Spotlight: Philip Aiwekhoe on Cybersecurity, Risk & Vision for Africa’s Finance Sector
Philip Aiwekhoe, Chief Information Security Officer (CISO) and Data Protection Officer at NPF Microfinance Bank Plc, is a visionary cybersecurity executive with over 15 years of experience spanning governance, risk, compliance, and digital transformation.
With a dual role as Cybersecurity Consultant to the Police Service Commission, Philip combines deep technical expertise with strategic foresight. He holds top industry credentials including Certified CISO and Certified Information Security Manager (CISM), and is an active member of professional bodies such as BCS (British Chartered Institute of IT), ISACA, EliteCISO, CyberEdBoard, EC-Council, and Microsoft communities.
In his professional journey, Philip has advised leading organizations across sectors on IT governance, GRC (Governance, Risk, and Compliance), cybersecurity strategy, and operational resilience. His passion for building secure digital ecosystems is evident in his focus on digital trust and risk-aware leadership.
Philip is also the Founder of Charistech Consulting, Co-Founder of Warelogtech, and formerly Information Security Manager at Agora Labs, a European health-tech innovator.
A recognized thought leader, Philip has spoken at major industry forums including:
- CYfrica
- CISO Africa
- Africa Cyber Defense Forum
- CyberACON
- Digital Pay Expo
- Nigeria Cybersecurity Summit
- East Africa Hybrid Cloud & Cybersecurity Summit
- PAICTA Cybersecurity 4D Conference 2024
- International Risk Conference
In this exclusive CxOTrail feature, Philip discusses the need for executive alignment, security-by-design, and embedding cybersecurity within enterprise-wide risk governance frameworks to drive resilience and innovation.
If we don’t elevate cybersecurity to a boardroom priority, we’ll pay the price in losses, not just in data, but in trust, growth, and competitiveness.
Q&A with Philip Aiwekhoe
Q: You’ve held senior leadership roles across financial institutions and regulatory bodies. How has your experience shaped your approach to building resilient cybersecurity frameworks in both public and private sectors?
A: With over two decades of experience traversing senior leadership roles in both financial institutions and regulatory bodies, I’ve had the exclusive opportunity to understand cybersecurity from multiple vantage points. In financial institutions, the emphasis has often been on innovation, customer trust, and maintaining continuity in a rapidly evolving threat landscape. On the regulatory side, the focus shifts toward systemic risk, regulatory compliance, and building frameworks that promote sector-wide resilience.
These dual experiences have shaped my approach to cybersecurity in three core ways:
Strategic Alignment with Risk Appetite: I’ve learned that effective cybersecurity must align with an organization’s broader risk management strategy and business strategy. In financial institutions, where digital transformation is constant, this means embedding cybersecurity into leadership, product development, customer engagement, and third-party partnerships.
Public-Private Collaboration: Having worked across both sectors, I value the importance of fostering information sharing, joint threat intelligence, and coordinated incident response. Cyber threats are borderless, so fostering trust and cooperation between regulators, institutions, and international partners is vital in building a safe digital ecosystem.
Resilience Beyond Prevention: True cybersecurity resilience isn’t just about stopping threats, it’s about anticipating, withstanding, and recovering from them. I advocate for proactive testing through red-teaming, tabletop exercises, cyber drills and investing in capabilities like threat hunting, zero trust architecture, and business continuity planning.
My leadership journey has reinforced that cybersecurity is not just a technical challenge, it’s a strategic, governance, operational, and cultural priority. Whether advising boards or shaping regulatory policy, I aim to ensure that cyber resilience is treated as a fundamental pillar of long-term institutional sustainability.
Q: As Chief Information Security Officer at NPF Microfinance Bank for nearly 5 years, what were some of the most significant data protection and cyber risk challenges you encountered and how did you navigate them?
A: Serving as Chief Information Security Officer at NPF Microfinance Bank for nearly five years, I encountered a range of data protection and cyber risk challenges, particularly given the evolving threat landscape and the unique nature of microfinance institutions operating within the Nigerian financial ecosystem.
Some of the most significant challenges included:
Legacy Infrastructure and Limited Resources:
Microfinance banks typically work within lean budgets and legacy infrastructures, presenting both challenges and opportunities for innovation in cybersecurity. This created a challenge in implementing modern security controls without disrupting critical operations. To address this, I developed a strategic roadmap in ensuring the establishment of a governance framework and prioritized risk-based investments, focusing first on high-impact vulnerabilities, implementing a multi-layered defense, and leveraging cost-effective security tools that delivered maximum protection with minimal complexity.
Data Privacy and Regulatory Compliance:
With the introduction of Nigeria’s Data Protection Act (NDPA), aligning internal processes with data privacy requirements became essential. I led a comprehensive data governance initiative, which included a data governance framework, data mapping, classification, staff training, and implementing a robust Data Loss Prevention (DLP) strategy.
Insider Threat and User Awareness:
Human error and insider threats posed serious risks, especially in an environment with varying levels of digital literacy.
