Tag: data protection

The Facade of Progress: Why GovTech Barbados is Stalling Digital Transformation

nielharper

In the humid corridors of Barbados’ public service, there is a new buzzword circulating with the frequency of a tropical breeze: “GovTech.” Established in late 2023 with the high-octane promise of dragging a paper-clogged bureaucracy into the 21st century, GovTech Barbados Ltd. was heralded as the “silver bullet” for the nation’s digital woes.

However, as we move through 2026, the initial honeymoon period has ended. While the PR machinery hums with talk of “AI-powered prototypes” and “digital champions,” the average Barbadian citizen is still standing in physical lines, clutching paper forms, and wondering when the promised “sweeping transformation” will actually increase the ease of doing business.

The reality is that GovTech Barbados, despite its modern branding and high-profile leadership, is currently a victim of institutional inertia, misplaced priorities, and a “startup” culture that is fundamentally incompatible with the weight of government bureaucracy.

The Prototyping Trap: Appearance vs. Reality

The most visible “achievement” of GovTech Barbados so far has been the rollout of rapid “prototyping.” Using AI to turn a paper form into a digital interface in “minutes” sounds like a revolution. It makes for excellent LinkedIn posts and impressive demos for the Ministry of Industry, Innovation, Science and Technology (MIST).

But a prototype is not a service.

The “Prototyping Trap” occurs when an organization prioritizes the UI (User Interface) over the UX (User Experience) and the underlying backend processes. Turning a paper form into a digital PDF or a web form is the easiest 5% of digital transformation. The difficult 95% involves:

  • Integrating with the national identity system.
  • Automating backend approvals so a human doesn’t have to print the digital form to file it.
  • Introducing workflow management tooling to handoff tasks between different government departments or control points.
  • Updating the 40-year-old legislation that still requires a physical signature.

By focusing on what they believe to be “tangible outputs” to win public confidence, GovTech is essentially painting the windows of a house that has no plumbing. Citizens may fill out a form online, but if the “transformation” stops there, the inefficiency is simply moved from the front counter to a back-office inbox. Instead of focusing on throughput (how many forms can we digitize?), GovTech Barbados needs to focus on outcomes (how much time and money can we save the citizen?). It’s also quite telling that the GovTech team has neither the deep expertise nor a visible focus on ICT law and business process reengineering.

The CEO Dilemma: A Startup Mindset in a “Legacy” Environment

Mark Boyce, hired in July 2024, has brought a seemingly more tech savvy energy to the role. His background, marked by a vocal critique of the “safe” career paths of doctors and lawyers in Barbados, suggested he was the disruptor the island needed. However, in reality, Mr. Boyce does not have the qualifications or experience to lead a major national digital transformation initiative like GovTech Barbados. He has never led complex enterprise or government implementations which include cloud computing, interoperability layers, cybersecurity, e-commerce, digital identity, and big data. Unfortunately, neither has the majority of his key hires.

Digital transformation in a government setting is less like a tech startup and more like an organ transplant. The “host body” (the existing Civil Service) often rejects the “new organ” (GovTech) if the cultural and legislative prep work isn’t done.

I can’t help but to think that GovTech is operating as an isolated island of innovation. While Boyce and his team speak the language of “The Radical How” and “agile execution,” the rest of the government still speaks the language of “The General Orders” and “Financial Rules.” This cultural mismatch has led to a bottleneck where GovTech builds prototypes that sit in limbo for months because the “human review process” in traditional ministries remains unchanged.

The Sovereign Cloud and the “Hardware Hubris”

One of GovTech’s early and most controversial claims was that Barbados was “on the brink” of a sweeping transformation fueled by a Tier 3 data center and a “sovereign cloud.”

As I noted in a previous blog post, this often feels like “déjà vu.” Barbados has a history of announcing expensive infrastructure projects that fail to deliver service-level improvements. It’s important to note that:

  • Costs are astronomical: A greenfield Tier 3 data center can cost upwards of $20 million in capital expenditure, with millions more in annual operating costs.
  • Infrastructure vs. Service: A data center is just a room with servers. If the software running on those servers is poorly designed or the data remains siloed in different ministries, the “Sovereign Cloud” is just a very expensive local hard drive.

