The Facade of Progress: Why GovTech Barbados is Stalling Digital Transformation

In the humid corridors of Barbados’ public service, there is a new buzzword circulating with the frequency of a tropical breeze: “GovTech.” Established in late 2023 with the high-octane promise of dragging a paper-clogged bureaucracy into the 21st century, GovTech Barbados Ltd. was heralded as the “silver bullet” for the nation’s digital woes.

However, as we move through 2026, the initial honeymoon period has ended. While the PR machinery hums with talk of “AI-powered prototypes” and “digital champions,” the average Barbadian citizen is still standing in physical lines, clutching paper forms, and wondering when the promised “sweeping transformation” will actually increase the ease of doing business.

The reality is that GovTech Barbados, despite its modern branding and high-profile leadership, is currently a victim of institutional inertia, misplaced priorities, and a “startup” culture that is fundamentally incompatible with the weight of government bureaucracy.

The Prototyping Trap: Appearance vs. Reality

The most visible “achievement” of GovTech Barbados so far has been the rollout of rapid “prototyping.” Using AI to turn a paper form into a digital interface in “minutes” sounds like a revolution. It makes for excellent LinkedIn posts and impressive demos for the Ministry of Industry, Innovation, Science and Technology (MIST).

But a prototype is not a service.

The “Prototyping Trap” occurs when an organization prioritizes the UI (User Interface) over the UX (User Experience) and the underlying backend processes. Turning a paper form into a digital PDF or a web form is the easiest 5% of digital transformation. The difficult 95% involves:

  • Integrating with the national identity system.
  • Automating backend approvals so a human doesn’t have to print the digital form to file it.
  • Introducing workflow management tooling to hand off tasks between different government departments or control points.
  • Updating the 40-year-old legislation that still requires a physical signature.

By focusing on what they believe to be “tangible outputs” to win public confidence, GovTech is essentially painting the windows of a house that has no plumbing. Citizens may fill out a form online, but if the “transformation” stops there, the inefficiency is simply moved from the front counter to a back-office inbox. Instead of focusing on throughput (how many forms can we digitize?), GovTech Barbados needs to focus on outcomes (how much time and money can we save the citizen?). It’s also quite telling that the GovTech team has neither the deep expertise nor a visible focus on ICT law and business process reengineering.

The CEO Dilemma: A Startup Mindset in a “Legacy” Environment

Mark Boyce, hired in July 2024, has brought a seemingly more tech-savvy energy to the role. His background, marked by a vocal critique of the “safe” career paths of doctors and lawyers in Barbados, suggested he was the disruptor the island needed. However, in reality, Mr. Boyce does not have the qualifications or experience to lead a major national digital transformation initiative like GovTech Barbados. He has never led complex enterprise or government implementations which include cloud computing, interoperability layers, cybersecurity, e-commerce, digital identity, and big data. Unfortunately, neither has the majority of his key hires.

Digital transformation in a government setting is less like a tech startup and more like an organ transplant. The “host body” (the existing Civil Service) often rejects the “new organ” (GovTech) if the cultural and legislative prep work isn’t done.

I can’t help but think that GovTech is operating as an isolated island of innovation. While Boyce and his team speak the language of “The Radical How” and “agile execution,” the rest of the government still speaks the language of “The General Orders” and “Financial Rules.” This cultural mismatch has led to a bottleneck where GovTech builds prototypes that sit in limbo for months because the “human review process” in traditional ministries remains unchanged.

The Sovereign Cloud and the “Hardware Hubris”

One of GovTech’s early and most controversial claims was that Barbados was “on the brink” of a sweeping transformation fueled by a Tier 3 data center and a “sovereign cloud.”

As I noted in a previous blog post, this often feels like “déjà vu.” Barbados has a history of announcing expensive infrastructure projects that fail to deliver service-level improvements. It’s important to note that:

  • Costs are astronomical: A greenfield Tier 3 data center can cost upwards of $20 million in capital expenditure, with millions more in annual operating costs.
  • Infrastructure vs. Service: A data center is just a room with servers. If the software running on those servers is poorly designed or the data remains siloed in different ministries, the “Sovereign Cloud” is just a very expensive local hard drive.

Furthermore, the focus on building local infrastructure ignores the global trend toward public cloud utilization (AWS, Azure, Google Cloud), which offers better security, scalability, and disaster recovery than a small island nation can typically manage on its own. The obsession with “sovereign hardware” often masks a lack of “sovereign software” capability.

A better approach would be a hybrid cloud model with a smaller footprint sovereign data center hosting “mission critical” and “secret” data (e.g., Digital ID, Electronic Patient Records, BimPay, etc.) and leveraging the public cloud for non-sensitive, high-scale applications (e.g., public-facing websites, information portals).

Missing the “Human” in the Human Firewall

For a “GovTech” agency, there has been a glaring lack of focus on the digital literacy of the civil service. Digital transformation is 10% technology and 90% people.

While GovTech talks about “Digital Champions” within ministries, these individuals are often overstretched civil servants with no formal technical training and no authority to change the processes they are “championing.” Without a massive, nationwide upskilling program for the thousands of government workers who actually process the forms, GovTech’s tools will remain shiny toys that no one knows how to play with.

The Transparency Deficit

Meaningful digital transformation requires trust. Yet, GovTech Barbados must be questioned for its approach to:

  • Cybersecurity: Barbados continues to score poorly on the ITU Global Cybersecurity Index. Announcing “AI-powered” government services without a robust, transparent cybersecurity framework or government-wide AI governance standard is a recipe for a national data disaster.
  • Data Protection: As GovTech moves to “release public datasets” to spur local tech growth, there are unanswered questions about how citizen privacy is being protected under the Data Protection Act. Where is the Open Data Policy? What about Freedom of Information (FOI) legislation? What will be the overarching data governance framework? Is the Data Protection Commissioner being continuously engaged?
  • Procurement: Is GovTech empowering local startups, or is it becoming a middleman for expensive foreign “turnkey” solutions that don’t fit the local context?
  • Digital Identification: Considering the existence of the Trident ID system, why haven’t centralized and federated digital ID been prioritized? GovTech should have already built a “Single Sign-On (SSO)” for all government portals. Instead of having separate logins for Taxes (TAMIS), NIS, and the Land Registry, a citizen would use one verified Trident identity. GovTech can also act as a “Trust Broker.” For example, local banks should be mandated to use the Trident ID API to verify a new customer’s identity instantly, rather than requiring them to visit a branch with a passport. Banking customers should also be able to log in to their Internet and mobile banking applications with the Trident digital ID.

Notwithstanding a clear lack of transparency, GovTech Barbados has been granted a multi-million dollar budgetary increase in the 2026–2027 Estimates. The public must now ask: how is this agency being held accountable for its results – or the evident lack thereof?

The Verdict: Is it Transformation or Decoration?

As of early 2026, GovTech Barbados has achieved Digital Decoration. It has made the government look more modern, but it hasn’t made it work more efficiently.

For GovTech to move from a PR success to a systemic success, it needs to stop focusing on “tangible prototypes” and start doing the “unsexy” work of:

  1. Legislative Reform: Working with the Attorney General to kill the “physical signature” requirement once and for all.
  2. Interoperability: Forcing ministries to share data through a central API, so citizens don’t have to provide their birth certificate to five different departments.
  3. Radical Transparency: Publishing real-time KPIs on service delivery times, not just “how many forms we digitized.”

If GovTech continues down its current path, it risks becoming just another “State-Owned Enterprise (SOE)” – a well-funded agency that produces beautiful reports and prototypes while the people of Barbados continue to wait in the sun for a service that should have been a website click years ago.

Why CISOs Must Fight Back Against Scapegoating

  • CISO ignores red flags in recruitment where business leaders repeatedly mention their “unique developer culture”.
  • CISO joins a major company which claims to be committed to cybersecurity.
  • CISO publishes 30-60-90 day plan and immediately performs a maturity assessment upon joining.
  • CISO meets with over 50 organizational leaders to outline their strategic vision and build support. Not a single person provides any meaningful input. The organization has no Internal Audit or Risk functions.
  • After completing the maturity assessment, CISO develops and publishes a draft cybersecurity strategy and multi-year roadmap for feedback. Not a single member of the executive management board reads the documents or provides feedback (including the CTO and CIO).
  • When asked about weak asset management (less than 35% of devices have EDR or MDM installed), the CIO states that developers don’t like being monitored. The CIO also states that cloud security posture management isn’t a priority (the organization employs a ‘multi-cloud strategy’ with a large footprint across multiple public clouds).
  • The organization’s CI/CD pipeline is fragmented with limited security controls. The CTO refuses to commit to robust security in the CI/CD pipeline because the organization is focused on code velocity and bringing new products/features to the market. CTO cannot explain why the Security Champions program failed.
  • The organization’s ecosystem is filled with thousands of vulnerable apps because there has literally been zero investment in relevant security controls. CISO develops a detailed plan addressing the people, process, and technology required to enhance security in the marketplace. The CISO is pretty much ignored.
  • The organization is obsessed with its annual SOC 2 audit (security theater).
  • CISO makes first presentation to executive management, addressing the security vision in accessible language such as business resilience, competitive advantage, market differentiation, regulatory compliance, collaborative risk management, etc. CISO highlights the “poor security culture” and asks that executive management make a formal statement about their commitment to security, authority to the CISO, and need for business leaders to own security in their domains and cooperate with the CISO. The executive management team is angry and criticizes the CISO for asking them to do what they see as his job.
  • A few weeks later, management and the CISO decide to part ways because of a “poor cultural fit”.

This is unfortunately a widespread scenario highlighting why the average CISO tenure is 18-24 months: poor tone from the top, unrealistic expectations, inadequate resources, accountability without authority, regulatory & legal pressure, and poor organizational culture.

It’s time for CISOs to push back against these toxic situations!

The Dangers of Relying on Security Theater

In 2026, phrases like “We take security seriously” or “Your security is important to us” have become the ultimate red flags.

When companies lead with these lines in their PR, it often signals the opposite: Security Theater 🎭

As a global digital trust and corporate governance professional, I see this daily. Theater is easy; resilience is hard. Theater is about “checking a box” for a board mandate, audit finding, or customer requirement; resilience is about an internal ethos that guides every business decision.

How do you spot the actors? Here are 6 signs of a “Theatrical” security posture:

  • Non-Existent or Weak “Tone at the Top”: The attitude and commitment of the Board and C-suite dictate the security culture that governs every employee’s daily actions. When the tone at the top is weak, the security program in almost every case fails.
  • Compliance as a Destination: Treating a SOC 2 or ISO certification as the finish line rather than the baseline. Attackers don’t care if you passed an audit; they care about your unpatched edge devices and unsecured cloud assets.
  • “Shadow IT” Amnesia: Bragging about a new “AI Policy” while employees are quietly feeding sensitive intellectual property into unmanaged non-enterprise LLMs, leveraging third-party code with no security gates or approvals, and using unapproved plugins or add-ons in browsers / IDEs / issue-tracking platforms that are vastly insecure.
  • The “Culture” Conundrum: Forcing employees through 10 minutes of outdated, boring video slides once a year and calling it a “Security Culture.” Real culture is when people believe in security and live it each day in their actions and decisions. This also goes for the businesses whose “developer culture” requires security leadership to be ‘flexible’ and to ignore heinous security practices by software developers.
  • MFA Mirage: Having Multi-Factor Authentication (MFA) enabled, but allowing so many “exceptions” for executives or legacy systems that the front door is essentially unlocked.
  • Asset and Configuration Management: No accurate inventories exist for hardware / software / data assets, the majority of enterprise devices aren’t running unified endpoint management (UEM) or endpoint protection, cloud assets and their configuration status are unknown, an embarrassingly low number of critical assets have logging enabled, and hardening templates don’t exist across virtual servers / microservices / network devices.

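The “MFA Mirage” above becomes measurable once every exception is treated as a login path rather than a policy footnote. The following is an added example (not code from the post) that computes effective MFA coverage over a constructed user directory, application list and exception policy, and separates the on-paper answer from the real one; all user names, groups and applications are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    privileged: bool  # admins, executives with approval rights, etc.


@dataclass(frozen=True)
class MfaPolicy:
    enforced: bool              # what the slide deck says: "MFA is on"
    excluded_groups: frozenset  # group-level carve-outs (e.g. executives)
    excluded_users: frozenset   # named per-user exceptions
    legacy_apps: frozenset      # applications that cannot do MFA at all


def bypass_reason(user, app, policy):
    """None if MFA really applies to this login path, else the exception."""
    if not policy.enforced:
        return "policy disabled"
    if app in policy.legacy_apps:
        return "legacy app"
    if user.name in policy.excluded_users:
        return "user exception"
    hit = user.groups & policy.excluded_groups
    if hit:
        return "group exception: " + ", ".join(sorted(hit))
    return None


def audit(users, apps, policy):
    """Paper coverage (policy on/off) versus effective coverage over
    every user/app login path, with the reason behind each gap."""
    gaps = [(u.name, app, r) for u in users for app in apps
            if (r := bypass_reason(u, app, policy)) is not None]
    total = len(users) * len(apps)
    # A privileged account with even one password-only path is an
    # unlocked front door, whatever the overall percentage says.
    priv = {u.name for u in users if u.privileged}
    return {
        "paper_coverage": 1.0 if policy.enforced else 0.0,
        "coverage": (total - len(gaps)) / total if total else 0.0,
        "gaps": gaps,
        "by_reason": Counter(r for _, _, r in gaps),
        "privileged_gaps": sorted({n for n, _, _ in gaps if n in priv}),
    }


def sample_data():
    # Constructed directory, applications and policy (hypothetical values).
    users = [
        User("alice", frozenset({"finance"}), False),
        User("bob", frozenset({"executives"}), True),
        User("carol", frozenset({"it-admins"}), True),
        User("dave", frozenset({"engineering"}), False),
        User("erin", frozenset({"engineering"}), False),
    ]
    apps = ["email", "vpn", "legacy-erp", "hr-portal"]
    policy = MfaPolicy(enforced=True,
                       excluded_groups=frozenset({"executives"}),
                       excluded_users=frozenset({"erin"}),
                       legacy_apps=frozenset({"legacy-erp"}))
    return users, apps, policy
```

Running `audit(*sample_data())` on this constructed data reports 100% coverage on paper but 45% in practice, with both privileged accounts having at least one password-only path.
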
Digital Trust isn’t a marketing slogan. It is a measurable KPI. In 2026, the market must shift to rewarding candor and specificity over “vague invulnerability.”

The companies that thrive won’t be the ones that never get hit – they’ll be the ones that had the integrity to build real defenses before the curtain went up.

Stop the performance. Start the protection.

Mismanagement of the BRA Breach: Lack of Cyber Preparedness is Expensive

In this year’s budget, the Ministry of Finance, Economic Affairs, and Investment is asking for $36.9 million to cover the costs associated with managing last year’s data breach at the Barbados Revenue Authority (BRA). Given that the average cost of responding to a data breach in 2024 was USD $4.88 million (BBD$9.94 million), this quoted figure is exceptionally high and warrants a detailed examination.

Here’s my breakdown of why such an amount is considered excessive:

1. Financial Strain:

  • Depletion of Public Funds: $36.9 million is a substantial amount that severely depletes the country’s financial resources at a time the nation is struggling with heavy debt obligations and underperformance in key sectors. It more than likely will require budget cuts in other critical areas, halt planned projects, or even threaten the country’s ability to service existing debts or meet its overall financial needs.
  • Opportunity Cost: The money spent on data breach response could be better used for investments in economic growth, innovation, social services, workforce development, or other strategic initiatives that contribute to Barbados’ long-term success.
  • Citizen Impact: This is at its core an erosion of trust in government’s effectiveness in managing cybersecurity and data protection, and can have a knock-on negative impact in terms of reduced quality and investment in citizen services (e.g., education, healthcare, transportation, sewage, housing, etc.), increased public debt, additional taxes, and hindered development.

2. Cost-Benefit Analysis:

  • Value of Data: It’s essential to compare the recovery cost with the actual value of the compromised data. I am certain no quantitative assessment was performed by the government to determine the cost of the data. In this case, the data might not be worth $36.9 million, making the recovery expenditure disproportionate.
  • Potential Losses: While data breaches can lead to financial losses, including regulatory fines, legal fees, and compensation to individuals harmed by their data being misused or abused, it’s crucial to estimate these potential losses accurately. A $36.9 million recovery cost in my opinion exceeds the estimated losses the government would have otherwise incurred.

3. Inefficiencies and Overcharging:

  • Vendor Pricing: Given my experience managing data breaches over the last 20+ years, unscrupulous vendors usually exploit the urgency and panic surrounding a breach to inflate their prices. This appears to be the case in this instance (given that the government has limited cybersecurity capabilities and little to no experience responding to breaches).
  • Scope Creep: Recovery efforts can sometimes expand beyond the initial scope, leading to unnecessary expenses. There’s no doubt in my mind that the government did not have defined security incident response procedures or objectives, which led to the recovery scope being too wide and unconstrained to avoid cost overruns.
  • Ineffective Strategies: The chosen security incident response strategies were poorly defined and inefficient, leading to prolonged recovery times and increased costs.

4. Failure of Prevention:

  • Security Gaps: As I have said numerous times, the government does not have the capabilities in place to secure the technologies that they have implemented, and this $36.9 million bill confirms these significant weaknesses in their cybersecurity infrastructure and practices. It raises questions about why they have failed to implement the numerous detailed security strategies provided to them over the last decade by the European Union (a project which I led), International Telecommunications Union (ITU), Organisation of American States (OAS), and others.
  • Missed Opportunities: Investing in robust cybersecurity measures, such as firewalls, intrusion detection systems, personnel training, and regular security audits, could have prevented the breach or minimized its impact, potentially saving millions of dollars in recovery costs. And while investments have been made in some of these areas, the implementation of the solutions has left a lot to be desired.

5. Reputation Damage:

  • Public Perception: While the financial cost is significant, the reputation damage from the BRA data breach doesn’t seem to be substantial. While the breach was severe, involved sensitive data, and came on the heels of the cyber-attacks against the Queen Elizabeth Hospital and many other government departments, there are many residents who still don’t seem to understand how dire the government’s cybersecurity situation really is.
  • Public Trust: The constant data breaches impacting public services and citizens’ data have a detrimental effect on public trust (which is already low). This will prevent the uptake of digital services being implemented by the government as well as reduce the confidence in e-commerce as a whole. Basically, it jeopardises the entire digital transformation agenda of this administration and the ability of Barbadians to reap the associated benefits.

In conclusion, while data breach recovery is a necessary expense, $36.9 million is an exorbitant amount that warrants careful scrutiny. It’s crucial that the Public Accounts Committee (PAC) and the Office of the Auditor General conduct a thorough investigation, evaluating vendor pricing, identifying inefficiencies, and addressing underlying security vulnerabilities to ensure that recovery efforts in the future are effective and cost-efficient.

New ISACA Research: 63 Percent of Privacy Professionals Find Their Jobs More Stressful Now Than Five Years Ago

The ISACA State of Privacy 2025 survey report, which gathered responses from over 1,600 privacy professionals globally, revealed that 63% of these professionals find their roles more stressful than they were five years ago, with 34% reporting a significant increase in stress levels. The primary sources of stress identified in the survey were the rapid pace of technological advancements (63%), difficulties with compliance (61%), and a lack of resources (59%).

“In an increasingly complex international regulatory environment, often with lacklustre resources, it is understandable that many privacy professionals are feeling strain from their efforts to stay compliant and keep their organizations’ data safe. Addressing these challenges and getting practitioners the support they need will be vital to not only ensure a healthy privacy workforce, but also to maintain data integrity and security, and avoid potential harm to data subjects.” I made these comments via BusinessWire on the report to emphasize not only the challenges associated with implementing privacy programs, but also the importance of organizations demonstrating their commitment to data governance, data ethics, privacy rights, and overall digital trust.

With AI, the privacy landscape has changed dramatically, including the regulatory burdens for companies. Continued leadership in the boardroom, at the executive level, as well as embedding privacy principles in organizational values is integral to nurturing the trust relationship between enterprises, their customers, and society at large.

Dispelling the Myths of Defense-Grade Cybersecurity

Defense-grade cybersecurity solutions are specifically designed to provide advanced protection against sophisticated threats, but there are many misunderstandings about this level of protection.

Sectors like finance, healthcare and critical infrastructure can use battle-hardened defense-grade cybersecurity to tackle today’s cyber threats.

In this webinar hosted by Infosecurity Magazine, I joined an expert group of panelists to uncover the truth behind common misconceptions about defense-grade cybersecurity, demonstrating its relevance, affordability, adaptability and effectiveness for organizations beyond the military or government.

We tackled myths such as, “defense-grade cybersecurity can’t stop APTs”, “it’s only for the government” and “it’s too complex and difficult to deploy”, providing insights into how modern defense-grade measures are accessible, scalable and essential for critical sectors.

We also discussed real-world applications of defense-grade principles, explaining how these solutions address today’s advanced threats.

Register to watch the on-demand recording at this link.