Misaligned Leadership in African Cybersecurity


Understanding the Cybersecurity Gap in Africa

A significant gap is emerging in African cybersecurity, particularly between what leaders believe about their employees' readiness and what those employees actually experience. This mismatch highlights a critical issue that needs immediate attention.

According to the KnowBe4 Africa Human Risk Management Report 2025, many leaders are overestimating their employees’ preparedness while underestimating the gaps in trust, training, and action. As organizations focus on strengthening their defenses and investing in security awareness training, this overlooked divide poses an increasing risk.

Anna Collard, SVP of content strategy and evangelist at KnowBe4 Africa, emphasizes that the issue is not awareness alone but also understanding the level of employee awareness. “The level of employees’ awareness is being misunderstood by the organisational leaders responsible for it,” she says.

The Perception Gap: A Growing Concern

The perception gap is becoming more evident. In 2025, 50% of decision-makers rate employee cyber threat-reporting confidence at 4 out of 5. However, in 2024, only 43% of employees felt confident recognizing a threat, with one-third disagreeing that their training was sufficient.

Moreover, over two-thirds of decision-makers (68%) believe that Security Awareness Training (SAT) within their organizations is tailored by role. Yet, only 33% of employees in 2024 felt that to be true, with 16% actively disagreeing. This discrepancy has serious implications because a workforce that appears trained and aware on paper may actually be uncertain, unsupported, and vulnerable.

“This discrepancy between perception and experience is exactly where human risk thrives,” says Collard. “If leaders don’t correct course, they’re building security strategies on false confidence.”

Measuring Awareness: Beyond the Surface

One of the most frequently cited challenges in the report is measuring whether SAT works. More than four in ten respondents said they struggle to track whether their security awareness programs translate into safer behaviors.

A key contributing factor identified in the report is that many organizations still rely on one-size-fits-all SAT, often delivered only annually or biannually, without role-specific customization or behavioral feedback loops. While the report finds that 68% of organizations offer role-based training, this claim is undermined by the fact that a lack of role alignment remains one of the top challenges. The discrepancy is clearest in sectors like manufacturing and healthcare, where generic SAT is most common.

Larger organizations are consistently less confident in employee readiness, train less frequently, and struggle more to measure outcomes. “Awareness without action is like an alarm that no one responds to,” says Collard. “Organizations are investing in security awareness training, but without the structure, tailoring, and follow-through to translate that into secure behavior.”

The New Blind Spot: AI and Shadow Usage

One of the most urgent themes to emerge is the rapid rise of “shadow AI” use. Nearly half of all organizations are still developing formal AI policies, yet up to 80% of employees use personal devices for work, so the risk of unmonitored, unsanctioned AI usage is rising fast.

“Technology has moved faster than policy,” says Collard. “And unless AI tools are properly governed, they become as much a risk vector as they are an asset.”

East Africa is leading the way with more proactive AI governance, while Southern Africa, despite topping training frequency, lags behind on AI policy implementation. This lack of oversight is echoed in the South African Generative AI Roadmap 2025, a recent report by World Wide Worx in partnership with Dell Technologies and Intel. It found that 67% of large South African enterprises are already using generative AI (GenAI), yet fewer than one in seven have a comprehensive strategy to manage its use.

Even more concerning, 59% either have no governance in place or are still in the planning stages. While the GenAI boom reflects technological ambition, it also highlights a growing human risk. The report reveals that only 13% of organizations have implemented safety, privacy, and bias safeguards—meaning most employees may be engaging with powerful tools without clear guidance or accountability.

The Road Ahead: Action and Awareness

The KnowBe4 Africa Human Risk Management Report 2025 outlines five imperatives for African organizations:

  • Customize SAT by role and risk exposure.
  • Track what matters—not just participation, but behavioral outcomes.
  • Formalize reporting structures employees trust and understand.
  • Close the AI policy gap before misuse becomes systemic.
  • Contextualize strategies based on region and sector—because resilience is not one-size-fits-all.

“The human element is often spoken about, but rarely measured in ways that lead to action that acknowledges context,” says Collard. “Our goal is to help organizations stop guessing and start structuring their defenses around real, contextual insights.”

“This is a moment to move from compliance-driven box-ticking to culture-driven resilience. We have the data. Now we need the will.”