Furthermore, the focus on building local infrastructure ignores the global trend toward public cloud utilization (AWS, Azure, Google Cloud), which offers better security, scalability, and disaster recovery than a small island nation can typically manage on its own. The obsession with “sovereign hardware” often masks a lack of “sovereign software” capability.

A better approach would be a hybrid cloud model with a smaller footprint sovereign data center hosting “mission critical” and “secret” data (e.g., Digital ID, Electronic Patient Records, BimPay, etc.) and leveraging the public cloud for non-sensitive, high-scale applications (e.g., public-facing websites, information portals).

Missing the “Human” in the Human Firewall

For a “GovTech” agency, there has been a glaring lack of focus on the digital literacy of the civil service. Digital transformation is 10% technology and 90% people.

While GovTech talks about “Digital Champions” within ministries, these individuals are often overstretched civil servants with no formal technical training and no authority to change the processes they are “championing.” Without a massive, nationwide upskilling program for the thousands of government workers who actually process the forms, GovTech’s tools will remain shiny toys that no one knows how to play with.

The Transparency Deficit

Meaningful digital transformation requires trust. Yet, GovTech Barbados must be questioned for its approach to:

  • Cybersecurity: Barbados continues to score poorly on the ITU Global Cybersecurity Index. Announcing “AI-powered” government services without a robust, transparent cybersecurity framework or government-wide AI governance standard is a recipe for a national data disaster.
  • Data Protection: As GovTech moves to “release public datasets” to spur local tech growth, there are unanswered questions about how citizen privacy is being protected under the Data Protection Act. Where is the Open Data Policy? What about Freedom of Information (FOI) legislation? What will be the overarching data governance framework? Is the Data Protection Commissioner being continuously engaged?
  • Procurement: Is GovTech empowering local startups, or is it becoming a middleman for expensive foreign “turnkey” solutions that don’t fit the local context?
  • Digital Identification: Considering the existence of the Trident ID system, why haven’t centralized and federated digital ID been prioritized? GovTech should have already built a “Single Sign-On (SSO)” for all government portals. Instead of having separate logins for Taxes (TAMIS), NIS, and the Land Registry, a citizen uses one verified Trident identity. GovTech can also act as a “Trust Broker.” For example, local banks should be mandated to use the Trident ID API to verify a new customer’s identity instantly, rather than requiring them to visit a branch with a passport. Banking customers should also be able to login to their Internet and mobile banking applications with the Trident digital ID.

Notwithstanding a clear lack of transparency, GovTech Barbados has been granted a multi-million dollar budgetary increase in the 2026–2027 Estimates. The public must now ask: how is this agency being held accountable for its results – or the evident lack thereof?

The Verdict: Is it Transformation or Decoration?

As of early 2026, GovTech Barbados has achieved Digital Decoration. It has made the government look more modern, but it hasn’t made it work more efficiently.

For GovTech to move from a PR success to a systemic success, it needs to stop focusing on “tangible prototypes” and start doing the “unsexy” work of:

  1. Legislative Reform: Working with the Attorney General to kill the “physical signature” requirement once and for all.
  2. Interoperability: Forcing ministries to share data through a central API, so citizens don’t have to provide their birth certificate to five different departments.
  3. Radical Transparency: Publishing real-time KPIs on service delivery times, not just “how many forms we digitized.”

If GovTech continues down its current path, it risks becoming just another “State-Owned Enterprise (SOE)” – a well-funded agency that produces beautiful reports and prototypes while the people of Barbados continue to wait in the sun for a service that should have been a website click years ago.

Cybersecurity & Data Privacy Virtual Summit 2026 

nielharper

It was my esteemed pleasure to have participated in the Cybersecurity & Data Privacy Virtual Summit 2026 these past 4 days.

I shared the “virtual floor” in 2 sessions with Dr. Bright Gameli Mawudor and Godphey Sterling and we discussed the various elements of a successful response to a cybersecurity breach, specifically looking at the Technical Response to neutralize the threat and a Strategic Response to manage business operations, legal obligations, and reputation damage.

