Pillar 1 of this series asked Caribbean boards to put their digital foundations in order. Pillar 2 begins from the assumption that they have, and asks the question that immediately follows: what is the firm actually defending those foundations against, and from what posture? “We have antivirus and the staff don’t open suspicious emails” is no longer a defensible answer to that question. It is, however, the answer most Caribbean firms would give if asked today.
The exit conversation that nobody expected
In late 2025 we completed a Foundations engagement for a Jamaican mid-market manufacturer with annual revenues in the upper hundreds of millions of JMD, two hundred staff, and a long-standing position as a respected employer in its parish. The engagement had been straightforward. The firm’s domain ownership was clean, the email infrastructure had been migrated to Microsoft 365 the year before, the founder had handed administrative access to a competent operations manager, and the SPF, DKIM and DMARC records had been published correctly within the first week of the engagement. By the standards of the twenty-four-question Caribbean Digital Foundations Check, the firm passed.
At the exit conversation — a closing meeting attended by the founder, the operations manager, the firm’s external accountant, and a senior Dawgen Global engagement partner — the operations manager asked a question the meeting had not anticipated. “Now that the foundations are clean,” he said, “can we talk about whether the firm is actually protected?”
The room went quiet for a moment. The founder, after a few seconds, gave the answer that almost every Caribbean SMB board would give if asked the same question without preparation. “We have antivirus on every machine,” he said. “And the staff have been told not to open suspicious emails. We’ve never had an incident.”
Our engagement partner asked a follow-up question that turned out to be the moment of the meeting. “If a piece of ransomware reached the firm’s file server this afternoon and encrypted everything on it,” he said, “how long would it take you to know that it had happened, and how long would it take to recover?” The founder, with characteristic honesty, said: “I don’t know.” The operations manager said: “I don’t know either.” The accountant said: “That would depend on the backups, and I’m not sure what state those are in.”
Three honest answers, all of them the same. None of the three people in the room had the information to answer the question. None of them knew who, by name, would be the first to know. None of them knew how the firm’s continuity of operations would be assessed if the answer was that recovery would take days rather than hours. The firm had antivirus. The firm had staff who did not, as a matter of routine practice, open suspicious emails. What the firm did not have was a cybersecurity posture — a documented, agreed, consciously chosen position on what it was prepared for, what it had decided to accept, and what it did not yet know about itself.
This article exists because that exit conversation was not unusual. In our experience across Caribbean SMB engagements, the same three honest answers come back in the same order roughly seventy percent of the time. Antivirus is in place. Staff have been generally cautioned. Beyond that, the firm has not consciously chosen a posture, and the consequence is that the firm has one anyway — usually the wrong one, and usually without anyone in the room having named it.

1. What “cybersecurity posture” actually means
The term “cybersecurity posture” is used widely in the security industry and has, in our experience, almost never been clearly defined to a Caribbean board. The phrase has a technical-sounding ring that suggests it lives in the IT department, and so the board nods and moves on. The phrase is a governance concept, not a technical one, and the failure to translate it into board language is the reason most Caribbean firms operate without one consciously chosen.
A cybersecurity posture is, in plain language, the firm’s standing answer to three questions. Each question is a board-level question, and each question has consequences that the IT department alone cannot decide:
What is the firm prepared for?
This is the question of named threats. Not “cyber threats in general” — that is rhetorical. What specifically: ransomware reaching the file server, a Business Email Compromise targeting the finance team, an insider data export by a departing employee, a denial-of-service attack on the firm’s e-commerce platform during a high-volume sales period, a regulator’s enquiry asking the firm to demonstrate access controls on personal data under the Data Protection Act 2020. The board does not need to predict which threat will arrive. It does need to have decided which of these the firm is consciously prepared to handle, and which it is not.
What has the firm decided to accept?
Every firm accepts some level of cybersecurity risk, whether consciously or not. The Jamaican manufacturer in the opening anecdote had implicitly accepted that, in the event of a ransomware incident, the firm would discover its own state of preparedness through the incident itself. That was a decision — it had simply never been spoken aloud. A documented posture makes such decisions visible. The board can then either ratify them (“yes, we accept that risk”) or reverse them (“no, we don’t, and we need to invest to change it”). What the board cannot do is ratify a decision it has never been shown.
What does the firm not yet know about itself?
