South African organisations are being urged to confront a hard truth: legacy “trusted network” security is no longer fit for purpose, especially in sectors that keep the country running. According to Armand Kruger, head of cybersecurity at NEC XON, the old idea that anything inside the network can be trusted has become a major systemic risk for businesses, utilities and public institutions alike.
For many local organisations, the shift away from perimeter-based thinking is still incomplete. But that lag, Kruger argues, is exactly where Africa’s cybersecurity opportunity lies. Unlike mature markets that are weighed down by decades of ageing infrastructure and patchwork upgrades, many African enterprises can move straight to newer, cloud-first security models without having to drag old systems along for the ride.
That could prove to be a strategic advantage for South African cybersecurity planning, particularly as attacks become more sophisticated and the workplace becomes more dispersed. From remote work to cloud applications and cross-border operations, the old assumptions that underpinned traditional network security simply do not match how organisations operate today.
Kruger says the continent is in a rare position to leapfrog outdated architectures and adopt zero-trust security from the outset. Instead of building on trust, zero trust is built on verification. Every access request is checked continuously, and no user or device is trusted automatically, even if it is already inside the network.
“This is one of the few areas where being behind is actually an advantage,” Kruger says. “Africa can jump straight into identity-driven, context-aware zero-trust architectures that are designed for distributed environments.”
South African cybersecurity and the case for zero trust
That message is gaining traction as more organisations in Africa begin to rethink how they secure access to systems, applications and data. NEC XON says it has already supported large-scale zero-trust and secure access transformations across enterprise and public-sector environments, helping clients move from implicit trust to more controlled, measurable security frameworks.
The change is not simply about buying new tools. It requires a different mindset. In many organisations, security is still organised around the perimeter — a firewall here, a VPN there, and the assumption that internal access is inherently safer than external access. Kruger says that thinking belongs to a different era.
“The issue is not just technological,” he says. “It is philosophical. If your security model assumes trust inside the network, you do not have a cybersecurity strategy — you have a liability.”
That point is especially relevant in South Africa, where many critical systems still rely on older access methods. Large businesses, utilities, transport systems and public services are among the environments most exposed to attack because they often depend on legacy infrastructure that was never designed for today’s cloud-heavy, mobile, always-on world.
The result is a dangerous mismatch. Systems created for fixed office networks are now expected to protect users working from home, contractors connecting from different locations, and data flowing across multiple cloud platforms. In Kruger’s view, the old secure perimeter has effectively disappeared.
“Today’s organisations operate across cloud platforms, remote workforces and multiple geographies,” he says. “The idea of a secure perimeter is fundamentally outdated.”
For attackers, that gap presents an obvious opening. If a system still relies on the assumption that an internal user is a safe user, then one compromised account or device can cause widespread damage. That is why the move to identity-first cybersecurity is becoming so important.
Under a zero-trust model, access is based on who the user is, what device they are using, where they are connecting from and how they are behaving. It is a more dynamic way of thinking about security, but one that better matches modern threats.
“These days, cybersecurity is about identity, not location,” Kruger says. “Where you are on the network matters far less than who you are, what you’re accessing and under what conditions.”
For organisations that delay modernisation, the downside is growing. The risks include ransomware, data breaches, service disruption and the potential collapse of trust in systems that people rely on every day. In critical infrastructure, that can have consequences far beyond the IT department.
Kruger warns that sticking with outdated security models does not just leave gaps unfilled — it actively makes the environment more vulnerable. As threats evolve, so too do the assumptions criminals exploit.
“Clinging to legacy security models doesn’t just slow you down,” he says. “It increases your exposure. Threat actors are taking advantage of assumptions of trust that simply should not exist anymore.”
A growing number of organisations are pairing zero trust with Secure Access Service Edge (SASE) frameworks, which combine networking and security functions in a cloud-delivered model. For companies expanding across regions, this approach can help simplify access while tightening control.
It is also becoming more relevant as African businesses scale digitally. With operations no longer tied to a single office or country, security frameworks need to be flexible enough to support growth without opening the door to unnecessary risk.
Kruger says the real value of zero trust and SASE is that they are not just defensive tools. They can actually help enable transformation by giving organisations the confidence to modernise faster, work more flexibly and support a wider range of users and systems.
“Security should not be a barrier to innovation,” he says. “Done correctly, it becomes the foundation that allows organisations to operate confidently in a connected, digital-first world.”
The broader message for South African decision-makers is clear. As cyber threats intensify and digital operations become more complex, the country cannot afford to keep leaning on systems built for a world that no longer exists. The opportunity now is to build smarter from the start — and in cybersecurity, that may be one area where Africa really can move ahead of the pack.