
Eighteen Months Later: The CEO Who Built a Programme
Eighteen months ago, the chief executive of a Caribbean financial services group with approximately US$280 million in assets under management, 165 employees, and operations across four territories sat in a board meeting and listened to a presentation that changed his understanding of his own enterprise. The presentation was not delivered by the CTO or the IT manager. It was delivered by the group’s external auditors, who had included a cybersecurity observations section in their management letter for the first time.
The observations were familiar to anyone who has read this series. The group had no board-approved cybersecurity policy. Email was protected by a basic spam filter that missed sophisticated phishing attacks. Endpoints were protected by traditional antivirus that could not detect fileless malware or behavioural anomalies. Employees had never received security awareness training. The group’s 165 employees used personal devices to access company systems with no mobile device management. Multi-factor authentication was not deployed on any system. The shared administrator password for the core financial platform had not been changed in fourteen months. No penetration test had ever been conducted. No incident response plan existed. And the group’s seven technology vendors had never been assessed for cybersecurity practices.
The auditors’ conclusion was measured but unmistakable: the group’s cybersecurity posture represented a material risk to its operations, its clients’ data, its regulatory standing, and its reputation. The board minutes recorded the CEO’s response: “This is not acceptable. We manage risk for our clients. We cannot fail to manage this risk for ourselves. I want a plan on my desk within thirty days.”
The CEO engaged Dawgen Global to conduct a cybersecurity readiness assessment — a comprehensive evaluation of the group’s security posture against the threats, vulnerabilities, and regulatory expectations that Caribbean financial services enterprises face. The assessment confirmed the auditors’ observations and quantified the gaps. The CEO and the board approved a phased cybersecurity programme with a total investment of approximately US$385,000 over eighteen months — an investment that the CEO described as “less than the cost of one ransomware incident, and less than the cost of one regulatory enforcement action.”
Eighteen months later, the transformation was complete. The CEO presented the programme’s results to the board with the same directness with which he had received the auditors’ original findings.
What Changed: The Results
Email Threat Defence (Article 2): The group deployed multi-layered email security: gateway filtering, SPF/DKIM/DMARC domain authentication, AI-powered business email compromise detection, and DNS-level protection. In the first twelve months of operation, the platform blocked 14,200 malicious emails that the previous spam filter would have delivered to employee inboxes — including 340 targeted phishing attempts and 23 business email compromise attempts that specifically targeted the finance team with fraudulent payment instructions. The CFO’s assessment: “Twenty-three BEC attempts in twelve months. Any one of them could have cost us six figures. We caught all twenty-three.”
Endpoint Protection and Recovery (Article 3): Traditional antivirus was replaced with extended detection and response across all 210 endpoints (workstations, laptops, and servers). The XDR platform detected and automatically contained four malware incidents in the first year — incidents that the previous antivirus did not detect because they used fileless techniques that signature-based detection cannot identify. Comprehensive backup with network isolation, automated verification, and quarterly restoration testing replaced the previous backup system, which had been a single external drive connected permanently to the file server. Recovery time objective: reduced from an estimated five to seven days to under eight hours.
Human Risk Management (Article 4): The group launched a continuous security awareness programme for all 165 employees. The baseline phishing assessment in month one revealed a thirty-two per cent click rate — meaning that roughly one in three employees clicked on a simulated phishing email. After twelve months of monthly training, contextualised simulated phishing campaigns, and behavioural risk scoring, the click rate had fallen to six per cent. The reporting rate — employees who identified and reported the simulated phishing email to IT — had risen from four per cent at baseline to thirty-eight per cent. The CISO’s observation: “We turned our people from our biggest vulnerability into our early warning system.”
Device and Infrastructure Management (Article 5): All employee devices accessing company systems — including the personal smartphones that 165 employees had been using without any security controls — were enrolled in the mobile device management platform. Security policies were enforced: mandatory screen lock, device encryption, application-level authentication, and remote wipe capability. Geofencing was configured for the group’s field operations. The unified IT monitoring platform provided visibility across the group’s servers, workstations, and network infrastructure across all four territories for the first time. The IT manager’s reflection: “For the first time, I can see every device and every system across every territory from one dashboard. Before this, I was managing four separate IT environments with spreadsheets and phone calls.”
