2024 ISC2 Global Achievement Award

I am pleased to announce that I am the recipient of the 2024 ISC2 Global Achievement Award in the Senior Professional (EMEA) category. The award recognises an individual regionally who has significantly contributed to the enhancement of the cybersecurity workforce by demonstrating a leadership role in their profession.

Cyberspace is only as secure, resilient, and prosperous as its weakest link. This is why I have committed over a decade of my life to developing the next generation of digital trust professionals across the globe. ‘Cyber capacity building’ is a vital need for every nation state in order for citizens to benefit from digitisation while ensuring that critical national infrastructure and digital assets are protected.

This award is testament to my work across the globe addressing the complex risks associated with cyberspace and pervasive digitisation, and ensuring that individuals, communities, corporations, and governments are equipped and empowered to mitigate these risks.

Let me also give a shoutout to Sametria McKinney from The Bahamas who won the same award in the Americas category 🙏🏾 She’s a superstar!!!

The Caribbean is WINNING!!!!!

You can explore the other recipients on the awards landing page.

Cyber firms need to centre their own resilience

I recently authored a piece for the ComputerWeekly.com Security Think Tank discussing incident response in the wake of the July CrowdStrike incident, and articulating my viewpoint about what CrowdStrike got wrong, what it did right, and next steps.

“Information security is essentially an information risk management discipline. By rendering many information systems inoperable, the global outage precipitated by Crowdstrike prevented several companies from accessing critical business information due to unplanned and extended downtime.

The unavailability was not only to information systems, but also to related information processing. It was not only an information risk event, but it was also an information security incident. And the impact of the risk event/information security incident was high from operational, financial, reputation, legal, technological and even regulatory perspectives.”

The full article can be found at this link.

Cybersecurity Risks and Solutions in Outsourcing

Q: How can generative AI be leveraged to enhance defensive capabilities and support the work of cybersecurity professionals?

A: “AI and related features such as machine learning, natural language processing, data mining, predictive analytics, behavioral analytics, and automated decision-making can be used to recognize patterns and learn from past incidents, interpreting human language and democratizing security decision-making across relevant teams, extracting valuable patterns and insights from large datasets, forecasting potential threats based on historical data, monitoring and analyzing user behavior to detect anomalies, and enabling quicker, data-driven responses to identified threats.

Still, AI has become a buzzword recently and is by no means a panacea or replacement for good security practices. Cybersecurity professionals must still develop competencies in delivering the core basics of day-to-day operations—risk assessment, asset management, vulnerability management, security architecture, secure software development, identity and access management, audit logging and monitoring, etc.”


I very much enjoyed this interview with Hugo on third-party risk management (TPRM), especially around clarifying how strong TPRM controls can allow businesses to reap significant benefits from outsourcing key business processes (e.g., cost savings, leveraging specialised talent, productivity, scalability, optimisation of advanced technologies, strengthening data security, increased global footprint, etc.).

You can view the full interview at this link.

The Lacework Modern CISO Network: Board Book

“When boards fail to adequately oversee a growing risk with potentially catastrophic consequences, it’s a serious issue.

Yet, the problem remains — and often goes undetected.

Cybersecurity-related discussions in boardrooms sometimes seem to offer great promise; but in reality, they are unproductive sessions that lead to unfulfilled hopes. On the flip side, sometimes important issues are raised and directors do not sufficiently comprehend the matter under discussion. When board members do have technical knowledge, but are unfamiliar with both cybersecurity at the strategic level and the process of security oversight, boards seem to make other time-sucking errors that can create dangerous failures of oversight.

Finding board members who can successfully blend cybersecurity know-how with business acumen is not an easy task. According to the IANS Research report, just 14% of Russell 3000 CISOs have at least four out of the five ideal board candidate traits.

It is this challenge that this publication seeks to reconcile.”