We also touched on several topics of critical importance to cyber capacity building in the Global South (e.g., national cybersecurity strategy, CSIRTs, critical infrastructure protection, security awareness, privacy, public sector security standards, supply chain risk management, open-source as an alternative for cost containment, security in emerging technologies, international cooperation, etc.).

Kudos to the other amazing professionals who delivered top-tier presentations and deep knowledge sharing with the captive audience: Grace Lindo, Jason Lau, Rory Ebanks, Greg Richards, Kellye-Rae Campbell, Ann Cavoukian, Karnika Seth, Rosalind Lake, and Deborah Hileman.

Special thanks to Douglas Davidson for the invitation to impart my knowledge and experience and to Andrea Chisholm Anglin for her expert hosting of the event.

AuditBoard names 25 CISOs to watch in 2025

nielharper

In the rapidly evolving landscape of cybersecurity, innovative Chief Information Security Officers (CISOs) play a pivotal role in safeguarding organizations against AI-driven threats, ransomware attacks, and supply chain vulnerabilities. To acknowledge and applaud those leading the charge in tackling these challenges, AuditBoard has carefully chosen 25 CISOs who exemplify a dedication to enhancing cyber risk defenses and sharing their insights with the information security (infosec) community.

This curated list showcases the industry’s most resilient and forward-thinking cybersecurity experts. The 2025 selection highlights individuals who are at the forefront of navigating the ever-changing digital risk landscape, demonstrating resilience and innovation in their approach to cybersecurity leadership.

Thank you AuditBoard for your recognition alongside these amazing industry titans!

Each of these individuals has made a significant contribution to the profession, to industry, and to the organizations they work for. Massive respect goes out to each of them!

Security Magazine Top Cybersecurity Leaders for 2025

nielharper

I would like to express my sincere gratitude to Security Magazine for recognizing me as one of the Top Cybersecurity Leaders for 2025.

I have always been a fan of Security Magazine and their laser focus on providing information and solutions on risk management, cybersecurity, physical security & safety, and other related industry trends. So this recognition from them is particularly appreciated.

Heartiest congratulations to my good friend Jason Lau and the other awardees Anmol Agarwal, Jay Gonzales, Sandra Cavazos, and David Baker – Your commitment to digital trust and your service to the profession are mighty!

Many thanks as well go out to the amazing teams I have led at INTERPOL, Doodle, and other companies. You are the real champions!

Critical Infrastructure (CI) Protection – Are We Ready?

nielharper


Critical infrastructure (CI) are those assets, systems, and networks that provide functions necessary for our human, social, and economic wellbeing. There are key sectors that are part of a complex, interconnected ecosystem and any threat to these sectors could have far-reaching and destructive national security, economic, and public health or safety consequences. 

Despite their reliance on critical infrastructure, developing countries (and several developed nations) at-large have not implemented a nationally-coordinated framework to protect their vital information assets. Cyber attacks, such as distributed denial of service (DDoS), ransomware, advanced persistent threats (APTs), and others can severely affect all the CNI sectors. Cyber attacks differ greatly from traditional types of threats such as terrorism, criminal activities, natural disasters and industrial accidents, among others. Cyber attacks can now be initiated by any person with limited technical proficiency or resources, and these attacks can have a direct effect on overall wellbeing of modern societies.

Last week, I presented at the 2025 Guyana Energy Conference on CNI protection, particularly touching on real-world incidents and addressing the threat landscape, risk assessment, adversary categories, challenges, and opportunities. I also emphasized that a multi-stakeholder approach premised on mutual trust is optimal towards achieving CI protection outcomes.

Check out my presentation HERE.

New ISACA Research: 63 Percent of Privacy Professionals Find Their Jobs More Stressful Now Than Five Years Ago

nielharper

The ISACA State of Privacy 2025 survey report, which gathered responses from over 1,600 privacy professionals globally, revealed that 63% of these professionals find their roles more stressful than they were five years ago, with 34% reporting a significant increase in stress levels. The primary sources of stress identified in the survey were the rapid pace of technological advancements (63%), difficulties with compliance (61%), and a lack of resources (59%).

