Because Instant Matters: A Roadmap for BiMPay’s Success in Barbados

nielharper

Introduction

On June 12, 2026, the Central Bank of Barbados (CBB) will launch BiMPay, a national Instant Payment System (IPS). While the Caribbean has seen high-profile struggles with Central Bank Digital Currencies (CBDCs), specifically the Bahamas’ Sand Dollar, Jamaica’s JAM-DEX, and the Eastern Caribbean’s DCash, BiMPay arrives with a different structural approach.

BiMPay is not a new currency; it is a payment platform designed to facilitate 24/7/365 transactions between existing banks and digital wallets. However, because BiMPay utilizes digital wallets to reach the unbanked, it faces the same “adoption wall” that stalled its regional neighbors. To ensure BiMPay becomes a fixture of daily life rather than a technical footnote, the Government of Barbados must learn from the failures of the prior wave of digital currencies.

Bridging the Gap: Make It Better Than Cash

The regional landscape is a graveyard of “technically sound” projects that failed to reach critical mass.

  • The “Utility Conundrum” (Sand Dollar & JAM-DEX): In the Bahamas and Jamaica, users often asked, “Why do I need this?” If it takes longer to operate the app than to hand over a $10 bill, cash remains king.
  • The “Merchant Friction” (DCash): Merchants were often treated as an afterthought, forced to adopt new hardware or navigate complex settlement delays.
  • The “Trust Deficit”: In several jurisdictions, citizens feared government surveillance of their transactions, leading to a wait and see approach that effectively killed momentum. There is also a deep mistrust across the region when it comes to privacy and security protections in online services, which significantly hampered uptake.
  • The “Onboarding Hurdle”: The enrollment phase must be virtually seamless. Traditional digital wallets require cumbersome identity verification to comply with anti-money laundering regulations. By hooking BiMPay’s onboarding process directly into the Trident ID framework, the system could instantly verify a citizen’s identity remotely via a mobile device.

BiMPay must solve a burning problem for the average citizen. This means moving away from abstract goals like “financial inclusion” and focusing on Instant Settlement, the ability for a street vendor or a ZR driver to receive funds and use them to buy supplies ten seconds later.

Solve the “Merchant Friction” Problem

In Jamaica and the Eastern Caribbean, adoption was crippled because merchants were slow to join. Businesses were often required to invest in new Point of Sale (POS) hardware without clear incentives.

Recommendations:

  • Lower Barriers to Entry: BiMPay’s use of QR codes and aliases (like phone numbers) is a strong start, as it eliminates the need for expensive card readers.
  • Address Cash Flow Directly: The government must highlight BiMPay’s Instant Settlement as its primary selling point for small businesses. In a cash-based economy, a vendor who can access their funds in 10 seconds rather than waiting for a bank clearing cycle has a massive competitive advantage.

Enforce “Radical Interoperability”

DCash suffered when commercial banks were slow to integrate, creating “walled gardens” where users couldn’t send money across different institutions.

Recommendations:

  • Mandatory Participation: The CBB has already taken the vital step of making BiMPay a foundational rail that integrates with all banks and existing digital wallets.
  • Level the Playing Field: The government must ensure that smaller fintechs and credit unions can offer services on par with larger commercial banks. This competition will lower costs for the end-user and drive innovation in the digital wallet space.

Build Trust in the Platform

Previous initiatives often mistook a lack of adoption for a “natural disinterest” in digital tools. In reality, users were simply worried about security, privacy, and resilience.

Recommendations:

  • Be Transparent About Privacy: Explicitly detail what data is collected and why. Following the lessons of the Sand Dollar, the government should clarify why certain tiers of wallets require identification while others do not.
  • Showcase Security: BiMPay uses multi-factor authentication (MFA) and other layered security controls. Educational campaigns should not just say the system is “secure,” they should demonstrate how these features protect the user’s money. Furthermore, awareness building must be continuous throughout the lifecycle of BiMPay, because treating security as a “one-and-done” fails to account for human psychology and the fast-moving nature of digital threats.
  • Fraud Prevention: The CBB must embed strict, real-time fraud monitoring natively into the central infrastructure of BiMPay to address critical risks like transaction irrevocability, social engineering, phishing, money laundering, and ultimately to preserve sovereign digital trust.
  • Redundancy & Resilience: To prevent a prolonged outage like DCash (54 days), BiMPay must implement an active-active infrastructure across geographically dispersed data centers to provide real-time failover, and network diversification through multiple telecom providers to mitigate localized disruptions. Furthermore, BiMPay should incorporate offline payment capabilities to maintain transaction continuity during Internet or power outages. Regular, mandatory failover testing and continuous health monitoring across all participating financial institutions are essential to maintaining operational resilience.