The Modern CISO Network: Board Book offers boards a directory of experienced experts ready to advise and guide businesses as they navigate the complex world of cybersecurity. By arming companies with a diverse directory of CISOs and other cybersecurity leaders with relevant expertise both in terms of cybersecurity and business acumen, the board book will hopefully make it easier for companies to improve their resilience against modern-day threats.

Transitioning from a techie to a business leader is one of the most valuable steps that a CIO or CISO can take, and provides immense value to both the individual in their professional journey and to the organization in terms of addressing pervasive business risks.

I am happy to be featured in the Board Book alongside some of the most outstanding board-ready CISOs in the world. I tip my hat to each and every one of them!

Essential skills for today’s threat analysts

“Skilled threat hunters can play a dual role for organizations, hunting for threat actors as well as ensuring budget is directed at tools and technology that will bolster the hunting capabilities, according to the SANS 2023 Threat Hunting survey. However, a lack of skilled staff is hampering the success of threat hunting efforts, according to the global survey of 564 respondents drawn from SOC analysts, security managers and administrators.

Adding to the task, threat hunters themselves are seeking more training, education, and support from management, the survey has found. As CISOs look ahead to 2024 and the cybersecurity challenges it will bring, what do they need from threat hunting teams and how should threat hunters themselves look to strengthen their skill set?”

Threat analysts play crucial roles in cybersecurity. Without them, it is near impossible to obtain actionable intelligence on potential threats, and other security professionals like security architects and security engineers have no way to effectively focus their efforts.

Demand for threat analysts is also growing and many enterprises have decidedly made threat analysis one of their top security priorities.

It was great speaking to Rosalyn Page about the critical skills that threat analysts need to be successful. She asks the most probing questions and has brought together the insights of several professionals into a solid article.

Check out Rosalyn’s article here.

Comments on the Barbados Cybercrime Bill (2023)

PART II – PROHIBITED CONDUCT

Illegal access

Part II (4) (1-2) is far too broad in its scope and can implicate innocent or well-meaning individuals such as cybersecurity professionals, researchers, activists, and whistleblowers. It’s even more problematic where judicial officers aren’t trained to understand how to distinguish criminality from activities that serve the public interest, protect organizations, or advance the cybersecurity profession.* Certain guidance should be included with the legislation to distinguish between acceptable and criminal behaviours.

For example, the European Union (EU) General Data Protection Regulation (GDPR) includes 172 recitals – also known as the preamble – that provide context and explain the reasons for the regulation. There was also an explanatory memorandum that provided further details on the proposed legislation.

Misuse of devices

Part II (9) (a-b) There are a number of dual-use programmes and applications which can be and are used both for legitimate testing and protection of computer systems and, conversely, for malicious intent. There should be language here which acknowledges this and removes criminality in cases of ethical hacking, for instance.

Disclosure of access codes

Part II (11) (1) There are several legitimate reasons for sharing access codes or credentials without authority, and this alone should not be illegal. The qualifier for criminality should be that the individual knows, or has reason to believe, that the disclosure is likely to cause loss, damage or injury to any person or property.

Critical information infrastructure system

Part II (12) (1) The list of critical information infrastructure (CII) systems is too limited in scope. A broader list should be published as an appendix or guidance note when the act is proclaimed (e.g., financial services, water utility, transportation, healthcare, hospitality, etc.). This should not be vague or left up to interpretation.

Note: Complementary critical infrastructure (CI) protection legislation is needed to ensure that:

  • There is a legal framework or a mechanism to identify operators of critical information infrastructure.
  • Operators of critical (information) infrastructure are required to assess and manage cyber risks and/or implement cybersecurity measures.
  • Public sector organizations are required to assess and manage cyber risks and/or implement cybersecurity measures.
  • A competent authority has been designated and allocated powers to supervise the implementation of cyber/information security measures.

Malicious communications

Part II (19) (3) This is deeply problematic and can be used to stifle freedom of expression or valuable public commentary. It can also be leveraged to prevent criticisms of politicians/public personalities or for the purpose of political persecution. This same vague language exists in the Computer Misuse Act 2005, and has been improperly used for the same abuses identified. There must be safeguards and/or independent supervision in place to ensure that such vague clauses are not abused. This applies to several other elements of this Bill.**

Cyber bullying

Part II (20) (1) – Same as the previous comment.

