ISACA Board Director Niel Harper Secures a Role on the Professional Standards Working Group of UK Cyber Security Council

nielharper

“The UK Cyber Security Council has announced that Niel Harper, a cybersecurity executive and member of the ISACA Board of Directors, has secured a role in its Professional Standards Working Group. This appointment is an important recognition of Harper’s expertise and contributions to the field of cybersecurity.”

Workforce development is critically important to the security and resilience of nation states (and organizations as a matter of fact). There is diversity in the breadth and depth of cyber security skills required across government. These include deep technical skills and the non-technical cyber security skills that are needed across other specialisms and professions, such as digital, policy, commercial and assurance.

Guided by the standards and pathways established by the UK Cyber Security Council, the UK government will develop its understanding of the range of cyber security skills and knowledge required across government and will respond accordingly, ensuring that its workforce is inclusive and diverse.

I am honoured to have been chosen to join the Professional Standards Working Group of the UK Cyber Security Council. Collaborating with top experts in the field to shape the future of cybersecurity standards in the UK is an exciting opportunity.

No, We Don’t Need Generative AI Meddling in Our CI/CD Pipelines!

nielharper

Infosecurity Magazine recent published an articled titled ‘ChatGPT Leveraged to Enhance Software Supply Chain Security.’

In the article, Neatsun Ziv, CEO and co-founder of OX Security, said that the utilisation of AI tools will provide faster and more accurate data to developers compared to other tools, allowing them to repair security issues far more easily. Harman Singh, managing director and consultant at Cyphere, said that he expects ChatGPT and other generative AI models to make accuracy, speed and quality improvements to the vulnerability management process.

In my opinion, we really don’t need ChatGPT or other generative AI models writing code or integrated into vulnerability management processes. These tools are way too rudimentary and unreliable for such important tasks.

We need to train software developers on secure coding, for example on general standards like Building Security in Maturity Model (BSIMM), OpenSAMM (Software Assurance Maturity Model), and Open Web Application Security Project (OWASP) and on specific frameworks they use such as Angular, Laravel, Flutter, Ruby on Rails, .NET, and others.

We need strong access controls for repos and pushing updates to repos. We need tooling that creates SBOMs, detects bugs and vulnerabilities in code, and analyses dependencies for vulnerabilities and excessive permissions, among other things. We need effective and repeatable security architecture, patch mgmt and vulnerability mgmt tools and processes. We need software developers who are competent in threat modelling as well as in security by design and privacy design principles.

We DO NOT need generative AI meddling in our CI/CD pipeline and SSDLC (particularly right now)!

Regulating AI Tech is No Longer an Option: It’s a Must!

nielharper

“Responsible, ethical use of AI is the key. From a corporate perspective, business leaders need to articulate why they are planning to use AI and how it will benefit individuals. Companies should develop policies and standards for monitoring algorithms and enhancing data governance and be transparent with the results of AI algorithms. Corporate leadership should establish and define company values and AI guidelines, creating frameworks for determining acceptable uses of AI technologies.

Achieving the delicate balance between innovation and human-centered design is the optimal approach for developing responsible technology and guaranteeing that AI delivers on its promise for this and future generations. Discussions of the risks and harms of artificial intelligence should always be front and center, so leaders can find solutions to deliver the technology with human, social and economic benefits as core underlying principles.”

I recently wrote a short piece on the ISACA Now Blog explaining why a robust framework of laws and regulations are needed for the potential of “AI” to be truly realised.

Check it out and let me know your thoughts!

Digital ID Explained: Pros, Cons, and “Should I get the Trident ID card?”

nielharper

PURPOSE

I continue to receive countless questions from various walks of Bajan society about the Trident ID card and the national digital ID program. This is stark evidence that the Government of Barbados HAS NOT done an adequate and effective job of alleviating the concerns of the public. As such, I wanted to clarify once and for all the pros and cons of digital ID systems, and answer the million dollar question I am repeatedly asked, “Should I get the Trident ID card?”

INTRODUCTION

Digital identity (ID) has become the topic of the moment in Barbados, given the government’s poor implementation, failure to address the fears and anxieties of the public, and generally ineffectual communication to the average person on the street as to why they need digital ID and what value it will bring to their lives. The government has set out to provide a single digital identity to all residents/citizens through the collection, storage, and use of their biographic data (e.g., name, address, date of birth, gender, national registration number, etc.) and possibly their biometrics (e.g., fingerprints, iris scans, facial scans, etc.) as the primary means of establishing and verifying their identity. They will achieve this through a legally mandated, centralised national digital ID system.