I developed a continuous security awareness program, incorporating phishing simulations, role-based training, performance evaluation for user training/policy compliance and clear incident reporting protocols to strengthen our human firewall.
Third-Party Risk Management:
As the bank expanded its digital services, ensuring the security of third-party vendors and fintech partners became critical.
I introduced a third-party risk assessment framework and third-party evaluation process requiring all vendors to meet minimum cybersecurity standards, including regular audits and secure API integrations.
Incident Detection and Response:
Detecting and responding quickly to threats was a challenge, especially with limited SOC capabilities.
I implemented centralized logging and monitoring solutions, built a lean but capable incident response team, and engaged with external threat intelligence providers to improve our detection and response posture.
Through these initiatives, we significantly improved our cybersecurity maturity, reduced our exposure to threats, and positioned the bank as a trusted institution in Nigeria’s digital financial services space. More importantly, we cultivated a security-conscious culture, which is the foundation of any resilient organization.
Q: In your current role advising the Police Service Commission, you’re driving cybersecurity awareness and curriculum development. What strategies are proving most effective in elevating security consciousness across government bodies?
A: In my advisory role with the Police Service Commission, where I lead efforts to elevate cybersecurity awareness and develop curriculum for government bodies, I’ve seen firsthand how crucial it is to build a foundational understanding of cybersecurity across all levels of government, from senior leadership to operational teams. There are several strategies that have proven highly effective in fostering security consciousness within public institutions:
Tailored Training and Role-Specific Curriculum:
One size does not fit all when it comes to cybersecurity education, especially in government institutions. Security needs vary by role. Firstly, I developed a program for training across the commission and started the implementation of role-specific training that focuses on the most relevant risks and best practices for different departments.
Executive Engagement and Ownership:
At the leadership level, cybersecurity needs to be seen as a business priority, not just an IT issue. I’ve worked closely with the PSC to ensure senior officials understand cyber risks in a strategic context, emphasizing how security breaches can affect public trust, data integrity, and national security.
Scenario-Based Training and Simulations:
In addition to theoretical training, I’ve introduced hands-on, scenario-based exercises, such as tabletop drills and simulated cyber-attacks. These drills help employees at all levels react more effectively during an actual breach, fostering a deeper understanding of what’s at stake.
Building a Culture of Cyber Hygiene:
A recurring challenge in government institutions is ingraining good cyber hygiene practices, such as secure password management, recognizing phishing attempts, and reporting suspicious activities.
Cross-Agency Collaboration:
Cybersecurity in government isn’t just about protecting one agency, it’s about securing the entire ecosystem. I’ve encouraged greater collaboration between different government bodies, sharing threat intelligence, best practices, and lessons learned from incidents.
Incentives for Cybersecurity Excellence:
To motivate and sustain engagement, I’ve helped establish a rewards and recognition system that highlights employees or departments showing exemplary cybersecurity practices.
Q: You’re one of the few leaders balancing roles as both a Data Protection Officer and a CISO. How do you harmonize regulatory compliance (like NDPR) with proactive threat mitigation?
A: Rather than treating regulatory compliance (like NDPR, GDPR, etc.) as a checkbox activity, I ensured these frameworks are embedded directly into the Information Security Management System (ISMS). This ensures that compliance isn’t separate from security; it enhances it.
As both DPO and CISO, I have been able to streamline governance structures, ensuring policies around data access, encryption, breach notification, and third-party risk management satisfy both legal requirements and technical defenses. One harmonized policy reduces conflict and boosts accountability.
I instituted regular dashboards that track regulatory KPIs (e.g., SAR response times, consent management) and security KPIs (e.g., MTTR, vulnerability patching rates); that ensures a single view of risk and more effective board-level reporting.
Most important is maintaining a proactive role with regulators, auditors, and internal stakeholders, ensuring transparency and confidence that security posture aligns with data protection laws and regulations.

Q: With the rise in cyberattacks across Africa, what threat trends are you currently observing in Nigeria’s financial and government sectors that concern you most?
A: One of the most concerning trends we’re observing in Nigeria, particularly within the financial and government sectors, is the convergence of three critical threat vectors: advanced social engineering, supply chain compromise, and ransomware-as-a-service (RaaS).
Social engineering attacks are growing more sophisticated with the advancement of AI. Threat actors are no longer relying solely on phishing emails; they’re leveraging voice phishing (vishing), deepfakes, and real-time manipulation tactics, targeting employees at all levels, including privileged users in banks and public service agencies.
Secondly, we’re seeing a marked rise in third-party and supply chain vulnerabilities. With the rapid digital transformation of public services and fintech integrations, attackers are now targeting weaker links, such as outsourced IT providers, local fintech startups, or under-secured payment gateways, to gain lateral access into more secure environments.
Motivations range from financial gain to political disruption, especially around election periods or economic reform initiatives. Ultimately, what concerns me most isn’t just the rise in attacks, it’s the gap in proactive readiness.
Q: Through your mentorship initiative, Future Cyber Leaders Mentorship Initiatives, what skill or mindset gaps do you see in Nigeria’s next generation of cybersecurity professionals and how are you addressing them?