Identity and Access Governance (Article 6): Multi-factor authentication was deployed across every system: the core financial platform, email, VPN, cloud applications, and administrative consoles. The shared administrator password was eliminated — replaced by individual privileged accounts with just-in-time access provisioning, session monitoring, and automatic password rotation. Identity lifecycle management automated the provisioning and termination process: when HR processed a new hire, system access was provisioned automatically based on the role; when HR processed a departure, all access was terminated within the hour. The quarterly access review identified and removed forty-seven instances of inappropriate access in its first cycle — former employees, role changes with accumulated permissions, and vendor accounts from completed projects that had never been deactivated.
Offensive Security and Vulnerability Management (Article 7): The group’s first penetration test identified nineteen vulnerabilities classified as critical or high severity across the group’s internet-facing systems and internal network. All nineteen were remediated within the sixty-day remediation window. The second penetration test, conducted twelve months later, identified three medium-severity findings and zero critical or high-severity findings. Continuous vulnerability scanning ran monthly, with critical findings remediated within seven days and high-severity findings within thirty days. The compliance officer’s summary: “We went from nineteen critical vulnerabilities we did not know existed to zero critical vulnerabilities with continuous monitoring. That is the difference between guessing and knowing.”
Data and Application Security (Article 8): The group’s client portal and web applications were protected with dynamic application security testing and API security monitoring. Data security posture management discovered sensitive client data in fourteen locations that the group’s IT team had not identified — including client portfolio data in a shared cloud drive that three former employees still had access to, and production database copies in the development environment with client personal data intact. Active Directory security monitoring was deployed, detecting and alerting on three misconfiguration issues that could have enabled privilege escalation. The CTO’s assessment: “We thought we knew where our data was. We were wrong. DSPM showed us fourteen locations we had missed — each one a potential breach waiting to happen.”
Cybersecurity Compliance Programme (Article 9): The board approved the cybersecurity policy framework in month two. The cybersecurity risk assessment was completed in month three and presented to the board with the risk register that prioritised the group’s control investments. The incident response plan was developed, and a tabletop exercise was conducted with the executive team in month five — the first time the group had ever rehearsed its response to a cybersecurity incident. Third-party cybersecurity due diligence was completed for all seven technology vendors; two vendors were required to remediate identified deficiencies, and contract provisions were updated to include cybersecurity requirements, breach notification, and audit rights. Quarterly cybersecurity reports were delivered to the board throughout the programme.
The Numbers That Matter
The CEO presented the programme’s quantified outcomes to the board at the eighteen-month review.
Investment: US$385,000 over eighteen months, covering technology deployment, managed services, professional services (policy, risk assessment, incident response planning, vendor assessments), and the penetration testing programme.
Threats Blocked: 14,200 malicious emails intercepted, 23 BEC attempts prevented, 4 malware incidents automatically contained, 19 critical vulnerabilities remediated, 47 instances of inappropriate access removed, and 14 unprotected sensitive data locations discovered and secured.
Phishing Resilience: Employee click rate reduced from 32% to 6%. Reporting rate increased from 4% to 38%.
Recovery Capability: Recovery time objective reduced from an estimated 5–7 days to under 8 hours. Backup verified quarterly with successful restoration tests.
Compliance Posture: Board-approved policy framework. Completed risk assessment. Incident response plan tested. All vendors assessed. Zero critical penetration test findings at twelve-month retest. Quarterly board reporting established.
Regulatory Outcome: The group’s subsequent regulatory examination — the first to include cybersecurity in its scope — produced two minor observations and zero findings requiring immediate remediation. The regulator commended the group’s cybersecurity governance framework as a model for the sector.
Business Impact: Two prospective institutional clients cited the group’s cybersecurity programme as a factor in their decision to award mandates. One international correspondent relationship that had been under de-risking review was retained after the group presented its cybersecurity governance documentation. The CEO’s estimate of revenue protected or generated by the programme: approximately US$1.2 million in the first eighteen months.
