Author: nielharper

Is your biggest security risk already inside your castle?

nielharper

I recently sat down with Mary K. Pratt (always wonderful to speak with her) to discuss “insider threats” for her CSO Online article.

My message was that the definition of an “insider” has fundamentally changed. It’s no longer just about disgruntled employees; it’s about a complex web of social engineering, digital savviness, and agentic AI.

Below are three critical takeaways from our discussion on “new” face of insider threats:

>> Social Media as a Recruitment Tool: Threat actors are using OSINT on social platforms to find “mercenaries”. By identifying employees under economic or personal pressure, they can bribe or blackmail insiders to do their dirty work.

>> The Rise of the “High-Risk” Average User: You don’t need to be a developer to be a threat. With modern digital tools and GenAI, the average staffer now has the capability to become a high-impact threat actor, intentionally or otherwise.

>> AI as the New Insider: We must start viewing AI agents as insiders. If an agent has privileged access and goes rogue — or is manipulated — it can exfiltrate data at machine speed. Essentially, AI has changed the paradigm of what constitutes an insider threat!

But what’s the solution? It’s time to move beyond “set and forget” background checks. Security pros must insist on regular, tiered background reinvestigations (especially for high-access roles), integrating behavioral signals with technical telemetry, and extending risk frameworks to include non-human/AI identities. In a world of remote work and outsourced contractors, trust must be continuous, not just a one-time onboarding event.

How is your organization adapting its Insider Risk Management framework for the AI era?

Check out the article here: https://lnkd.in/dkwhGMNE

DNS is the first line of defense for security and resilience

nielharper

On March 19, 2026, NIST finalized the SP 800-81r3 (Secure DNS Deployment Guide). This isn’t just a routine update; it is a fundamental shift in how we approach Internet resilience and organizational trust.

For years, DNS was the “quiet utility” in the background. In the modern threat landscape, NIST Revision 3 reimagines it as a proactive security control point.

Why does this matter for your 2026 security roadmap?

1️⃣ DNS as a Policy Enforcement Point (PEP): Moving beyond simple resolution, r3 integrates DNS into Zero Trust Architecture. By leveraging DNS as a PEP, organizations can neutralize threats such as malware, phishing, and command and control (C2) callbacks at the resolution stage, before a single packet of malicious data is exchanged.

2️⃣ Closing the Privacy Gap: For the first time, we have a definitive standard for deploying DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) at scale. This effectively encrypts the “digital breadcrumbs” of our network metadata, protecting against unauthorized surveillance and data harvesting.

3️⃣ Operational Resilience & Integrity: Through rigorous DNSSEC validation and the elimination of “dangling CNAME” exploits, r3 provides a fail-safe directory. In a world of automated attacks, your “Single Source of Truth” must be immutable.

NIST SP 800-81r3 ensures that DNS is no longer your weakest link, but your most resilient shield. Standardizing these protocols isn’t just about compliance, it’s about building an Internet that is secure by design.

Do you plan on auditing your DNS architecture against the new r3 standards?

Download the SP 800-81r3 (Secure DNS Deployment Guide) now!

Why CISOs Must Fight Back Against Scapegoating

nielharper

  • CISO ignores red flags in recruitment where business leaders repeatedly mention their “unique developer culture”.
  • CISO joins a major company which claims to be committed to cybersecurity.
  • CISO publishes 30-60-90 day plan and immediately performs a maturity assessment upon joining.
  • CISO meets with over 50 organizational leaders to outline their strategic vision and build support. Not a single person provides any meaningful input. The organization has no Internal Audit or Risk functions.
  • After completing the maturity assessment, CISO develops and publishes a draft cybersecurity strategy and multi-year roadmap for feedback. Not a single member of the executive management board reads the documents or provides feedback (including the CTO and CIO).
  • When asked about weak asset management (less than 35% of devices have EDR or MDM installed), the CIO states that developers don’t like being monitored. The CIO also states that cloud security posture management isn’t a priority (the organization employs a ‘multi-cloud strategy’ with a large footprint across multiple public clouds).
  • The organization’s CI/CD pipeline is fragmented with limited security controls. The CTO refuses to commit to robust security in the CI/CD pipeline because the organization is focused on code velocity and bringing new products/features to the market. CTO cannot explain why the Security Champions program failed.
  • The organization’s ecosystem is filled with thousands of vulnerable apps because there has literally been zero investment in relevant security controls. CISO develops a detailed plan addressing the people, process, and technology required to enhance security in the marketplace. The CISO is pretty much ignored.
  • The organization is obsessed with its annual SOC 2 audit (security theater).
  • CISO makes first presentation to executive management, addressing the security vision in accessible language such as business resilience, competitive advantage, market differentiation, regulatory compliance, collaborative risk management, etc. CISO highlights the “poor security culture” and asks that executive management make a formal statement about their commitment to security, authority to the CISO, and need for business leaders to own security in their domains and cooperate with the CISO. The executive management team is angry and criticizes the CISO for asking them to do what they see as his job.
  • A few weeks later, management and the CISO decide to part ways because of a “poor cultural fit”.

