Cybersecurity Leadership and Governance

Explore top LinkedIn content from expert professionals.

  • Antonio Grasso

    Technologist & Global B2B Influencer | Founder & CEO | LinkedIn Top Voice | Driven by Human-Centricity

    39,786 followers

    As digital privacy concerns grow, businesses must rethink identity management to balance security with user control, reducing reliance on centralized databases. Embracing decentralized identities isn't just about compliance—it's about creating trust in a digital-first world. Decentralized identities (DCI) shift personal data control from organizations to individuals, reducing the risk of breaches while enhancing user privacy. Unlike traditional models that store identity information in centralized databases prone to cyberattacks, DCI leverages blockchain and cryptographic methods to validate credentials without exposing sensitive details. This approach benefits businesses by lowering regulatory risks and improving compliance with privacy laws such as GDPR. It also streamlines authentication, enabling seamless verification across platforms without constant data exposure. Interoperability challenges and regulatory adaptation remain critical factors for widespread adoption, requiring standardized frameworks and global cooperation to unlock its full potential. #DecentralizedIdentity #Blockchain #Cybersecurity #DataPrivacy #DigitalTransformation

  • Ross McCulloch

    Helping charities deliver more impact with digital, data & design - Follow me for insights, advice, tools, free training and more.

    22,833 followers

    AI in the Boardroom: What Charity Trustees Need to Do Now 🚨 Too many boards are sleepwalking into the risks, while missing the opportunities. I've just finished reading the new Institute of Directors (IoD)’s 'AI Governance in the Boardroom report' and it makes one thing clear: trustees can’t delegate this. AI is a board-level issue. Here are the key takeaways from the report every charity board should act on: 🧠 Stay Curious. Stay Learning. Boards don’t need to be technical experts, but they must understand enough to ask the right questions. Build a culture of digital curiosity at board level. ⚖️ AI = Risk AND Opportunity. Don’t just see AI as a shiny tool to save time. Trustees must weigh efficiency gains against bias, privacy, reputational harm, and compliance risks. ❓ Governance Starts with Questions. Who owns AI in your organisation? How is data being used? What safeguards are in place? Boards need simple checklists and regular oversight, not a one-off discussion. 📜 Know the Law. Regulation is tightening. - The EU AI Act is rolling out, with obligations on transparency, risk classification, and human oversight. - The UK is moving towards sector-led regulation, but trustees are still on the hook for data misuse under GDPR and the ICO’s guidance. - Trustees should be clear: ignorance won’t protect your charity from fines, reputational damage or, worst of all, harm to beneficiaries. 🎯 Impact Before Hype. Does this AI tool align with our mission, or is it just a gimmick? Focus on how tech helps people - service users, staff, and volunteers. 🛡️ Build Oversight Structures. Some boards are creating AI subcommittees or ethics groups. At the very least, AI should be a standing agenda item. Oversight isn’t optional anymore. 🔐 Data is Everything. AI governance is data governance. If your board isn’t confident on data protection, cybersecurity, and safeguarding sensitive information, that’s the place to start. The report is blunt: AI governance is now a fiduciary duty. 
Trustees don’t get a free pass. ✅ If you sit on a charity board, make AI part of your next meeting agenda. ✅ If you’re a Digital Trustee, help your board translate principles into practice. ✅ If you’re a CEO, empower your trustees to ask the hard questions. This is about safeguarding the people we serve, and making sure technology works for charities, not against them. 👉 If you need to find an AI, data or cyber expert for your board check out the funded Digital Trustees programme from Third Sector Lab. 👏 Thanks to all the authors of the report, including: Michael Ambjorn Phil Clare Paul Corcoran Pauline Norstrom LLB (Hons) FRSA FIoD FBCS Niran Olarinde Institute of Directors (IOD), India Institute of Directors (IoD) ❓What's your simple advice for boards looking to start their AI conversation?

