South African CISOs are operating in a perfect storm. The rising volume and sophistication of attacks, constrained budgets, and a deepening skills shortage are adding to the mental strain of alert fatigue and the growing expectations from boards.

While AI is a vital part of the solution, without a human-centric approach, security leaders are unlikely to avoid the burnout facing so many of their peers.

Heino Gevers, senior director, technical support at Mimecast, says local security leaders are facing a unique convergence of pressures.

“Our security leaders find themselves facing a confluence of challenges. The existential threat of machine-driven attacks, chronically limited budgets and a critical lack of cybersecurity professionals are combining to create an environment where burnout is fast becoming the rule, not the exception,” he warns.

One of the most immediate stressors is the sheer volume of threats. Gevers says teams can spend up to 40% of their time managing false positives, with analysts stuck in a loop of triaging alerts, many of which turn out to be noise.

Organisations have responded to this alert fatigue by layering on more point solutions in an attempt to plug gaps. But Gevers says each additional platform brings more alerts, more dashboards and more complexity.

“Tool sprawl creates operational complexity and the mythical single pane of glass remains out of reach. What’s more, the mindset in South Africa is still one of seeing security teams as cost centres rather than strategic enablers. When breaches occur, security is the first place for blame to land,” he says.

AI both threat and opportunity

Research confirms the pressure CISOs are under. Gartner found 37% of security leaders faced unrealistic expectations, 62% experienced burnout at least once, and 44% multiple times.

Despite this bleak picture, Gevers believes the local industry has reached an inflection point. He says the key question now is whether local organisations can turn that inflection into a genuine pivot.

Looking at potential solutions, Gevers is quick to point out that AI currently sits at the heart of a growing industry tension.

On the one hand, generative AI and automation are being weaponised by attackers, increasing the speed, volume and sophistication of threats. On the other hand, AI is also one of the few realistic levers security leaders have to scale their defences without adding headcount.

For Gevers, the promise of AI lies in its ability to tackle noise, fragmentation and cognitive overload, which he says are the most toxic drivers of burnout. By automating routine triage and integrating signals from email, collaboration platforms and other security tools, AI can approximate the single pane of glass humans have been missing.

“We’ve seen significant ticket volume reduction month over month through AI handling customer requirements that previously required human intervention. We are living proof that it works when implemented correctly,” he says.

Technology alone not enough

Gevers says it’s vital for security leaders to treat their teams’ wellbeing as a strategic concern rather than a soft add-on.

“It’s vital to take a human-centric approach and this means measuring more than incident counts and mean time to respond. It means tracking retention, skills development and the mental health of the people who make the day-to-day risk decisions, and deliberately designing AI deployments to reduce their cognitive load,” he shares.

He also warns against trying to build everything from scratch, saying that in a resource-constrained market, like South Africa, the time to value for home-grown AI initiatives can be 18 to 24 months or more.

Gevers suggests the more pragmatic route of working with partners that already have AI-driven human risk management capabilities as well as integrations into existing collaboration and communication stacks.

“These can act as a ‘parent AI’, learning what normal and risky behaviour look like in a given organisation and providing a foundation from which more tailored, internal agents can later be developed,” he says.

Gevers says there is hope for overworked teams, sharing some immediate steps that can be taken.

He offers these tips to help CISOs navigate stormy waters:

Scale with AI, not just people – Use AI to handle routine triage, false positives and cross-channel correlation so resource-stressed teams can keep pace with the volume and velocity of attacks.

Consolidate and integrate – Reduce tool sprawl by prioritising platforms that integrate across email, collaboration and key security tools, creating something closer to a single pane of glass and cutting cognitive load.

Make wellbeing a measurable priority – Treat analysts’ mental health, retention and skills development as strategic metrics, and design AI deployments explicitly to remove ‘low-value work’ so humans focus on higher‑value decisions.

“The only way that South African security teams can master this perfect storm and make exponential progress is by using AI to scale the work, and human‑centric thinking to protect the people doing it,” Gevers sums up.