Where’s The Blockchain Killer App? Maybe It’s Buried Underneath All the Hype!

Photo credit: University of Agder

“Our approach, as it turns out, echoes others in the field who question whether the benefits of Blockchain add value above and beyond existing technologies, or accrue to stakeholders beyond the donors that fund them.”

This article on ICTworks really brought all the feelings I’ve been having about distributed ledger technologies (DLTs) to the fore.

I’ve been struggling in recent times to see where Blockchain has delivered the immense value it promised, created true market or stakeholder value, or disrupted an existing ecosystem. What I keep coming back to is that “Blockchain is a solution searching for a problem.” Worse, many of its enthusiasts and proponents are conceptual thinkers and snake oil salespersons with little to no experience delivering secure, integrated, complex systems.

My confidence in Blockchain is not low because Initial Coin Offerings (ICOs) started with so much promise as an innovative way to raise capital for startups, but quickly morphed into get-rich-quick scams that relieved thousands of ill-informed crypto enthusiasts of their collective wealth. My skepticism about Blockchain isn’t at an all-time high because Bitcoin seems like nothing more than a way to consume massive amounts of electricity in pursuit of an energy-wasting, climate-changing, speculative investment commodity (and one which fails spectacularly as a payment system). I am actually willing to concede that the combination of immense capital and technical effort will ultimately yield results. At present, the space is just really noisy and solutions are painfully slow in coming.

I am not saying that Blockchain doesn’t potentially have real, valuable use cases. To be fair, there are some extremely bright individuals working on Blockchain solutions and oodles of capital funding their work. Hopefully, while I still have breath in my lungs, I will see a Blockchain product or service that is truly life-altering. But so far, there’s enough evidence to state with confidence that Blockchain has been mostly bluster and little benefit. More specifically, ten years in, there is no industry where this technology has rendered its competitors obsolete. There have been thousands of great ideas (and thousands more that were not so great), but where the rubber hits the road, execution has been poor.

What the Government of Barbados Needs to Do to Get Fintech Right

There’s a common misconception that IT governance, risk and control (GRC) professionals like myself impose unreasonable demands on those trying to innovate and deliver human, social and economic benefits to society. But this is the furthest thing from the truth – our role is to ensure that those who are delivering technological solutions understand the risks and impacts associated with their IT platforms, and mitigate them in an adequate, effective, and sustainable manner.

The aforementioned point is key as I will go on to explore the privacy, security, and socio-economic implications of two recent announcements by the Government of Barbados pertaining to the implementation of Blockchain-related technology in the country. In a September 19th article titled ‘E-currency pilot coming’, it was stated that Prime Minister Mia Mottley “did not give details of the planned mobile wallet pilot project or when it would begin but gave the assurance that it would not be done in a reckless manner.” Barbados Today published an article on September 25th which stated ‘BSE to begin crypto-trading’, essentially heralding the decision of the Barbados Stock Exchange to trade in security tokens or crypto assets.

Given my intimate knowledge of privacy and security weaknesses in both the public and private sectors, the PM’s words do not instill in me any great confidence around the robustness of the security controls that will accompany these projects. The implementation of e-currency is a complex undertaking that, if not done correctly, can have a material impact on the country’s already weakened economic position. Security tokens are an extremely nascent solution with a lot of potential, but that doesn’t exempt them from security and privacy deficiencies. As such, I want to delve into some of the key areas that must be addressed before these solutions are widely deployed across our beloved nation.

Contract management and due diligence

Before any contracts are signed to commence these projects, the government must understand where personal data of Barbadian citizens will be stored. To provision users onto these platforms, personal data will need to be collected for AML and KYC purposes such as name, address, phone number, driver’s license, passport details, etc.

If the data is stored outside of Barbados, the privacy of Bajans may not be safeguarded, as it will be subject to the laws and regulations of the jurisdiction in which the data resides (meaning that the legislation of a foreign country could grant its authorities access to any and all data kept on Barbadian citizens). This is particularly concerning given the absence of data protection legislation in Barbados that would oblige any fintech company to ensure that transnational data flows only occur where the destination country has an adequate legal framework in place to protect the rights of data subjects.

The lack of data protection legislation presents another problem in terms of imposing strict obligations on fintech providers to uphold the rights of data subjects. This includes setting requirements and fines for both data controllers and data processors as it pertains to protecting personal and sensitive data, obtaining consent to share personal/sensitive data, reporting data breaches to government and data subjects, among other rules. Hence, it would be in the best interests of Barbados citizens and foreign nationals if the 2018 Data Protection Bill was enacted into law before the launch of the new platforms.

In an ideal situation, the government should obtain 2-3 references from previous instances where the contracted parties have deployed solutions of this kind for other customers. However, it appears that Barbados will be the first country where the vendor will be deploying a ‘true’ e-currency platform, thus making the need for strong controls even more critical. As it pertains to tokenized securities, similar due diligence must be undertaken to protect our citizens.

The government must ensure that a qualified and independent security professional conducts a site visit to the vendors’ IT facilities to undertake a thorough assessment of their security controls. If this cannot be done, the vendor should be required to furnish government with a signed attestation from an independent and qualified third party that the IT facilities meet all the necessary best practice security requirements (e.g. physical security, grounding and lightning protection, environment monitoring, generators, etc.). Additionally, there should be a “right to audit” clause in the contract that allows the government to turn up at the vendors’ IT facilities at any time to conduct a security assessment.

The vendors’ financial statements should be reviewed by an independent auditing firm such as PwC, EY or Deloitte to ensure that they are in good standing and able to remain going concerns for the foreseeable future. The viability of their business models should also be assessed as feasible. This would protect the country and its citizens from being left at the mercy of fintech service providers whose platforms enjoy massive uptake and integration into the socio-economic fabric of the country, only for the providers to abruptly go out of business.

With regards to PwC, EY, Deloitte, and other accounting firms (or any qualified professional services firm as a matter of fact), government should enlist one of them to have experienced IT auditors assigned full-time to both projects. This would ensure that IT governance, risk and control processes are embedded throughout the project lifecycles and don’t become an afterthought.

Another area of due diligence is assessment of the team who will be delivering and supporting the solutions. The government must obtain assurance that the right mix of skills is available to deliver and provide ongoing support for high performance, scalable and secure fintech platforms. Along with the technical positions, key roles that should be in place are Internal Audit (assurance), Privacy (compliance) and Information Security (availability, integrity and confidentiality).

Finally, a software escrow agreement that allows government access to the vendor’s proprietary code in the event they go out of business should be put into place.

Technical architecture

Undertaking a technical architecture assessment is critical to implementing both these projects. Once again, independent and qualified third parties need to look at how the different elements of these platforms will integrate with each other and how they will be secured against cyber-attacks. A number of the questions that the selected fintech service providers need to answer and verify are as follows:

  • How will web and application servers be hardened against attacks?
  • How will database systems be hardened against malicious actors?
  • How will operating systems be hardened and secured from hackers?
  • How will Blockchain nodes be hardened and secured from hackers?
  • How will identity and access management (IAM) be delivered to manage privileged access to these platforms?
  • Will middleware and APIs have built-in authentication mechanisms?
  • Will all data transmitted over public networks be encrypted and authenticated (e.g. TLS with proper certificate validation, not merely a cipher with unchecked or self-signed certificates)?
  • What encryption schemes will be used to protect sensitive data in storage?
  • Will network devices such as routers and switches be hardened and utilize strong authentication mechanisms?
  • Will there be separate firewall tiers to isolate and protect servers with higher risk profiles?
  • How will administrators and developers securely access the platforms remotely?
  • How strong will the controls be around disaster recovery/business continuity?
  • Will hot (online) or cold (offline) wallets be used, and how will they be secured (e.g. passwords, passphrases, two-factor authentication, biometrics, etc.)?
  • How are mobile applications designed with security in mind (e.g. storage, communication, authentication, cryptography, etc.)?
  • How are web applications designed with security in mind (e.g. input/data validation, authentication, authorization, storage, communication, cryptography, etc.)?
  • Will private or public Blockchains be used? How will the Blockchain, smart contracts and related elements be secured?
  • If fintech companies are using cloud services, how are issues like multi-tenancy, distributed denial of service (DDoS) attacks, breach notification, malicious insiders, etc. being addressed?
  • How will integration with external systems be secured?

These questions and others need to be satisfactorily answered before these fintech solutions go live. A technical architecture review should be conducted to set a baseline of expectations for the final solution. Bringing trusted, independent cybersecurity experts to the table will help ensure that there are no control gaps in the end-state architecture.
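As a concrete illustration of what “verifiable evidence” for the hardening questions above can look like, here is an added example (not code from the original article, nor from any vendor or platform it discusses) of a small Python check run against an OpenSSH server configuration. The baseline it enforces is this example’s own assumption rather than a published standard, and both sample configurations are constructed. It also catches a gotcha that reviewers of hand-over configs often miss: sshd honours the first value it reads for a directive, so a hardened line added below a weak one changes nothing, and settings inside Match blocks apply only conditionally and deserve a separate look.

```python
"""Added example: baseline check for an OpenSSH sshd_config.

The RULES below are this example's own assumptions (no published standard
is being claimed), and both sample configurations are constructed.
"""
import re

# (directive, OpenSSH default when the directive is absent,
#  predicate that returns True for an acceptable value, rationale)
RULES = [
    ("permitrootlogin", "prohibit-password",
     lambda v: v == "no", "root login should be disabled outright"),
    ("passwordauthentication", "yes",
     lambda v: v == "no", "password logins should be off; require keys"),
    ("permitemptypasswords", "no",
     lambda v: v == "no", "empty passwords must never be accepted"),
    ("pubkeyauthentication", "yes",
     lambda v: v == "yes", "public key authentication must stay enabled"),
    ("x11forwarding", "no",
     lambda v: v == "no", "X11 forwarding is unnecessary on a server"),
    ("maxauthtries", "6",
     lambda v: v.isdigit() and int(v) <= 3, "limit guessing attempts per connection"),
    ("loglevel", "info",
     lambda v: v.startswith(("verbose", "debug")),
     "VERBOSE records the key fingerprint used for each login"),
]


def parse_sshd_config(text):
    """Return (effective, conditional).

    effective: the value sshd will use for each directive in the global
    section. sshd keeps the FIRST value it reads for a directive, so a
    hardened line placed after a weak one does not override it.
    conditional: (directive, value) pairs inside Match blocks; these apply
    only to matching users/hosts and are reported separately.
    """
    effective, conditional = {}, []
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # everything after the first Match is conditional
            continue
        if in_match:
            conditional.append((key, value))
        else:
            effective.setdefault(key, value)   # first value wins
    return effective, conditional


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the baseline is met."""
    effective, conditional = parse_sshd_config(text)
    findings = []
    for key, default, acceptable, why in RULES:
        if key in effective:
            value, source = effective[key], "explicit"
        else:
            value, source = default, "default"
        if not acceptable(value):
            findings.append(f"FAIL {key}={value} ({source}): {why}")
    checked = {rule[0] for rule in RULES}
    for key, value in conditional:
        if key in checked:
            findings.append(f"REVIEW {key}={value} inside a Match block")
    return findings


# Constructed sample: a configuration as a vendor might hand it over.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# The line below is ignored by sshd: the first value above wins.
PasswordAuthentication no
X11Forwarding yes
"""

# Constructed sample: the same host after remediation.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_sshd_config(cfg) or ["baseline met"]:
            print(" ", finding)
```

Run against the weak sample, the check reports five failures (including two that come from OpenSSH defaults the config never mentions, which is why absent directives are audited rather than ignored); against the hardened sample it reports no failures but flags the Match block that re-enables passwords for one account, which is exactly the kind of exception an auditor should have to sign off on.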

Testing

Testing is one of the best phases in software development to flush out security issues. Hence, this is where government needs to double down on its due diligence. Below are some of the questions that government should be asking and receiving answers and evidence for:

  • How are code repositories being used and secured?
  • What processes and tools are used to manage version control and to promote code from testing to live environments? Are these tools fit for purpose?
  • What secure coding standards are being used by developers and what tools are being used to force adherence to these standards?
  • How are static application security testing (SAST) and dynamic application security testing (DAST) being employed?
  • How are source code analyzers being used to detect security weaknesses in both non-compiled and compiled code?
  • Will stress testing be conducted to ensure the system design and resources can support transaction volumes?
  • Are dynamic scanners being used to simulate attacks during the quality assurance (QA) cycle?
  • Have threat modeling and risk assessment been conducted on the end-to-end solutions? Has an independent party verified the results?
  • Does the test environment mimic the production environment as much as possible?
  • Will an independent security architecture review be performed on the system before it goes live? Will all the material weaknesses found be remediated before the solutions go live?
  • Will independent penetration tests (from the outside in, as an attacker would approach the system) and authenticated vulnerability scans (from the inside, with credentials) be performed on the system before it goes live? Will all the material weaknesses found be remediated before the solutions go live?
  • What security-related scenarios will be included in user acceptance testing (UAT) or closed user group (CUG) testing (e.g. input/data validation, password quality rules, repudiation, roles-based access controls, path traversal, missing authorization, error handling, privilege elevation, etc.)?
  • What levels of audit logs are generated by the systems? Are audit logs properly secured?

The testing phase provides an opportunity to iron out most of the security issues before the live solution is released to the public. The importance of this stage should not be underestimated, and government must ensure that they are fully engaged and involved throughout.
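Two of the questions above, whether audit logs are properly secured and whether repudiation is covered in acceptance testing, come down to one thing: can a log be altered after the fact without anyone noticing? The following Python example is added here and is not code from the article or from any of the vendors or platforms it discusses. It shows an append-only audit log in which every entry carries an HMAC over itself and the previous entry’s tag, the writer’s key is evolved after each append, and a small checkpoint is kept outside the writer’s reach; it then demonstrates that editing, deleting or truncating entries is detected. The key, the helper names and the sample events are constructed for the example.

```python
"""Added example: tamper-evident audit log (hash chain + HMAC + checkpoint).

The key, the events and the helper names are constructed for this example;
nothing here is code from the article or from any vendor platform.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64   # 'previous tag' for the first entry


def _entry_tag(key, seq, prev, event):
    """HMAC-SHA256 over the canonical JSON of (seq, prev, event)."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _next_key(key):
    """Forward-secure key evolution: the writer hashes its key after every
    append and discards the old one, so an intruder who later takes over the
    writer cannot recompute valid tags for earlier entries."""
    return hashlib.sha256(b"audit-key-step|" + key).digest()


class ChainedAuditLog:
    """Append-only log: each entry's tag covers the entry and the previous
    tag, so editing, deleting or reordering a record breaks every tag after it."""

    def __init__(self, initial_key):
        self._key = initial_key
        self.entries = []

    def append(self, event):
        seq = len(self.entries)
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "event": event,
                 "tag": _entry_tag(self._key, seq, prev, event)}
        self.entries.append(entry)
        self._key = _next_key(self._key)   # old key is no longer held
        return entry

    def checkpoint(self):
        """(count, last tag): store it where the writer cannot reach it,
        otherwise silently dropping the newest entries is undetectable."""
        last = self.entries[-1]["tag"] if self.entries else GENESIS
        return len(self.entries), last


def verify_chain(initial_key, entries, checkpoint=None):
    """Return (True, None) if intact, else (False, index of first bad entry).
    The verifier holds the initial key and re-derives the per-entry keys."""
    key, prev = initial_key, GENESIS
    for i, e in enumerate(entries):
        expected = _entry_tag(key, i, prev, e["event"])
        if (e["seq"] != i or e["prev"] != prev
                or not hmac.compare_digest(expected, e["tag"])):
            return False, i
        prev, key = e["tag"], _next_key(key)
    if checkpoint is not None and checkpoint != (len(entries), prev):
        return False, len(entries)   # tail truncated (or entries appended)
    return True, None


# Constructed sample events, of the kind a privileged-access review would need.
SAMPLE_EVENTS = [
    {"user": "ops1", "action": "login", "result": "success"},
    {"user": "ops1", "action": "grant_role", "target": "ops2", "role": "wallet_admin"},
    {"user": "ops2", "action": "export_kyc_records", "count": 1500},
]


def demo():
    """Build a log, then show which tampering each check catches."""
    initial_key = b"constructed-initial-key-held-by-the-auditor"
    log = ChainedAuditLog(initial_key)
    for event in SAMPLE_EVENTS:
        log.append(event)
    cp = log.checkpoint()

    edited = copy.deepcopy(log.entries)
    edited[1]["event"]["role"] = "viewer"          # rewrite history
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                 # remove the grant
    truncated = copy.deepcopy(log.entries[:-1])    # drop the newest entry

    return {
        "intact": verify_chain(initial_key, log.entries, cp),
        "edited": verify_chain(initial_key, edited, cp),
        "deleted": verify_chain(initial_key, deleted, cp),
        "truncated_no_checkpoint": verify_chain(initial_key, truncated),
        "truncated": verify_chain(initial_key, truncated, cp),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

Two design points matter for an auditor. First, the chain alone cannot detect truncation of the newest entries (the shortened log still verifies), which is why the checkpoint must live in a separate trust domain such as the internal audit function or a write-once store the application account cannot modify. Second, because the writer discards each key after use, a host compromised at a later date can only forge entries from that point forward; the verifier, which holds the initial key, must therefore be a different party from the system producing the log. This gives tamper evidence with ordinary primitives, which is a useful yardstick when a vendor claims that a distributed ledger is needed for the same purpose.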

Deployment and ongoing support

Deployment and ongoing support will be integral to delivering a truly disruptive fintech solution to the citizens of Barbados. Of course, the first step is deploying the exact system configuration that was thoroughly assessed and remediated during the architecture and testing phases. This can’t be emphasized enough – you don’t want to deploy a system full of security vulnerabilities. With that done, there are a number of questions relevant to supporting the environment on an ongoing basis:

  • What processes will be in place for identity and access management? How will day-to-day access for normal users and super users of the systems be managed (e.g. granting, revoking, and updating access)?
  • How will secure configurations be maintained throughout the system lifecycles (e.g. mobile security, desktop hardening, server hardening, switch and router hardening, etc.)?
  • What processes/solutions will be in place for managing system vulnerabilities?
  • What processes/solutions will be in place for managing system upgrades and patches?
  • What processes/solutions will be in place for making changes to production systems?
  • How will production systems be monitored for performance issues, normal and privileged account usage, network intrusions, unauthorized file changes, access to restricted systems, etc.?
  • How will malware be addressed on production systems (e.g. cloud services, virtual machines, nodes, clients, mobiles, etc.)?
  • How will security awareness for end-users of the systems be addressed (especially given that the intention is for the mobile wallet to be deployed widely to the public)?
  • What processes and systems will be in place for disaster recovery/business continuity?
  • How will government ensure that the right legal framework is in place to protect the country and its citizens (e.g. anti-money laundering, taxation, consumer protection, privacy, critical infrastructure protection, etc.)?
  • Who will be supporting the production systems on an ongoing basis – government or the fintech companies? Will there be sufficient knowledge transfer to government personnel if they are tasked with ongoing support and maintenance?
  • Has there been detailed assessment of ongoing costs? Will these costs be borne by the fintech provider or government? If by the fintech provider, what’s the business model that will be in place to sustain their operation in a profitable manner? If by the government, are the right staff in place to support and maintain the platform? Will the overall cost burden undertaken by government be sustainable (especially given the country’s existing financial situation)?

Monitoring and evaluation

For any system implementation to be truly successful, there must be a plan for realization of the benefits articulated at the beginning of the project. Here are some of the key questions to be answered:

  • What does success look like?
  • How will success be measured?
  • Will success metrics be shared with the public (they should be when taking into consideration the levels of risk and investment in these projects)?
  • Are the projects delivered on time and within budget?
  • Have technical objectives been achieved?
  • Have financial objectives been achieved?
  • Are socio-economic benefits being realized by the population?
  • Have human behaviors changed in terms of the use of mobile payments?
  • Has the Barbados Stock Exchange (BSE) become more liquid? Has there been a significant uptick in foreign direct investment (FDI) via the BSE? Are we seeing more security tokens being traded on the BSE?
  • Are there fewer underbanked or unbanked individuals in the country? Have financial inclusion statistics improved? Is the common man less burdened by the cost of banking? Is it now easier to send money overseas (money transfers) or send money back to Barbados (remittances)?
  • Has government reduced the costs of funding the fiat monetary system?
  • Have the substantial risks associated with correspondent bank de-risking been mitigated?

These questions and more need to be answered once the systems go live. More importantly, a benefits realization/monitoring & evaluation (M&E) plan needs to be in place up front. The government and its fintech partner should not be deciding what needs to be achieved and measured once the systems go live – these benefits should be stated up front to convey the value proposition and return on investment (ROI) for the systems, and to support the level of investment and risks undertaken.

Conclusion

These projects represent significant benefits for the country. Conversely, they also represent significant risks. I am not against technology; I have spent the last 10 years of my life committed to facilitating the use of ICTs for development (ICT4D) in emerging economies. However, I am of the firm belief that citizens have a right to know exactly what their leaders are getting them into (i.e. openness and transparency are of utmost importance). It is my hope that government will engage in a more transparent process as it pertains to the planned implementations of Blockchain and distributed ledger technologies (DLT). Moreover, if fintech is being done, it needs to be done RIGHT. One of the most basic, yet important, tenets of information systems auditing is “TRUST, BUT VERIFY”. All of the questions I have posed deserve answers. Not only answers, but verifiable evidence. Government is not known for strong expertise in IT law, policy and regulation; systems development; and cybersecurity. This is why the citizenry of Barbados cannot be expected to abide by only trust as it pertains to the implementation of Blockchain technologies across the country. The potential benefits, and the risks, are way too high!

Should it be mandatory for CISOs to be part of the Board of Directors?

More and more boards are scrutinizing the impact of security and privacy issues on their businesses. However, action to bring CISOs onto the board has been far too slow. The main challenge is that boards don’t grasp that information security issues are not simply IT issues. For clarity, take a look at my article on ‘8 Reasons Why Cybersecurity Strategy and Business Operations are Inseparable’.

The urgency now being seen from many boards is largely a knee-jerk response to government pressure and increased regulation in the wake of several high-profile breaches that have shaken public trust. Former SEC Commissioner Luis Aguilar made the following comment back in 2014:

“Board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks.” He also issued a clear warning that “boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril.”

Regulators across the globe are making it clear that organizations must have robust privacy and security controls in place to manage the risks associated with technology-enabled commerce. As such, it is critically important that boards regardless of their companies’ industries have a security expert among them to expertly lead the organization in such matters. It is clear that government regulators will hold the Board of Directors accountable and liable for not discharging their duty to prevent harm to the corporation, including damage occurring from cyber attacks and data breaches. Individual directors themselves can be subject to derivative shareholder lawsuits and class-action suits from the company’s banks, business partners, vendors, customers and their own employees.

That being said, not many CISOs have the knowledge, experience and executive capabilities required to translate into meaningful business terms the impact a cyber incident has on the organization and the activities undertaken to mitigate such events. Many board members are not engineers or IT professionals, let alone versed in technology governance, risk and control. The average board comprises approximately nine individuals, but some have as many as 30, so it is imperative that CISOs familiarize themselves with their audience to deliver a presentation that resonates. It is helpful to go through the details of presentations one-to-one with individual board members, as many of them like going into depth, and that is an ideal way to influence the board on an individual basis. In actual board meetings, there is a firm agenda and time limits that can lessen the strength and impact of CISO presentations.

One of the most effective presentation techniques is the use of risk metrics, as most board members in a formal session do not want to be inundated with techno-jargon (do this and watch their eyes glaze over). They want a helicopter perspective of the issues, with clear impact on how the organization as a whole is affected. Board members want visual quantification of risks with the most relevant data in simple language. Using benchmarks for past, present and future allows the audience to clearly see how the situation has changed, the progress made, and the effort necessary to reach a benchmark goal.

It is an uphill journey for a CISO to acquire a seat on the board. It is not for the faint-hearted as one is burdened with enormous responsibilities and the board members are the apex of the organization tasked with guiding its ultimate success or failure. Consequently, board membership is a delicate process as much is at stake in terms of the organization remaining a going concern.

CISOs are a necessity on the board, but they must be savvy, experienced and strategic-minded executives to serve in that capacity. They must have the vision, thought leadership, relationship-building skills, and grit to demonstrate value to the organization in this role.

The Impact of the GDPR on the Hospitality Sector

Today I held a General Data Protection Regulation (GDPR) awareness seminar for members of the Barbados Hotel and Tourism Association (BHTA).

With regards to data security, few sectors are more exposed to data-related threats than hospitality: the volume of personal and payment card information handed over to hotels, restaurants and the like every day makes it a prime target. With the enforcement deadline having passed on 25 May 2018, several companies in the sector have still not updated their data protection processes, and are at risk of large financial penalties.

The seminar touched on key areas such as the following:

  1. Major Differences between the Data Protection Directive 95/46/EC and the GDPR
  2. Overall readiness across the hospitality sector
  3. Capturing and using personal data going forward
  4. Consent and contextual use of personal data
  5. How the GDPR affects repeat business and email marketing
  6. How the GDPR affects third-party data processors
  7. The rights of data subjects under the GDPR
  8. The difference between ‘personal data’ and ‘sensitive data’, and how they should be treated
  9. Other key aspects of the GDPR such as the Data Protection Officer (DPO), Data Protection Impact Assessments (DPIA) and ‘privacy by design’
  10. How to update strategies for websites, data governance, and marketing to become GDPR compliant

My takeaway from this session was that many businesses — small to large — have not made any steps to align their operations and processes with the requirements of the GDPR. Several others are defiantly refusing to address privacy and data protection within their organizations. However, what was gratifying is that I received a torrent of emails in the hours and days after from hoteliers, many of them eager to engage subject matter experts (SMEs) to assist in improving their control framework to meet the rigorous demands of the GDPR. Hopefully, this interest and willingness to improve is sustainable. There’s a lot of work to be done!


ICT PULSE: Cyber threats and security in the Caribbean 2018 update – Interview with Niel Harper

ICT Pulse:  Niel, thank you again for taking the time to share your insights with us. To start, give us a quick recap of what have been the most prevalent types of incidents in Barbados and/or in the wider Caribbean region over the past year or so?

Niel Harper:  Over the past year, there has been a substantive increase in ransomware attacks in Barbados and across the Caribbean. This is pretty much in line with the global trend, where we saw massive ransomware attacks such as NotPetya and WannaCry that impacted over 500,000 organizations and resulted in damages and losses in excess of USD$400 million. Barbados and the rest of the Caribbean were not spared from the wrath of these attacks.

ICTP:  Has the threat landscape changed over the past year? Are there any particular areas of concern that you have for Caribbean organizations, or the region as a whole?

NH:  Yes, most definitely the threat landscape has changed over the last year. Firstly, there has been a shift towards attacks on the underlying Internet infrastructure. Hence, Caribbean service providers need to implement protections in their networks to address core routing and DNS security, among others. Additionally, we are seeing hackers using social media platforms as an attack vector, and such attacks are routinely compromising mobile phones. Last but perhaps most significant, state-sponsored threat actors have become more and more active. We are seeing increasing attacks against critical infrastructure and supply chains. For example, cyberwar actors will seek to attack targets that result in maximum disruption, economic upheaval, and even public safety issues (e.g. airports, public transit, power grids, nuclear facilities, smart cities, etc.). There will be continued attacks targeting democratic processes such as electronic voting machines, online voter registration, party or politician websites, and other such platforms. Sadly, Caribbean (and global) enterprises will get caught up in state-led or state-sponsored attacks, and with far-reaching economic impacts.

ICTP:  Over the past year, ransomware incidents still appeared to be occurring across the region. Are they still as huge a threat?

NH:  As stated in my earlier comment, ransomware is most definitely still a threat, and there are a couple of reasons for this. For one, there are numerous techniques available to hackers for initiating ransomware attacks such as spam, phishing, rootkits on legitimate websites, traffic redirection, and others. Ransomware also remains a lucrative business for hackers. There’s also no shortage of targets for ransomware attackers, specifically when you consider that many healthcare providers, government agencies and educational institutions simply don’t have the resources to adequately respond to cyber threats.

ICTP:  Bitcoin (cryptocurrencies) and blockchain are concepts of which mass consumers are becoming increasingly aware. Are you excited or concerned about these technologies?

NH:  I am both excited and concerned about blockchain and cryptocurrencies. Blockchain provides numerous options and possibilities for changing how we work, communicate and do business. As adoption of both technologies skyrockets across the globe and throughout the Caribbean, I expect that there will be a corresponding increase in attacks. More specifically, these attacks will be mostly focused on cryptocurrency marketplaces and end user applications such as crypto wallets and crypto trading apps. Early in 2018, Japanese crypto exchange Coincheck was hacked and lost USD$500 million in assets due to poor security mechanisms in their hot wallets. We’re also seeing crypto mining malware which essentially compromises PCs and laptops and uses their resources to mine cryptocurrencies. A consequence of these attacks will be increased regulation of cryptocurrencies by governments, and there is the potential for this to stifle innovation and the network benefits of blockchain technologies.

ICTP:  Towards the end of 2017, we became aware of some new threats: Meltdown and Spectre, which seem to be shaking the computing and tech industry to its core. In layman’s terms, can you briefly give us a sense of what Meltdown and Spectre are about, what harm they do, and what steps (if any) we can take to better protect ourselves?

NH:  Meltdown and Spectre exploit critical vulnerabilities in system processors. These hardware-based vulnerabilities allow programs to steal data that is being processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to obtain data stored in the memory of other running programs. Desktops, laptops, and cloud platforms are affected. More technically, every Intel processor which implements out-of-order execution is potentially affected, which is effectively every processor since 1995. There are patches against Meltdown for Linux, Windows, and OS X. There is also work being done to harden software against future Spectre exploits, as well as to patch software after exploitation through Spectre. Details for these solutions can be found on most security-focused websites.

ICTP:  After all of what we have discussed so far, are there still new and emerging threats of which we should be more aware?

NH:  Yes, I think everyone should be aware of threats associated with the Internet of Things (IoT), connected vehicles, weaponization of AI, and cyber-physical attacks. For example, AI can make spearphishing attacks cheaper, faster and more effective, and also help attackers to design malware that is stealthier and harder to discover using traditional endpoint protection tools. Another example is that researchers – and hackers – are uncovering more vulnerabilities in the onboard systems of older airplanes, trains, ships, and other transport modes that render them vulnerable. I expect to see more attacks involving ransomware that hijacks these vital systems and threatens chaotic results if owners don’t pay to regain control.

ICTP:  Finally, what are the top three (3) things businesses should be doing this year, 2018, to improve their network/IT security?

NH:  One of the most important countermeasures against cyber threats is greater awareness. Governments need to engage various national stakeholder groups in developing awareness programs. Such programs should incorporate information on common attack techniques/vectors, recommendations on how to put better protection measures in place (including data protection), and best practices for improved online hygiene. Businesses are key stakeholders, and they should see themselves as playing an important role in building awareness both internally to their organizations and on the broader national scale.

All businesses need to develop cybersecurity strategies, including in key areas such as risk assessment, vulnerability management, legal & regulatory compliance, and capacity building. They need to have the right people, process and technology in place to combat cyber threats. For SMEs who have challenges with resources, there are security companies like mine who are willing to work with them to develop flexible, cost-effective solutions for cybersecurity.

As it relates to improving users’ control of their data and increasing accountability for data handlers, it is likely that legislation will be needed because corporations have not yet proven to be good data stewards. Hence, legislative instruments like the EU’s General Data Protection Regulation (GDPR) are likely to be replicated across national jurisdictions. More specifically, the roles and responsibilities of those handling data should be clarified, penalties for misuse and abuse should be outlined, and mechanisms should be put in place to reward adequate data protection and implementation of security best practices. I would advise all Caribbean nations to look at implementing data protection legislation in the very near future.

The original interview can be found on the ICT Pulse website at: https://bit.ly/2JzAFce

What is a virtual CISO? When and why should you hire one?

Chief information security officers (CISOs) are increasingly in demand, and the very good ones are expensive and difficult to lock down. As more and more organizations without CISOs suffer breaches, how should they go about bringing such talent into their businesses?

Could an on-demand virtual CISO (vCISO) be the appropriate solution for them? A vCISO is essentially a security practitioner who provides their advice and insights to an organization on an outsourced and ongoing basis, usually part-time and remotely.

But why would a business engage a vCISO when it could hire a full-time CISO? The answer is not a simple one. Firstly, a vCISO is not a good fit for all organizations. Secondly, highly regarded, experienced CISOs are not easily found, generally stay in a role for only 2-3 years, and, most importantly, command a salary that is prohibitive for small to medium enterprises (SMEs).

vCISOs usually cost around 40% – 60% of what you would pay a full-time CISO, and their services can be delivered on demand. Their benefits usually far exceed their costs. Virtual CISOs are highly experienced and knowledgeable, don’t have learning-curve challenges, can integrate easily into a business, and won’t see the need to tiptoe or play nice when it comes to corporate politics. With this approach, it is strictly about outcomes, and a top-tier vCISO will provide critical board and executive engagement, metrics, and high-level reporting.

While different vCISOs come with varying skillsets, most should be able to deal with a plethora of activities from strategic to tactical. They can develop your information risk assessment methodology. They can create a robust framework of policies, procedures, standards, and guidelines. They can help your organization come to terms with GDPR, PCI DSS and other compliance issues. They can address outsourced vendor risks, for example around cloud computing and IoT services. They can also assist with recruitment and establishing a high-performance team, devising the security vision and strategy, leading the RFP process for security solutions, refining incident response processes, and implementing COBIT 5 and the ISO/IEC 27000 series. They might also support the coaching and training needs of newly hired CISOs, conduct awareness training, and report to the Board of Directors.

Virtual CISOs are best suited to startups and growing companies, and are an ideal way to bolster an existing management team or to cover a short-term need. The best vCISOs must be good communicators – vertically and horizontally, and especially at the board level. They must be able to work with companies across diverse industries and with varying risk profiles and backgrounds. They must be capable of communicating clearly what business risks companies are exposed to as it relates to cybersecurity. An effective vCISO must also be adaptable and quickly learn about the unique business environment their customer operates in. Once these things are known, the vCISO needs to bring their knowledge and skills to bear in aligning the cybersecurity strategy with the business’ strategic objectives.

As they generally operate without budgets or responsibility for implementation, it is best if vCISOs are viewed as advisors and not as auditors or change managers. Cybersecurity is largely a business of relationship management, and traditional CISOs must win the hearts and minds of the executives and organizational leaders if they’re to move the enterprise forward. vCISOs don’t necessarily need to do this, as they are not visible and likely won’t be around for the long-term.

Why Bitcoin Will Not Solve the Caribbean’s Financial Inclusion Woes

What is Bitcoin? Is it electronic money?

There’s a deluge of hype around Bitcoin and blockchain technologies right now, and policymakers and regulators in the Caribbean are doing their best to wrap their heads around the advantages and disadvantages of this virtual currency. Similar questions are being contemplated in the ICTs for development (ICT4D) community, taking into account that electronic money (e-money) platforms such as Safaricom’s M-PESA have essentially solved the financial inclusion quandary for millions of people in Kenya. The service has now even expanded to Eastern Europe, Afghanistan, and India.

Besides sharing the characteristic of being digital, how do Bitcoin and e-money compare, especially with regards to reaching individuals who have previously been unable to access traditional financial services? Presently, there appear to be more differences than similarities between the two, and it’s critical not to confuse virtual currency with e-money.

Blockchain, in brief, is a record of digital events, distributed across multiple participants. It can only be updated by consensus between participants in the system, and once data is entered it is, in practice, never erased: each block commits to the cryptographic hash of the block before it, so altering an old record would require rewriting every later block and getting the rest of the network to accept the rewrite. The blockchain contains a verifiable record of each and every transaction ever made in the system. Launched in 2009, Bitcoin is a virtual, private currency that uses a blockchain as its underlying public ledger. New bitcoins are ‘mined’ by a global network of participants who contribute processing power and are paid for it in newly issued coins and transaction fees. The supply mechanism is designed to grow slowly: the reward paid per block halves every 210,000 blocks (roughly every four years), so total supply approaches but never exceeds 21 million units. There is no central authority that controls blockchain or Bitcoin. There are no central banks that can be politically manipulated, and no way to inflate the supply by simply printing more money. Economic libertarians are ecstatic at the very thought of this. However, competing virtual currencies can be created that could have the net effect of devaluing the original.
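The two technical claims in that paragraph, that the ledger is tamper-evident and that supply is capped just under 21 million, can both be shown in a few lines. The following is an added illustration, not code from the original article or from Bitcoin itself: the issuance constants (50 BTC initial reward, halving every 210,000 blocks, integer satoshi truncation) are Bitcoin’s real consensus rules, but the hash-chained ledger is a constructed toy that models only the chaining, not Bitcoin’s block format, proof-of-work or network consensus. The sample events are made up.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

# --- Bitcoin's issuance schedule (real consensus constants) ---------------
SATOSHI = 100_000_000                 # smallest unit; 1 BTC = 1e8 satoshi
INITIAL_SUBSIDY = 50 * SATOSHI        # block reward at launch in 2009
HALVING_INTERVAL = 210_000            # blocks between halvings (~4 years)


def block_subsidy(height: int) -> int:
    """Reward for the block at `height`, in satoshis.
    Halving is an integer right-shift, so the reward rounds down and
    eventually reaches zero rather than shrinking to a fraction forever."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:                # a shift of 64+ would be undefined in C
        return 0
    return INITIAL_SUBSIDY >> halvings


def total_supply_satoshis() -> int:
    """Sum every block reward that will ever be paid. Because of the
    rounding in block_subsidy, the cap is just under 21,000,000 BTC."""
    total, height = 0, 0
    while block_subsidy(height) > 0:
        total += block_subsidy(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total


# --- A toy hash-chained ledger (constructed; not Bitcoin's data format) ---
GENESIS_PREV = "0" * 64               # the first block has no predecessor


@dataclass
class Block:
    index: int
    prev_hash: str                    # commitment to the previous block
    data: str                         # the "digital event" being recorded

    def hash(self) -> str:
        payload = json.dumps([self.index, self.prev_hash, self.data]).encode()
        return hashlib.sha256(payload).hexdigest()


def build_chain(events: List[str]) -> List[Block]:
    """Append each event as a block that commits to its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, ev in enumerate(events):
        blk = Block(i, prev, ev)
        chain.append(blk)
        prev = blk.hash()
    return chain


def verify_chain(chain: List[Block]) -> bool:
    """Tamper-evidence check: every block must point at the hash of the
    block before it. Editing any record in place breaks every later link."""
    prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        if blk.index != i or blk.prev_hash != prev:
            return False
        prev = blk.hash()
    return True


def rewrite_from(chain: List[Block], index: int, new_data: str) -> None:
    """What hash-chaining alone does NOT prevent: whoever holds the ledger
    can change one record and recompute every later link, producing a
    chain that still verifies. Bitcoin makes this expensive (proof-of-work)
    and detectable (other nodes hold copies with a different tip hash);
    this toy models neither, which is exactly the point."""
    chain[index].data = new_data
    for i in range(index + 1, len(chain)):
        chain[i].prev_hash = chain[i - 1].hash()


if __name__ == "__main__":
    print("total supply: %.4f BTC" % (total_supply_satoshis() / SATOSHI))
    ledger = build_chain(["alice pays bob 1", "bob pays carol 1"])  # constructed
    tip_before = ledger[-1].hash()
    ledger[0].data = "alice pays bob 100"
    print("naive edit detected:", not verify_chain(ledger))
    rewrite_from(ledger, 0, "alice pays bob 100")
    print("rewritten chain verifies:", verify_chain(ledger),
          "| tip hash changed:", ledger[-1].hash() != tip_before)
```

The issuance loop reproduces the familiar figure of 20,999,999.9769 BTC, which is why the text says “approaches” rather than “reaches” 21 million. The ledger half shows the practitioner’s caveat: hash chaining makes edits detectable to anyone holding a trusted copy of the tip hash, but it does not by itself stop a single custodian from rewriting history. The “can never be erased” property rests on proof-of-work and on many independent parties each keeping a copy, which is also what separates a public blockchain from an ordinary append-only database.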

By contrast, e-money is not a separate currency; it is overseen by the same national regulatory authority that governs the issuance of fiat money – as is the case with M-PESA and the Central Bank of Kenya. It is an extension of a national currency like Jamaican dollars or Netherlands Antillean guilders for use over digital networks, intended to reduce the costs associated with handling physical cash. More specifically, it is a one-to-one electronic store of value backed by a cash receipt of the equivalent amount. To mitigate risks such as money laundering and terrorist financing, and to protect consumers, the cash against which e-money is issued most often has to be deposited with fully regulated financial institutions.

The issue of financial exclusion

The issue of financial exclusion can be summarized into 2 categories: unbanked and underbanked. Unbanked individuals do not have an account at a regulated financial institution, while underbanked individuals have accounts, but frequently use alternative or unregulated financial services.

Before elaborating on the key factors behind financial exclusion, it is important to detail the effects of being unbanked to illustrate the severity of the problem. Unbanked individuals are faced with a heavy economic burden […]

The full article can be found on the CircleID website at: https://goo.gl/zn7Yg9