Governments, international organizations, and multilateral banks (e.g., International Monetary Fund, World Bank, etc.) argue that digital ID systems provide benefits such as more effective and efficient delivery of government services; poverty reduction and welfare programs; financial inclusion through better access to banking and other products/services; minimise corruption; and preservation of national security interests. Multilateral banks are providing significant funding to developing countries to implement digital ID. In some cases, they’re even making the implementation of digital ID systems a ‘condition’ of loan agreements.

Critics maintain that digital ID systems may actually not guarantee more effective access to social and economic benefits, enhance service delivery, or improve governance, while at the same time, they raise serious issues, including worries about how they are developed and managed; social exclusion and discrimination; privacy and data protection; cybersecurity; and major risks for human rightsWith regards to human rights, they threaten the right to privacy, freedom of movement, freedom of expression, and other protected rights. Additionally, since they usually involve the creation and maintenance of centralised databases of sensitive personal data, they are also prone to breaches by hackers or abuse/misuse by government institutions. These issues may lead to digital IDs becoming widespread tools for identification, surveillance, persecution, discrimination, and control, especially where identities are linked to biometrics and made mandatory. 

For a more detailed explanation of both sides of the debate, please see below the PROS and CONS related to digital ID systems.

PROS

Easier access to services: digital ID systems can enable more efficient digital transformation across the local economy and increase Barbados’  participation in the global digital economy, especially given that many transactions – local and international – require personal identification. With Barbadians presented with less obstacles to prove their identity, commercial activities (including e-commerce) and government services (including e-government) become more accessible and effective.

Faster and cheaper transactions: the use of digital ID can allow for reductions in costs and response times, resulting in speedier execution, less red tape, and the availability of more responsive and relevant services. The quickness and trust with which a person’s identification can be verified allows for cheaper and more efficient interactions for all involved.

Fraud reduction: digital ID systems can offer several benefits in terms of online security, thus reducing the occurrence of online scams, fraud, and personal data breaches. A number of countries that have implemented digital ID have experienced significant decreases in fraud, saving them tens and even hundreds of millions of dollars.

The graphic below outlines several ways in which digital ID can be used based on the roles played by organizations and individuals (Source: McKinsey).

The four (4) main areas of direct economic value for individuals have been identified as increased access to financial services, improved employment opportunities, greater agricultural productivity, and time savings. The five (5) highest sources of value for institutions – both the private and public sectors – are cost savings, fraud prevention, increased revenues from goods and services, improved employee productivity, and higher tax revenues.

CONS

Privacy and security: digital ID systems process billions of data points of our private information, regularly without our consent or knowledge. This information can include biographic details (NGN, date of birth, gender), biometrics (facial recognition, iris scans, fingerprints), banking and transactional data, and location-based info when digital ID is used for example in public transportation (the government has expressed plans to use the Trident ID for cashless payments on buses). The centralisation of so much data, excessive sharing of personal data without user consent, inability to control your personal data, exposure to cyber attacks and data breaches, and in worst case scenarios – mass surveillance by corporations and governments – are all issues which show the potential negative impact of digital ID.

Discrimination, biases and exclusion: the Barbados Digital Identity Act has a number of clauses which generate concerns about discrimination and exclusion. The Act states in several places that the digital ID will be required for persons to be added to the register of voters, to vote in elections, to access public and private services, and to obtain a driver’s license. There are no provisions in the Act for mandatory accessibility features in the digital ID and related services. As such, persons with disabilities may be excluded (e.g., the Trident ID website currently DOES NOT have several accessibility features for the disabled). Digital ID technologies are also at the end of the day developed by humans, and through poorly designed algorithms and data analytics, can reinforce their biases. Discrimination against key communities such as immigrants, LGBTQ+, homeless, and the disabled, among others have been highlighted in many digital ID related studies globally.

Technical errors: unintended consequences can occur that lead to restricted access to critical services (e.g., failures in authentication at points of service with no redundancy; websites that aren’t user friendly or stable; duplicate or inaccurate records; inability to add essential information; or the lack of reliable technical support, etc.). The government must fully consider availability risks and identify user-centric and privacy-enabling solutions to mitigate them. In African and Asian countries, numerous instances of technical errors were uncovered which presented citizens with major challenges.

Deployment challenges: five key problems exist, which are the lack of funding to maintain secure cyber systems and to hire or retain critical human resources to administer them; unequal access to mobile Internet and smartphones – the technology with the most potential to drive the uptake of digital ID; dependency on a specific technology or vendor; low trust in government; and the difficulty of rolling out in rural areas.

