Why must a successful cyber security strategy combine technical and organizational measures?
Because attackers exploit the human factor, not just technology — so technical controls alone are insufficient; you need the right mix of technical and organizational measures.
Every organization that uses IT needs a strategy for dealing with threats. But a strategy resting only on technical defenses (firewalls, encryption, patching) leaves a huge gap: people. Phishing, social engineering, weak passwords, and misconfiguration all target humans, not code.
Effective strategies therefore integrate organizational concerns — policies, training, processes, governance — to manage the "human factor." The key is the right balance of both elements: strong tech with careless people fails, and vice versa.
Tip: This is why security is often summarized as People, Process, Technology — all three, not just the last one.
Go deeper:
Social engineering (security) (Wikipedia) — why the human factor defeats technical-only defenses.