“In an increasingly complex international regulatory environment, often with lacklustre resources, it is understandable that many privacy professionals are feeling strain from their efforts to stay compliant and keep their organizations’ data safe. Addressing these challenges and getting practitioners the support they need will be vital to not only ensure a healthy privacy workforce, but also to maintain data integrity and security, and avoid potential harm to data subjects.” I made these comments via BusinessWire on the report to emphasize not only the challenges associated with implementing privacy programs, but also the importance of organizations demonstrating their commitment to data governance, data ethics, privacy rights, and overall digital trust.

With AI, the privacy landscape has changed dramatically, including the regulatory burdens for companies. Continued leadership in the boardroom, at the executive level, as well as embedding privacy principles in organizational values is integral to nurturing the trust relationship between enterprises, their customers, and society at large.

Five Ways Security Professionals Can Start the New Year Strong

nielharper

As we step into the new year, it’s crucial for cybersecurity professionals to gear up for a more secure future. Beyond just looking ahead, it’s essential to consider how our personal and professional efforts can enhance #DigitalTrust.

Thanks to ISACA for featuring my latest blog post that outlines five impactful ways to kickstart 2025 and sustain momentum throughout the year. Let’s make 2025 a milestone year for cybersecurity!

You can read the full article here: https://bit.ly/4j7qCfj

Cybersecurity: A Dynamic and Impactful Career Field

nielharper

Strengthening the cybersecurity workforce has become one of the most urgent – and universal – needs for both corporations and nation-states in recent years. Cyber capacity building is also my passion, and I have dedicated the last decade of my life to supporting the next generation of cybersecurity professionals through my work with ISACA, European Commission, and the Internet Society.

The demand for cybersecurity professionals continues to grow. As technology becomes more pervasive in our lives, so does the complexity and frequency of cyber threats. Corporations and governments are constantly seeking to bolster their cyber defenses, increasing the need for more skilled cybersecurity experts.

I wrote this article for Media Planet outlining why cybersecurity is such a dynamic and impactful career path.

Check it out: https://bit.ly/41tZT6e

Human Resources and Cybersecurity (The Dynamic Duo)

nielharper

The human resources (HR) function has become integral to cyber risk management in recent years.

In this CYBER CONNECT podcast, my amazing colleague Jessie Lajoie (Chief of People Ops & Culture) and I discuss how we effectively model our organizational value of collaboration towards achieving the optimal security culture at Doodle.

Our ongoing cooperation spans across the areas of identity and access management (IAM), incident response, security awareness training, data governance, asset management, privacy compliance, and third-party risk management (TPRM), among others.

You can view the full session on YouTube!

The Caribbean Cybersecurity Pandemic – Building a Digital Trust Model

nielharper

Citizens and customers are increasingly losing confidence and trust in their governments and the corporations that develop and deliver online services. From AI to crypto marketplaces to the Internet of Things (IoT), personal data leaks to unethical use of data analytics to supply chain breaches, technology vendors’ and digital service providers’ repeated failures have severely damaged the trust model at the core of their relationships with their customers. There’s no doubt that digitalisation can drive human, social, and economic development. Simultaneously, surveys and research have shown a concerning decrease in trust in online platforms and associated social institutions.

Today, I presented at the Development Dialogue Seminar of the Caribbean Development Bank (CDB) on the topic of building a digital trust model. The backdrop for the discussion was what many see as the ‘Caribbean Cybersecurity Pandemic’ – The avalanche of cyberattacks that have impacted private and public sector entities across the region – and how this correlates to the decrease in trust and limited uptake by citizens of online services (e.g., e-commerce, e-government, social media, fintech, and others).

Leveraging the World Economic Forum’s Digital Trust Framework, I discussed the key goals and dimensions (e.g., security, reliability, accountability, oversight, ethical use, privacy, fairness, redressability, etc.) underpinning digital trust as well as the capabilities needed to operationalise them.

Check out my presentation and let me know your thoughts!