Agents Unleashed: Can We Control What We’ve Created?

Wrapped up Day 2 of Black Hat MEA participating in a Fireside Chat with two amazing security leaders, Trina Ford and Priya Mouli.

The topic of our chat was “Agents Unleashed: Can We Control What We’ve Created?” We talked about the promise of agentic AI and the underlying risks that businesses and cyber professionals need to address.

This thought-provoking conversation explored areas such as:

  • Output Gates: Ensuring that final action requests by agents are mediated by a security-controlled API or service layer that checks the output against strict, predetermined enterprise policies.
  • Rate Limiting: Temporal controls to prevent infinite loops, rapid escalation, or denial-of-service, preventing misaligned or hallucinating agents from causing immediate, high-volume harm.
  • Reversibility: Autonomy is acceptable only when the agent’s actions can be immediately and easily undone without a system failure or data loss.
  • Identity and Access Management: Why agents should have unique service identities and must be restricted by controls such as PAM, least privilege, and zero wildcard permissions.
  • Governance: Subjecting agents to governance processes such as architecture reviews, threat modeling, risk classification, and incident response management (e.g., playbooks, tabletop exercises, etc.).
  • Shadow AI: Leveraging policy frameworks, identity governance, and network/data layer monitoring to protect against unauthorized or unmanaged agents.

Business leaders often view agents as highly efficient macros or bots. They fail to grasp that the agent’s autonomy and emergent behavior – its ability to reason, adapt, and combine tools – create risks that are fundamentally different from traditional automation.

The deployment of Agentic AI necessitates robust, layered security controls because it introduces unique, high-velocity risks that traditional perimeter and human-speed security models cannot handle.
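The output gate, rate limiting, reversibility, and identity controls listed above can be combined in a single mediation layer. The sketch below is an added example, not something presented in the fireside chat; the agent IDs, action names, resource paths, and the choice to hold irreversible actions for human approval are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ActionRequest:
    agent_id: str     # unique service identity of the requesting agent
    action: str       # hypothetical action name, e.g. "ticket:comment"
    resource: str     # hypothetical resource path, e.g. "ticket/4821"
    reversible: bool  # True only if the action can be undone without data loss


@dataclass
class OutputGate:
    """Mediates every final action request an agent makes (illustrative)."""
    grants: dict               # agent_id -> set of (action, resource_prefix)
    max_actions: int = 3       # allowed actions per agent per window
    window_s: float = 60.0
    _allowed_at: dict = field(default_factory=dict, init=False)

    def __post_init__(self):
        # Zero wildcard permissions: refuse to load a policy that contains one.
        for agent_id, perms in self.grants.items():
            for action, prefix in perms:
                if "*" in action or "*" in prefix or not prefix:
                    raise ValueError(f"wildcard grant for {agent_id}: {action} {prefix!r}")

    def decide(self, req, now=None):
        """Return (verdict, reason); verdict is 'allow', 'hold' or 'deny'."""
        now = time.monotonic() if now is None else now
        perms = self.grants.get(req.agent_id)
        if perms is None:
            # No registered identity: treat as an unmanaged (shadow) agent.
            return ("deny", "unknown agent identity")
        if not any(req.action == a and req.resource.startswith(p) for a, p in perms):
            return ("deny", "action not granted to this identity")
        # Rate limit: sliding window over this agent's previously allowed actions.
        recent = [t for t in self._allowed_at.get(req.agent_id, []) if now - t < self.window_s]
        self._allowed_at[req.agent_id] = recent
        if len(recent) >= self.max_actions:
            return ("deny", "rate limit exceeded")
        if not req.reversible:
            # Assumption: irreversible actions are queued for human approval.
            return ("hold", "irreversible action needs human approval")
        recent.append(now)
        return ("allow", "within policy")


if __name__ == "__main__":
    # Constructed policy and requests, for illustration only.
    gate = OutputGate({"agent-helpdesk-01": {("ticket:comment", "ticket/")}}, max_actions=2)
    for i in range(3):
        req = ActionRequest("agent-helpdesk-01", "ticket:comment", f"ticket/{4821 + i}", True)
        print(gate.decide(req, now=float(i)))
    print(gate.decide(ActionRequest("agent-unknown", "ticket:comment", "ticket/1", True), now=5.0))
```

Every verdict carries a reason string, so the same gate can feed the audit trail that governance and incident response processes rely on.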

Ransomware as a Service (RaaS) from code to cartel

Yesterday at Black Hat MEA, my first deep dive session of the day focused on “Ransomware as a Service (RaaS) from code to cartel”.

I was privileged to share the stage with Ira Winkler, Patricia Titus, and Bjørn R. Watne.

We explored the evolution of ransomware into today’s organized, profit-centered, multi-disciplinary threat collectives, and delved into some key areas such as:

  • The affiliate model and how ransomware groups function like legitimate companies
  • Recruitment for capabilities (e.g., exploit developers, cloud security engineering, C2 servers, payment portals, compromise of trusted insiders, etc.)
  • The importance of business resilience as a risk response (e.g., disaster recovery testing, incident response planning, ransomware playbooks, tabletop exercises)
  • How the transition from double extortion to triple extortion is also manifesting as threats of bodily harm and targeting of family members
  • Emphasized that cyber insurance is not a replacement for robust security controls (e.g., air-gapped backups, MFA, PAM, EDR, security awareness, etc.)
  • How critical infrastructure protection (CIP) and operational resilience legislation factor into the overall industry response (e.g., DORA, NIS 2, CRA, etc.)
  • Detailed why software developers and their tooling are increasingly targeted by RaaS consortiums due to risks such as privileged access to sensitive environments (staging, production), API and cloud infrastructure key custodianship, DevSecOps weaknesses, trust injection across CI/CD pipelines, code repository theft, etc.
  • Addressing encryption-related risks like quantum computing and cryptographic agility
  • How both defenders and attackers are leveraging AI

Many thanks to my fellow panelists for their brilliant insights and a note of appreciation for all those who attended.

The Current Debate on the UK Digital ID (“BritCard”) is Misleading – Here’s Why!

The current negative debate about the BritCard is misleading because it largely relies on outdated assumptions about technology and centralization, ignoring the fundamental privacy safeguards that several countries have proven work effectively. The central flaw in the critical narrative is that it assumes a 21st-century digital ID is equivalent to the 1950s physical paper card or a single, insecure database. As with any technology, there are pros and cons to digital ID, but to act like it’s mass surveillance or gratuitously privacy-violating is just wrong. What’s even more concerning to me is that a lot of the misinformation is being peddled by “privacy experts”.

Progressive countries like Singapore, Belgium, Austria, Estonia, Sweden, Denmark, Canada, Australia, Poland, Netherlands, UAE, and Germany all have digital ID systems. Digital ID facilitates streamlined access to services, increased efficiency, financial inclusion, reduced fraud, and enhanced security. Regarding privacy, they actually allow for contextual data sharing, which privacy experts have asked for repeatedly.

Data protection legislation and digital identity legislation have been coupled together in many countries to establish standards for security, user consent, data protection, and independent regulation. Moreover, privacy and security controls like zero-knowledge protocols, unique ID verification, secure storage, data minimization, decentralized data exchange, and biometric safeguards, among others, are employed to protect the privacy of individuals.

I have digital IDs for Denmark, Estonia, and Germany, and they are nothing like what these negative arguments suggest.

NOTE: The proposed central use case for the BritCard of combating illegal immigration is ill conceived and distorts the debate around the pros and cons of digital ID.

Why the UK Government’s Loan Guarantee for JLR is a Cause for Concern

A cyber-attack “severely disrupted” Jaguar Land Rover (JLR) vehicle production, particularly at its two main UK plants. JLR’s retail business was also significantly impacted for consumers ordering or taking delivery of new vehicles. To help the carmaker recover and protect jobs within its extensive supply chain, the UK government has decided to underwrite a £1.5 billion loan guarantee.

The government’s loan guarantee is concerning because it socializes corporate risk, essentially creating a taxpayer-funded safety net for private sector cybersecurity failures. While the goal of protecting 100,000 supply chain jobs is sympathetic, this decision undermines the core market incentive for all businesses to achieve robust security resilience.

1. Incentivizing Security Complacency

By being the first company to receive such significant government aid following a cyber-attack, JLR sets a worrisome precedent. It signals to other large, systemically important companies that serious investment in preemptive cyber-defenses is optional. If a major breach causes a costly production shutdown, the government may provide a financial parachute to protect the supply chain. This effectively lowers the cost of poor security planning for major corporations and shifts the financial burden of resilience onto the public purse.

2. Rewarding Inadequate Preparation

The scale of JLR’s shutdown (e.g., halting all production for weeks) suggests a critical failure in both cyber resilience and business continuity planning (BCP). Should a secure and resilient organization be able to isolate an attack and recover without weeks of total shutdown, minimizing impact on its supply chain? Do the loan guarantees reward the company for a recovery posture that was either slow, inadequate, or both? Is the public essentially paying for the gap between JLR’s security maturity and the highly disruptive level of the breach? Many questions arise and a deeper discourse is needed into whether or not the government should be bailing out private corporations for suboptimal cybersecurity posture.

3. Moral Hazard and Unintended Consequences

This action creates a significant moral hazard. The government is protecting the ultimate parent company, India’s Tata Motors, from the full financial consequences of the attack by backstopping a commercial loan via the Export Development Guarantee (EDG). Taxpayers assume the risk of JLR defaulting, shielding the multinational owner from a major cyber-loss event. This is especially controversial given that JLR’s massive profits would normally imply responsibility for maintaining its own cyber insurance and resilience fund.

In short, while the loan guarantee offers necessary short-term relief to small suppliers facing collapse, there is the potential long-term cost of the erosion of market pressure on large corporations to treat cybersecurity as a non-negotiable, self-funded business continuity imperative.

AuditBoard names 25 CISOs to watch in 2025

In the rapidly evolving landscape of cybersecurity, innovative Chief Information Security Officers (CISOs) play a pivotal role in safeguarding organizations against AI-driven threats, ransomware attacks, and supply chain vulnerabilities. To acknowledge and applaud those leading the charge in tackling these challenges, AuditBoard has carefully chosen 25 CISOs who exemplify a dedication to enhancing cyber risk defenses and sharing their insights with the information security (infosec) community.

This curated list showcases the industry’s most resilient and forward-thinking cybersecurity experts. The 2025 selection highlights individuals who are at the forefront of navigating the ever-changing digital risk landscape, demonstrating resilience and innovation in their approach to cybersecurity leadership.

Thank you AuditBoard for your recognition alongside these amazing industry titans!

Each of these individuals has made a significant contribution to the profession, to industry, and to the organizations they work for. Massive respect goes out to each of them!

Security leaders shed light on their zero trust journeys

Zero trust architecture (ZTA) implementations pose challenges due to the abundance of vendor and media hype surrounding this concept. Understanding the true essence of zero trust and its relevance to your specific company or IT environment is crucial.

Establishing trusted identities for devices is a foundational aspect of implementing a zero trust model. It is essential to navigate through decisions on scaling your zero trust ecosystem effectively, encompassing identity, authentication, network architecture, and endpoint detection and response technologies.

Transitioning to a “default/deny” architecture from the traditional “trust then verify” approach can introduce significant user friction and degrade their overall experience in utilizing enterprise systems. Hence, careful planning and constituent engagement is a necessity.

Moving towards a zero trust architecture is a progressive journey rather than a mere technological shift. Many enterprises will find themselves operating on a hybrid zero trust/perimeter-based model during this transition phase.

These insightful discussions with Mary K. Pratt from CSO Online and other security leaders provided valuable perspectives on the challenges and opportunities associated with implementing ZTA.

Explore the conversations and insights shared here: https://bit.ly/4cI2P2C

Mismanagement of the BRA Breach: Incompetence is Expensive

In this year’s budget, the Ministry of Finance, Economic Affairs, and Investment is asking for $36.9 million to cover the costs associated with managing last year’s data breach at the Barbados Revenue Authority (BRA). Given that the average cost of responding to a data breach in 2024 was USD $4.88 million (BBD$9.94 million), this quoted figure is exceptionally high and warrants a detailed examination.

Here’s my breakdown of why such an amount is considered excessive:

1. Financial Strain:

  • Depletion of Public Funds: $36.9 million is a substantial amount that severely depletes the country’s financial resources at a time the nation is struggling with heavy debt obligations and underperformance in key sectors. It more than likely will require budget cuts in other critical areas, halt planned projects, or even threaten the country’s ability to service existing debts or meet its overall financial needs.
  • Opportunity Cost: The money spent on data breach response could be better used for investments in economic growth, innovation, social services, workforce development, or other strategic initiatives that contribute to Barbados’ long-term success.
  • Citizen Impact: This is at its core an erosion of trust in government’s effectiveness in managing cybersecurity and data protection, and can have a knock-on negative impact in terms of reduced quality and investment in citizen services (e.g., education, healthcare, transportation, sewage, housing, etc.), increased public debt, additional taxes, and hindered development.

2. Cost-Benefit Analysis:

  • Value of Data: It’s essential to compare the recovery cost with the actual value of the compromised data. I am certain no quantitative assessment was performed by the government to determine the cost of the data. In this case, the data might not be worth $36.9 million, making the recovery expenditure disproportionate.
  • Potential Losses: While data breaches can lead to financial losses, including regulatory fines, legal fees, and compensation to individuals harmed by their data being misused or abused, it’s crucial to estimate these potential losses accurately. A $36.9 million recovery cost in my opinion exceeds the estimated losses the government would have otherwise incurred.

3. Inefficiencies and Overcharging:

  • Vendor Pricing: Given my experience managing data breaches over the last 20+ years, unscrupulous vendors usually exploit the urgency and panic surrounding a breach to inflate their prices. This appears to be the case in this instance (given that the government has limited cybersecurity capabilities and little to no experience responding to breaches).
  • Scope Creep: Recovery efforts can sometimes expand beyond the initial scope, leading to unnecessary expenses. There’s no doubt in my mind that the government did not have defined security incident response procedures or objectives, which led to the recovery scope being too wide and unconstrained to avoid cost overruns.
  • Ineffective Strategies: The chosen security incident response strategies were poorly defined and inefficient, leading to prolonged recovery times and increased costs.

4. Failure of Prevention:

  • Security Gaps: As I have said numerous times, the government does not have the capabilities in place to secure the technologies that they have implemented, and this $36.9 million bill confirms these significant weaknesses in their cybersecurity infrastructure and practices. It raises questions about why they have failed to implement the numerous detailed security strategies provided to them over the last decade by the European Union (a project which I led), International Telecommunications Union (ITU), Organisation of American States (OAS), and others.
  • Missed Opportunities: Investing in robust cybersecurity measures, such as firewalls, intrusion detection systems, personnel training, and regular security audits, could have prevented the breach or minimized its impact, potentially saving millions of dollars in recovery costs. And while investments have been made in some of these areas, the implementation of the solutions has left a lot to be desired.

5. Reputation Damage:

  • Public Perception: While the financial cost is significant, the reputation damage from the BRA data breach doesn’t seem to be substantial. While the breach was severe, involved sensitive data, and came on the heels of the cyber-attacks against the Queen Elizabeth Hospital and many other government departments, there are many residents who still don’t seem to understand how dire the government’s cybersecurity situation really is.
  • Public Trust: The constant data breaches impacting public services and citizens’ data have a detrimental effect on public trust (which is already low). This will prevent the uptake of digital services being implemented by the government as well as reduce the confidence in e-commerce as a whole. Basically, it jeopardises the entire digital transformation agenda of this administration and the ability of Barbadians to reap the associated benefits.

In conclusion, while data breach recovery is a necessary expense, $36.9 million is an exorbitant amount that warrants careful scrutiny. It’s crucial that the Public Accounts Committee (PAC) and the Office of the Auditor General conduct a thorough investigation, evaluating vendor pricing, identifying inefficiencies, and addressing underlying security vulnerabilities to ensure that recovery efforts in the future are effective and cost-efficient.

He Said Security / She Said Privacy Podcast – ISACA 2025 State of Privacy Survey Findings

I thoroughly enjoyed tag teaming with Safia Kazi to discuss the key findings of the ISACA State of Privacy Survey with Jodi Daniels and Justin Daniels on the ‘He Said Security / She Said Privacy’ podcast.

We touched on some important topics such as:

  • How companies are handling privacy staffing shortages
  • The growing demand for technical privacy expertise and how privacy pros can adapt
  • AI’s role in transforming privacy operations and its risks
  • The impact of shrinking privacy budgets
  • How board-level buy-in impacts company-wide privacy programs
  • Why privacy by design remains a challenge for many organizations
  • Safia’s and my personal privacy tips

Check out the podcast and let us know what you think!

Security Magazine Top Cybersecurity Leaders for 2025

I would like to express my sincere gratitude to Security Magazine for recognizing me as one of the Top Cybersecurity Leaders for 2025.

I have always been a fan of Security Magazine and their laser focus on providing information and solutions on risk management, cybersecurity, physical security & safety, and other related industry trends. So this recognition from them is particularly appreciated.

Heartiest congratulations to my good friend Jason Lau and the other awardees Anmol Agarwal, Jay Gonzales, Sandra Cavazos, and David Baker – Your commitment to digital trust and your service to the profession are mighty!

Many thanks as well go out to the amazing teams I have led at INTERPOL, Doodle, and other companies. You are the real champions!

Critical Infrastructure (CI) Protection – Are We Ready?


Critical infrastructure (CI) comprises those assets, systems, and networks that provide functions necessary for our human, social, and economic wellbeing. There are key sectors that are part of a complex, interconnected ecosystem, and any threat to these sectors could have far-reaching and destructive national security, economic, and public health or safety consequences.

Despite their reliance on critical infrastructure, developing countries (and several developed nations) at large have not implemented a nationally coordinated framework to protect their vital information assets. Cyber attacks, such as distributed denial of service (DDoS), ransomware, advanced persistent threats (APTs), and others can severely affect all the CNI sectors. Cyber attacks differ greatly from traditional types of threats such as terrorism, criminal activities, natural disasters and industrial accidents, among others. Cyber attacks can now be initiated by any person with limited technical proficiency or resources, and these attacks can have a direct effect on the overall wellbeing of modern societies.

Last week, I presented at the 2025 Guyana Energy Conference on CNI protection, particularly touching on real-world incidents and addressing the threat landscape, risk assessment, adversary categories, challenges, and opportunities. I also emphasized that a multi-stakeholder approach premised on mutual trust is optimal towards achieving CI protection outcomes.

Check out my presentation HERE.