Cyber terrorism

Part II (21) (1-2) This is too limited in scope and should include any use of computer systems for terrorism or organized crime. It should also include preparatory acts for terrorism or organized crimes (these are not the crimes themselves but the precipitating actions).

PART III – INVESTIGATION AND ENFORCEMENT

Search and seizure

Part III (23) (1-2) gives law enforcement excessively broad powers when it comes to confiscation and access to computer systems (including smaller form factors such as tablets and mobile phones). These types of powers require independent and effective oversight functions (as does this entire Act).

Assisting a police officer

Part III (24) (1-5) Some of the provisions in this section are concerning and can be used to force individuals to grant access to their personal devices, especially in the event that the grounds for disclosure have not been met. Again, this requires independent and effective oversight functions, and the oath of a police officer shouldn’t be enough to obtain a warrant that grants such far reaching powers.

Production of data for criminal proceedings

Part III (26) (1) This gives law enforcement excessively broad and intrusive surveillance powers when it comes to intercepting Internet communications, compelling service providers to hand over subscriber data and Internet activity, and other potentially disproportionate collection or interception of online communications. These types of powers require independent and effective oversight functions. Again, the oath of a police officer shouldn’t be enough to obtain a warrant that allows for such intrusive acts.

Preservation of data for criminal proceedings

Part III (28) (1-3) There is no discussion of the conditions and safeguards for adequate protection of human rights and liberties when collecting and storing (preserving) data for criminal proceedings. This includes maintaining the “chain of custody”, protection of personal data in line with the Data Protection Act, handling of sensitive data, retention periods, adequate security measures, automated decisions (e.g., use of AI), sharing personal or sensitive data with third parties, records of how data is accessed and used, etc. The provisions should also include judicial or other independent supervision, grounds justifying application, and limitation of the scope and the duration of such power or procedure.

General observations – Part III

Part III (Investigation and enforcement) is missing key provisions related to:

  • Joint investigations or joint investigation teams
  • Expert witness testimony by video conferencing
  • Emergency mutual assistance (which is different to expedited disclosure)

ALIGNMENT WITH THE BUDAPEST CONVENTION

2nd Protocol of the Budapest Convention

It is clear that the Cybercrime Bill was patterned after the Council of Europe’s (CoE) Budapest Convention, which has been deemed outdated or deficient for several reasons. The Additional Protocol and the Second Additional Protocol of the Budapest Convention treat additional issues around racism, xenophobia, enhanced cooperation, and access to electronic evidence (e-evidence). The drafters of this Bill do not appear to have integrated the substantive updates from the additional protocols or to have considered the protections and safeguards required by the Budapest Convention to protect human rights. So it looks like the government is essentially looking to enact legislation that is outdated and not in step with current technology developments or evolving jurisprudence.

* Training of judicial officers, especially with regards to technology law and privacy law, is a major problem in the country. Because these specialist areas of law are emerging, there is poor understanding of the issues by magistrates, judges, prosecutors, etc. and limited case law to refer to locally or in other regional jurisdictions. Consequently, many rulings / decisions have flawed bases, and individuals are often under- or over-penalised.

** The Budapest Convention, on which the Cybercrime Bill is based, has an accompanying 60-page explanatory report that specifies the additional checks and balances and the rule-of-law-based environment that countries like Barbados should have underpinning their cybercrime legislation. The explanatory report also covers the background, scope, objectives, and main provisions of the Convention, as well as the challenges and opportunities of cybercrime.

The current version of the Cybercrime Bill (2023) can be found here: https://bit.ly/3uLrSQC

UPDATE: On 6 May 2024, I presented a more detailed critique of the Cybercrime Bill to the Parliamentary Joint Select Committee. The presentation can be found HERE.

