From Nairobi to the continent, Njuguna is shaping Africa’s cyber future through responsible AI, resilience, and talent development
George Njuguna is a dynamic cybersecurity and AI governance leader driving digital trust across Africa’s financial, telecom, and regulatory sectors. He translates global standards like PCI DSS, SWIFT, ISO, NIST, SOC2, GDPR, FedRAMP, COBIT and ITIL into enterprise resilience strategies that support innovation and compliance. As Kenya’s Global Ambassador for Responsible AI, he advocates for secure and ethical AI adoption aligned with local context and global accountability.
George advises Banks, Governments, Telcos, Regulators and Businesses on Digital Transformation, Information & Cybersecurity, Risk, Data Privacy and Emerging Threats and Technologies. Through Africa Cyber Defenders, he has mentored hundreds of emerging professionals, while contributing to high-level policy and boardroom conversations. As a respected speaker and panelist on global cybersecurity and AI forums, he continues to shape resilient, inclusive, and future-ready digital ecosystems across the continent.
In this exclusive interview, George Njuguna unpacks how African enterprises can align cybersecurity with business goals, harness AI responsibly, and build digital trust in an era of rising risk.
Q&A with George Njuguna
Q: From intern to influential leader, what inspired your cybersecurity journey, and how did Kenya shape your early perspective on digital trust?
A: Growing up, I was driven by a strong desire to create solutions that could meaningfully address societal challenges. I didn’t yet know what form that would take but I had a natural curiosity for how things worked, especially electronics. This inquisitive nature, paired with a love for learning, became the bedrock of a journey that would eventually lead me into cybersecurity.
My formal path began at Jomo Kenyatta University of Agriculture and Technology (JKUAT), where I pursued a Bachelor’s degree in Information Technology (BSc IT). At JKUAT.
But beyond the theory, I became increasingly fascinated by how technology could be applied to solve real world problems, especially those affecting everyday people and institutions. During my university years, I had the opportunity to intern at the Communications Authority of Kenya (CA), which gave me a foundational understanding of the tech regulatory landscape.
The Serianu Cybersecurity Immersion Program (SCIP) exposed me to real world cybersecurity challenges, particularly in the financial sector, where digital trust isn’t just important, it’s existential. I learned how breaches, fraud, and weak infrastructure don’t just compromise data; they compromise confidence.
Cybersecurity wasn’t just a technical field it was a mission-driven profession. It was about enabling societies, communities and the continent to move forward confidently in the digital age. Through SCIP, I also attended the inaugural ISACA Kenya InterVarsity Bootcamp at the United States International University (USIU‑Africa), thanks to the sponsorship of Serianu and the support of Mr. William Makatiani. That spirit of contribution inspired me to volunteer with ISACA, particularly within the Kenya Chapter, where I’ve continued to serve in various capacities for nearly a decade.
I also led the leadership segment, conducting interviews with notable figures such as Dr. Nancy Onyango (then Director of Internal Audit at IMF), George Njuguna (then CIO, Safaricom), Joan Mburu (CISO, Airtel), and Dr. Vincent Ngundi (Director of Cybersecurity & Head of the National Cybersecurity Centre at CA). These conversations were more than inspiring, they were formative.
I’ve been privileged to work with organizations like Craft Silicon, Silensec and now CYBER RANGES, where I engage with clients across multiple sectors from banking and telecoms to national cybersecurity agencies supporting capacity building, resilience, and digital trust across Africa. Reflecting on my journey, Kenya has been both the training ground and the launchpad. It is a country where digital innovation runs deep, and so do the risks.As we continue to accelerate digital transformation across Africa, we must remember that cybersecurity is not just about defense it is about enabling progress. And that’s the responsibility that continues to inspire me: to protect not just data, but the future we are building together.
Q: You’ve led cybersecurity programs across 5+ African countries and advised banks, telcos, and regulators. What are the biggest governance gaps you’ve seen and how do we close them?
A: From my experience across multiple African countries, the biggest governance gap isn’t just about policies or technology, it’s about how disconnected and uncoordinated our cybersecurity efforts remain.
Many organizations, regulators, and industries operate in silos, which creates blind spots and leaves critical digital infrastructure vulnerable.
Another challenge is the lack of investment in building local expertise and sustainable capacity. Without skilled people on the ground, even the best frameworks stay on paper.
A crucial missing piece is effective cyber threat intelligence sharing, when organizations don’t collaborate or share insights, it’s harder to anticipate and respond to emerging threats collectively.Closing these gaps means building stronger partnerships across governments, regulators, and industry, establishing clear roles and accountability, and investing deeply in local talent development.
Q: What does “cyber resilience” mean to you at a boardroom level and how do you translate technical risk into executive language that drives decisions?
