#BTColumn – Navigating the Cyber Storm: TSTT’s Data Breach and Cybersecurity in the Caribbean

Barbados Today, 14/11/2023

Disclaimer: The views and opinions expressed by the author(s) do not represent the official position of Barbados TODAY.

By Steven Williams

To say that the last three weeks have been nothing short of tumultuous for the Telecommunications Services of Trinidad and Tobago (TSTT) would be an understatement. This statement particularly holds for those who may not be in the IT space or following what has been the biggest IT data breach in recent years.

In November 2023, TSTT faced a significant cyberattack, where unauthorised access to its systems was attempted on October 9. The breach led to the theft and public leak of customer data. TSTT’s CEO Lisa Agard admitted to communication shortfalls during the crisis but also confirmed that, according to her assessment, the compromised data posed a low risk of fraudulent activity to customers. While we genuinely hope that the impact will be minimal, one can never be certain about how cybercriminals will use compromised data once it’s in their possession.

As detailed in a Deloitte report published on February 23, 2023, in Barbados TODAY, the Caribbean, including Barbados, has seen a notable rise in cyberattacks. These attacks have impacted a wide range of industries, from healthcare and finance to retail, emphasising the urgent need for enhanced cybersecurity measures across all sectors. This surge in cyberattacks has heightened concerns over the security of digital information in Barbados and across the region.

While these events underscore the urgent need for enhanced cybersecurity measures across various industries, they raise a pertinent question: Where are the chief information security officers (CISOs)? These officers, whose mandate is to protect the confidentiality and digital assets of a company and who typically report directly to the CEO or the board, are crucial in this context.

It struck me that if these critical businesses lack CISOs, then accountability for cybersecurity may not be given the full priority and resources it requires, even with the best intentions to improve.

In the constantly changing IT environment of Barbados and the Eastern Caribbean, roles need to transition from basic IT management to a more strategic focus. Initially, IT assistants managed technical tasks, but now they have evolved into IT managers who require a broader set of business and strategic skills. These managers increasingly focus on cybersecurity, which was once merely a subset of IT, as a central responsibility. This shift is in stark contrast to the role of a CISO who spearheads strategic cybersecurity initiatives with a focus on risk management and compliance and reports to top executives. CISOs operate in a more strategic capacity, unlike IT managers who are more hands-on.

Establishing a CISO role requires careful consideration of several important factors. The need for a CISO becomes critical when a company manages significant amounts of sensitive data or expands beyond a small to medium-sized operation. Industries that are common targets for cyberattacks, such as finance and healthcare, or those operating in highly competitive sectors with sensitive data, should prioritise this position. Furthermore, a CISO plays a vital role in upholding the stringent data security standards that clients and partners expect, especially in business-to-business (B2B) environments. Companies that view cybersecurity not just as a compliance necessity but as a strategic asset should align their security approach with their overall business goals by appointing a CISO.

Barbados’ future is undoubtedly digital and data-centric. With an economy reliant on services ranging from tourism to finance, the volume and types of information processed by companies and even government entities are highly attractive to cybercriminals.

Now is the time for a new breed of business executive who sees data as a strategic asset and is primarily tasked with ensuring its integrity. This role should not be a secondary responsibility, but a dedicated and vital function, akin to that of other senior executives such as chief financial officers and chief operating officers.

Steven Williams is the executive director of Sunisle Technology Solutions and the principal consultant at Data Privacy and Management Advisory Services. He is a former IT advisor to the Government’s Law Review Commission, focusing on the draft Cybercrime bill. He holds an MBA from the University of Durham and is certified as a chief information security officer by the EC Council and as a data protection officer by the Professional Evaluation and Certification Board (PECB).

Steven can be reached at:
Mobile: 246-233-0090
Email: steven@dataprivacy.bb