Top 25 leaders in cyber security

“Cyber Security Hub is thrilled to present our top 25 leaders in cyber security for 2024

The list features people from all over the globe and from different specialisms, including fraud detection, corporate governance, cyber defense, ethical hacking and more. They all have extensive expertise, have made remarkable achievements towards advancing cyber safety, and use their public profiles to raise awareness of the importance of cyber security, both as a safety measure and a career.”

Thank you Cyber Security Hub for this recognition! Giving back to the industry and the profession means so very much to me, and recognition is often a secondary thought. But when it comes out of the blue, it is always deeply appreciated.

Being part of this list with my friend Jason Lau is also particularly special, as is sharing it with persons that I deeply admire and respect such as Tia (Yatia) Hopkins, Confidence Staveley, and Jen Easterly. These individuals inspire me daily, and their contributions to the profession as well as to online security, resilience and stability are immeasurable. Biggest respect and congrats to all those persons on the ‘Top 25’ list – You’re simply amazing!

Finally, the role that ISACA has played in my career and continues to play in the careers of thousands of digital trust professionals across the world is phenomenal. I am beyond privileged to be a Board Director at the organization!

Thanks again!

You can see the full list here: https://ow.ly/yOvE50PYury

Alumni of Distinction Award (Technology) – Algonquin College

I am proud to announce that I have been selected to receive the Alumni of Distinction Award (Technology) at my alma mater Algonquin College of Applied Arts and Technology.

“The hands-on learning environment of Algonquin College is what set Harper up for success in his early career. Lab work combined with theory ensured Harper was equipped with the necessary knowledge to excel in the telecommunications field. He credits his workforce readiness to his time spent working on technology systems in the College’s labs, noting how the practical skills acquired contributed to his early success.

He also remarked on how the professional connections made throughout the program ensured an easy transition into the work environment post-grad. College was the launch pad for Harper to explore his passions and determine his future pursuits — his time at College helped him foster his passion for telecommunications and sparked a lifelong career of improving people’s lives through Internet and ICT services.”

My time at Algonquin College has been a key factor in my career success, and I am beyond proud to be an alum of the institution!

I am very humbled and welcoming of their recognition.

Check out my story here: https://bit.ly/3LgR1b9

How international cybersecurity frameworks can help CISOs

Cyber laws are more than just the actual statutes themselves. It’s the sum of all that a robust cyber-policy framework facilitates. This includes cybersecurity and cybercrime legislation, workforce development strategies, cyber information-sharing (threat intelligence), digital forensics, computer emergency response teams (CERTs), cyber diplomacy, and bilateral agreements, among other facets. “These cyber capabilities along with technology advancements have made us much better at cyber-incident attribution,” says Niel Harper, who’s part of the professional standards working group with the UK Cyber Security Council, a member of the board of directors at ISACA, and a member of the World Economic Forum cyber risk working group.

Organizations need to adopt and ‘live’ the right cybersecurity frameworks. “Policies and cyber insurance alone won’t cut it. Executive management and boards need to get smarter so they can ask the right questions about cyber risks and associated economic drivers, business leadership must encourage systemic resilience and collaboration, and ensure that organizational design and resource allocation supports cybersecurity,” Harper says.

For CISOs, everything needs to be framed around cyber-risk management and business strategy alignment, but external collaboration is critical. Public-private partnerships, especially as it pertains to critical national infrastructure protection, are crucial in the fight against cybercrime and so are sectoral and cross-sectoral CERTs and information-sharing mechanisms. “Collaboration allows for organizations to stay ahead of emerging threats and be more proactive on their cyber resilience,” he says.

Many thanks to CSO Online for engaging me and other privacy and cybersecurity experts to discuss two of my absolute favourite topics – “cyber law” and “cyber policy”. I wanted to further expand on my comments that were quoted in the online article.

