Compliance isn’t the enemy of public sector IT security, but treating it as a checkbox is

A recent thought leadership piece by Doros Hadjizenonos, Regional Director for Southern Africa at Fortinet, argues that South African public sector IT leaders are trapped between modernisation mandates and an increasingly rigid compliance environment. The core argument is one of the more genuinely useful ideas in enterprise cybersecurity: ticking every regulatory box is not the same as being secure. Organisations that treat compliance as an annual audit exercise rather than an operational discipline are creating exactly the blind spots attackers exploit. That argument holds. What’s more complicated is whether the prescribed remedy fits the actual patient.

Every major cybersecurity vendor (Palo Alto Networks with its “platformisation” push, Check Point with its Infinity architecture, Cisco with its Security Cloud) is telling a version of the same story right now: consolidate your fragmented tools onto our unified platform, get a single pane of glass, automate the evidence collection, stop firefighting. Cisco’s own research found that only 5% of South African organisations had reached a mature level of cybersecurity preparedness in 2025, the same figure as the year before, which tells you something about how much the platform argument alone is shifting the needle. Fortinet’s Security Fabric is its version of that pitch, and it’s a legitimate one. The consolidation argument is driven by real buyer fatigue with disconnected tooling, not just vendor self-interest. But when the same message comes from every major player in the space simultaneously, it’s worth separating the structural insight from the product positioning.

The South African public sector context sharpens that distinction considerably. The backdrop here is the government’s own Roadmap for the Digital Transformation of Government, which sets an ambitious mandate to modernise services and expand digital public infrastructure, including pushing more sensitive citizen data through multi-cloud environments. That expansion of surface area is real, and it does raise the compliance stakes. But the Auditor-General’s consolidated report on national and provincial audit outcomes for 2024/2025 found that of 70 government entities assessed for cybersecurity, 45 had notable weaknesses in their security posture, and R5.5 billion in government IT infrastructure spending “failed to support modernisation and resilience” because many entities were still operating with ageing infrastructure. At the time of the report, the South African Bureau of Standards was still recovering systems and data 15 months after a cyberattack. The AG found that the SABS breach revealed the absence of a structured response mechanism, an untested disaster recovery plan, and a delayed recovery process, despite the AG having made the same recommendations since 2021/2022.

This is the operating environment into which the unified-platform argument is being made. It’s an environment with skills constraints, procurement dysfunction, and documented failure to act on known recommendations. The five priorities outlined in the Fortinet piece, covering foundational inventory, policy harmonisation, continuous compliance, automation for rapid response, and auditability by design, are all technically sound. They’re also a reasonably advanced capability stack. Most of them presuppose an IT organisation that has already resolved the basics: clear ownership, functional change management, staff who have the time and training to operate sophisticated tooling.

That’s not pessimism about the public sector. The Digital Transformation Roadmap, launched as part of Operation Vulindlela Phase II in May 2025, sets out a focused plan to modernise government services through digital public infrastructure, and the ambition is real. The PA and FSCA published a Joint Standard on Cybersecurity and Cyber Resilience Requirements that took effect in June 2025, with enforcement action, including significant fines, expected in 2026. The regulatory environment is genuinely tightening, and the compliance burden is not going away.

But the Fortinet piece frames the compliance maze as primarily an architectural problem, solvable through the right platform. The Auditor-General’s evidence suggests it’s as much an accountability and governance problem. You can deploy a security fabric that automates compliance evidence collection and still have an entity where senior officials ignore recommendations for four consecutive years. Platform consolidation helps the technically capable. It doesn’t resolve the governance failures that allow known vulnerabilities to persist.

Where the piece is on stronger ground is in its core philosophical point. South Africa faces a real and intensifying threat landscape: SABRIC estimated cybercrime costs the country around R2.2 billion annually, with phishing responsible for 78% of all digital banking fraud in 2025, and Accenture reporting that 54% of local breaches involved compromised user identities. The argument that perimeter-based, siloed security models are insufficient is not vendor spin. It reflects a genuine structural shift in how attacks work. An entity that passes a compliance audit while running disconnected tools across a hybrid estate is genuinely more exposed than one that has end-to-end visibility, regardless of what the checklist says.

The visibility argument is also practically relevant in ways the article doesn’t fully develop. South African government IT is rarely a clean cloud migration. It’s typically a hybrid of legacy systems running workloads that predate POPIA, newer public cloud applications procured by individual departments without central oversight, and a growing surface area of connected devices in environments with unreliable connectivity and no dedicated security staff. A unified platform approach that normalises policy enforcement across that kind of heterogeneous estate has genuine operational value, not just compliance value. This is also where Fortinet has a realistic advantage over competitors: its strength in hybrid and distributed environments at a price-to-performance ratio that is more compatible with constrained public sector procurement than the cloud-native alternatives.

The honest version of this message is that platform consolidation is a meaningful part of the answer, but it needs to be paired with the harder conversations the technology industry tends to avoid: procurement reform, skills investment, and the kind of accountability frameworks that make people act on audit findings rather than defer them indefinitely. South African regulators are entering a more assertive phase of supervision, with expectations shifting from policy alignment to demonstrable, executive-level accountability when cyber, data, or AI risk materialises. That shift in regulatory posture may do more to change behaviour than any platform argument.

The compliance maze is real. The architectural solutions being offered are technically sound. The gap is between what good security infrastructure makes possible and what the organisational conditions in most public sector entities currently allow. Closing that gap requires both, and the technology conversation is probably the easier one.