Recent Tech Company Layoffs – Seeing Through the Dark Clouds

My LinkedIn, Twitter, Instagram and other social media feeds have been filled with comments from ex-Google, ex-Meta, ex-Microsoft, ex-Amazon, and other laid-off tech employees.

First of all, I see you, I empathise with you, and I respect you immensely! Many of you have invested many years of your lives and made several personal sacrifices to make these companies successful. I acknowledge your hurt and your trauma, and feel your sense of loss.

Now that aside, going forward, don’t be surprised when businesses do business things. These companies ARE NOT your family and they definitely ARE NOT your friends. It’s a transactional business arrangement for them, and you should treat it similarly.

Now here’s what you do with your considerable knowledge and experience going forward… OWN IT!

1) Make sure that you enter into a ‘contract for service’ and never a ‘contract of service.’ Know the difference!

2) Always have multiple sources of income. Invest in an Airbnb revenue property. Seek out paid board roles. Find a gig teaching for extra income. Apply for that fractional/part-time or advisory role. There are a lot of options out there!

3) Always have an exit plan for your current employer, and a backup plan for that exit plan (I am so serious!).

4) There is nothing wrong with prospecting and interviewing for your next gig, even when you’re happy with your current gig, or even if you’ve just started a new gig.

5) In your next contract, if possible negotiate for 3-6 months of severance if you’re laid off.

6) Invest in a diversified skill set that prevents you from being ‘locked in.’ For example, I have qualifications and experience in telecoms engineering, IT management, digital law & policy, telecoms regulation, audit, privacy, cybersecurity, IoT and smart cities, sustainability, and risk management. And I am pimping the hell out of these skills!

7) Network, network, network! #nuffsaid

8) Tag me in your job search posts. I will repost for reach and visibility.

9) Feel free to reach out to me if you want to talk, need some advice on career planning, or just want to vent. I promise that I will listen (authentically) and be judgment free.

10) Breathe and live a little – It’s not the end of the world. And always remember, “These companies ain’t loyal!”

‘Barbadians To Train & Work in Cybersecurity’ – My Recommended Approach

I was recently quite critical about the Government of Barbados’ announcement of their participation in a pilot for the Cyber Nations Training Initiative, a programme created in Canada with a mission of training 100,000 people from the Caribbean and African countries as cybersecurity operations analysts, incident responders, and cyber literacy coordinators.

This initiative at face value is highly commendable as it addresses critical national workforce development needs for cybersecurity. Where I believe it goes off the rails is the expectation/objective that a 4-month crash course in cybersecurity will guarantee that the 200 persons trained will obtain remote jobs with Canadian or other foreign businesses making CDN$60k or more per year. This is simply out of touch with the realities of the cybersecurity profession and relevant workforce demands. Moreover, these unrealistic expectations coupled with a requirement that interested parties commit to a BBD$14k (USD$7k) student loan, basically sets individuals up for disappointment and frustration when the government’s promises don’t come to fruition.

All the above being said, I would like to use this blog post to recommend an alternative approach for cyber capacity building to the government. Hopefully, they’re willing to engage and cooperate with me and with various stakeholder groups to effectively deliver.


  • Identify an executive sponsor in government for cybersecurity workforce development. This person should have authority, be empowered, possess advanced training and a strong understanding of the country’s multi-dimensional cyber workforce needs, and be afforded the necessary human and financial resources to execute.
  • Develop and publish a vision for the national ICT workforce, highlighting cybersecurity as a critical priority area.
  • Encapsulate cyber capacity building and workforce development into a refreshed national cybersecurity strategy.
  • Work with key stakeholder groups to undertake a cybersecurity workforce readiness assessment. Available tools like the Cybersecurity Workforce Planning Capability Maturity Model (CMM) can be used.
  • Engage and involve stakeholder groups such as academia, technical community, civil society, and the private sector (especially critical infrastructure providers). From the government perspective, key ministries with cyber-related and national security activities, law enforcement, military, and the judicial service should participate.