The WeChat/Grab Model: Building a “Super App” Ecosystem

The most successful peer-to-peer (P2P) platforms, like China’s WeChat and Southeast Asia’s Grab, succeeded because they became “lifestyle companions.” They didn’t just move money; they integrated daily necessities.

Recommendations:

  • Social Integration: WeChat succeeded because it integrated payments directly into the messaging app people were already using. BiMPay must ensure that sending money is as easy as sending a WhatsApp message.
  • The “Network Effect”: The government must incentivize anchor institutions such as utilities, supermarkets, and gas stations to offer BiMPay-exclusive discounts or loyalty rewards.
  • In-App Ecosystem Mini Programs: BiMPay should open its API to allow local businesses to build mini-programs directly into the BiMPay wallet environment. For example, a user could open the BiMPay app, order food from Chefette or another local restaurant, buy a ticket to a Crop Over event, or pay for a taxi, and complete the entire transaction securely via the built-in payment rail without ever leaving the ecosystem.
  • Alternative Credit Scoring: Many unbanked Barbadians struggle to secure financing because they lack a formal credit history. BiMPay could safely aggregate user transaction histories (with strict user consent and privacy controls overseen by the Data Protection Commissioner) to allow local credit unions or fintech lenders to offer micro-loans or flexible insurance policies directly inside the app, based on the user’s real digital footprint rather than rigid banking metrics.
  • Peer-to-Peer Group Splitting and Local Gifting: BiMPay should feature a highly intuitive peer-to-peer (P2P) tool that allows users to seamlessly split dinner bills, crowdsource funding (local version of GoFundMe), or tip local musicians and hospitality workers seamlessly.

Strategic Integration: The Bridge to PayPal, Google, and Apple

For a tourism-dependent economy like Barbados, isolation is the enemy of growth. While BiMPay is a domestic solution, its long-term success depends on its ability to talk to the world.

Why Global Integration Matters:

  • Tourism Tension: A tourist from New York or London shouldn’t have to download a “Barbados-only” app. Future integration with Google Pay and Apple Pay via the BiMPay rail would allow visitors to spend seamlessly at local vendors who currently can’t afford expensive merchant terminals.
  • The Remittance Lifeline: Integration with PayPal would revolutionize how the Barbadian diaspora sends money home. By allowing a PayPal transfer to settle instantly into a BiMPay wallet, the government removes the predatory fees and multi-day delays of traditional remittance services.

Tactical Recommendations for the Government of Barbados

To avoid the fate of the Sand Dollar, the Government must execute on five specific pillars:

Use “G2P” as the Adoption Engine

The government is the nation’s largest payor. To drive adoption, all Government-to-Person (G2P) payments, including pensions, welfare, tax refunds, and student grants, should be defaulted to BiMPay wallets. When 50,000 citizens have “digital money” in their pockets on the first of the month, merchants will be forced to accept it.

Mandate Interoperability

The Central Bank must ensure that the BiMPay Interoperability Hub is truly open. No bank should be allowed to close off its customers. A user with a wallet from a small credit union must be able to send money to a user at a large commercial bank with zero friction.

Zero-Cost Merchant Onboarding

The government should subsidize the “last mile” for small businesses. This includes providing free QR code signage and ensuring that the merchant transaction fees for BiMPay are significantly lower than traditional credit card fees (which can reach 3-5% in the region).

Allow Users to Quickly and Conveniently “Cash Out”

Users must not be locked into a digital ecosystem without access to traditional cash. BiMPay should allow users to get physical cash back at any merchant location, reducing dependency on automated teller machines (ATMs).