This is unfortunately a widespread scenario highlighting why the average CISO tenure is 18-24 months: poor tone from the top, unrealistic expectations, inadequate resources, accountability without authority, regulatory & legal pressure, and poor organizational culture.

It’s time for CISOs to pushback against these toxic situations!

Cybersecurity & Data Privacy Virtual Summit 2026 

nielharper

It was my esteemed pleasure to have participated in the Cybersecurity & Data Privacy Virtual Summit 2026 these past 4 days.

I shared the “virtual floor” in 2 sessions with Dr. Bright Gameli Mawudor and Godphey Sterling and we discussed the various elements of a successful response to a cybersecurity breach, specifically looking at the Technical Response to neutralize the threat and a Strategic Response to manage business operations, legal obligations, and reputation damage.

We also touched on several topics of critical importance to cyber capacity building in the Global South (e.g., national cybersecurity strategy, CSIRTs, critical infrastructure protection, security awareness, privacy, public sector security standards, supply chain risk management, open-source as an alternative for cost containment, security in emerging technologies, international cooperation, etc.).

Kudos to the other amazing professionals who delivered top-tier presentations and deep knowledge sharing with the captive audience: Grace Lindo, Jason Lau, Rory Ebanks, Greg Richards, Kellye-Rae Campbell, Ann Cavoukian, Karnika Seth, Rosalind Lake, and Deborah Hileman.

Special thanks to Douglas Davidson for the invitation to impart my knowledge and experience and to Andrea Chisholm Anglin for her expert hosting of the event.

The Dangers of Relying on Security Theater

nielharper

In 2026, phrases like “We take security seriously” or “Your security is important to us” have become the ultimate red flags.

When companies lead with these lines in their PR, it often signals the opposite: Security Theater 🎭

As a global digital trust and corporate governance professional, I see this daily. Theater is easy; resilience is hard. Theater is about “checking a box” for a board mandate, audit finding, or customer requirement; resilience is about an internal ethos that guides every business decision.

How do you spot the actors? Here are 6 signs of a “Theatrical” security posture:

  • Non-Existent or Weak “Tone at the Top”: The attitude and commitment of the Board and C-suite dictates the security culture that governs every employee’s daily actions. When the tone at the top is weak, the security program in most every case fails.
  • Compliance as a Destination: Treating a SOC 2 or ISO certification as the finish line rather than the baseline. Attackers don’t care if you passed an audit; they care about your unpatched edge devices and unsecured cloud assets.
  • “Shadow IT” Amnesia: Bragging about a new “AI Policy” while employees are quietly feeding sensitive intellectual property into unmanaged non-enterprise LLMs, leveraging third-party code with no security gates or approvals, and using unapproved plugins or add-ons in browsers / IDEs / issue-tracking platforms that are vastly insecure.
  • The “Culture” Conundrum: Forcing employees through 10 minutes of outdated, boring video slides once a year and calling it a “Security Culture.” Real culture is when people believe in security and live it each day in their actions and decisions. This also goes for the businesses whose “developer culture” requires security leadership to be ‘flexible’ and to ignore heinous security practices by software developers.
  • MFA Mirage: Having Multi-Factor Authentication (MFA) enabled, but allowing so many “exceptions” for executives or legacy systems that the front door is essentially unlocked.
  • Asset and Configuration Management: No accurate inventories exist for hardware / software / data assets, the majority of enterprise devices aren’t running unified endpoint management (UEM) or endpoint protection, cloud assets and their configuration status are unknown, an embarassingly low number of critical assets have logging enabled, and hardening templates don’t exist across virtual servers / microservices / network devices.