The CEO’s Blueprint: Lessons for Caribbean Leaders
The CEO distilled the eighteen-month programme into the lessons that he would share with any Caribbean enterprise leader considering the same journey.
Lesson 1 — This Is a Board Issue, Not an IT Issue: “The single most important decision I made was to take cybersecurity out of the IT department and put it on the board agenda. When the board owns cybersecurity, it gets the governance rigour, the budget allocation, and the accountability that it requires. When it lives in IT, it competes with printer repairs and software updates for attention and funding. The board does not delegate financial risk management to the accounts payable clerk. It should not delegate cyber risk management to the IT help desk.”
Lesson 2 — Start with the Risk Assessment, Not the Technology: “Every vendor wanted to sell me their product first. Dawgen Global started with the risk assessment. The risk assessment told me where my actual risks were, not where a vendor’s product happened to fit. We invested based on evidence, not on fear or fashion. The risk assessment is the foundation. Without it, you are guessing.”
Lesson 3 — Layer the Controls: “No single product solves cybersecurity. Email security catches the phishing email. But if one gets through, endpoint protection catches the malware. If the malware compromises credentials, MFA blocks the authentication. If the attacker finds another way in, the XDR detects the behaviour. If data is accessed, DSPM alerts on the anomaly. Each layer catches what the previous layer missed. That is why the layered approach works and why buying one product does not.”
Lesson 4 — Your People Are the Multiplier: “The technology investment was necessary but insufficient. Training our people was the multiplier that made every technical control more effective. A phishing email that an employee reports never reaches the endpoint. A suspicious request that an employee questions never becomes a BEC loss. Six per cent click rate means ninety-four per cent of our people are now part of the defence. That is 155 human sensors that no technology can replace.”
Lesson 5 — Managed Services Are the Caribbean Reality: “We have 165 employees and a three-person IT team. We cannot staff a 24/7 security operations centre. We cannot retain penetration testing specialists, incident response teams, or threat intelligence analysts. The managed service model gives us enterprise-grade security capability without enterprise-grade security headcount. Dawgen Global manages the technology; my IT team manages the business. That division of responsibility is the only model that works for a Caribbean mid-market enterprise.”
Lesson 6 — Compliance Is the Floor, Not the Ceiling: “We built this programme to satisfy the regulator. But the programme delivered far more than compliance. It delivered operational resilience, client confidence, international market access, and board governance visibility. Compliance was the floor we started from. The programme we built is the competitive advantage we operate from.”
Lesson 7 — The Cost of Delay Is Real: “We invested US$385,000 over eighteen months. If we had suffered a ransomware attack like the one described in Article 1 of this series, the cost would have exceeded US$600,000. If a BEC attack had succeeded, the loss could have been US$340,000 in a single transaction. If a regulatory enforcement action had restricted our ability to write new business, the revenue impact would have been measured in millions. The programme was not a cost. It was the least expensive form of protection available to us.”
The Dawgen Global Engagement Model
Dawgen Global’s engagement with the financial services group illustrates the model that Dawgen Global provides to Caribbean enterprises across industries and stages of cybersecurity maturity.
Cybersecurity Readiness Assessment: The engagement begins with a comprehensive assessment of the enterprise’s current security posture: technical controls, governance framework, human factors, vendor relationships, and regulatory alignment. The assessment produces the risk-prioritised roadmap that guides every subsequent investment.
Phased Programme Implementation: The programme is implemented in phases aligned to the enterprise’s risk priorities, budget cycle, and operational capacity. The phasing ensures that the highest-priority risks are addressed first while managing the organisational change that a comprehensive programme requires.
Integrated Technology Deployment: Dawgen Global deploys the integrated suite of security capabilities documented throughout this series — email threat defence, endpoint protection and recovery, human risk management, device and infrastructure management, identity and access governance, offensive security and vulnerability management, and data and application security — as a unified, managed security ecosystem. The enterprise engages one partner for the entire security programme, not seven vendors for seven disconnected products.
Governance and Compliance Services: Dawgen Global provides the governance framework, policy development, risk assessment, incident response planning, vendor assessment, regulatory reporting, and certification support that the enterprise’s compliance obligations require. The governance services ensure that the technical controls are embedded in a framework that the board can oversee and the regulator can examine.