Privacy-First Communication

Transparency is the only cure for skepticism. The government must effectively communicate that BiMPay uses robust privacy-enabling controls and that, while the system is audited for fraud, it is not a tool for granular government surveillance of lawful private spending.

Operational Independence

To operate most effectively, I recommend that that the government convert BiMPay into an independent public-private corporate structure (somewhat akin to what Denmark has done with NemKonto).

Under this model, the Central Bank retains ownership of the invisible “underground pipe” (the payment rail) to ensure safety and neutrality, but hands day-to-day operations, marketing, and developer relations over to a dedicated, agile management team that operates outside the slow-moving framework of standard civil service.

Recommendations:

  • Technical Agility and Speed: A separate, dedicated corporate entity operates outside the rigid hiring and procurement frameworks of civil service. It can recruit specialized, top-tier cybersecurity and software engineers at market rates, ensuring rapid software updates and preventing prolonged system overshoots like the DCash outage.
  • Dedicated Service Focus: Freed from managing monetary policy, an independent operational team can focus entirely on customer onboarding, merchant marketing, 24/7 technical support, and building open APIs for local fintech startups.
  • Regulatory Neutrality: Spinning off the day-to-day operations ensures that the Central Bank of Barbados can act as a strictly neutral referee. It eliminates conflicts of interest, allowing the CBB to regulate the national payment rail objectively without favoring its own digital wallet product over private innovations.

The Collaborative Layer: The BiMPay Forum

To avoid operating in an authoritarian vacuum, the CBB should establish a BiMPay Forum. This would be a permanent, institutional governance and oversight body.

Recommendations:

  • Plurality & Representation: The Forum would include representatives from traditional commercial banks, credit unions, fintech startups, payment institutions, business associations, consumer groups, academia, and the technical community.
  • Working Groups: The governance framework would utilize specialized sub-committees to improve on the platform. These groups would collaborate on structural components like:
    • Business Models: Designing new transaction methods (e.g., recurring bills).
    • Technical Requirements: Mapping security standards and message formats.
    • Audit & Risk: Dedicated to updating anti-fraud mechanisms, maintaining regulatory compliance, upholding privacy rights, and the monitoring and remediation of other material risks.

Conclusion: Beyond 12 June 2026

BiMPay has the potential to be the most significant upgrade to the Barbadian economy since independence. However, as the failures of the Sand Dollar and DCash have shown, “if you build it, they will come” does not apply to digital finance.

The Government of Barbados must act as an ecosystem curator, not just a software deployer. By focusing on merchant instant-settlement, mandating bank interoperability, and building a roadmap for integration with global giants like Apple, Google and PayPal, Barbados can turn BiMPay from a local project into a global standard for digital excellence.

In the digital age, Instant Matters. And not just for convenience, but for the very survival of the Caribbean economy.

The Facade of Progress: Why GovTech Barbados is Stalling Digital Transformation

nielharper

In the humid corridors of Barbados’ public service, there is a new buzzword circulating with the frequency of a tropical breeze: “GovTech.” Established in late 2023 with the high-octane promise of dragging a paper-clogged bureaucracy into the 21st century, GovTech Barbados Ltd. was heralded as the “silver bullet” for the nation’s digital woes.

However, as we move through 2026, the initial honeymoon period has ended. While the PR machinery hums with talk of “AI-powered prototypes” and “digital champions,” the average Barbadian citizen is still standing in physical lines, clutching paper forms, and wondering when the promised “sweeping transformation” will actually increase the ease of doing business.

The reality is that GovTech Barbados, despite its modern branding and high-profile leadership, is currently a victim of institutional inertia, misplaced priorities, and a “startup” culture that is fundamentally incompatible with the weight of government bureaucracy.

The Prototyping Trap: Appearance vs. Reality

The most visible “achievement” of GovTech Barbados so far has been the rollout of rapid “prototyping.” Using AI to turn a paper form into a digital interface in “minutes” sounds like a revolution. It makes for excellent LinkedIn posts and impressive demos for the Ministry of Industry, Innovation, Science and Technology (MIST).

