For too long, boards have treated cybersecurity as something to delegate to technical experts and review once a year. But cyber risk is now enterprise risk — and a board that watches from the sidelines is not governing it at all.


This series has built, article by article, toward a single idea: that the things which change continuously must be watched continuously. We have applied it to governance as a whole, to artificial intelligence, and to the vendors your operations now rest on. This time we turn to the domain that boards most often delegate and most badly need to own: cybersecurity. And I want to make an argument some directors will find uncomfortable. Cyber oversight is not a spectator activity. It is a board sport — and too many boards are still watching from the stands.

Why cyber became a board matter

For most of its history, cybersecurity was treated as a technical specialty: important, but firmly the domain of the IT or security function — to be resourced, trusted, and otherwise left alone. That delegation made a kind of sense when a breach meant an inconvenience. It makes no sense now. A serious cyber incident today is not a technical event; it is an enterprise event — operations halted, customer data exposed, money lost, regulators engaged, lawyers involved, and reputation damaged, sometimes irreparably. When the consequences of a risk are existential, oversight of that risk cannot sit two levels below the board. Regulators have reached the same conclusion: increasingly they expect to see boards actively engaged in cyber governance, not merely receiving an annual briefing. Cyber has become, unavoidably, a board matter.

The translation problem

And yet most boards struggle to govern it, for an understandable reason: cyber is reported to them in a language they cannot interrogate. The typical board cyber update is a dashboard of technical metrics — vulnerabilities patched, tools deployed, alerts triaged, projects on track. All of it is real work, and none of it answers the questions a director actually needs answered. Are we more or less exposed than we were last quarter? What is our single biggest cyber risk right now? If we were attacked tomorrow, could we respond and recover? A board cannot govern what it cannot understand, and a wall of technical green lights is not understanding. It is reassurance without comprehension — which is the most dangerous kind.

“Are we secure?” has no useful answer. “Are we more exposed than last quarter?” does.

The fragmented-controls problem

Underneath the reporting problem lies a deeper one. Most organisations have built their cyber defences the way a house accumulates furniture — piece by piece, over years, as needs and budgets allowed. A firewall here, endpoint protection there, multi-factor authentication added later, a monitoring contract signed, vendor assessments run occasionally. Each control is sensible on its own. But no one holds a continuous, integrated picture of whether they all still work — together, today — and where the gaps between them sit. Worse, each control is typically verified at a point in time and then assumed to keep working, when in reality controls decay continuously: a configuration change weakens one, a new integration bypasses another, an expired certificate silently disables a third, a departed administrator leaves access no one revoked. The result is a defence that looks complete on an inventory and is full of quiet holes in practice.

Why point-in-time fails here in particular

This is why the annual model fails cyber more completely than almost any other domain. A penetration test or a yearly assessment is a photograph of a battlefield that never stops moving. The threats evolve weekly; the controls drift continuously; the attack surface changes every time a system is added or a vendor is onboarded. An assessment that was accurate in March describes an organisation that no longer exists by September. And the adversary, of course, keeps no audit calendar.

What the board actually needs

The good news is that governing cyber well does not require directors to become technologists. It requires translating the technical reality into the three things a board can genuinely oversee, continuously. The first is exposure: a plain-language read on how exposed the organisation is, and crucially whether that exposure is rising or falling over time. The second is control health: not a list of tools owned, but evidence that the controls that matter most are actually working now. The third is readiness: confidence — tested, not assumed — that the organisation could detect, respond to and recover from an incident. Around these sits the discipline of regularly testing the response through tabletop exercises, and of watching the cyber posture of the critical vendors who can so easily be the source of your breach. None of this is technical jargon. All of it is governable.
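What "control health" evidence looks like when it is produced continuously rather than once, as an added example for this article: the Python below is not material from the page and is not Dawgen TRUST360 or any other product. It takes one constructed inventory (hypothetical hosts, accounts, leaver dates and thresholds, all assumptions) and re-evaluates the same controls on a March date and again on a September date. Nothing in the certificate record changes between the two runs; the control fails in September simply because time has passed, which is the decay the section describes. The output is the board-level read the text asks for: an exposure figure, whether it is rising or falling, and the top risks in plain language.

```python
"""Continuous control-health check over a constructed control inventory.

Added example, not Dawgen TRUST360 or any real product. Every host, user,
date, threshold and field name below is a hypothetical assumption.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    control: str   # the control being verified
    ok: bool       # True only if there is evidence it works today
    detail: str    # plain-language reason a director can read


def check_certificates(certs, today, warn_days=30):
    """Expired, or about to expire, means the control is not evidenced working."""
    findings = []
    for c in certs:
        days_left = (c["not_after"] - today).days
        name = "TLS certificate: " + c["host"]
        if days_left < 0:
            findings.append(Finding(name, False, f"expired {-days_left} days ago"))
        elif days_left <= warn_days:
            findings.append(Finding(name, False, f"expires in {days_left} days"))
        else:
            findings.append(Finding(name, True, f"valid for {days_left} more days"))
    return findings


def check_admin_access(admins, leavers, today, stale_days=45):
    """Privileged accounts: leavers whose access survived, and accounts nobody uses."""
    findings = []
    for a in admins:
        name = "Admin access: " + a["user"]
        idle = (today - a["last_login"]).days
        if a["user"] in leavers and leavers[a["user"]] <= today:
            findings.append(Finding(name, False,
                                    f"left on {leavers[a['user']]}, access still active"))
        elif idle > stale_days:
            findings.append(Finding(name, False, f"no login for {idle} days"))
        else:
            findings.append(Finding(name, True, "active, current employee"))
    return findings


def check_mfa_coverage(accounts, minimum=1.0):
    """MFA only counts if every account that can reach the system is covered,
    including service accounts introduced by new integrations."""
    uncovered = [a["user"] for a in accounts if not a["mfa"]]
    covered = 1 - len(uncovered) / len(accounts)
    detail = f"{covered:.0%} of accounts enforce MFA"
    if uncovered:
        detail += "; bypassed by: " + ", ".join(uncovered)
    return [Finding("MFA coverage", covered >= minimum, detail)]


def assess(snapshot, today):
    """Evaluate every monitored control as of `today`."""
    return (check_certificates(snapshot["certs"], today)
            + check_admin_access(snapshot["admins"], snapshot["leavers"], today)
            + check_mfa_coverage(snapshot["accounts"]))


def exposure(findings):
    """Percentage of monitored controls without evidence they work right now."""
    failing = sum(1 for f in findings if not f.ok)
    return round(100 * failing / len(findings))


def trend(previous, current):
    if current > previous:
        return "rising"
    if current < previous:
        return "falling"
    return "flat"


def board_read(snapshot_then, date_then, snapshot_now, date_now):
    """The three things the board can govern: exposure, its direction, top risks."""
    then, now = assess(snapshot_then, date_then), assess(snapshot_now, date_now)
    e_then, e_now = exposure(then), exposure(now)
    return {"exposure_then": e_then, "exposure_now": e_now,
            "trend": trend(e_then, e_now),
            "top_risks": [f"{f.control}: {f.detail}" for f in now if not f.ok]}


# Constructed inventory (hypothetical). March: the annual assessment date.
MARCH, SEPTEMBER = date(2025, 3, 31), date(2025, 9, 30)
SNAPSHOT_MARCH = {
    "certs": [{"host": "online-banking.example", "not_after": date(2025, 8, 20)},
              {"host": "api.example", "not_after": date(2026, 1, 15)}],
    "admins": [{"user": "alice", "last_login": date(2025, 3, 28)},
               {"user": "bob", "last_login": date(2025, 3, 29)}],
    "leavers": {},
    "accounts": [{"user": "alice", "mfa": True}, {"user": "bob", "mfa": True},
                 {"user": "carol", "mfa": True}],
}
# September: same certificates (nobody renewed), one administrator has left
# without revocation, and a July vendor integration added an account outside MFA.
SNAPSHOT_SEPTEMBER = {
    "certs": SNAPSHOT_MARCH["certs"],
    "admins": [{"user": "alice", "last_login": date(2025, 9, 29)},
               {"user": "bob", "last_login": date(2025, 6, 10)}],
    "leavers": {"bob": date(2025, 6, 13)},
    "accounts": SNAPSHOT_MARCH["accounts"] + [{"user": "svc-vendor-sync", "mfa": False}],
}

if __name__ == "__main__":
    print(board_read(SNAPSHOT_MARCH, MARCH, SNAPSHOT_SEPTEMBER, SEPTEMBER))
```

Run as written, the March evaluation reports 0% exposure with every control green; the September evaluation of the same inventory reports 60% exposure, trend rising, with three named risks: the expired banking certificate, the leaver's live admin access, and the service account that bypasses MFA. The design choice worth noting is that the check is a function of the date as well as the inventory: that is what turns a point-in-time photograph into a trend a board can interrogate.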

The questions a board should ask

If cyber is a board sport, then the board’s role is to ask the questions that keep the organisation honest — and to ask them continuously, not once a year. “Are we secure?” is not one of them, because it has no truthful answer; no one is ever secure, and anyone who claims to be should not be believed. The useful questions are sharper. What are our top three cyber risks this quarter, and are they trending up or down? When did we last test our incident response, and what did we learn? Which of our critical vendors could take us down, and what would we do if one were compromised? If we were breached tonight, how quickly would we know? A board that asks these questions — and expects evidence-based answers — is governing cyber. A board that receives a technical deck and nods is not.

The Caribbean dimension

For Caribbean organisations, none of this is theoretical. Our financial institutions, public bodies and mid-market firms are attractive targets precisely because attackers assume — too often correctly — that defences are thinner and oversight lighter than in larger markets. Regional regulators, including the Bank of Jamaica and the Financial Services Commission, are raising their expectations of cyber governance accordingly. And for a mid-market Caribbean organisation, the financial and reputational cost of a serious breach is not a line item to absorb; it can be existential. That combination — rising threat, rising regulatory expectation, limited resources — is precisely the case for continuous, board-visible cyber oversight that does not require building a large internal security function to achieve.

What good looks like

This is why cybersecurity is one of the six domains Dawgen TRUST360™ monitors continuously — turning fragmented technical signals into a board-level read on exposure, control health and readiness; keeping watch on vendor cyber risk; and exercising incident response before an incident tests it for you. The aim is simple: to give the board not more data, but genuine, current cyber confidence it can stand behind.

Time to get off the bench

So let me put the question directly to the directors reading this. Your security team is, in all likelihood, capable and committed; that was never in doubt. The question is whether the board is in the game alongside them — asking sharp questions on a continuous read, rather than accepting an annual report it cannot interrogate. Cyber risk will not wait for your next assessment, and it will not respect the boundary between “technical” and “governance.” It is a board sport. The only choice you have is whether to play.

About the author

Dr. Dawkins Brown is Executive Chairman and Founder of Dawgen Global, an independent, integrated multidisciplinary professional services firm operating across the Caribbean, and Founding Editor of Caribbean Boardroom Perspectives.

Continue the conversation: dawgen.global  ·  [email protected]

Next in the series — Article 8: “ESG Without the Greenwashing.”

About Dawgen Global

Dawgen Global is an independent, integrated multidisciplinary professional services firm headquartered at 47 Trinidad Terrace, New Kingston, Jamaica, serving more than 15 territories across the Caribbean. Founded and led by Dr. Dawkins Brown, Executive Chairman, the firm is independent and not affiliated with any international network. It delivers a full suite of professional services under one roof: audit and assurance; tax advisory; IT and digital transformation; risk management; cybersecurity; actuarial and insurance regulatory advisory; HR advisory; mergers and acquisitions; corporate recovery; business advisory and strategy; accounting BPO and virtual CFO services; and legal process outsourcing.

The proposition is simple: big-firm capability without the big-firm price. Dawgen Global’s integrated approach is built for the specific complexities and opportunities of the Caribbean market, helping organizations make sharper, better-informed decisions that drive measurable progress.

To explore a partnership, reach out:

by Dr Dawkins Brown

Dr. Dawkins Brown is the Executive Chairman of Dawgen Global, an integrated multidisciplinary professional services firm. Dr. Brown earned his Doctor of Philosophy (Ph.D.) in Accounting, Finance and Management from Rushmore University. He has over twenty-three (23) years of experience in audit, accounting, taxation, finance and management. Starting his public accounting career in the audit department of a “big four” firm (Ernst & Young), and gaining experience in local and international audits, Dr. Brown rose quickly through the senior ranks and held the position of Senior Consultant prior to establishing Dawgen.


Dawgen Global is an integrated multidisciplinary professional services firm in the Caribbean Region. We are integrated as one regional firm and provide several professional services including audit, accounting, tax, IT, risk, HR, performance, M&A, corporate recovery and other advisory services.


© 2023 Copyright Dawgen Global. All rights reserved.

© 2024 Copyright Dawgen Global. All rights reserved.