SHOULD YOU GET THE TRIDENT ID CARD?

As I have stated before, my concern is not particularly with the Trident ID card. The card is only one small piece of the overall digital ID ecosystem. My biggest concerns are as follows:

Poor legislation underpinning the digital ID system: Digital ID must be supported by a legal and regulatory framework that supports trust in the system, prevents abuse such as warrantless and disproportionate surveillance, guarantees data privacy and security, prevents discrimination, and maintains provider (government and corporations) accountability. This includes laws for digital ID management along with laws and regulations for e-government, privacy and data protection, computer misuse, data sovereignty/localisation, electronic transactions, limited-purpose ID systems, accreditation of participants, and freedom of information, among others. Unfortunately, a number of these laws are not available in Barbados at this time, and where they are, the language is problematic, enforcement is deeply lacking, or the legislation is outdated.

Government’s atrocious record in terms of protecting IT systems and the personal data privacy of individuals: The Government of Barbados DOES NOT have the resources (people, processes, or technologies) to secure complex IT systems and provide consistent privacy-enabling solutions. If they did, there would not be so many successful cyber-attacks and data breaches of government online systems in recent years (e.g., Queen Elizabeth Hospital, Ministry of Information and Smart Technology, Immigration Department, Barbados Police Service, and many others). Until government invests significantly in building their capacity in these areas, their IT systems and the personal data of Barbadians will be AT RISK.

The communication (or lack of) by government addressing the public angst around their digital ID program: Government has not effectively articulated the benefits of digital ID, its value to the average person on the street (in real and meaningful terms), its potential disadvantages and risks, what they are doing to manage these risks, and what Barbadians can do to protect themselves. Instead they have chosen to evade questions, avoid public discussion with experts involved, and turn their resources towards attacking private citizens who are expressing concerns.

In my 2018 European Union (EU) cybersecurity assessment report to the government, I clearly stated:

Trust in the Internet and in the use of online services is critical to developing a thriving local Internet economy and to participating widely in the global digital economy. Low trust in the Internet, e-government services, and e-commerce services hampers the government, businesses and consumers from fully taking advantage of all the economic benefits the Internet has to offer. Given the high fixed broadband and mobile data penetration rates in Barbados, this is especially concerning.

European Union Consultancy to Develop a Government Cybersecurity Assessment and Strategic Roadmap – Cybersecurity Assessment Report (Authored by Niel Harper)

From 2018 to this present day, they have failed to address the low levels of trust or their lack of expertise in delivering secure and privacy respecting IT solutions, all of which are undoubtedly preventing them from delivering their digital transformation and modernisation agenda.

Ultimately, Barbadians need to decide for themselves if the value of obtaining the Trident ID outweighs the associated risks. I cannot make this decision for anyone. All I can do is educate and build awareness, and try to put some pressure on the government to be more accountable and take greater responsibility for protecting citizens from the negative effects of digital ID, mass personal data processing, cyber attacks and data breaches, human rights violations, online fraud, and other harms resulting from widespread government use of information and communication technologies (ICTs).

ADDITIONAL RESOURCES

FACT CHECK: The Electoral and Boundaries Commission’s Response

Why the Barbados Election Least Data Leak is Problematic – And How It Could Have Been Prevented

Comments on the National Identity Management System Act

Too Many Unanswered Questions: The Barbados National Digital Identification

Creating a good ID system presents risks and challenges, but there are common success factors

What is a digital identity ecosystem?

Understanding the risks of Digital IDs

Will your incident response team fight or freeze when a cyberattack hits?

nielharper

“CISOs train their teams to fight hackers but often overlook the human tendency to freeze up during a crisis. Planning for the psychology of incident response can help prevent a team from seizing up at the wrong moment.”

The tendency for cyber professionals to freeze during incident response – especially those that have never actually experienced a cyber attack – is more prevalent than one would think. This occurs even in organizations that have well-drilled security awareness training, detailed incident playbooks, cyber-attack simulations, and red team exercises.

In this CSO Online article, myself and other security leaders discuss how to best prepare our teams and organisations to overcome the fear and freezing when faced with a real-time cyber-attack.

Recent Tech Company Layoffs – Seeing Through the Dark Clouds

nielharper

My LinkedIn, Twitter, Instagram and other social media feeds has been filled with comments from ex-Google, ex-Meta, ex-Microsoft, ex-Amazon, and other laid off tech employees.

