Governments and vital sectors, including those in the Caribbean part of the Kingdom, are increasingly under fire. Cyberattacks are growing more targeted, and their impact is becoming more severe. For Juri Nicolaas, Director of Aruba’s Security Service, cyber resilience is not just a technical matter but a core component of national security.
“Digitalisation drives our economy and modernisation,” Nicolaas explains. “If Aruba wants to safeguard its social stability and economic growth, cyber resilience can no longer be treated solely as an IT issue; it must be treated as a governance challenge.” That’s why Aruba’s Security Service (Veiligheidsdienst Aruba or VDA, in Dutch) is focusing more on early warning, strategic advice, and policy priority, helping governments and leaders understand digital risks and translate them into policies, priorities, and investments. Nicolaas: “The key question remains: how do we keep society running when digital systems fail?”
Rise of ‘vital’ processes
Cyber resilience isn’t just the government’s responsibility; vital organisations and private sector partners must also play their part. “Public-private collaboration starts with jointly acknowledging risks,” Nicolaas emphasises. Digital dependency is growing rapidly, even in Aruba, where more and more processes are becoming ‘vital’ in nature. “What was once an administrative task, like population registration, is now digitally intertwined with passports, healthcare, taxation, and social services,” Nicolaas notes. “A single disruption can have immediate societal consequences.”
“Whether it’s day-to-day operations, service continuity, or national security,” Nicolaas says, “leaders must understand the impact level of incidents. Total security can never be guaranteed,” he stresses. “But if we acknowledge that, we must also be able to justify why we prioritise some risks over others, knowing we’ll have to accept certain vulnerabilities.”
Agile yet vulnerable due to small scale
Aruba’s small scale is both an advantage and a risk. “Short lines of communication and personal connections make us agile,” Nicolaas explains. Yet, reliance on imports makes the island vulnerable. “Everyone understands there is chaos if booking systems, passenger flows, or payment systems fail. That vulnerability is exactly why we need structure.” Improvised, on-the-spot solutions no longer suffice in a digital crisis. That’s why Aruba is now establishing clear agreements, responsibilities, and exercise frameworks.
At Aruba’s request, TNO has developed an initial ‘cyber resilience roadmap’, while Letters of Intent have been signed with key partners. A governance structure is also being built to define roles and responsibilities per sector during a cyber crisis. “Formalising this framework is crucial as it removes ambiguity,” Nicolaas emphasises.
Steering resilience
Digital expertise is often outsourced on an organisational or project basis, leading to fragmented quality and solutions. “In a free market, that makes sense, but the government must take the lead,” Nicolaas argues. “With clear frameworks, procurement principles, and minimum expertise standards, we can raise the bar without imposing stifling top-down control.” He adds that tailored approaches are needed for European regulations: “Aruba isn’t a tech-developing nation; we are primarily tech users. Blindly adopting EU rules for sectors we don’t even have makes little sense. We must focus on our own risks, infrastructure, and vital processes.”
Connecting to regional structures
Though the Kingdom’s countries share a language, they don’t share the same risk profile. Internationally, Aruba is classified as a Small Island Developing State (SIDS), where digitalisation is explicitly part of development policy. Nicolaas advocates for a unified ‘Kingdom framework’ where each territory shares its vulnerabilities and expertise. “It’s pointless for every island to establish its own 24/7 CERT. Instead, we should utilise existing regional structures, European partners, LAC countries (Latin America and the Caribbean), and blocs such as CARICOM (Caribbean Community) to strengthen each other. We can’t do this alone.”
From awareness to resilience
Nicolaas believes true resilience rests on 3 pillars: governance ownership, a robust yet straightforward foundation (clear roles, access rights, reporting procedures) and practising within existing crisis structures.
“Thanks to our agility, we know exactly how to scale up during a hurricane. We must apply the same approach to cyber incidents,” Nicolaas notes. Aruba is now taking steps toward a digital resilience cluster, where responsibilities are clear, sectors collaborate more efficiently, and cooperation becomes second nature. “Only when everyone understands their role does awareness turn into real resilience.”
Translating awareness into policy
“Leaders must translate threats into policy; only then can they make and justify decisions,” Nicolaas observes. More organisations are taking societal responsibility: banks now warn citizens, schools teach digital behaviour, and internal phishing drills are being conducted. During phishing attacks, the VDA and police: “Not to instil fear, but to offer actionable solutions.”
Caribbean Cyber Resilience Programme
This is the second interview in a series, part of the Caribbean Cyber Programme, linked to the Government-Wide Cyber Exercise.