  • Perform a cybersecurity workforce risk assessment to better understand risk exposures and risk tolerance, define mitigating actions, and assign owners and due dates.
  • Create an inventory of the existing cybersecurity workforce.
  • Determine existing/future needs and address the gaps. Key functional areas should include:
    • IT audit
    • Security management
    • Governance, risk & compliance (GRC)
    • Security awareness and training
    • Security education (e.g., University of the West Indies, Barbados Community College, and private training centres)
    • Judicial officers trained in handling cyber related cases
    • Cyber law and policy experts (e.g., privacy, cyber diplomacy, ethics & technology, emerging technologies, Internet governance, etc.)
    • Law enforcement and military officers trained in cybercrime prevention and cyber defensive/offensive capabilities
    • Incident response
    • Threat intelligence
    • Penetration testing
    • Security operations
    • Security architecture
    • Application security
    • Computer forensics
  • Considerations need to be made for staffing the public sector and private sectors, exporting talent, attracting foreign direct investment (FDI), and creating local cyber-focused startups.


  • Develop and align positions in a national workforce framework, considering entry-level through advanced positions.
  • Ensure that non-technical traits for cyber professionals are also factored into training and development plans.
  • University of the West Indies (UWI) and Barbados Community College (BCC) should include mandatory cybersecurity courses in all IT and computer science diplomas and degrees. They should also develop undergraduate majors in cybersecurity and postgraduate specialist degrees in cybersecurity. The UWI Faculty of Law should develop postgraduate qualifications focusing on cyber law, Internet governance, and ICT policy.
  • UWI should seek to establish an international cybersecurity research centre and explore twinning with other centres led by world class institutions (e.g., Harvard Berkman Klein Centre, FGV School of Law – Sao Paulo, Stanford University Centre for Internet and Society, Internet Interdisciplinary Institute – Barcelona, Chatham House, Oxford Internet Institute, Strathclyde Center for Internet Law & Policy, etc.).
  • Prevailing cybersecurity requirements should be considered in the redevelopment of all general tertiary education curricula.
  • Foster private public partnerships (PPPs) to offer cybersecurity scholarships and/or fellowships to high potential students and professionals.
  • Collaborate with the Organization of American States (OAS), Inter-American Development Bank (IDB), Caribbean Development Bank (CDB), International Telecommunication Union (ITU), European Commission, and others to finance and deliver a broad range of capacity building trainings across key government agencies.
  • Accede to the Budapest Convention on Cybercrime to become a priority country for cyber capacity building programs, among other important benefits.
  • Train judicial officers (Supreme Court of Barbados) to better oversee computer crime cases and develop local and regional jurisprudence.
  • Commit to a dedicated annual cyber education and training budget for the public sector.


  • Public and private sector organizations must develop retention plans for critical cyber resources, and particularly to combat brain drain.
  • Create and implement a plan to attract foreign direct investment (FDI) in areas like managed security services, business process outsourcing, and to fund innovative local cybersecurity startups.
  • HR departments in public and private organizations should develop career paths to help cyber talent navigate their careers.
  • Formulate continuous development opportunities for existing cyber talent.

Privacy Breach? When ‘Trusted’ Academics Mislead Us

“Dean of the Faculty of Law at the Cave Hill Campus of the University of the West Indies, Professor Eddy Ventose told Barbados TODAY that “the mere possession by the Government of information that might be confidential or private does not of itself suggest any breach of the constitutional right to privacy”. “The Government, through its various departments, including the Queen Elizabeth Hospital, possesses confidential information on many persons. It cannot and could not be suggested that that alone means that there exists a constitutional breach,” he said. “In this context, any breach of a constitutional right to privacy can only be engaged if there is the disclosure by the information of persons. The information and private information of students. Only if that information is used in a way that discloses the identity of the students would a constitutional infringement be arguable.” The constitutional expert said while there were students having to identify themselves in the survey, that was not a constitutional argument. “Questions relating to the propriety of certain questions posed on the questionnaire are similarly not constitutional questions,” the law professor argued.”

The above is an extract from an article titled “Privacy Breach?” that was published in Barbados Today on Thursday, 13th October. Several comments were made by the Dean of the Faculty of Law at the Cave Hill Campus of the University of the West Indies, Professor Eddy Ventose that were quite misleading. I want to address these comments, providing adequate clarifications.

Point #1

Ventose makes several mentions of the constitutional right to privacy, which are highly misleading.

