Institute of Advanced Technology (IAT)Institute of Advanced Technology (IAT)Institute of Advanced Technology (IAT)

WHAT HAPPENS TO YOUR CAREER WHEN YOUR EMPLOYER GETS HACKED AND YOU ARE THE IT PERSON?

Article Description: Working in IT in Kenya? Under the Data Protection Act 2019, your organization has 72 hours to report a breach from the moment it becomes aware. The person who determines whether that window is met — or missed — is you. Here is what that means for your career and your liability.

Seventy-two hours! That is the window Kenya’s Data Protection Act, No. 24 of 2019, gives an organization to notify the Office of the Data Protection Commissioner after becoming aware of a personal data breach, as stipulated in Section 43 of the Act. Note that is not 72 hours from when the breach happened but from when the organization becomes aware. The person who decides when the organization becomes aware is, in most cases, the IT professional managing the systems. That single fact turns a technical role into a legal one — and most IT professionals in Kenya are not yet equipped for both.

What the Law Actually Says About Responsibility

The Data Protection Act defines IT and security teams as explicitly responsible for implementing the technical safeguards that protect personal data, according to compliance analysis published by Njaga Advocates in April 2025. The penalties for failing to meet those obligations are not light. A general penalty under the Act can reach KES 3 million, or imprisonment for up to ten years, or both — and directors and company officers can face criminal prosecution for willful violations, as confirmed by legal analysis published on KKCo East Africa’s compliance guide in March 2026. What this means in practical terms is that a data breach which goes undetected for days before the IT team notices is not just a technical failure. Under Kenyan law, it is a compliance failure with financial and criminal consequences that can travel up the organization to the people whose names are on the systems.

The Office of the Data Protection Commissioner is not waiting for organizations to self-report. The ODPC announced nationwide compliance inspections across multiple sectors in early 2025, and the January 2025 ruling in Complaint No. 1618 of 2024 — where an employer was found in violation simply for using an employee’s photograph without documented consent — signals that active enforcement is no longer theoretical. An IT professional who cannot demonstrate structured, documented incident detection and response capability is now a liability, not just a gap in a job description.

What CySA+ Actually Trains You to Do

CompTIA Cybersecurity Analyst, CySA+, is an intermediate-level, vendor-neutral certification validated against four domains directly relevant to the 72-hour problem. Security Operations, covering 33% of the exam, trains professionals to monitor environments, detect threats, and identify indicators of malicious activity across networks, endpoints, and cloud systems. Vulnerability Management, covering 30%, trains professionals to scan for vulnerabilities, prioritize them using risk-based frameworks, and act on them before they become breaches. Incident Response trains professionals to contain, investigate, and recover from security events using structured processes — including evidence handling, root cause identification, and escalation. Reporting and Communication, the fourth domain, trains professionals to present security findings to technical and business stakeholders in language that drives decisions rather than confusion.

According to CompTIA’s own exam documentation, updated for the CySA+ V4 release in 2025, the certification now also covers AI-driven security operations and advanced threat-hunting techniques — the same capabilities Kenyan organizations need as the Communications Authority of Kenya recorded 4.5 billion cyber threat events between April and June 2025 alone. The Bureau of Labour Statistics projects that information security analyst roles globally will grow by 29% between 2024 and 2034, cited in Coursera’s CySA+ certification guide published February 26, 2026 — a growth rate far exceeding almost any other professional category in the sector.

What This Means for Your Career Specifically

An IT professional with CySA+ is no longer the person management looks at when something goes wrong. They are the person management calls before something goes wrong. The certification creates a documented record that the holder has been trained to detect threats before they escalate, respond to incidents within structured timeframes, and communicate what happened — and what was done about it — in a way that satisfies both technical and regulatory scrutiny. In a Kenyan employment environment where the ODPC is conducting active inspections and where criminal liability extends to company officers, that documented record is not a career enhancement. It is career protection.

What Happens to Your Career When Your Employer Gets Hacked

The question in the title has a specific answer now. If the breach was detected quickly, contained properly, documented accurately, and reported to the ODPC within 72 hours, the IT professional involved becomes indispensable. If it wasn’t, the law has a name for who is responsible — and it is not the CEO who never looked at the firewall logs. The difference between those two outcomes is not luck or seniority. It is whether the IT professional in that organization was trained to the level that CySA+ certifies.

 

Explore IAT’s CompTIA Cybersecurity Analytics (CySA+) programme directly. For questions about intake, format — physical, online, day, evening, or private — and how the programme maps to your current experience level, call +254 725 040 588 or email registrar@iat.ac.ke. Pricing is customised based on study format — contact the team for a specific figure. If this course is part of a broader cybersecurity path, our Cyber Security programme and Certified Ethical Hacking course cover adjacent and complementary ground.

 

Blog Writer: James Gitonga

About the Author: James Gitonga is a cybersecurity and technology writer specializing in information security, data privacy, digital transformation and emerging IT trends. He produces practical, research-driven content that helps professionals and organizations understand complex cybersecurity concepts, regulatory requirements and industry certifications, enabling them to make informed decisions and build resilient digital environments.