This is the question security professionals call “unknown unknowns,” and it is the question Caribbean boards most often refuse to engage with — because it has no clean answer and feels like a confession of incompetence to admit. It is, in fact, the opposite. A firm that knows what it does not yet know about itself is operating from a far stronger posture than a firm that believes it knows everything. The simplest example: most Caribbean SMBs cannot, today, produce a list of every device connected to their network, every cloud service their staff use to do firm business, or every external party with credentialled access to their systems. They believe they have these lists. They do not. The first honest finding of any cybersecurity posture review is the gap between what the firm believes it knows about itself and what it actually does.
Together these three questions define the firm’s posture. They are governance questions. They cannot be answered by the IT department alone, and they cannot be answered by the board alone. They must be answered by the board and the firm’s most senior security-accountable person together — which, in most Caribbean firms, immediately surfaces a different question: who is that person, and do they know it is them?
2. The four Caribbean firm postures
Across the engagements where we have reviewed cybersecurity posture at Caribbean SMBs, four patterns recur with roughly equal frequency. The classification below is the diagnostic device we use in board-level conversations. Three of the four are not where any Caribbean firm should want to be. Only the fourth is the conscious posture; the other three describe firms that have one by default.
Posture A — Default Antivirus
The firm has antivirus on every endpoint, has paid for it for years, and considers cybersecurity to be substantially handled by that fact. Email is filtered by whatever spam protection came with the mail platform. Staff have been told, at some point, not to open suspicious attachments. There is no named senior person responsible for security at board level, because the matter has been delegated implicitly to whoever handles IT. Backups exist on the file server in some form, but no one has restored from them in living memory.
Posture A was a defensible position for a Caribbean SMB in 2010. It is not in 2026. Antivirus addresses one specific category of threat (file-based malware delivered to endpoints) and is largely ineffective against the threats that actually cost Caribbean firms money today (Business Email Compromise, ransomware delivered through phishing, credential theft, supply-chain compromise). A firm operating in Posture A is, in practice, accepting all of the risks above without having named them — and is one well-crafted phishing email away from discovering the limits of the position.
Posture B — Compliance-Driven
The firm has put cybersecurity controls in place because a counterparty, a regulator, or an insurer required them. The Jamaican Data Protection Act 2020, a banking-sector cyber-resilience guideline, a large customer’s vendor-assessment questionnaire, or a cyber-insurance renewal application has produced a list of controls that the firm has implemented to satisfy the asking party. Encryption is enabled because the questionnaire asked about it. Multi-factor authentication is enforced on email because the insurer demanded it. A cybersecurity policy document exists because a customer required one.
Posture B is materially better than Posture A. The firm has controls in place that genuinely reduce risk. But the controls are organised around what the asking party wanted to see, rather than around the threats the firm actually faces. The result is a firm that can produce documentation in response to any reasonable enquiry, but cannot — in the absence of a fresh enquiry — name what its actual exposures are. Posture B firms tend to fail at the moment the compliance-driver disappears: the insurer drops the requirement, the customer accepts another supplier, the regulator’s audit cycle closes, and the controls quietly stop being maintained because nobody internally was the one demanding them in the first place.
Posture C — Incident-Reactive
The firm has had at least one cybersecurity incident — a ransomware event, a Business Email Compromise, a customer-data exposure, a denial-of-service attack — and has invested significantly in cybersecurity controls afterwards. The investments are real and the controls are usually well-targeted at the specific category of incident that occurred. Senior management speaks publicly about cybersecurity. The board agenda includes a cybersecurity update every quarter.
Posture C is the most expensive way to arrive at a serious cybersecurity programme, and the firm has paid for the lesson in a currency it would not have chosen. The risk in Posture C is that the controls are over-fitted to the specific incident the firm has experienced. The next incident will, by the historical pattern of these things, be a different category — and the firm’s investments will not have addressed it. A Posture C firm that survived a ransomware event is rarely well-defended against a Business Email Compromise; a firm that survived a BEC is rarely well-defended against an insider data exfiltration. The lesson the firm took was: “this category of incident is real, we must defend against it.” The lesson it needed to take was: “our overall posture was inadequate; we must define, defend, and review it deliberately.”