Ongoing Managed Security: Dawgen Global provides the continuous managed security service: 24/7 monitoring, threat detection and response, vulnerability management, security awareness programme management, access governance, and the ongoing optimisation that keeps the programme effective as threats evolve, as the enterprise’s technology environment changes, and as regulatory expectations increase.
The Series in Review: Eight Services, One Programme
This series has documented the cybersecurity challenges that Caribbean enterprises face and the services that Dawgen Global provides to address them. Each article addressed a specific dimension of the cybersecurity challenge. Together, they form the integrated programme that the financial services group’s CEO described as his enterprise’s transformation.
Article 1 — The Breach That Cost More Than Money: The ransomware attack that shut down a professional services firm for four days and cost US$600,000. Why traditional defences fail. The case for a comprehensive cybersecurity programme.
Article 2 — Email Is the Front Door: The BEC attack that cost a financial institution US$340,000 in a single wire transfer. Five layers of email threat defence. Dawgen Global’s Email Threat Defence service.
Article 3 — When the Endpoint Is the Battleground: The fileless malware attack that encrypted a manufacturer’s systems across three facilities. XDR, comprehensive backup, and disaster recovery. Dawgen Global’s Endpoint Protection and Recovery service.
Article 4 — Your People Are Your Weakest Link and Your Strongest Defence: The hotel group receptionist who opened a spoofed email and triggered a US$1.2 million incident. Continuous training, simulated phishing, behavioural risk scoring. Dawgen Global’s Human Risk Management service.
Article 5 — Managing Every Device, Everywhere: The distribution company with forty-five unmanaged phones and a customer database in the back seat of a taxi. MDM, BYOD framework, geofencing, infrastructure monitoring. Dawgen Global’s Device and Infrastructure Management service.
Article 6 — Who Has Access and Why: The former credit union administrator who accessed 22,000 member records for three months after his departure. MFA, PAM, identity lifecycle, access reviews. Dawgen Global’s Identity and Access Governance service.
Article 7 — Testing Before the Attackers Do: The e-commerce company with fourteen critical vulnerabilities that had existed for six years. Penetration testing, vulnerability assessment, digital forensics, SOC monitoring. Dawgen Global’s Offensive Security and Vulnerability Management service.
Article 8 — Protecting the Data That Matters: The retail group’s website that was quietly stealing customer card data for eleven weeks through a vulnerable plugin. DAST, API security, DSPM, AD security, CMS protection. Dawgen Global’s Data and Application Security service.
Article 9 — Cybersecurity for Regulated Enterprises: The insurance company that received seventeen regulatory findings because it had treated cybersecurity as an IT issue. Six-phase compliance programme, four-stage maturity model. Dawgen Global’s Cybersecurity Compliance Programme.
From Vulnerable to Vigilant
The financial services group’s CEO began this journey with a management letter observation and a thirty-day deadline for a plan. Eighteen months later, his enterprise operates with layered security controls, trained employees, governed access, tested systems, protected data, and a compliance framework that the regulator commended.
The journey from vulnerable to vigilant is not theoretical. It is the documented experience of a Caribbean enterprise that made the decision to invest in cybersecurity as a governance priority, engaged a partner to design and manage the programme, and achieved measurable results that protected its operations, its clients, and its future.
Every Caribbean enterprise that holds customer data, processes transactions, operates digital systems, or serves regulated markets faces the same choice that this CEO faced eighteen months ago. The threats documented in this series — ransomware, business email compromise, fileless malware, lost devices, former employees with active access, unpatched vulnerabilities, web skimming, and regulatory findings — are not hypothetical. They are the incidents that Caribbean enterprises are experiencing today.
The question is not whether to invest in cybersecurity. The question is whether to invest before the incident or after it.
Dawgen Global is ready when you are.
Begin Your Cybersecurity Journey
Dawgen Global invites Caribbean enterprise leaders to take the first step: the Cybersecurity Readiness Assessment that reveals where you stand and what your programme should look like.
Request a Dawgen Global Cybersecurity Readiness Assessment. Email [email protected] or visit www.dawgen.global to begin the conversation.