  • Santosh Kamane

    Cybersecurity and Data Privacy Leader | Independent Director | Entrepreneur | PECB Certified ISO 42001 Trainer | Virtual CISO | GRC | AI Governance | DPO as a Service | Empowering Future Cybersecurity Professionals

    32,694 followers

    Unfortunately, many organizations treat audits like a school exam they need to “pass”, not a tool to improve the security posture of the organization. The goal isn’t necessarily to fix the problems [or keep ignoring until a real cyber-attack hits] but to tick boxes and get that stamp of “compliance”. In some cases, auditors are handed a narrowly defined scope – while conveniently forgetting to mention messy departments, high-risk projects, personal data processing areas, or sketchy vendor deals. In my experience as well, often, unless I deep dive into questions, many organizations downplay risks and don’t acknowledge the personal data processing risks. Auditors can’t check everything, so some companies serve up carefully curated samples. Example – for proof of endpoint security, share a screenshot of EDR on one of the machines. This could be a short-term win, long-term pain: these ignored risks can explode later as lawsuits, fines, or reputational disasters. When audits are rushed or superficial, trust in the system crumbles. Genuine audits demand transparency, empower whistleblowers, and actually fix what’s broken. Image courtesy: AI #audit #compliance #riskmanagement #cyberattack #databreach Rivedix CYTAD

  • Dr. Apostolos Kritikopoulos

    Technology & Operations in Banking, C-Level executive

    32,261 followers

    2.5 million (!!!) personal records have been exposed following the cyberattack on ΕΕΤΑΑ [Hellenic Agency for Local Development and Government - "Ελληνική Εταιρεία Τοπικής Ανάπτυξης και Αυτοδιοίκησης"], making it one of the most damaging data breaches in Greece's digital history. This was not just a system failure. It was a direct hit on the privacy of families, infants, school children, teenagers, people with disabilities, and those working to support them. The compromised information includes full names, birthdates, nationalities, tax and social security numbers, bank account details, income levels, employment status, family relationships, residential addresses, and indicators of disability. These are deeply personal details collected over a decade through programs meant to provide care, protection, and access to education and community support. Now this data is out in the wild. On the dark web, it becomes a tool. It can be used to create hyper-targeted PERSONALISED cyberattacks. Scammers can launch phishing campaigns that reference real income or family status. Fraudsters can tailor social engineering schemes based on location, family connections, or public service use. Threat actors can impersonate individuals with alarming accuracy. Institutions must now move from reactive damage control to proactive digital resilience. Security can no longer be delegated or delayed. It must be embedded in the architecture, culture, and governance of every public system that handles sensitive data. You can read more here: https://lnkd.in/dZaEgidj #CyberSecurity #DataBreach #Infosec #DigitalResilience #Greece

  • Volodymyr Semenyshyn

    President at SoftServe, PhD, Lecturer at MBA

    21,397 followers

    In the U.S. alone, cybercrime caused $16 billion in damages in 2024 - a 33% increase from the year before. And most of these breaches weren’t due to complex hacks or advanced malware. They happened because of simple human errors: misconfigured systems, unsecured devices, careless behavior, or being tricked by a convincing phishing email. That’s why the human factor is often the weakest link in cybersecurity, but also where the biggest gains can be made. So how do we build a human-centered security culture? It’s about shaping behavior and habits. A proven approach is Neidert’s Core Motives Model, which helps leaders guide employees toward secure behavior through three stages: 🔹 Connect – Build trust and rapport. People follow leaders they like and feel connected to. Gamified training sessions, team bonding, and small acts of reciprocity go a long way. 🔹 Reduce Uncertainty – Show credibility and social proof. When senior leaders take part in security efforts, or when teams see peers taking security seriously, they’re more likely to follow suit. 🔹 Inspire Action – Reinforce commitments. Use nudges, timely reminders, and even friendly competitions to encourage continuous attention to cybersecurity practices. A collective mindset where everyone feels responsible for protecting company assets, and each other. Security doesn’t live in IT alone. It lives in everyone’s daily choices.

  • James Monaghan 🦋

    Venture builder and consultant in decentralised identity, privacy & AI

    3,380 followers

    🎭  Decentralisation Theatre? 🎭 Saying the quiet part out loud: “We’re so decentralised… but our root of trust? A file on the webserver.” There’s been a quiet yet widespread acceptance of approaches like did:web and centralised trust lists in decentralised identity. Let’s be clear: these tools aren’t inherently bad. They can be practical and fit-for-purpose in many contexts (and especially when you're still in the POC phase). But here’s the key question: 👉 Are you consciously trading off decentralisation and security for convenience? If did:web works for you, that’s fine! But then ask yourself: 1️⃣ Do you actually need the rest of the DID stack? 2️⃣ Are you maximising other benefits of DID in your use case? 3️⃣ Do you have a plan for future DID method agility? On the other hand, if your goals truly require decentralised secure key management and trust minimisation, it might be worth considering alternatives: ⛓️ Ledger-based DID methods that leverage decentralised public infrastructure. 🔑 Self-certifying identifiers that remove reliance on central registries. The point isn’t to shame the use of centralised elements like did:web, which are often required to achieve pragmatic outcomes - it’s to advocate for intentionality. Understand the trade-offs, and design your solution to align with the level of decentralisation and trust you actually need. Decentralisation is a buzzword, but it is also a spectrum. Where does your root of trust live? 🌐