But a prototype is not a service.

The “Prototyping Trap” occurs when an organization prioritizes the UI (User Interface) over the UX (User Experience) and the underlying backend processes. Turning a paper form into a digital PDF or a web form is the easiest 5% of digital transformation. The difficult 95% involves:

  • Integrating with the national identity system.
  • Automating backend approvals so a human doesn’t have to print the digital form to file it.
  • Introducing workflow management tooling to handoff tasks between different government departments or control points.
  • Updating the 40-year-old legislation that still requires a physical signature.

By focusing on what they believe to be “tangible outputs” to win public confidence, GovTech is essentially painting the windows of a house that has no plumbing. Citizens may fill out a form online, but if the “transformation” stops there, the inefficiency is simply moved from the front counter to a back-office inbox. Instead of focusing on throughput (how many forms can we digitize?), GovTech Barbados needs to focus on outcomes (how much time and money can we save the citizen?). It’s also quite telling that the GovTech team has neither the deep expertise nor a visible focus on ICT law and business process reengineering.

The CEO Dilemma: A Startup Mindset in a “Legacy” Environment

Mark Boyce, hired in July 2024, has brought a seemingly more tech savvy energy to the role. His background, marked by a vocal critique of the “safe” career paths of doctors and lawyers in Barbados, suggested he was the disruptor the island needed. However, in reality, Mr. Boyce does not have the qualifications or experience to lead a major national digital transformation initiative like GovTech Barbados. He has never led complex enterprise or government implementations which include cloud computing, interoperability layers, cybersecurity, e-commerce, digital identity, and big data. Unfortunately, neither has the majority of his key hires.

Digital transformation in a government setting is less like a tech startup and more like an organ transplant. The “host body” (the existing Civil Service) often rejects the “new organ” (GovTech) if the cultural and legislative prep work isn’t done.

I can’t help but to think that GovTech is operating as an isolated island of innovation. While Boyce and his team speak the language of “The Radical How” and “agile execution,” the rest of the government still speaks the language of “The General Orders” and “Financial Rules.” This cultural mismatch has led to a bottleneck where GovTech builds prototypes that sit in limbo for months because the “human review process” in traditional ministries remains unchanged.

The Sovereign Cloud and the “Hardware Hubris”

One of GovTech’s early and most controversial claims was that Barbados was “on the brink” of a sweeping transformation fueled by a Tier 3 data center and a “sovereign cloud.”

As I noted in a previous blog post, this often feels like “déjà vu.” Barbados has a history of announcing expensive infrastructure projects that fail to deliver service-level improvements. It’s important to note that:

  • Costs are astronomical: A greenfield Tier 3 data center can cost upwards of $20 million in capital expenditure, with millions more in annual operating costs.
  • Infrastructure vs. Service: A data center is just a room with servers. If the software running on those servers is poorly designed or the data remains siloed in different ministries, the “Sovereign Cloud” is just a very expensive local hard drive.

Furthermore, the focus on building local infrastructure ignores the global trend toward public cloud utilization (AWS, Azure, Google Cloud), which offers better security, scalability, and disaster recovery than a small island nation can typically manage on its own. The obsession with “sovereign hardware” often masks a lack of “sovereign software” capability.

A better approach would be a hybrid cloud model with a smaller footprint sovereign data center hosting “mission critical” and “secret” data (e.g., Digital ID, Electronic Patient Records, BimPay, etc.) and leveraging the public cloud for non-sensitive, high-scale applications (e.g., public-facing websites, information portals).

Missing the “Human” in the Human Firewall

For a “GovTech” agency, there has been a glaring lack of focus on the digital literacy of the civil service. Digital transformation is 10% technology and 90% people.

While GovTech talks about “Digital Champions” within ministries, these individuals are often overstretched civil servants with no formal technical training and no authority to change the processes they are “championing.” Without a massive, nationwide upskilling program for the thousands of government workers who actually process the forms, GovTech’s tools will remain shiny toys that no one knows how to play with.