Posture D — Risk-Managed
The firm has named a senior person — at board level or reporting directly to it — who is accountable for cybersecurity. That person owns a documented cybersecurity posture statement that names what the firm is prepared for, what it has decided to accept, and what it does not yet know about itself. The posture is reviewed at a defined cadence — annually at minimum, more often if the firm’s circumstances change materially. Controls are mapped to threats, not to questionnaires. Incidents, when they happen, are treated as inputs to the posture review, not as triggers for the next round of reactive investment.
Posture D is the position every Caribbean SMB serious about its own continuity should be working toward. It is not the position most Caribbean SMBs are in today, and the gap from Posture A, B, or C to Posture D is the substantive work that the rest of Pillar 2 of this series will address. The good news is that the gap is closeable in the medium term for almost every Caribbean firm of meaningful size. The first step is to name the firm’s current posture honestly, which is what the audit in §4 below is for.
3. Why “we have antivirus” is not a posture
The title of this article promises “beyond antivirus.” The promise needs to be kept directly. Antivirus is a useful tool for a narrow category of threat, and its uselessness against most of the threats that actually cost Caribbean firms money is worth naming clearly. There are three points the board needs to hold.
Antivirus catches file-based malware on endpoints. Most attacks are no longer that.
The Business Email Compromise that took JMD 4.7 million from a Jamaican retail group (told at board level in Article 1.2 of this series, and in forensic detail in Article 1.5) did not involve any malware. There was no file to scan. There was an email purporting to come from the managing director, and a payment made by a bookkeeper who believed the email was genuine. Antivirus would not have prevented the loss. The three records described in Article 1.5 — SPF, DKIM, and DMARC — would have, or would at least have made the impersonation visible. The firm had antivirus. It did not have email authentication. The loss reflected the gap.
Antivirus protects machines. Most modern attacks target people, services, or both.
Phishing targets the user, not the machine. Credential theft targets the user’s behaviour, not the device. Cloud-service compromise (a misconfigured Microsoft 365 tenant, a SaaS application with weak access controls, a public file-sharing link that was never meant to be public) targets services the firm uses, not endpoints the firm owns. A firm that has invested entirely in endpoint antivirus has defended one category of risk and left several others structurally exposed.
Antivirus is a tactical control. A posture is a strategic position.
Even if antivirus were perfectly effective against every modern threat, having antivirus would not constitute a cybersecurity posture. A posture is the strategic position from which the firm decides which tactical controls it deploys, in what combination, against which named threats. Antivirus is one tactical control. The firm needs more — but more importantly, the firm needs the strategic framework in which it decides how many controls, which controls, and against what. Without the strategic framework, the firm is buying tools in response to whichever vendor’s marketing email arrived most recently, or whichever incident appeared in the regional news this quarter. Tools without a posture are the most common failure mode of Caribbean SMB cybersecurity investment.
4. The Six-Question Cybersecurity Posture Audit
This is the first audit of Pillar 2. The structure is identical to the audits that closed the Foundations articles, but the audience is wider: these questions should be put to the board and the firm’s most senior security-accountable person together. If question 1 cannot be answered — if there is no such named individual — the audit pauses there and the firm has its first action item from the article.
| # | Question for the Board | What “Pass” Looks Like |
| --- | --- | --- |
| 1 | Can the board name, today, the single most senior individual at the firm who is accountable for cybersecurity — and does that individual know it is them? | Yes — name spoken from memory, accountability acknowledged in writing. |
| 2 | Which of the four postures (A, B, C, D) most accurately describes the firm today, when answered honestly? | Posture named with conviction; “D, but with these gaps” is an acceptable answer. “We’re not sure” is the failure mode. |
| 3 | Can the firm produce, on twenty-four hours’ notice, an accurate inventory of every device on its network, every cloud service its staff use to do firm business, and every external party with credentialled access to its systems? | Yes — three documented inventories, last updated within 90 days. |
| 4 | If ransomware reached the firm’s file server this afternoon and encrypted everything on it, how long would it take to know, and how long would it take to recover — and does the board know the answer? | Both answers known to the hour, last tested by restoration drill within 12 months. |
| 5 | Is there a written cybersecurity posture statement — naming what the firm is prepared for, what it has decided to accept, and what it does not yet know about itself — that the board has reviewed within the last twelve months? | Yes — document exists, dated, minuted board review within the year. |
| 6 | When was the last cybersecurity tabletop exercise or simulated incident at the firm, and what did it surface that the firm has since fixed? | Within twelve months, with at least one specific fix the board can name. |
A firm that passes all six questions is operating in Posture D. A firm that passes three or four is in transition — usually from Posture B (Compliance-Driven) toward Posture D. A firm that passes one or two is in Posture A or C, and the path to Posture D is a defined twelve-month programme. The audit does not produce a grade; it produces an honest map of where the firm currently is, and that map is the starting point for the rest of Pillar 2.
