By Larissa Kolver, Head of Cyber Security at Securecom
Author Introduction
In my daily conversations with Kiwi business leaders, I see a growing tension: we are trying to run 2025’s digital workflows on 2010’s infrastructure. If your team battles slow apps and clunky VPNs while you juggle security tool sprawl, your legacy network is likely the invisible hand holding you back.
Outline
- The borderless network reality facing NZ organisations.
- Symptoms that legacy WANs are stifling growth.
- Why MPLS and VPNs struggle with cloud traffic.
- The operational risks of security tool sprawl.
- Core principles of modern, borderless network architecture.
- Practical self-assessment for IT leaders.
Key Takeaways
If staff are complaining about slow SaaS apps, VPN issues and inconsistent security, the real problem is usually a 20-year-old network and security design that was never built for cloud, hybrid work or AI-era data flows.
- Legacy hub-and-spoke networks create bottlenecks for SaaS.
- VPNs provide insufficient security for hybrid workforces.
- Tool sprawl increases complexity and security blind spots.
- Modern networks require direct internet access and zero trust.
- AI adoption demands higher bandwidth and data visibility.
- User experience is the new network performance metric.
Introduction
Over the last few years, most New Zealand organisations have quietly become borderless. The traditional perimeter, once defined by the four walls of the office and the firewall in the server room, has evaporated.
Today, your staff work from offices in Auckland, homes in Christchurch, client sites in Wellington, and Koru lounges in between. Your critical applications have shifted from a central data centre to a distributed mesh of SaaS providers and public clouds. Furthermore, AI tools have suddenly become part of everyday workflows, moving sensitive data in ways your original architecture never anticipated.
Yet, despite this fundamental shift in how we work, many mid-sized organisations still rely on Wide Area Network (WAN) and security decisions made a decade or more ago. We are trying to run 2025’s digital business on 2010’s infrastructure.
Legacy MPLS circuits, hub-and-spoke routing, and bolt-on VPNs were never designed for today’s cloud-first reality. They create backhaul bottlenecks, drive up operational costs, and frustrate users when SaaS performance degrades. Simultaneously, years of buying “just one more” point solution have left IT teams juggling dozens of overlapping firewalls, web filters, and proxies.
This article helps you recognise when your current network and security design has quietly become a constraint on growth and outlines the architectural principles that modern organisations are using to break free.
The Borderless Network Reality in 2025
For decades, the “castle-and-moat” security model served us well. We kept our data and applications inside the castle (the data centre) and built a moat (the firewall) around it. We used expensive, dedicated private lines (MPLS) to connect our branch offices to the castle. If a user went outside the castle, we gave them a long extension cord (VPN) to plug back in.
That model assumed that the data centre was the centre of the universe. Today, that assumption is false.
In the modern digital enterprise, the internet is the new corporate network. The majority of traffic is no longer destined for the data centre; it is heading to Microsoft 365, Salesforce, AWS, and various AI platforms. When you force this cloud-destined traffic through a legacy architecture, you are fighting against the physics of the internet.
Common Symptoms Your Network is Holding You Back
How do you know if your infrastructure has reached its breaking point? It rarely happens with a single catastrophic failure. Instead, it manifests as a slow accumulation of friction that drags down productivity and agility.
If you recognise the following symptoms, your network architecture may be the root cause:
1. The “SaaS Slowdown” Complaint
You invest in high-speed fibre at your branch offices and employees have gigabit connections at home, yet they still complain that Teams is jittery, SharePoint is slow to load, or ERP transactions are timing out. This is often the “trombone effect” or hairpinning. Even though the user is sitting on a fast internet connection, your network is forcing their traffic to travel all the way back to a central data centre for security inspection before heading out to the cloud, adding unnecessary latency.
2. The VPN Disconnect
Your remote workforce views the corporate VPN as a necessary evil. It is often unstable, slows down their machine, and requires constant toggling on and off. From a security perspective, it is even worse: once a user authenticates to the VPN, they are often granted broad access to the entire network (flat network access), meaning if their device is compromised, the attacker has the keys to the kingdom.
3. Security Tool Sprawl and Blind Spots
Over the years, you have likely added a new appliance for every new threat: a box for URL filtering, a box for anti-malware, a box for DLP, and another for firewalling. This leads to “alert fatigue” and operational complexity. Worse, this stack usually only protects users when they are on the network. When a user works from a café without the VPN, or when an API moves data directly from one SaaS app to another, your expensive stack is bypassed entirely.
4. The AI Data Anxiety
Staff are increasingly pasting data into Generative AI tools to boost productivity. Your current legacy firewalls might block the URL or allow it, but they likely lack the granular visibility to say, “You can use this AI tool, but you cannot upload source code or customer PII.”
Why Legacy MPLS and Perimeter Security Struggle
To understand the solution, we must understand why the old tools are failing.
The Problem with MPLS in a Cloud World
Multiprotocol Label Switching (MPLS) was an engineering marvel for connecting fixed branches to a fixed data centre with guaranteed uptime. However, MPLS is expensive per megabit and rigid to provision. In an era where bandwidth consumption is exploding due to video conferencing and data-heavy AI applications, the cost of scaling MPLS becomes prohibitive. More importantly, MPLS is a private network technology in a public cloud world. Backhauling cloud traffic over expensive private links is financially and technically inefficient.
The Problem with the Perimeter Model
Traditional security relies on location. If you are “inside,” you are trusted. If you are “outside,” you are not. Hybrid work breaks this. Users are everywhere. When you try to stretch the perimeter to cover the user (via VPN), you create a bottleneck. Furthermore, the perimeter model cannot see inside encrypted traffic (HTTPS) without significant performance penalties on legacy hardware appliances, leaving you blind to threats hiding in SSL/TLS tunnels—which now constitute the vast majority of web traffic.
The Risk of Tool Sprawl
Many New Zealand organisations try to patch these holes by buying more tools. The logic seems sound: “We have a gap in remote filtering, so let’s buy a cloud proxy agent.”
However, this approach creates a fragmented environment. You end up with different policies for users depending on whether they are in the office or at home. You have multiple dashboards to manage, different vendors to call for support, and no single source of truth for what is happening across your digital estate.
This complexity is not just an annoyance; it is a security risk. Complexity breeds misconfiguration. If your policy to block “unapproved file sharing” has to be updated in three different consoles, the chance of human error triples.
Principles of a Modern, Borderless Network
If the old model is broken, what replaces it? Leading organisations are moving toward an architecture often referred to as the Secure Access Service Edge (SASE), though we can focus on the principles rather than the acronyms.
A modern, future-ready network is built on three core pillars:
1. Direct Internet Access (Local Breakout)
Instead of routing traffic back to a central hub, traffic should go directly from the user to the destination. If a user in Hamilton needs to access Microsoft 365, their traffic should break out locally in Hamilton via the internet. This requires moving the “brains” of the network (routing and optimisation) to the edge, often achieved through Software-Defined WAN (SD-WAN).
2. Identity-Driven Security (Zero Trust)
We stop trusting traffic based on where it comes from (the office LAN) and start trusting it based on who the user is and the context of their request. This is Zero Trust. Before access is granted to any application, the system verifies the user’s identity, checks the health of their device, and enforces policy. This happens regardless of whether the user is at headquarters or a coffee shop.
3. Convergence of Network and Security
Rather than having separate stacks for connecting users (network) and protecting users (security), these functions converge into a single cloud-delivered platform. Security checks (firewalling, web filtering, DLP) happen in the cloud, close to the user, without the need for on-premises appliances. This ensures that the same security policy follows the user everywhere.
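The two pillars above (identity-driven access and converged, location-independent policy) can be made concrete with a small policy engine. The following is an added example, not Securecom's product code or any vendor's API: it contrasts a castle-and-moat decision, where network location alone decides access, with a zero trust decision that checks identity, device posture and the data being moved, and never consults where the user is connecting from. The application catalogue, group names, device attributes and the crude PII and source-code classifiers are all constructed assumptions standing in for a real identity provider, endpoint agent and DLP engine.

```python
"""Toy policy engine: perimeter (location-based) trust versus zero trust.
Catalogue, groups, device attributes and DLP patterns are constructed for
illustration and do not represent any real product's policy model."""
import re
from dataclasses import dataclass

# Constructed application catalogue: what each destination is and who may use it.
APP_CATALOG = {
    "m365":  {"category": "sanctioned_saas", "allowed_groups": {"staff"}},
    "erp":   {"category": "core_app",        "allowed_groups": {"finance", "ops"}},
    "genai": {"category": "genai",           "allowed_groups": {"staff"}},
}

# Deliberately crude content classifiers standing in for a DLP engine (constructed).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
CODE_MARKERS = ("def ", "import ", "#include", "function ", "class ")


@dataclass
class Request:
    user: str
    groups: set
    mfa_verified: bool
    device_managed: bool
    edr_healthy: bool
    source: str          # "office_lan", "vpn" or "internet"
    destination: str     # key into APP_CATALOG
    payload: str = ""    # excerpt of the data being uploaded, if any


def legacy_perimeter_decision(req: Request) -> str:
    """Castle-and-moat: trust is a function of network location only.
    A compromised laptop on the office LAN (or on the VPN) gets everything."""
    return "allow" if req.source in ("office_lan", "vpn") else "deny"


def classify_payload(text: str) -> set:
    """Return the DLP labels found in an outbound payload."""
    labels = set()
    if EMAIL_RE.search(text) or CARD_RE.search(text):
        labels.add("pii")
    if any(marker in text for marker in CODE_MARKERS):
        labels.add("source_code")
    return labels


def zero_trust_decision(req: Request) -> tuple:
    """Evaluate identity, device health and data policy in that order.
    Note that req.source is never read: the same rules apply at HQ and in a cafe."""
    app = APP_CATALOG.get(req.destination)
    if app is None:
        return ("deny", "unknown destination: no policy exists for it")
    # 1. Identity: who is asking, and are they entitled to this application?
    if not req.mfa_verified:
        return ("deny", "identity: MFA not satisfied")
    if not (req.groups & app["allowed_groups"]):
        return ("deny", "identity: user not entitled to %s" % req.destination)
    # 2. Device posture: is the endpoint managed and is its security agent healthy?
    if not (req.device_managed and req.edr_healthy):
        if app["category"] == "core_app":
            return ("deny", "device: unhealthy endpoint may not reach core applications")
        return ("allow_restricted", "device: unhealthy endpoint limited to browser-only access")
    # 3. Data policy: the "use the AI tool, but not with PII or code" rule from the text.
    labels = classify_payload(req.payload)
    if app["category"] == "genai" and labels:
        return ("deny", "dlp: %s upload to GenAI blocked" % ", ".join(sorted(labels)))
    return ("allow", "identity, device and data policy satisfied")


def run_scenarios() -> dict:
    """Three constructed scenarios showing where the two models disagree."""
    scenarios = {
        # Finance user on the office LAN whose laptop's EDR agent is unhealthy.
        "compromised_on_lan": Request("alice", {"staff", "finance"}, True, True, False,
                                      "office_lan", "erp"),
        # Healthy, MFA-verified remote worker reaching a sanctioned SaaS app.
        "remote_healthy":     Request("bob", {"staff"}, True, True, True,
                                      "internet", "m365"),
        # Staff member pasting customer details and code into a GenAI tool.
        "genai_paste":        Request("carol", {"staff"}, True, True, True,
                                      "internet", "genai",
                                      payload="customer carol@example.com\ndef export(): pass"),
    }
    return {name: (legacy_perimeter_decision(r), zero_trust_decision(r))
            for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, (legacy, zt) in run_scenarios().items():
        print("%-20s legacy=%-6s zero_trust=%s (%s)" % (name, legacy, zt[0], zt[1]))
```

The ordering matters: identity is checked before device posture, and both before content, so a stolen session on an unmanaged device is stopped before any data-handling rule has to fire. Because `source` is never consulted, the policy does not need a second copy for "users at home", which is exactly the duplication the tool-sprawl section warns about.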
A Simple Self-Assessment Checklist
Before you consider specific technologies or vendors, it is vital to understand your current state. Use this simple pulse check to discuss the reality of your environment with your leadership team.
Run a quick internal pulse check:
- Tool Count: How many separate network and security interfaces does your team log into weekly? (If it is more than 5, you have a complexity problem).
- The User Experience Test: Ask a remote worker to turn on their VPN and load a large SharePoint file. Then ask them to do it without VPN. Is there a noticeable difference?
- The “SaaS Visibility” Gap: Can you name every cloud application your finance team is using right now? Can you block them from uploading a specific “Sensitive” labelled document to ChatGPT?
- The Cost of Bandwidth: Calculate your cost per Mbps for your MPLS links versus a standard business fibre internet plan. The difference is the “tax” you are paying for legacy architecture.
Next Steps
Recognising the problem is the first step toward modernisation. You do not need to overhaul your entire infrastructure overnight, but you do need a plan to move away from the constraints of the past.
To prepare for the next stage of your journey, we recommend you:
- Map the User Journey: Select two user profiles—for example, a hybrid knowledge worker using Microsoft 365 and a branch-based operational staff member accessing a core ERP. Trace every “hop” their traffic takes to reach the application. Identify the bottlenecks.
- Capture the Pain Points: Document the top three complaints regarding connectivity and remote access from the last quarter.
- Review the Data: Bring these findings to your next IT leadership meeting. Use this data to shift the conversation from “buying more bandwidth” to “rearchitecting for the cloud era.”
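The "Map the User Journey" step above asks you to trace every hop a user's traffic takes and spot the bottleneck. The script below is an added example (not part of the original article or any Securecom tooling) that parses traceroute-style output and reports whether a path to a cloud destination hairpins through the corporate hub, how much round-trip time the hub transit accounts for, and the penalty versus a local-breakout path. The two traces, the hub address range (10.200.0.0/16) and the destination addresses are constructed for illustration; substitute your own data centre prefixes and real traceroute output.

```python
"""Detect hairpinning in traceroute-style output. Traces, hub prefixes and
addresses are constructed for illustration (RFC 5737 documentation ranges)."""
import ipaddress
import re

# Matches "hop  address  rtt ms"; timed-out hops ("* * *") do not match and are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([\d.]+)\s*ms")

# Constructed: address space belonging to the central data centre / hub.
HUB_NETS = [ipaddress.ip_network("10.200.0.0/16")]

# Constructed traces for the same user reaching the same SaaS endpoint (198.51.100.20).
TRACE_VIA_HUB = """\
 1  192.168.1.1    1.4 ms
 2  10.200.0.1    38.2 ms
 3  10.200.0.254  39.0 ms
 4  10.200.1.1    41.5 ms
 5  203.0.113.9   55.8 ms
 6  * * *
 7  198.51.100.20 63.1 ms
"""
TRACE_LOCAL_BREAKOUT = """\
 1  192.168.1.1    1.3 ms
 2  203.0.113.1    6.9 ms
 3  198.51.100.20 12.4 ms
"""


def parse_hops(text: str) -> list:
    """Return (hop_number, ip_address, rtt_ms) for each hop that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2)), float(m.group(3))))
    return hops


def analyse_trace(text: str, hub_nets=HUB_NETS) -> dict:
    """Flag a hairpin and estimate the RTT spent getting into and across the hub.
    hub_transit_ms is a rough figure: RTT at the last hub hop minus RTT at the
    hop immediately before the path entered the hub."""
    hops = parse_hops(text)
    hub_hops = [h for h in hops if any(h[1] in net for net in hub_nets)]
    result = {
        "hairpinned": bool(hub_hops),
        "end_to_end_ms": hops[-1][2] if hops else None,
        "hub_transit_ms": 0.0,
    }
    if hub_hops:
        first_idx = hops.index(hub_hops[0])
        before_hub = hops[first_idx - 1][2] if first_idx > 0 else 0.0
        result["hub_transit_ms"] = round(hub_hops[-1][2] - before_hub, 1)
    return result


def compare_paths(hub_text: str, direct_text: str) -> dict:
    """Compare a backhauled path with a local-breakout path to the same destination."""
    via_hub = analyse_trace(hub_text)
    direct = analyse_trace(direct_text)
    return {
        "hairpin_penalty_ms": round(via_hub["end_to_end_ms"] - direct["end_to_end_ms"], 1),
        "via_hub": via_hub,
        "direct": direct,
    }


if __name__ == "__main__":
    report = compare_paths(TRACE_VIA_HUB, TRACE_LOCAL_BREAKOUT)
    print("via hub:", report["via_hub"])
    print("direct: ", report["direct"])
    print("hairpin penalty: %.1f ms" % report["hairpin_penalty_ms"])
```

Run the VPN-on and VPN-off traces from the same remote worker's machine against the same SaaS endpoint, as the checklist suggests, and the `hairpin_penalty_ms` figure gives you a number to put in front of the leadership team instead of an anecdote.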
In the next article, we will look at the financial side of this equation: how to build a business case that justifies the move to a modern network by proving that “new technology” can actually cost less than “old habits.”
TotalNET Zero Trust Blog Series
Are you ready to simplify and secure your network for AI, cloud and hybrid work?
- Is your network holding the business back from AI, Cloud and Hybrid Work?
- Building the business case to modernise your network with SASE
- Evaluating modern network and security options without getting lost in SASE hype
- How to de-risk your SASE decision with one accountable NZ provider
- Beyond SASE Go-Live: Operating and Optimising a Modern, Secure Network in the AI Era

About the Author:
Larissa Kolver PMP®, AgilePM® – Head of Cyber Security, Securecom
Larissa is a seasoned cyber resilience leader who blends disciplined project governance with hands-on security engineering, bringing more than ten years of experience across the financial, health and safety, and technology sectors. At Securecom she heads the Security Operations function, translating continuous attack-surface insights into actionable remediation plans that executives can measure. Larissa is passionate about turning board-level risk appetite into a practical cadence – replacing once-a-year checkbox tests with data-driven assurance tied to every release. Her mission is simple: help Kiwi businesses stay one step ahead of attackers while keeping compliance costs in check.
Ready to modernise secure access?
Book a TotalNET Zero Trust assessment workshop and receive a clear, ROI-driven roadmap to simplify your network and security stack.