The Transparency Deficit

Meaningful digital transformation requires trust. Yet, GovTech Barbados must be questioned for its approach to:

  • Cybersecurity: Barbados continues to score poorly on the ITU Global Cybersecurity Index. Announcing “AI-powered” government services without a robust, transparent cybersecurity framework or government-wide AI governance standard is a recipe for a national data disaster.
  • Data Protection: As GovTech moves to “release public datasets” to spur local tech growth, there are unanswered questions about how citizen privacy is being protected under the Data Protection Act. Where is the Open Data Policy? What about Freedom of Information (FOI) legislation? What will be the overarching data governance framework? Is the Data Protection Commissioner being continuously engaged?
  • Procurement: Is GovTech empowering local startups, or is it becoming a middleman for expensive foreign “turnkey” solutions that don’t fit the local context?
  • Digital Identification: Considering the existence of the Trident ID system, why haven’t centralized and federated digital ID been prioritized? GovTech should have already built a “Single Sign-On (SSO)” for all government portals. Instead of having separate logins for Taxes (TAMIS), NIS, and the Land Registry, a citizen uses one verified Trident identity. GovTech can also act as a “Trust Broker.” For example, local banks should be mandated to use the Trident ID API to verify a new customer’s identity instantly, rather than requiring them to visit a branch with a passport. Banking customers should also be able to login to their Internet and mobile banking applications with the Trident digital ID.

Notwithstanding a clear lack of transparency, GovTech Barbados has been granted a multi-million dollar budgetary increase in the 2026–2027 Estimates. The public must now ask: how is this agency being held accountable for its results – or the evident lack thereof?

The Verdict: Is it Transformation or Decoration?

As of early 2026, GovTech Barbados has achieved Digital Decoration. It has made the government look more modern, but it hasn’t made it work more efficiently.

For GovTech to move from a PR success to a systemic success, it needs to stop focusing on “tangible prototypes” and start doing the “unsexy” work of:

  1. Legislative Reform: Working with the Attorney General to kill the “physical signature” requirement once and for all.
  2. Interoperability: Forcing ministries to share data through a central API, so citizens don’t have to provide their birth certificate to five different departments.
  3. Radical Transparency: Publishing real-time KPIs on service delivery times, not just “how many forms we digitized.”

If GovTech continues down its current path, it risks becoming just another “State-Owned Enterprise (SOE)” – a well-funded agency that produces beautiful reports and prototypes while the people of Barbados continue to wait in the sun for a service that should have been a website click years ago.

A Dark Day for Digital Freedom: The RightsCon Cancellation in Zambia

nielharper

The sudden, last-minute cancellation of RightsCon 2026 by the Zambian government is more than just a logistical nightmare for the 5,000 delegates already en route, it is a chilling signal for the future of global civic discourse and Internet freedom.

As the world’s premier summit on human rights in the digital age, RightsCon was set to provide a vital platform for activists, technologists, and policymakers to tackle urgent issues like online censorship, AI surveillance, and the protection of marginalized voices.

Why this matters for all of us:

  • The “National Values” Trap: The government’s justification, citing a lack of “alignment with national values”, is a familiar and dangerous euphemism used to suppress difficult conversations. When “values” are used as a filter for human rights dialogue, it sets a precedent that the state, not the citizens, decides which rights are worthy of discussion.
  • The Closing of African Civic Space: Hosting RightsCon in Lusaka was supposed to be a milestone for African digital sovereignty. Instead, this cancellation reinforces a growing trend of “digital authoritarianism” across the continent, where governments prioritize state control over open, transparent debate.
  • Silencing the Marginalized: RightsCon is one of the few global spaces where LGBTQ+ advocates, Sexual and Reproductive Health and Rights (SRHR) researchers, and digital rights defenders from the Global South can organize. Shutting it down disproportionately harms those already facing criminalization and digital exclusion.
  • A Blow to Accountability: From surveillance technology to data privacy, holding Big Tech and governments accountable requires international collaboration. By blocking the gates to this summit, the Zambian government hasn’t just stopped a conference; it has attempted to stall the global movement for a free, open and human-centric Internet.

Digital rights are human rights. When a space for these rights is forcibly closed, the silence is deafening.