The Constitution of Barbados does not explain in any meaningful way the legal framework surrounding privacy rights in Barbados. It briefly states that the right to private life is protected, so long as it does not infringe upon the rights and freedoms of others. It makes no mention whatsoever of data protection, which is a contemporary legal matter that focuses on large scale processing of personal data (often by corporations for whom personal data collection, analytics, and monetisation of said data is their underlying business model).

The Data Protection Act (Barbados) 2019, which is modelled after the EU’s General Data Protection Regulation (GDPR), provides standardised data protection rules that reflect the modern world we live in with regards to large scale data processing. It seeks to make it easier for Barbadians to understand how their data is being used, have more control over their personal data, and allows them to raise complaints and seek economic redress if their data is misused or abused by organizations or individuals. A key mistake that Ventose makes is that he conflates privacy and data protection; the former defines who has access to information, while the latter is concerned with laws and other mechanisms for restricting access to information. Consequently, while the constitutional right to privacy is a key element of data protection, any discussion pertaining to the lawfulness of the Ministry of Education-IDB survey should be undertaken in the context of the Data Protection Act (Barbados) 2019.

Point #2

Ventose stated, “The Government, through its various departments, including the Queen Elizabeth Hospital, possesses confidential information on many persons. It cannot and could not be suggested that that alone means that there exists a constitutional breach.”

I explained the following in a previous blog post: “As per the Barbados Data Protection Act (“the Act”) and similar laws around the world, there are six (6) lawful grounds on which data can be processed: explicit consent, contractual obligations, legal obligations, vital interests of the data subjects, public interests, or for purposes of legitimate interests of the data controller. The only lawful basis which the Ministry of Education can use for administering the subject questionnaire is legitimate interests. However, that lawful basis does not pass the three-part test which requires a positive answer to these three (3): Is there a legitimate interest behind the process? Is the processing necessary for that purpose? Is the legitimate interest overridden by the data subject’s interests, rights, or freedoms?” It’s quite simple; data controllers and data processors need to have a legal basis for data processing, and this includes government departments.

Furthermore, the Act does not provide a blanket exemption for the public service from data processing rules. Under the Act Part V paragraphs 29-49, there are clear exemptions for categories such as “National Security”, “Crime and taxation”, “Health, education, and social work”, and “Research, history, and statistics”, among others. With regards to education, the Minister would need to order a special exemption for a set of personal data processed by an education institution. If this is the case, the Minister of Education would need to provide evidence of this formalized exemption from the Act for educational institutions and explain to the public why it is necessary that this data is not processed lawfully, fairly and in a transparent manner. Otherwise, the Ministry of Education and the IDB have no lawful basis for processing the data in the survey.

Point #3

Ventose stated, “In this context, any breach of a constitutional right to privacy can only be engaged if there is the disclosure by the information of persons. The information and private information of students. Only if that information is used in a way that discloses the identity of the students would a constitutional infringement be arguable.”

This is again very misleading. The matter of constitutional infringement is a distraction from the strict requirements of the Data Protection Act. It is a breach of the Act if there is no legal basis for processing of data. It is a breach of the Act if the consent of parents is not obtained to process the data of an individual under 18 years old (the definition of a “child”). It is a breach of the Act to share sensitive data with a third party without the consent of data subjects. It is a breach of the Act for the data processor (IDB) to process data other than under the instructions of the data controller (Ministry of Education). It is a breach of the Act where a data processor (IDB) is not registered, has not paid the requisite fee, and does not have a valid certificate for data processing. It is a breach of the Act where processing of sensitive data is not done using online tools, does not employ pseudonymisation or de-identification, and where strong safeguards are not in place (e.g., access controls, encryption, physical security, etc.), among other protective mechanisms. In addition to those just mentioned, there were other breaches of the Act in the recent survey debacle.

It is my opinion that the Data Protection Act was enacted under pressure from international partners and funders, as opposed to a commitment by the Government of Barbados to upholding the privacy rights of citizens and protecting their data – Otherwise the draft legislation would not have been lying in Parliament since 2005 (it took 16 years to pass data protection laws!). Successive governments have shown that the right to private life and the protection of individuals’ data is of little importance to them. A couple of examples in recent years would be the data leak of the full election list on to the global Internet during the 2022 elections and the numerous instances where hackers breached the online platforms of the 1-Year Welcome Stamp, Royal Barbados Police Force, Supreme Court of Barbados, Office of the Attorney General, Government Information Service, Small Business Development Unit, Immigration Department, and the National Insurance Scheme, among others.