  • Ethel Cofie

    Non Executive Director | Board Advisory on Digital Transformation | Author | Fintech | Tech Policy | Technology and Innovation Consulting | President Barack Obama YALI Fellow

    29,090 followers

    The Bank of Ghana Board Governance Directive to Payment Service Providers basically says, Time to Grow Up! (and you have 6 months to do it). In June 2025, the Bank of Ghana (Ghana's Central Bank) released its Corporate Governance Guidelines for Payment Service Providers. For me, I think it's a call to leadership. These guidelines don’t merely set minimum standards. They signal the central bank’s expectation that Ghana’s digital finance sector is no longer in its experimental phase. It is systemically important. And with that importance comes accountability, transparency, and—most importantly—governance maturity. If you’re a fintech founder, investor, or executive, here’s what’s now mandatory under the new rules:
    - Minimum of 3 board members, with at least two—including the CEO—ordinarily resident in Ghana.
    - Board majority must be non-executive directors.
    - At least one-third must be independent directors (for DEMIs and EPSPs).
    - No more than one-third can be related persons.
    - Separation of Chair and CEO roles—no one individual may serve as both.
    - Mandatory board subcommittees for Audit and Risk, each chaired by independent directors.
    - Annual board declarations of compliance, plus formal board evaluations.
    - External board evaluations every 3 years.
    - Director induction within 3 months of appointment and certification every 4 years.
    - Governance charters, succession planning, conflict of interest policies, and a fit-and-proper test for all key management personnel.
    Across Africa, we’re seeing similar shifts—Nigeria tightening capital rules, Kenya aligning consumer protection and data policy, South Africa requiring bank-level compliance from fintechs. For those of us who’ve worked at the intersection of innovation, digital policy, and board governance, this is a familiar inflection point. And it’s one I’ve been reflecting on, especially in conversations with founders and regulators across the continent.
Why I’m Paying Attention As someone who has worked with fintechs, advised boards, and helped shape digital strategy across Africa, I believe we’re at a governance inflection point. The institutions that will thrive in this new era are not just the most agile—but the most accountable. Fintech boardrooms now need directors who can do more than approve strategy. They must understand risk, tech, regulation, and long-term resilience. This is also an opportunity. For women in tech leadership, for pan-African operators, and for experienced board advisors—this is the time to step forward. The ecosystem needs directors who are not just regulators of risk, but translators of innovation. FULL Article https://lnkd.in/dZnYPGQG

  • Vivek P.

    Director & Head - Identity & Access Management Practice & Consulting | CISM | IAM | PAM | SSO | SAML | OAUTH | MFA | EPM | EDR | SIEM | DLP | GRC | Oracle | Sailpoint | Delinea | BeyondTrust | Cyberark | Ping | Forgerock

    12,122 followers

    “Clicked the phishing link? Terminate the employee.” That’s the usual genius solution. Because of course, when someone falls for a well-crafted phishing email, it’s their fault. Not the security team’s. Not the leadership’s. Just the employee who was never trained, never supported, and working with systems built in 2012. Let’s call this what it is: Lazy, reactive blame culture. Phishing is not a user problem. It’s a leadership problem. You can’t dump every risk on the people who have zero control over: • MFA enforcement • Email filtering • Device hardening • Privileged access • Alerting systems • And basic incident response You want users to behave securely? Give them a secure environment to work in. If a phishing email can bring down your company, the problem isn’t the user. It’s the architecture. Instead of pointing fingers, do this: Reduce blast radius. Don’t give anyone access they don’t need. Isolate critical systems. Assume compromise. Make phishing boring. Block obvious stuff before it even lands. Train people with real scenarios, not cartoonish e-learning junk. Reward reports. Don’t shame mistakes. If leadership doesn’t own this, They don’t deserve the title. Security isn’t just tech. It’s culture. It’s design. It’s ownership. And if you’re still blaming your employees for falling for phishing emails in 2025… You’ve already failed. 📌 P.S. As a trusted cybersecurity specialist, I can help you assess your cybersecurity risks and recommend the right solutions for your business. Please feel free to contact me if you have any questions or need assistance. #cybersecurity