Is your biggest security risk already inside your castle?

nielharper

I recently sat down with Mary K. Pratt (always wonderful to speak with her) to discuss “insider threats” for her CSO Online article.

My message was that the definition of an “insider” has fundamentally changed. It’s no longer just about disgruntled employees; it’s about a complex web of social engineering, digital savviness, and agentic AI.

Below are three critical takeaways from our discussion on “new” face of insider threats:

>> Social Media as a Recruitment Tool: Threat actors are using OSINT on social platforms to find “mercenaries”. By identifying employees under economic or personal pressure, they can bribe or blackmail insiders to do their dirty work.

>> The Rise of the “High-Risk” Average User: You don’t need to be a developer to be a threat. With modern digital tools and GenAI, the average staffer now has the capability to become a high-impact threat actor, intentionally or otherwise.

>> AI as the New Insider: We must start viewing AI agents as insiders. If an agent has privileged access and goes rogue — or is manipulated — it can exfiltrate data at machine speed. Essentially, AI has changed the paradigm of what constitutes an insider threat!

But what’s the solution? It’s time to move beyond “set and forget” background checks. Security pros must insist on regular, tiered background reinvestigations (especially for high-access roles), integrating behavioral signals with technical telemetry, and extending risk frameworks to include non-human/AI identities. In a world of remote work and outsourced contractors, trust must be continuous, not just a one-time onboarding event.

How is your organization adapting its Insider Risk Management framework for the AI era?

Check out the article here: https://lnkd.in/dkwhGMNE

DNS is the first line of defense for security and resilience

nielharper

On March 19, 2026, NIST finalized the SP 800-81r3 (Secure DNS Deployment Guide). This isn’t just a routine update; it is a fundamental shift in how we approach Internet resilience and organizational trust.

For years, DNS was the “quiet utility” in the background. In the modern threat landscape, NIST Revision 3 reimagines it as a proactive security control point.

Why does this matter for your 2026 security roadmap?

1️⃣ DNS as a Policy Enforcement Point (PEP): Moving beyond simple resolution, r3 integrates DNS into Zero Trust Architecture. By leveraging DNS as a PEP, organizations can neutralize threats such as malware, phishing, and command and control (C2) callbacks at the resolution stage, before a single packet of malicious data is exchanged.

2️⃣ Closing the Privacy Gap: For the first time, we have a definitive standard for deploying DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) at scale. This effectively encrypts the “digital breadcrumbs” of our network metadata, protecting against unauthorized surveillance and data harvesting.

3️⃣ Operational Resilience & Integrity: Through rigorous DNSSEC validation and the elimination of “dangling CNAME” exploits, r3 provides a fail-safe directory. In a world of automated attacks, your “Single Source of Truth” must be immutable.

NIST SP 800-81r3 ensures that DNS is no longer your weakest link, but your most resilient shield. Standardizing these protocols isn’t just about compliance, it’s about building an Internet that is secure by design.

Do you plan on auditing your DNS architecture against the new r3 standards?

Download the SP 800-81r3 (Secure DNS Deployment Guide) now!

Why CISOs Must Fight Back Against Scapegoating

nielharper

  • CISO ignores red flags in recruitment where business leaders repeatedly mention their “unique developer culture”.
  • CISO joins a major company which claims to be committed to cybersecurity.
  • CISO publishes 30-60-90 day plan and immediately performs a maturity assessment upon joining.
  • CISO meets with over 50 organizational leaders to outline their strategic vision and build support. Not a single person provides any meaningful input. The organization has no Internal Audit or Risk functions.
  • After completing the maturity assessment, CISO develops and publishes a draft cybersecurity strategy and multi-year roadmap for feedback. Not a single member of the executive management board reads the documents or provides feedback (including the CTO and CIO).
  • When asked about weak asset management (less than 35% of devices have EDR or MDM installed), the CIO states that developers don’t like being monitored. The CIO also states that cloud security posture management isn’t a priority (the organization employs a ‘multi-cloud strategy’ with a large footprint across multiple public clouds).
  • The organization’s CI/CD pipeline is fragmented with limited security controls. The CTO refuses to commit to robust security in the CI/CD pipeline because the organization is focused on code velocity and bringing new products/features to the market. CTO cannot explain why the Security Champions program failed.
  • The organization’s ecosystem is filled with thousands of vulnerable apps because there has literally been zero investment in relevant security controls. CISO develops a detailed plan addressing the people, process, and technology required to enhance security in the marketplace. The CISO is pretty much ignored.
  • The organization is obsessed with its annual SOC 2 audit (security theater).
  • CISO makes first presentation to executive management, addressing the security vision in accessible language such as business resilience, competitive advantage, market differentiation, regulatory compliance, collaborative risk management, etc. CISO highlights the “poor security culture” and asks that executive management make a formal statement about their commitment to security, authority to the CISO, and need for business leaders to own security in their domains and cooperate with the CISO. The executive management team is angry and criticizes the CISO for asking them to do what they see as his job.
  • A few weeks later, management and the CISO decide to part ways because of a “poor cultural fit”.