First of all, I see you, I empathise with you, and I respect you immensely! Many of you have invested many years of your lives and made several personal sacrifices to make these companies successful. I acknowledge your hurt and your trauma, and feel your sense of loss.

Now that aside, going forward, don’t be surprised when businesses do business things. These companies ARE NOT your family and they definitely ARE NOT your friends. It’s a transactional business arrangement for them, and you should treat it similarly.

Now here’s what you do with your considerable knowledge and experience going forward… OWN IT!

1) Make sure that you enter into a ‘contract for service’ and never a ‘contract of service.’ Know the difference!

2) Always have multiple sources of income. Invest in an Airbnb revenue property. Seek out paid board roles. Find a gig teaching for extra income. Apply for that fractional/part-time or advisory role. There are a lot of options out there!

3) Always have an exit plan for your current employer, and a backup plan for that exit plan (I am so serious!).

4) There is nothing wrong with prospecting and interviewing for your next gig, even when you’re happy with your current gig, or even if you’ve just started a new gig.

5) In your next contract, if possible negotiate for 3-6 months of severance if you’re laid off.

6) Invest in a diversified skill set that prevents you from being ‘locked in.’ For example, I have qualifications and experience in telecoms engineering, IT management, digital law & policy, telecoms regulation, audit, privacy, cybersecurity, IoT and smart cities, sustainability, and risk management. And I am pimping the hell out of these skills!

7) Network, network, network! #nuffsaid

8) Tag me in your job search posts. I will repost for reach and visibility.

9) Feel free to reach out to me if you want to talk, need some advice on career planning, or just want to vent. I promise that I will listen (authentically) and be judgment free.

10) Breathe and live a little – It’s not the end of the world. And always remember, “These companies ain’t loyal!”

‘Barbadians To Train & Work in Cybersecurity’ – My Recommended Approach

nielharper

I was recently quite critical about the Government of Barbados’ announcement of their participation in a pilot for the Cyber Nations Training Initiative, a programme created in Canada with a mission of training 100,000 people from the Caribbean and African countries as cybersecurity operations analysts, incident responders, and cyber literacy coordinators.

This initiative at face value is highly commendable as it addresses critical national workforce development needs for cybersecurity. Where I believe it goes off the rails is the expectation/objective that a 4-month crash course in cybersecurity will guarantee that the 200 persons trained will obtain remote jobs with Canadian or other foreign businesses making CDN$60k or more per year. This is simply out of touch with the realities of the cybersecurity profession and relevant workforce demands. Moreover, these unrealistic expectations coupled with a requirement that interested parties commit to a BBD$14k (USD$7k) student loan, basically sets individuals up for disappointment and frustration when the government’s promises don’t come to fruition.

All the above being said, I would like to use this blog post to recommend an alternative approach for cyber capacity building to the government. Hopefully, they’re willing to engage and cooperate with myself and across various stakeholder groups to effectively deliver.

STEP 1: PREPARE

  • Identify an executive sponsor in government for cybersecurity workforce development. This person should have authority, be empowered, possess advanced training and a strong understanding of the country’s multi-dimensional cyber workforce needs, and be afforded the necessary human and financial resources to execute.
  • Develop and publish a vision for the national ICT workforce, highlighting cybersecurity as a critical priority area.
  • Encapsulate cyber capacity building and workforce development into a refreshed national cybersecurity strategy.
  • Work with key stakeholder groups to undertake a cybersecurity workforce readiness assessment. Available tools like the Cybersecurity Workforce Planning Capability Maturity Model (CMM) can be used.
  • Engage and involve stakeholder groups such as academia, technical community, civil society, and the private sector (especially critical infrastructure providers). From the government perspective, key ministries with cyber-related and national security activities, law enforcement, military, and the judicial service should participate.

STEP 2: PLAN

  • Perform a cybersecurity workforce risk assessment to better understand risk exposures and risk tolerance, define mitigating actions, and assign owners and due dates.
  • Create an inventory of the existing cybersecurity workforce.
  • Determine existing/future needs and address the gaps. Key functional areas should include:
    • IT audit
    • Security management
    • Governance, risk & compliance (GRC)
    • Security awareness and training
    • Security education (e.g., University of the West Indies, Barbados Community College, and private training centres)
    • Judicial officers trained in handling cyber related cases
    • Cyber law and policy experts (e.g., privacy, cyber diplomacy, ethics & technology, emerging technologies, Internet governance, etc.)
    • Law enforcement and military officers trained in cybercrime prevention and cyber defensive/offensive capabilities
    • Incident response 
    • Threat intelligence
    • Penetration testing
    • Security operations
    • Security architecture
    • Application security
    • Computer forensics
  • Considerations need to be made for staffing the public sector and private sectors, exporting talent, attracting foreign direct investment (FDI), and creating local cyber-focused startups.