5. What Pillar 2 will cover, and why this is the right order
This article opens Pillar 2 of The Caribbean Digital Foundations Series. Where Pillar 1 dealt with the firm’s digital identity and how it is established, Pillar 2 deals with what is built on top of that identity once the foundations are in place — the controls, the posture, and the disciplines that allow the firm to defend what it now owns.
The pillar’s articles will address, in sequence, what we believe to be the right order for a Caribbean SMB working from Posture A, B, or C toward Posture D. Article 2.2 will examine identity and access management — who has credentialled access to which systems, how that access is provisioned, reviewed, and removed, and why this is the single highest-leverage area of investment for most Caribbean SMBs. Article 2.3 will examine data protection in operational practice — what the Jamaican Data Protection Act 2020 actually requires when translated from legal language into operational controls. Article 2.4 will address backup, recovery, and continuity — what “we have backups” actually means in practice, and what good looks like. Article 2.5 will examine third-party and supply-chain risk — the suppliers, the cloud services, and the contractors whose security posture is now part of the firm’s own. And Article 2.6 will close the pillar with the Caribbean Cyber Hygiene Scorecard, an annual instrument that converts the postures named in this article into measurable controls the firm can track over time.
This is a different ordering from most cybersecurity literature, which typically begins with technical controls and works outward to governance. Pillar 2 reverses that order deliberately. The board’s question is not which tools to buy. The board’s question is which posture to occupy. The tools follow.
6. Where to go from here
The right starting move, after reading this article, is not to invest in new cybersecurity tools. The right starting move is to convene the board and the firm’s most senior security-accountable person — naming them first, if necessary — and to work through the six questions in §4 honestly. The result of that conversation is the firm’s current posture, named explicitly, and a short list of the most material gaps.
From that starting point, the rest of Pillar 2 of this series is the substantive work that follows. A firm that has named its posture is ready to engage with the controls. A firm that has not is buying tools it has not chosen, in response to threats it has not named, from a posture it has not consciously occupied.
WHERE TO GO FROM HERE
Name the posture. Map the gaps. Design the road to Posture D. Through Dawgen Global Technologies, the firm offers a structured Cybersecurity Posture Review engagement that does three things in sequence: it maps the firm against the four postures described in this article, it produces a documented posture statement aligned with the Data Protection Act 2020 and other relevant Caribbean regulatory frameworks, and it delivers a twelve-month roadmap from the firm’s current posture to its target posture. The engagement is fixed-price, fixed-duration, led by a senior consultant, and designed to leave the firm with a working artefact — not a binder. Billing in USD or JMD, Caribbean-based support, with engagement-partner oversight from Dawgen Global throughout. Visit our web-services solution at dawgentechnologies.com or write to [email protected] to arrange a Cybersecurity Posture Review through your Dawgen Global engagement team.
Author
Dr. Dawkins Brown is the Executive Chairman and Founder of Dawgen Global, an independent integrated multidisciplinary professional services firm headquartered in New Kingston, Jamaica, operating across 15+ Caribbean territories. Dawgen Global Technologies is the firm’s web-services line, delivering domains, hosting, professional email, Microsoft 365, SSL, websites, security and backups across the region.
About The Caribbean Digital Foundations Series
The Caribbean Digital Foundations Series is a 30-article thought leadership programme published by Dawgen Global on its blog (dawgen.global/blog) through 2026. The series is organised into five pillars — Foundations, Trust & Security, Presence & Performance, Productivity & Collaboration, and Commerce & Growth — and is designed to bring the same governance lens Dawgen Global applies to audit, tax and advisory engagements to the web-services decisions every Caribbean SMB must now make.
This is Article 2.1, the opening article of Pillar 2 (Trust & Security). Pillar 1 (Foundations) was completed in Article 1.6, “From Personal Inbox to Professional Brand,” and the six articles of that pillar form the assumed starting point of this one. Articles 2.2 through 2.6 will follow, completing the pillar with the Caribbean Cyber Hygiene Scorecard.
© 2026 Dawgen Global | Big Firm Capabilities. Caribbean Understanding.