
Op-Ed: Why CISOs are drowning in alerts but missing the real threat

Network defenders have more information at their fingertips than ever before, but the basics are still being missed.

Keith Bulfin Tue, 26 May 2026

Across the global cyber security industry, organisations are investing billions into AI systems, monitoring platforms, cyber infrastructure, governance frameworks, compliance operations, and automated detection capability.

Yet despite this unprecedented investment, the threat landscape continues to accelerate.

Cyber-enabled fraud is increasing.

Ransomware groups are becoming more sophisticated.

Identity compromise is evolving rapidly.

AI-assisted phishing attacks are scaling globally.

And organised criminal networks continue adapting faster than many institutions can respond.

This raises an uncomfortable but increasingly important question: Why are organisations seeing more alerts, more data, more monitoring capability, and more visibility – yet still struggling to stay ahead of emerging threats?

In my view, the answer sits in what I describe as the operational intelligence gap.

For many years, cyber security environments focused primarily on technical visibility:

  • detect anomalies,
  • monitor behaviour,
  • identify patterns,
  • flag irregularities,
  • and automate response.

AI has accelerated this capability dramatically.

Modern systems are now exceptionally effective at processing enormous volumes of information and identifying technical abnormalities at scale. But while AI is highly effective at recognising patterns, it still struggles with something fundamentally human: intent.

And intent matters.

Sophisticated threat actors are no longer simply attacking systems blindly. Increasingly, organised cyber groups operate more like adaptive businesses – constantly testing environments, analysing behavioural weaknesses, identifying governance blind spots, exploiting operational inconsistency, and adjusting methodologies in real time.

This is where many organisations remain vulnerable. Most monitoring systems are designed to identify what is happening technically. Far fewer environments are capable of interpreting why it is happening operationally.

That distinction is becoming critically important.

Many cyber environments now generate overwhelming volumes of alerts, notifications, anomalies, and behavioural indicators. But more visibility does not necessarily create more understanding.

In fact, many organisations are now facing a form of operational saturation:

  • too much data,
  • too many alerts,
  • too many disconnected signals,
  • and insufficient capability to interpret adaptive behavioural threat patterns coherently.

For SMEs, the problem is often even more significant.

Large enterprises may at least possess dedicated cyber teams, governance structures, AI capability, and specialised monitoring systems. SMEs, however, frequently assume cyber risk remains primarily a technology problem that can be solved through software deployment, endpoint protection, or outsourced monitoring.

Increasingly, that assumption is becoming dangerous.

Modern threat actors exploit behaviour as much as technology. They exploit trust. Routine. Human inconsistency. Governance lag. Poor operational visibility. Weak escalation culture. Fragmented communication. And small configuration gaps that appear operationally insignificant in isolation.

The issue is no longer simply a system compromise. It is behavioural manipulation operating inside increasingly complex digital environments.

This is why AI alone will not solve the cyber problem.

AI will remain an extraordinarily powerful capability layer – but future resilience will depend on something broader: the integration of AI capability, operational intelligence, behavioural interpretation, governance oversight, and human-led strategic analysis.

Because ultimately, cyber security is no longer simply about detecting technical anomalies. It is about understanding adaptive human behaviour operating behind them.

And that may become one of the defining security challenges of the next decade.


Keith Bulfin is the founder of the Applied Financial Intelligence Programme and author of the bestselling book “Undercover”. His background includes work across global financial intelligence, organised crime investigations, illicit finance systems, and operational intelligence environments involving international agencies and investigations.