STEP 3: BUILD

  • Develop and align positions in a national workforce framework, considering entry-level through advanced positions.
  • Ensure that non-technical traits for cyber professionals are also factored into training and development plans.
  • University of the West Indies (UWI) and Barbados Community College (BCC) should include mandatory cybersecurity courses in all IT and computer science diplomas and degrees. They should also develop undergraduate majors in cybersecurity and postgraduate specialist degrees in cybersecurity. The UWI Faculty of Law should develop postgraduate qualifications focusing on cyber law, Internet governance, and ICT policy.
  • UWI should seek to establish an international cybersecurity research centre and explore twinning with other centres led by world class institutions (e.g., Harvard Berkman Klein Centre, FGV School of Law – Sao Paulo, Stanford University Centre for Internet and Society, Internet Interdisciplinary Institute – Barcelona, Chatham House, Oxford Internet Institute, Strathclyde Center for Internet Law & Policy, etc.).
  • Prevailing cybersecurity requirements should be considered in the redevelopment of all general tertiary education curricula.
  • Foster private public partnerships (PPPs) to offer cybersecurity scholarships and/or fellowships to high potential students and professionals.
  • Collaborate with the Organization of American States (OAS), IDB (Inter-American Development Bank), Caribbean Development Bank (EDB), International Telecommunications Union (ITU), European Commission, and others to finance and deliver a broad range of capacity building trainings across key government agencies.
  • Accede to the Budapest Convention on Cybercrime to become a priority country for cyber capacity building programs, among other important benefits.
  • Train judicial officers (Supreme Court of Barbados) to better oversee computer crime cases and develop local and regional jurisprudence.
  • Commit to a dedicated annual cyber education and training budget for the public sector.

STEP 4: ADVANCE

  • Public and private sector organizations must develop retention plans for critical cyber resources, and particularly to combat brain drain.
  • Create and implement a plan to attract foreign direct investment (FDI) in areas like managed security services, business process outsourcing, and to fund innovative local cybersecurity startups.
  • HR departments in public and private organizations should develop career paths to help cyber talent navigate their careers.
  • Formulate continuous development opportunities for existing cyber talent.

12 steps to building a top-notch vulnerability management program

nielharper

Along with my peer CISOs, I recently added my $0.02 to a CSO Online article on how to get the best results out of an enterprise vulnerability management program.

I particularly wanted to zoom in on key performance indicators (KPIs), given this is an area where many security professionals don’t focus enough of their attention.

“He says organizations could use any of the commonly used key performance indicators—such as percentage of critical vulnerabilities remediated on time and percentage of critical vulnerabilities not remediated on time—to measure current state and track improvement over time.

Other KPIs to use could include percentage of assets inventoried, time to detect, mean time to repair, number of incidents due to vulnerabilities, vulnerability re-open rate and number of exceptions granted.”

What are some of your key focus areas?

Don’t get your wires crossed – The evolution of cyber risk and why more companies are considering captives

nielharper

A captive is a licensed insurance company fully owned and controlled by the insured parties – a type of “self-insurance.”

Captives are essentially an alternative for organizations to retain and finance cyber risk via actuarial-determined premiums to be paid from the parent company to the captive. They’re becoming more popular due to an increasingly tough cyber insurance market.

Many thanks to Captive Insurance Times and to the amazing Rebecca Delaney for featuring me alongside other industry professionals on discussing this important topic.

The feature can be found on pages 18-22, and is now available to read in the latest online issue at this link: https://bit.ly/3KMnX8j

Ransomware has “changed the game” of cyber insurance

nielharper

I recently made a presentation on ransomware and cyber insurance at the Barbados Risk and Insurance Management (BRIM) conference.

Many thanks to the Captive Insurance Times’ reporter Rebecca Delaney for so excellently capturing my session. In the intro section, she wrote:

“Cyber insurance is not an exhaustive replacement for robust security capabilities, warns Niel Harper […] He explained that ransomware is so disruptive because of the extensive network of paid services it has spawned, such as access brokers, malware packing, phishing kits, hosting and infrastructure, anonymity and encryption, and hardware for sale… In addition, distribution networks include social network spam, instant messaging spam, exploit kit development, spam email distribution, and traffic distribution systems.”

The full article can be found at: https://bit.ly/3MMs71t