
By Igor Santos

VP of Sales, DataGroupIT

Every quarter, I sit across the table from CISOs and IT directors who tell me the same thing: “We’re doing Zero Trust.” Then I ask a simple question. What does that mean for your organisation, specifically? The answers vary wildly. Some point to a firewall upgrade. Others mention a new VPN replacement. A few reference a vendor pitch deck they received last month.

That gap between intention and execution is where risk lives. And it is wider than most security leaders realise.

A 2024 Gartner survey found that 63% of organisations worldwide have fully or partially implemented a Zero Trust strategy. Sounds like progress. But dig into the detail and the picture shifts: for a substantial share of those organisations, the strategy covers half or less of their environment and, by their own assessment, mitigates a quarter or less of overall enterprise risk. The industry has adopted the language of Zero Trust without adopting the discipline behind it.

The Product Trap

The biggest misconception I encounter in the field is that Zero Trust is a technology purchase. It isn’t. No single product delivers Zero Trust. No vendor can sell you a box that makes your organisation “zero-trust compliant.” The term itself has been so thoroughly co-opted by marketing departments that it has almost lost operational meaning.

Zero Trust is an architectural philosophy. At its core, it means one thing: never grant implicit trust, to any user, device, application, or network segment, regardless of location. Every access request is verified explicitly, using signals such as the identity making it, the device it comes from, and the context of the request; every session is scoped to least privilege and re-evaluated rather than trusted for its lifetime; and every interaction is logged and monitored continuously. That requires policy, process, and technology working together across the entire environment. It is not something you install on a Thursday afternoon.

Gartner projected that by 2026, only 10% of large enterprises will have a mature, measurable Zero Trust programme in place. That figure should concern every board. It means the vast majority of organisations that believe they are “doing Zero Trust” are operating with significant structural gaps they haven’t yet identified.

Identity: The Perimeter That Actually Matters

If there is one area where the gap between Zero Trust ambition and Zero Trust reality is most visible, it is identity.

The 2025 Verizon DBIR confirmed, again, that compromised credentials remain the single most common initial access vector, the way in for 22% of all breaches. In the DBIR's Basic Web Application Attacks pattern, stolen credentials feature in 88% of cases. Attackers are not breaking through walls. They are walking through doors with stolen keys.

IBM’s 2025 Cost of a Data Breach Report reinforces this. Breaches initiated through stolen credentials took an average of 246 days to identify and contain. That is more than eight months of undetected access. Eight months during which an attacker moves laterally, escalates privileges, and extracts value, all while looking like a legitimate user.

The lesson is structural: if your Zero Trust strategy doesn’t begin with identity, it doesn’t begin at all. And yet, in my experience across African and Middle Eastern markets, identity remains one of the most underfunded security domains. Organisations will spend aggressively on network firewalls and endpoint detection while leaving identity governance, multi-factor authentication, and privileged access management chronically under-resourced.

That asymmetry is what attackers exploit.

Culture Eats Architecture for Breakfast

“Never trust, always verify” is a powerful principle. But principles only matter if they are embedded in organisational behaviour, not just network architecture.

I have seen organisations deploy sophisticated microsegmentation across their data centres while their finance team shares credentials over email. I have seen Zero Trust network access tools implemented alongside legacy VPN tunnels that no one remembered to decommission. Technology without policy is just expensive complexity.

The cultural dimension of Zero Trust requires that every employee, from the boardroom to the service desk, understands why access controls exist and why verification is non-negotiable. It means IT leadership has to communicate security decisions as business enablers, not bureaucratic friction. It means HR and operations need to be part of the conversation, because onboarding, offboarding, and role changes are identity lifecycle events with direct security implications.

The 2025 Verizon DBIR found that 60% of all breaches involved the human element. Training programmes alone don’t solve that. What solves it is a security culture where verification is the default expectation, where questioning access is normal, and where the burden of proof sits with the request, not the system.

The Journey, Not the Destination

One of the most damaging things a CISO can do is frame Zero Trust as a project with a completion date. It isn’t a project. It is a continuous programme of improvement, re-evaluation, and adaptation.

The threat surface does not stand still. Attackers adapt. Cloud environments expand. New applications get deployed. Employees change roles. Contractors come and go. Each of these events changes the trust posture of your environment, and your Zero Trust architecture must evolve with it.

At DataGroupIT, we work with partners and enterprises across 16 African markets, and the pattern I observe is consistent: organisations that treat Zero Trust as a journey, with phased milestones, measurable outcomes, and regular reassessment, build genuinely stronger security postures than those that try to buy their way to compliance in a single procurement cycle.

The practical starting points are well established. Map your critical assets and data flows. Understand who accesses what, when, from which device, and why. Enforce multi-factor authentication everywhere, not just on privileged accounts, and prefer phishing-resistant methods such as FIDO2 security keys or passkeys for anything that matters, because push notifications and SMS codes are routinely defeated by phishing kits and prompt fatigue. Implement least-privilege access as a default, not an aspiration, and re-check it whenever a role changes. Decommission the legacy paths, standing VPN tunnels and shared accounts among them, that quietly bypass the new controls. Monitor continuously, including denied requests, and build the organisational muscle to respond when anomalies surface.

None of that requires a seven-figure capital outlay on day one. It requires clarity of intent, executive sponsorship, and a willingness to confront the uncomfortable truth that your current trust model probably has more holes than you think.

The Real Measure of Maturity

There is a question I ask security leaders that tends to cut through the noise: If an attacker compromised one set of credentials in your organisation today, how far could they get before anyone noticed?

The honest answer, for most organisations, is uncomfortably far. And that is precisely the gap Zero Trust is designed to close. Not by preventing every intrusion, because no framework can promise that. But by containing the blast radius when something goes wrong, and ensuring that a single compromised identity does not become an enterprise-wide catastrophe.
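A small worked model of the starting points listed above and of the blast-radius question just posed, added here as an illustration and not taken from the article or from DataGroupIT. It contains a per-request policy decision that checks MFA, device state, session age and role before granting a resource; a blast-radius calculation that answers "how far could one stolen credential get?" for a flat network versus a least-privilege allowlist; and a detector that flags an identity touching, or probing, more distinct resources than normal in a short window. Every resource name, role, user and log event below is constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Least-privilege allowlist: resource -> roles permitted to reach it (constructed data).
RESOURCE_ROLES = {
    "hr-payroll":  {"hr"},
    "finance-erp": {"finance"},
    "git-server":  {"engineering"},
    "crm":         {"sales", "finance"},
    "wiki":        {"hr", "finance", "engineering", "sales"},
}


@dataclass
class Request:
    """One access request with the signals the policy decision point evaluates."""
    user: str
    roles: set
    resource: str
    mfa: bool              # did this session complete MFA?
    device_managed: bool   # is the device enrolled and compliant?
    session_age_min: int = 0


def decide_zero_trust(req, max_session_min=60):
    """Explicit verification on every request; returns (allowed, reason)."""
    if not req.mfa:
        return False, "mfa_required"
    if not req.device_managed:
        return False, "unmanaged_device"
    if req.session_age_min > max_session_min:
        return False, "reauth_required"
    if not (req.roles & RESOURCE_ROLES.get(req.resource, set())):
        return False, "role_not_authorised"
    return True, "ok"


def decide_flat_network(req):
    """Legacy model: once a credential gets you onto the VPN, every internal host is reachable."""
    return True, "on_vpn"


def blast_radius(roles, decide, mfa=True, device_managed=True):
    """Resources a single compromised credential holding these roles can reach under a policy."""
    return {
        res for res in RESOURCE_ROLES
        if decide(Request("attacker", set(roles), res, mfa, device_managed))[0]
    }


# Constructed access-log events: (minute, user, resource, decision reason).
# Denied attempts are kept on purpose: a stolen credential bouncing off resources
# it is not authorised for is exactly the signal a least-privilege allowlist gives you.
EVENTS = [
    (0,   "alice", "hr-payroll",  "ok"),
    (5,   "alice", "wiki",        "ok"),
    (100, "bob",   "git-server",  "ok"),
    (102, "bob",   "crm",         "role_not_authorised"),
    (103, "bob",   "finance-erp", "role_not_authorised"),
    (104, "bob",   "hr-payroll",  "role_not_authorised"),
    (105, "bob",   "wiki",        "ok"),
]


def flag_lateral_movement(events, window_min=15, max_distinct=3):
    """Return {user: resources} for identities that touched or probed more than
    max_distinct resources inside any sliding window of window_min minutes."""
    by_user = defaultdict(list)
    for minute, user, resource, _reason in events:
        by_user[user].append((minute, resource))
    flagged = {}
    for user, touches in by_user.items():
        touches.sort()
        for start, _ in touches:
            in_window = {r for t, r in touches if start <= t < start + window_min}
            if len(in_window) > max_distinct:
                flagged[user] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    finance_cred = {"finance"}
    print("flat network reach:", sorted(blast_radius(finance_cred, decide_flat_network)))
    print("zero trust reach:  ", sorted(blast_radius(finance_cred, decide_zero_trust)))
    print("no MFA reach:      ", sorted(blast_radius(finance_cred, decide_zero_trust, mfa=False)))
    print("flagged:", flag_lateral_movement(EVENTS))
```

With the constructed data, a stolen finance credential reaches all five resources on the flat network, three under the allowlist, and none at all when the attacker cannot satisfy MFA; the detector flags bob, whose credential touched five resources in six minutes, three of them denied, while alice's normal two-resource pattern stays quiet. The point for a real environment is the same: the allowlist shrinks what one identity can reach, and feeding denials into detection is what turns "how far could they get?" into "how quickly would we know?".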

That containment mindset is where real maturity lives. Not in product count. Not in vendor logos on a slide deck. In the disciplined, continuous work of verifying, segmenting, monitoring, and adapting.

Zero Trust is not something you buy. It is something you become.

Igor Santos is VP of Sales at DataGroupIT (DGIT), a pan-African cybersecurity value-added distributor operating across 16+ countries with 350+ channel partners and 1,000+ enterprise customers. DGIT helps organisations build security architecture across identity, data, cloud, network, and managed security services.