This is unfortunately a widespread scenario highlighting why the average CISO tenure is 18-24 months: poor tone from the top, unrealistic expectations, inadequate resources, accountability without authority, regulatory & legal pressure, and poor organizational culture.

It’s time for CISOs to pushback against these toxic situations!

Cybersecurity & Data Privacy Virtual Summit 2026 

nielharper

It was my esteemed pleasure to have participated in the Cybersecurity & Data Privacy Virtual Summit 2026 these past 4 days.

I shared the “virtual floor” in 2 sessions with Dr. Bright Gameli Mawudor and Godphey Sterling and we discussed the various elements of a successful response to a cybersecurity breach, specifically looking at the Technical Response to neutralize the threat and a Strategic Response to manage business operations, legal obligations, and reputation damage.

We also touched on several topics of critical importance to cyber capacity building in the Global South (e.g., national cybersecurity strategy, CSIRTs, critical infrastructure protection, security awareness, privacy, public sector security standards, supply chain risk management, open-source as an alternative for cost containment, security in emerging technologies, international cooperation, etc.).

Kudos to the other amazing professionals who delivered top-tier presentations and deep knowledge sharing with the captive audience: Grace Lindo, Jason Lau, Rory Ebanks, Greg Richards, Kellye-Rae Campbell, Ann Cavoukian, Karnika Seth, Rosalind Lake, and Deborah Hileman.

Special thanks to Douglas Davidson for the invitation to impart my knowledge and experience and to Andrea Chisholm Anglin for her expert hosting of the event.

The Dangers of Relying on Security Theater

nielharper

In 2026, phrases like “We take security seriously” or “Your security is important to us” have become the ultimate red flags.

When companies lead with these lines in their PR, it often signals the opposite: Security Theater 🎭

As a global digital trust and corporate governance professional, I see this daily. Theater is easy; resilience is hard. Theater is about “checking a box” for a board mandate, audit finding, or customer requirement; resilience is about an internal ethos that guides every business decision.

How do you spot the actors? Here are 6 signs of a “Theatrical” security posture:

  • Non-Existent or Weak “Tone at the Top”: The attitude and commitment of the Board and C-suite dictates the security culture that governs every employee’s daily actions. When the tone at the top is weak, the security program in most every case fails.
  • Compliance as a Destination: Treating a SOC 2 or ISO certification as the finish line rather than the baseline. Attackers don’t care if you passed an audit; they care about your unpatched edge devices and unsecured cloud assets.
  • “Shadow IT” Amnesia: Bragging about a new “AI Policy” while employees are quietly feeding sensitive intellectual property into unmanaged non-enterprise LLMs, leveraging third-party code with no security gates or approvals, and using unapproved plugins or add-ons in browsers / IDEs / issue-tracking platforms that are vastly insecure.
  • The “Culture” Conundrum: Forcing employees through 10 minutes of outdated, boring video slides once a year and calling it a “Security Culture.” Real culture is when people believe in security and live it each day in their actions and decisions. This also goes for the businesses whose “developer culture” requires security leadership to be ‘flexible’ and to ignore heinous security practices by software developers.
  • MFA Mirage: Having Multi-Factor Authentication (MFA) enabled, but allowing so many “exceptions” for executives or legacy systems that the front door is essentially unlocked.
  • Asset and Configuration Management: No accurate inventories exist for hardware / software / data assets, the majority of enterprise devices aren’t running unified endpoint management (UEM) or endpoint protection, cloud assets and their configuration status are unknown, an embarassingly low number of critical assets have logging enabled, and hardening templates don’t exist across virtual servers / microservices / network devices.