Digital Trust isn’t a marketing slogan. It is a measurable KPI. In 2026, the market must shift to rewarding candor and specificity over “vague invulnerability.”

The companies that thrive won’t be the ones that never get hit – they’ll be the ones that had the integrity to build real defenses before the curtain went up.

Stop the performance. Start the protection.

Agents Unleashed: Can We Control What We’ve Created?

nielharper

Wrapped up Day 2 of Black Hat MEA participating in a Fireside Chat with two amazing security leaders Trina Ford and Priya Mouli.

The topic of our chat was “Agents Unleashed: Can We Control What We’ve Created?” We talked about the promise of agentic AI and the underlying risks that businesses and cyber professionals need to address.

This thought-provoking conversation explored areas such as:

  • Output Gates: Ensuring that final action requests by agents are mediated by a security-controlled API or service layer that checks the output against strict, predetermined enterprise policies.
  • Rate Limiting: Temporal controls to prevent infinite loops, rapid escalation, or denial-of-service, preventing misaligned or hallucinating agents from causing immediate, high-volume harm.
  • Reversibility: Autonomy is acceptable only when the agent’s actions can be immediately and easily undone without a system failure or data loss.
  • Identity and Access Management: Why agents should have unique service identities and must be restricted by controls such as PAM, least privilege, and zero wildcard permissions.
  • Governance: Subjecting agents to governance processes such as architecture reviews, threat modeling, risk classification, and incident response management (e.g., playbooks, tabletop exercises, etc.).
  • Shadow AI: Leveraging policy frameworks, identity governance, and network/data layer monitoring to protect against unauthorized or unmanaged agents.

Business leaders often view agents as highly efficient macros or bots. They fail to grasp that the agent’s autonomy and emergent behavior – its ability to reason, adapt, and combine tools – creates risks that are fundamentally different from traditional automation. 

The deployment of Agentic AI necessitates robust, layered security controls because it introduces unique, high-velocity risks that traditional perimeter and human-speed security models cannot handle.

Ransomware as a Service (RaaS) from code to cartel

nielharper

Yesterday at Black Hat MEA, my first deep dive session of the day focused on “Ransomware as a Service (RaaS) from code to cartel”.

I was privileged to share the stage with Ira Winkler, Patricia Titus, and Bjørn R. Watne.

We explored the evolution of ransomware into today’s organized, profit-centered, multi-disciplinary threat collectives, and delved into some key areas such as:

  • The affililiate model and how ransomware groups function like legitimate companies
  • Recruitment for capabilities (e.g., exploit developers, cloud security engineering, C2 servers, payment portals, compromise of trusted insiders, etc.)
  • The importance of business resilience as a risk response (e.g., disaster recovery testing, incident response planning, ransomware playbooks, tabletop exercises)
  • How the transition from double extortion to triple extortion is also manifesting as threats of bodily harm and targeting of family members
  • Emphasized that cyber insurance is not a replacement for robust security controls (e.g., air-gapped backups, MFA, PAM, EDR, security awareness, etc.)
  • How critical infrastructure protection (CIP) and operational resilience legislation factor into the overall industry response (e.g., DORA, NIS 2, CRA, etc.)
  • Detailed why software developers and their tooling are increasingly targeted by RaaS consortiums due to risks such as privileged access to sensitive environments (staging, production), API and cloud infrastructure key custodianship, DevSecOps weaknesses, trust injection across CI/CD pipelines, code repository theft, etc.
  • Addressing encryption-related risks like quantum computing and cryptographic agility
  • How both defenders and attackers are leveraging AI

Many thanks to my fellow panelists for their brilliant insights and a note of appreciation for all those who attended.

The Current Debate on the UK Digital ID (“BritCard”) is Misleading – Here’s Why!

nielharper

The current negative debate about the BritCard is misleading because it largely relies on outdated assumptions about technology and centralization, ignoring the fundamental privacy safeguards that several countries have proven work effectively. The central flaw in the critical narrative is that it assumes a 21st-century digital ID is equivalent to the 1950s physical paper card or a single, insecure database. As with any technology, there are pros and cons to digital ID, but to act like it’s mass surveillance or gratuitous privacy violating is just wrong. What’s even more concerning to me is that a lot of the misinformation is being peddled by “privacy experts”.