A: Cyber resilience, at a boardroom level, means the organization’s ability to prepare for, withstand, and recover from cyber disruptions without losing business continuity or stakeholder trust. It’s not just about preventing attacks; it’s about how quickly and effectively we respond, adapt, and keep the business running when incidents happen.When engaging executives, I focus on translating technical risks into business impact, for example: This vulnerability puts the customer data at risk, which could lead to regulatory fines, reputational damage, or service downtime.
My goal is to make cyber a business conversation, not just a technical one, aligning security priorities with strategic objectives, and helping leadership see it as a value enabler, not just a cost center.
Q: With CIMSA, CDPO, CSCSO, CAIP, CC, ISO 27001, ISO 27034, ISO 27035, SOC2 Analyst, ISO 42001, PCI DSS and GDPR under your belt and now finalizing your C|CISO and CISSP, how can African enterprises move from compliance-driven to culture-driven security?
A: Compliance is a good start, but it’s not enough. I’ve seen many organizations achieve ISO 27001 or PCI DSS certification, yet still struggle with day-to-day security behavior. To move from compliance-driven to culture-driven security, leaders need to own the message. That means making cybersecurity a shared responsibility, not something left to IT. It also means embedding security into daily operations, through awareness, user-friendly controls, and recognizing secure behavior, just like we do with safety in other industries.
Regulations like the Kenya’s Data Protection Act and GDPR help build the foundation, but what sustains it is empowered people who understand the “why” behind security.
Q: You’ve mentored 200+ professionals through Africa Cyber Defenders. What’s your message to young cyber talent trying to break into the field today?
To young people trying to break into the field, I always say: start where you are, use what you have, and stay curious. You don’t need to know everything, just be willing to learn, build, break, and grow.
A: The truth is, the field needs your perspective, your creativity, and your hunger. Whether you’re writing code, analyzing logs, or helping people understand risk, you are part of something bigger: protecting trust in a digital world.
I also remind them that no one walks this journey alone. Communities like Africa Cyber Defenders, ISACA, AfricaHackon, GCRAI, eDigital Community, KCSFA among others exist for a reason, to learn together, support one another, and lift as we climb. So, stay grounded, stay hungry, and never underestimate what you bring to the table, because the continent needs you.
Q: As Kenya’s Global Ambassador for Responsible AI, where do you see the greatest risks and opportunities, in merging cybersecurity with artificial intelligence?
A: The intersection of AI and cybersecurity is both one of our biggest opportunities and our greatest risks. AI can help us detect threats faster, respond smarter, and automate defenses at scale, especially in environments where resources are stretched. That’s powerful for Africa.
But the same AI can be weaponized, to launch faster attacks, generate deepfakes, or bypass traditional controls. The risk grows when we adopt AI without understanding the data governance, bias, or security implications behind it.
Q: You juggle roles as a speaker, mentor, consultant, and trainer. What keeps you grounded and how do you stay sharp across such a broad knowledge base?
A: What keeps me grounded is purpose. I’ve always been driven by a desire to solve real problems and contribute meaningfully, whether that’s through mentoring, training, consulting, or speaking.
Staying sharp comes from constant learning and staying close to the community. I learn from the people I mentor, the clients I work with, and the teams I train. I also make time to read, explore new technologies, and engage in forums that challenge my thinking.
Most importantly, I stay humble. In this field, the moment you think you know it all, you’re already behind. So, I approach every opportunity as a learner first, that’s what keeps me both sharp and centered.
Q: In your view, what’s holding back cybersecurity maturity in Africa and what role should collaboration across nations play in solving it?
One of the biggest things holding back cybersecurity maturity in Africa is fragmentation, both in capability and coordination. Some countries or sectors are advancing, but others are still laying the foundation. That unevenness creates weak links, especially as systems become more connected across borders.
A: We also face challenges around skills gaps, underinvestment, and limited threat intelligence sharing, which leaves organizations reactive instead of proactive.
Collaboration is key. We need stronger regional partnerships, not just at the government level, but across industries and civil society, to harmonize standards, pool expertise, and respond to threats as a collective. Cybersecurity is a shared challenge, and Africa’s strength will lie in how well we work together to build trust, capacity, and resilience across the continent.
Q: If you could give just one piece of advice to African CISOs building their teams in 2025, what would it be?
A: Build for mindset, not just skillset. In 2025, tools continue to evolve, threats continue to grow more complex but what will set strong teams apart is how they think, adapt, and collaborate. Hire people who are curious, ethical, and resilient, you can train the rest.
And don’t build in isolation. Invest in mentorship, cross-functional learning, and community engagement. The strength of your team will reflect not just what they know, but how well they can learn, unlearn, and lead through change.
Are you a tech leader driving change in Africa?
If you’re leading in cybersecurity, AI, or digital transformation across the continent, we’d love to share your story.
To be featured on CxOTrail, email us at editorial@cxotrail.com.