Digital Trust isn’t a marketing slogan. It is a measurable KPI. In 2026, the market must shift to rewarding candor and specificity over “vague invulnerability.”

The companies that thrive won’t be the ones that never get hit – they’ll be the ones that had the integrity to build real defenses before the curtain went up.

Stop the performance. Start the protection.

Agents Unleashed: Can We Control What We’ve Created?

nielharper

Wrapped up Day 2 of Black Hat MEA participating in a Fireside Chat with two amazing security leaders Trina Ford and Priya Mouli.

The topic of our chat was “Agents Unleashed: Can We Control What We’ve Created?” We talked about the promise of agentic AI and the underlying risks that businesses and cyber professionals need to address.

This thought-provoking conversation explored areas such as:

  • Output Gates: Ensuring that final action requests by agents are mediated by a security-controlled API or service layer that checks the output against strict, predetermined enterprise policies.
  • Rate Limiting: Temporal controls to prevent infinite loops, rapid escalation, or denial-of-service, preventing misaligned or hallucinating agents from causing immediate, high-volume harm.
  • Reversibility: Autonomy is acceptable only when the agent’s actions can be immediately and easily undone without a system failure or data loss.
  • Identity and Access Management: Why agents should have unique service identities and must be restricted by controls such as PAM, least privilege, and zero wildcard permissions.
  • Governance: Subjecting agents to governance processes such as architecture reviews, threat modeling, risk classification, and incident response management (e.g., playbooks, tabletop exercises, etc.).
  • Shadow AI: Leveraging policy frameworks, identity governance, and network/data layer monitoring to protect against unauthorized or unmanaged agents.

Business leaders often view agents as highly efficient macros or bots. They fail to grasp that the agent’s autonomy and emergent behavior – its ability to reason, adapt, and combine tools – creates risks that are fundamentally different from traditional automation. 

The deployment of Agentic AI necessitates robust, layered security controls because it introduces unique, high-velocity risks that traditional perimeter and human-speed security models cannot handle.

Ransomware as a Service (RaaS) from code to cartel

nielharper

Yesterday at Black Hat MEA, my first deep dive session of the day focused on “Ransomware as a Service (RaaS) from code to cartel”.

I was privileged to share the stage with Ira Winkler, Patricia Titus, and Bjørn R. Watne.

We explored the evolution of ransomware into today’s organized, profit-centered, multi-disciplinary threat collectives, and delved into some key areas such as:

  • The affililiate model and how ransomware groups function like legitimate companies
  • Recruitment for capabilities (e.g., exploit developers, cloud security engineering, C2 servers, payment portals, compromise of trusted insiders, etc.)
  • The importance of business resilience as a risk response (e.g., disaster recovery testing, incident response planning, ransomware playbooks, tabletop exercises)
  • How the transition from double extortion to triple extortion is also manifesting as threats of bodily harm and targeting of family members
  • Emphasized that cyber insurance is not a replacement for robust security controls (e.g., air-gapped backups, MFA, PAM, EDR, security awareness, etc.)
  • How critical infrastructure protection (CIP) and operational resilience legislation factor into the overall industry response (e.g., DORA, NIS 2, CRA, etc.)
  • Detailed why software developers and their tooling are increasingly targeted by RaaS consortiums due to risks such as privileged access to sensitive environments (staging, production), API and cloud infrastructure key custodianship, DevSecOps weaknesses, trust injection across CI/CD pipelines, code repository theft, etc.
  • Addressing encryption-related risks like quantum computing and cryptographic agility
  • How both defenders and attackers are leveraging AI

Many thanks to my fellow panelists for their brilliant insights and a note of appreciation for all those who attended.