Progressive countries like Singapore, Belgium, Austria, Estonia, Sweden, Denmark, Canada, Australia, Poland, Netherlands, UAE, and Germany all have digital ID systems. Digital ID facilitates streamlined access to services, increased efficiency, financial inclusion, reduced fraud, and enhanced security. Regarding privacy, they actually allow for contextual data sharing, which privacy experts have asked for repeatedly.

Data protection legislation and digital identity legislation have been coupled together in many countries to establish standards for security, user consent, data protection, and independent regulation. Moreover, privacy and security controls like zero knowledge protocol, unique ID verification, secure storage, data minimization, decentralized data exchange, and biometric safeguards, among others are employed to protect the privacy of individuals.

I have digital IDs for Denmark, Estonia, and Germany, and they are nothing like what these negative arguments suggest.

NOTE: The proposed central use case for the BritCard of combating illegal immigration is ill conceived and distorts the debate around the pros and cons of digital ID.

Why the UK Government’s Loan Guarantee for JLR is a Cause for Concern

nielharper

A cyber-attack “severely disrupted” Jaguar Land Rover (JLR) vehicle production, particularly at its two main UK plants. JLR’s retail business was also significantly impacted for consumers ordering or taking delivery of new vehicles. To help the carmaker recover and protect jobs within its extensive supply chain, the UK government has decided to underwrite a £1.5 billion loan guarantee.

The government’s loan guarantee is concerning because it socializes corporate risk, essentially creating a taxpayer-funded safety net for private sector cybersecurity failures. While the goal of protecting 100,000 supply chain jobs is sympathetic, this decision undermines the core market incentive for all businesses to achieve robust security resilience.

1. Incentivizing Security Complacency

By being the first company to receive such significant government aid following a cyber-attack, JLR sets a worrisome precedent. It signals to other large, systemically important companies that serious investment in preemptive cyber-defenses is optional. If a major breach causes a costly production shutdown, the government may provide a financial parachute to protect the supply chain. This effectively lowers the cost of poor security planning for major corporations and shifts the financial burden of resilience onto the public purse.

2. Rewarding Inadequate Preparation

The scale of JLR’s shutdown (e.g., halting all production for weeks) suggests a critical failure in both cyber resilience and business continuity planning (BCP). Should a secure and resilient organization be able to isolate an attack and recover without weeks of total shutdown, minimizing impact on its supply chain? Do the loan guarantees reward the company for a recovery posture that was either slow, inadequate, or both? Is the public essentially paying for the gap between JLR’s security maturity and the highly disruptive level of the breach? Many questions arise and a deeper discourse is needed into whether or not the government should be bailing out private corporations for suboptimal cybersecurity posture.

3. Moral Hazard and Unintended Consequences

This action creates a significant moral hazard. The government is protecting the ultimate parent company, India’s Tata Motors, from the full financial consequences of the attack by backstopping a commercial loan via the Export Development Guarantee (EDG). Taxpayers assume the risk of JLR defaulting, shielding the multinational owner from a major cyber-loss event. This is especially controversial given that JLR’s massive profits would normally imply responsibility for maintaining its own cyber insurance and resilience fund.

In short, while the loan guarantee offers necessary short-term relief to small suppliers facing collapse, there is the potential long-term cost of the erosion of market pressure on large corporations to treat cybersecurity as a non-negotiable, self-funded business continuity imperative.

AuditBoard names 25 CISOs to watch in 2025

nielharper

In the rapidly evolving landscape of cybersecurity, innovative Chief Information Security Officers (CISOs) play a pivotal role in safeguarding organizations against AI-driven threats, ransomware attacks, and supply chain vulnerabilities. To acknowledge and applaud those leading the charge in tackling these challenges, AuditBoard has carefully chosen 25 CISOs who exemplify a dedication to enhancing cyber risk defenses and sharing their insights with the information security (infosec) community.

This curated list showcases the industry’s most resilient and forward-thinking cybersecurity experts. The 2025 selection highlights individuals who are at the forefront of navigating the ever-changing digital risk landscape, demonstrating resilience and innovation in their approach to cybersecurity leadership.

Thank you AuditBoard for your recognition alongside these amazing industry titans!

Each of these individuals has made a significant contribution to the profession, to industry, and to the organizations they work for. Massive respect goes out to each of them!