A: Through the Future Cyber Leaders Mentorship Initiative (FCLMI), our vision is to build a secure digital future by nurturing skilled professionals. One of the clearest gaps I see among emerging cybersecurity professionals in Nigeria is not just technical, it’s mindset.
Through the FCLMI initiatives we have reached 600 students in two major universities and some of our mentees who are undergraduates are gainfully employed in Charistech Consulting Limited.
Many young talents are highly enthusiastic, which is great. But there’s often a misconception that cybersecurity is purely about hacking tools or certifications. What’s missing is a strategic, problem-solving mindset, a deep understanding of risk, and the ability to connect cybersecurity to business outcomes.
At FCLMI, we address these gaps through a three-part approach:
Mentorship Beyond the Screen – We pair mentees with seasoned professionals across sectors to give them real-world exposure, not just labs or online content.
Soft Skills Development – We run workshops on cyber ethics, presentation, stakeholder reporting, and incident response communication.
Hands-on Problem Solving – We don’t spoon-feed. We present real-world scenarios and guide mentees through thinking like defenders — not just tool users.
Q: From founding Charistech Consulting to co-founding Warelogtech, you’ve been at the intersection of entrepreneurship and cybersecurity. How do you embed security thinking into product and platform innovation from Day 1?
A: For me, security isn’t an afterthought, it’s a design principle. Whether at Charistech or Warelogtech, I’ve always believed that if innovation moves fast, security must move faster and in lockstep.
When you’re building platforms or digital products in today’s environment, especially in fintech or logistics tech like we do at Warelogtech, you can’t afford to ‘bolt on’ security later. That’s why we embed security-by-design principles from Day 1.
It starts with the mindset: our product and engineering teams are trained to think like attackers and defenders, not just coders. Before a single line of code is written, we conduct threat modeling workshops. We ask: what are the data flows, who are the threat actors, where are the trust boundaries?
Charistech Consulting is a premier cybersecurity advisory company where we support enterprises in governance, risk, and compliance. We’ve helped clients realize that innovation without guardrails leads to reputational and financial risk. At Warelogtech, that philosophy is lived internally, from secure DevOps pipelines (DevSecOps) to automated code reviews and continuous security testing.
We maintain a culture of shared responsibility. Security isn’t “Philip’s department.” It belongs to every designer, developer, product owner, and business leader. That’s how we align innovation with resilience and scale securely.
Q: Many African institutions struggle with aligning global standards like ISO 27001 to local realities. As a Senior Lead Implementer, how do you balance international best practices with operational feasibility in Nigerian environments?
A: Implementing ISO 27001 in Nigeria, or anywhere in Africa, isn’t just about ticking boxes; it’s about translating global standards into something that actually works within local constraints.
One major challenge I’ve seen is that many organizations try to copy-paste the ISO 27001 framework without adapting it to local realities: limited budgets, fragmented infrastructure, leadership buy-in, or skill gaps. That approach fails.
Firstly, we start with a contextual risk assessment, not a theoretical one. I help organizations define their risk appetite in terms they understand: “What can we afford to lose? What would shut us down?” That makes the controls real, not abstract.
Secondly, I emphasize scalable implementation. You don’t need an enterprise-grade SIEM on Day 1.
Thirdly, I prioritize process ownership. In many Nigerian institutions, roles are blurred. So, I tailor policies to match the actual workflow, not an idealized one.
And finally, I invest in capacity building. That way, they don’t just get certified; they can sustain and evolve their ISMS long after the audit. ISO 27001 is a powerful tool, but only when it’s localized, humanized, and aligned with purpose. That’s how I turn standards into strategy.
Over the last decades I had the opportunity of implementing ISO 27001 standards for three major financial companies locally in Nigeria and one big tech company based in Europe.
Q: Lastly, what advice would you give to C-level executives in Nigeria and across Africa who are still treating cybersecurity as an IT issue rather than a business-critical imperative?
A: My advice to executives is modest and clear: if you’re still treating cybersecurity as an IT problem, you’re already behind and your business is at risk.
A single breach can shut down operations, erode customer confidence, attract legal penalties, and destroy shareholder value all in one blow.
I often tell boards and CEOs: cyber risk is a business risk and managing it should sit squarely at the executive table, not in a back-office IT department. The same way you monitor financial exposure, you must monitor cyber exposure including your people, your vendors, your data assets, and your crisis readiness.
Cybersecurity needs to be built into your strategy, not layered on top of it. That means:
- Making it part of enterprise risk management.
- Allocating real budgets, not leftovers.
- Empowering CISOs to report independently and influence decisions.
- And creating a culture where everyone, from receptionist to CEO, owns security.
Africa is digitizing rapidly. Our markets, our data, and our infrastructure are now targets. If we don’t elevate cybersecurity to a boardroom priority, we’ll pay the price in losses — not just in data, but in trust, growth, and competitiveness.
Cybersecurity isn’t just protection. It’s a business enabler, a competitive advantage when done right. That’s the mindset shift we need.