There are currently 68 parties to the Budapest Convention and 21 observer countries which are signatories and have been invited to accede. There’s vital international cooperation and collaboration on cybercrime that occurs via mutual legal assistance treaties (MLATs) and through organizations such as INTERPOL, AFRIPOL, ASEANAPOL, EUROPOL, UNODC, and others. But due to the complexity, scale and scope of cybercrime, a lot more can be done. The problem often comes down to the capabilities (or lack thereof) in nation states to effectively participate in international cooperation activities. And frankly, many countries are simply not equipped, which is why we are seeing these safe havens as it pertains to cybercrime. This is the purpose of the Budapest Convention along with several global capacity building initiatives such as GLACY / GLACY+, SIRIUS, EU Cyber Direct, GFCE, and others – to assist nation states in building capacity in areas such as national cyber security strategy, cybercrime legislative reform, computer emergency response teams (CERTs), digital forensics, and access to cross-border electronic evidence (e-evidence), just to name a few.

There’s also the work being done via the UN’s Open Ended Working Group (OEWG) and the Ad Hoc Committee towards a global Cybercrime Convention. The current approach through the Budapest Convention has created a patchwork quilt of cybercrime laws and different levels of maturity across the 195 UN Member States. A global Cybercrime Convention is intended to comprehensively harmonise cyber laws and enable agile multilateralism to better tackle cybercrime and enhance coordination and cooperation among nation states.

The Budapest Convention also has several notable limitations. Besides the areas you mentioned, there are material flaws in that it lacks privacy and civil liberties protections; it’s far too broad in its scope and can often implicate innocent individuals such as researchers, activists, and whistleblowers; it’s missing certain protections to prevent it being deployed for political persecution; it fails to require “dual criminality” as a prerequisite for mutual legal assistance (i.e., acts must be illegal in both countries); it gives law enforcement wide and intrusive surveillance powers; and it distorts existing intellectual property regimes by moving away from fair use and public interest objectives. The new UN Cybercrime Convention must resolve these and other issues – if there’s ever consensus across Member States – especially narrowing of the scope, building capacity across Member States, and the inclusion of human rights safeguards.

Cybercrime prevention requires cooperation at many levels – legal as well as technical and political. Many countries have cybercrime laws in place, but the technical skills required to enforce them are missing, and this is across areas such as operational law enforcement, law enforcement administration, support services, and judicial officers. Additionally, in many nations, law enforcement officers (LEOs), police administrators, politicians, and court officers are corrupt, underpaid/overworked, or simply lack the motivation to properly enforce the laws on the books. They are also often bribed or intimidated by criminals. Remember the famous quote by Peter Drucker, “Culture eats strategy for breakfast?” The same applies to effective cybercrime prevention.

How municipalities are dealing with being low-hanging targets for hackers

“On cybersecurity veteran Niel Harper’s first day as virtual CISO at a municipal agency, he was thrown immediately into the reality in which cities and town administrations find themselves today — under threat and scrambling to find the resources to fight back.

The new organization, which he asked not to be named for security reasons, came under a massive ransomware attack that encrypted the entire production environment in a matter of hours. The attackers compromised the network via a weak administrative password, encrypted all servers and storage systems, and reset the backup servers to factory settings. “The client had no response plan in place, so I had to build one on the fly,” he says. “I used that experience to create a detailed incident response plan with roles and responsibilities, and then followed up with annual desktop attack simulations.””

Local governments, much like hospitals, schools, and municipal water authorities, are “low-hanging fruit” – organizations that lack the resources to effectively defend themselves against routine cyberattacks, never mind an advanced persistent threat (APT). For threat actors targeting under-resourced local governments, the goal is not necessarily financial reward but instead to broadly disrupt society at the municipal level. A number of successful cyberattacks have severely impacted local governments in recent years. These include attacks on targets ranging from 911 call centres to public school systems to community clinics. The consequences of a successful cyberattack against local government can be debilitating.

Other cybersecurity leaders and I recently spoke to Deb Radcliff at CSO Online about what local governments can do to better defend themselves against online threat actors, including enhancing recruitment, leveraging available resources from national cybersecurity agencies, and building incident response capabilities, among others.

Check it out!