security concerns, with third-party risk (60%) front and centre.

This is one of the biggest takeaways from the preliminary results of the 2026 edition of the ITWeb Brainstorm CISO Survey, hosted as part of ITWeb’s annual Security Summit and in partnership with MTN Business.

The CISOs’ worries are escalating as South African organisations continuously fall victim to cyber attacks, coupled with the advent of artificial intelligence (AI)-driven threats.

An overview of this year’s respondents shows the biggest segment (35.8%) work for organisations with over 10 000 employees, a departure from last year’s sample where the top employee size grouping was between 1 000 and 5 000. The largest segment of respondents, just under a third, work in financial services.

In addition, the CISOs that completed the survey were most likely to report to the group CIO (43%). In terms of number of direct reports, 30% have a team size of 11 to 25.

The online survey, conducted from mid-May to mid-June, yielded verified responses from CISOs or senior cyber security decision-makers.

In the case of third-party risk, this covers cyber hygiene and cyber poverty within an organisation’s partner ecosystem.

In addition to the third-party risk, according to the CISOs, the other top risks are unauthorised access/hacking (51%), social engineering/phishing (47%), configuration weaknesses (43%), malicious software (34%), device vulnerabilities (32%) and external interfaces (21%).

While the top three cyber risks remained the same as last year, there was a switch between third-party risk and unauthorised access, moving to first and second place, respectively.

Presenting the preliminary results, Adrian Hinchcliffe, ITWeb editor-in-chief, told the audience that third-party risk and supply chains remain top of mind for CISOs. He added that there has also been some negative sentiment around budgets and a glass ceiling often keeping the CISO from progressing.

In another first, this year’s results were integrated with inputs from a panel of experts. The panellists included Celia Mantshiyane, CISO at Rand Merchant Bank; Karin Hone, CISO at Barloworld; Justin Williams, head of group information security at MTN Group; and Pepkor’s Duncan Rae.

Asked to comment on the shifts caused by AI automation and emerging technologies and the impact they have on cyber risk management and security strategy, Barloworld’s Hone said: “We have over the past year realised that the human firewall − the people that we are relying on to help us protect our information and our systems − need much more focus, effort and energy. It needs to be made much more approachable and fascinating for them to help us be one of our frontline defence mechanisms.

“I think with the advent of AI, the threats are just exponentially growing and coming out much faster, and for that you need to be able to in a more effective manner look at your threat detection and response.

“The exponential growth in the emerging tech market and AI automation…we’ve never seen such growth as we’ve seen in those types of areas and it forces us as CISOs to really dig into them and get to grips with them in a much more cost-effective manner than we would probably have done in the past.”

Williams added: “Security awareness has always been important...but certainly there's a realisation in this fast-moving world that if your staff are not educated, don’t understand the risk of what they’re doing, they can cause a lot of damage. So, you need that trust relationship that, if they make a mistake, they can come to you quickly and you can sort out the problem and not have to find things that people are too scared to talk about.

“I think the massive changes we’ve seen in the threat landscape, particularly over the last 12 to 18 months, means that threat detection and response is a non-negotiable − you have to be focused on that and be spending more time than we have in the past.”

Adrian Hinchcliffe, ITWeb editor-in-chief. (Photograph by Strike a Pose)

Moving to some of the biggest security incidents that happened in the past year, phishing (59%) was noted as the top threat, followed by social engineering (43%), then identity theft (28%) and malware (26%).

In addition, the respondents listed DOS/DDOS attacks (23%), advanced persistent threats (21%), none (21%), internal staff-related breach (19%), attack on internet/telecoms traffic (15%), attacks on remote systems/workforces (13%) and penetration of network (11%).

Meanwhile, ransomware was the least frequently identified incident (8%) – down from 10% in 2025.

Compared to last year’s results, the same top two were experienced − phishing incidents by 56% and social engineering by 33% of respondents.

Hinchcliffe also highlighted that 67.9% of CISOs state that cyber security is already a top-three board priority, and 58.5% present to the board quarterly.

However, 43.4% of CISOs report directly to the group CIO, and only 17% hold a formal seat on the executive committee.

The results also show that 60% of CISOs saw an increase in budgets compared to the previous year, while 9% said they saw a decrease in budget and 53% of all respondents said they are underfunded.

In addition, the survey highlighted there is a need to improve identity management, with 28.3% of respondents admitting identity theft incidents in the past year. Despite the growth of non-human identities, 75% of organisations rate their maturity in managing machine identities at a score of three or lower.

CISOs are also far more prepared with playbooks for data breaches (92.5%) and ransomware (83%), while just 64% have one for third-party risk, yet it’s identified as the single highest concern.

Download the preliminary results presentation here.