  • Julie Talbot-Hubbard

    COO| President| Cyber Security & Technology Transformation Executive| Revenue Growth, P&L, GTM & Operational Excellence| AI-Security Innovation| Board Member & Industry Speaker

    12,836 followers

    60% of directors say the candor of board-management discussions needs improvement. That finding, from the NACD 2025 Trends and Priorities Survey, should alarm every board member. Six out of ten directors believe management is not being straight with them about what is actually happening in their organizations. Without honest dialogue about where technology capabilities fall short, boards cannot ask the right questions. Without the right questions, management optimizes for what gets measured in quarterly reports rather than what actually protects the organization. The cycle continues until a material incident forces the conversation that should have happened years earlier. This matters because technology risk now sits at the top of most board agendas. With 41% of directors ranking cybersecurity threats and 30% ranking AI among their top concerns for 2025, the consequences of incomplete information have never been more severe. Boards that want better technology oversight do not need more dashboards. They need different conversations. The kind with additional context provided, where a CISO shares "we are making a calculated risk accepting this vulnerability because fixing it would require stopping three other initiatives which involves more risks to our clients and business" and the board understands the trade-off being made. Where a CTO can explain that the AI strategy being presented is six months behind what competitors have deployed, and everyone acknowledges the gap rather than pretending it does not exist. Technology governance is not a reporting problem. It is a trust problem. Until boards and executives create the conditions for candor, they will continue governing with incomplete information about their most material risks. What are you doing to ensure the conversations in your boardroom reflect reality?

  • Prabhakar V

    Digital Transformation Leader |Driving Enterprise-Wide Strategic Change | Thought Leader

    6,826 followers

    Industry 5.0: Trust as the Cornerstone of Autonomy
    As Industry 5.0 takes shape, trust becomes the defining factor in securing the future of industrial ecosystems. With the convergence of AI, digital twins, IoT, and decentralized networks, organizations must adopt a structured trust architecture to ensure reliability, resilience, and security.
    Why is trust critical in Industry 5.0?
    With the rise of AI-driven decision-making, digital twins, and decentralized networks, industrial ecosystems need a robust trust architecture to ensure reliability, security, and transparency.
    The Trust Architecture for Industry 5.0
    J. Mehnen from the University of Strathclyde defines six progressive trust layers:
    Smart Connectivity – The foundation of Industry 5.0 trust. This layer ensures secure IoT networks, smart sensors, and seamless machine-to-machine communication for industrial automation.
    Data-to-Information – Moving beyond raw data, this layer integrates AI-driven analytics, real-time insights, and multi-dimensional data correlation to enhance decision-making.
    Cyber Level – The backbone of digital security, incorporating digital twins, simulation models, and cyber-trust frameworks to improve system predictability and integrity.
    Cognition Level – AI-powered diagnostics, decision-making, and remote visualization ensure predictive maintenance and self-learning systems that minimize operational disruptions.
    Self-Autonomy – AI-driven systems that self-optimize, self-configure, self-repair, and self-organize, reducing dependency on human intervention.
    Distributed Autonomy – The highest level of trust, where decentralized computing, autonomous decision-making, and blockchain-based governance eliminate single points of failure and ensure system-wide resilience.
    Building Trust in Industrial AI: The Core Pillars
    To achieve a trusted Industry 5.0 ecosystem, organizations must embrace a structured framework:
    Responsibility – Ensuring ethical AI, traceable decision-making, and accountable automation.
    Resilience – Withstanding cyberattacks and operational disruptions.
    Security – Protecting data, IoT devices, and industrial networks from cyber threats.
    Functionality – Ensuring system performance across various conditions.
    Verifiability – Enabling auditability, transparency, and regulatory compliance in automation.
    Governance & Regulation – Implementing policy-driven AI and decentralized oversight mechanisms.
    The Future of Trust in Digital Manufacturing
    As industries embrace AI, smart factories, and autonomous supply chains, trust becomes the new currency of industrial success. Ref: https://lnkd.in/dz998J_6
