Public sector IT leaders in 2026 find themselves trapped in a strategic vice.

By Doros Hadjizenonos, regional director: southern Africa at Fortinet

On one side is the urgent mandate to modernise – to deploy AI-driven services, migrate to the cloud, and deliver on the Roadmap for the Digital Transformation of Government.

On the other side is an increasingly rigid maze of compliance requirements, including POPIA, the Cybercrimes Act, and complex internal governance frameworks.

Trying to innovate within these constraints can feel like driving with the handbrake on. The task is clear, but the operating conditions make gaining headway more difficult than most expect.

The challenge is not a lack of intent, though. Most government environments are a hybrid of legacy systems and brand-new cloud applications. Managing a secure, compliant path through this technical debt requires moving beyond the “checkbox” approach to security.

The compliance versus security deadlock

A fundamental philosophy we hold at Fortinet is that being compliant does not automatically mean you are secure.

It is possible for an organisation to tick every box on a regulatory checklist and still suffer a catastrophic breach. This happens when security tools are siloed and do not communicate with one another.

In South Africa, the stakes have risen as we approach the final stages of Phase 1 of the National Digital Transformation Roadmap. With the focus on digitising social protection, the volume of sensitive citizen data in transit is unprecedented.

If compliance is treated as a manual, after-the-fact exercise, it becomes a bottleneck. If security is treated as a “bolt-on” for these new services, it creates blind spots that attackers are quick to exploit.

Visibility as the core architecture

You cannot secure, nor can you report on, what you cannot see. Visibility is the primary requirement that binds security and compliance together. When IT leaders lack a unified view across their entire estate – from on-premises servers to multi-cloud environments – security controls are applied inconsistently.

This is where a unified platform approach, often referred to as a security fabric, becomes essential. Rather than managing a dozen disparate tools, a consolidated architecture provides a “single pane of glass”.

This allows for real-time threat detection while simultaneously automating the evidence collection needed for compliance audits.

By stitching together these siloed environments, organisations – both public and private – can move from reactive firefighting to a proactive stance.

This is particularly critical in the public sector, where employees often spend an inordinate amount of time manually proving compliance. Automation can handle the routine reporting, freeing up skilled employees to focus on the actual delivery of citizen services.

Five priorities for navigating the maze

To reduce complexity without compromising on oversight, public sector IT teams should prioritise the following five areas:

  • Establish a foundational inventory: You must have an accurate, real-time view of every device and application connected to your network. This visibility is the starting point for both risk mitigation and auditability.
  • Harmonise policies across environments: Modernisation introduces new platforms faster than governance can usually adapt. The goal should be to implement universal controls that achieve the same security outcomes whether data is in a local data centre or a public cloud.
  • Transition to continuous compliance: Move away from the “annual audit” panic. Use tools that automatically generate compliance evidence over time, making reporting a natural part of daily operations rather than a disruptive project.
  • Leverage automation for rapid response: Manual checks are too slow for the modern threat landscape. Automation should be used to handle routine tasks and to trigger immediate isolation of threats the moment an anomaly is detected.
  • Design for auditability: Compliance is easier to prove when the “who, what, and when” of every system change is recorded in an immutable log. High-level accountability depends on this technical transparency.

The path forward

Public sector IT leaders must modernise at pace, but they cannot afford to ignore the mandates that protect citizen trust. The way through the maze is to ensure there is clear visibility into every connection.

By building security into digital services from the start, and using a consolidated platform to manage the hybrid reality of government IT, we can turn security from a constraint into an engine for progress.

In the end, progress in government IT is measured by the reliability of the services citizens can access. Robust security and automated compliance are among the cornerstones of building this brighter future.