Despite these numerous missteps, situations like the MoE-IDB “survey” continue to happen, the Office of the Data Protection Commissioner remains unable to fulfil its duties, and the government persists in barreling ahead with bringing more and more public services online without the requisite technical or legal talent to adequately and effectively protect the data of citizens. This should be of grave concern to everyone in Barbados.

Finally, it’s not surprising when government, whose apathy is clear and expertise is minimal, creates a legal mess as it pertains to matters of privacy and data protection. What is shocking and worrisome is when senior academics, whose careers are premised upon research, fail to engage in such or actively seek to mislead when commenting publicly.

The Ministry of Education-IDB Questionnaire Fiasco: The Legal and Human Rights (Privacy) Angle

Earlier this week, news broke that a questionnaire ‘sanctioned’ by the Ministry of Education (“MoE”) and overseen by the Inter-American Development Bank (“IDB”), was administered to mostly 11 year old children in Barbados. It has also come to light that a similar project was undertaken in Jamaica and Belize.

Misleadingly labelled as a “Computer Science Diagnostic Pre-Test”, it included questions on “social and emotional health” that were of a very sensitive nature. Below is a sampling of the more than 150 psycho-social questions:

  • I drink alcohol without parents’ approval.
  • I deliberately try to hurt or kill myself.
  • I hear sounds or voices that other people think aren’t there.
  • I am overweight.
  • I physically attack people.
  • I steal from home.
  • I steal from places other than home.
  • I think about killing myself.
  • I think about sex too much.
  • I wish I were of the opposite sex.
  • I use drugs for non-medical purposes.
  • I see things that other people think aren’t there.
  • Physical problems without known medical cause:
    • Aches or pains (not stomach or headache)
    • Headaches
    • Nausea, feels sick
    • Problems with eyes (not if corrected by glasses)
    • Rashes or other skin problems
    • Stomach aches
    • Vomiting, throwing up
    • Other

The questionnaire was delivered using a paper form and required that students provide personal information such as their name, sex, and ethnicity. Also included were detailed questions about the education level and work status of parents (e.g., type of job, unemployed, homemaker, etc.).

There was swift and comprehensive social commentary accompanied by widespread public condemnation of the decision to administer this questionnaire. The political public relations machinery quickly sprung into action to contain the damage to the public perceptions of the current Barbados Labour Party (BLP) administration. The IDB immediately took responsibility for the melee, trying in vain to absolve the Ministry of Education of any wrongdoing. The Chief Education Officer, Deputy Chief Education Officer, Permanent Secretary, and the Director of Education Reform all embarked on a public apology tour. The Prime Minister set about with her usual articulate flair and penchant for press conferences to assure the masses that she was deeply outraged (while praising the IDB for their prompt action in shifting the blame from her government). However, it must be noted that the Minister of Education has been conspicuously silent amidst this public relations storm.

But now to the main reason behind this author’s musings…

So far, the public discourse around this fiasco has centered on the incompetence of the Ministry of Education staff, the arrogance of the IDB, the inappropriateness of the questions, and the mental stress inflicted on the children. What has been glaringly missing are the legal elements. So let me break it down.

  • The subject questionnaire is for all intents and purposes scientific research. Questionnaires are popular in academic research for quick and easy collection of large amounts of data for analysis of subject behavior, preferences, intentions, attitudes, and opinions.
  • To meet ethical and legal standards, and to protect the rights of data subjects, informed consent is an important legal basis for data processing as required by the Data Protection Act (Barbados), General Data Protection Regulation (European Union), Data Protection Act (United Kingdom), Personal Information Protection and Electronic Documents Act (Canada), and other privacy and data protection laws across the world.
  • As per the Barbados Data Protection Act (“the Act”) and similar laws around the world, there are six lawful grounds on which data can be processed: explicit consent, contractual obligations, legal obligations, vital interests of the data subjects, public interests, or for purposes of legitimate interests of the data controller. The only lawful basis which the MoE can use for administering the subject questionnaire is legitimate interests. However, that lawful basis does not pass the three-part test which requires a positive answer to these three questions: Is there a legitimate interest behind the processing? Is the processing necessary for that purpose? Is the legitimate interest overridden by the data subject’s interests, rights, or freedoms?
  • As per the definitions in the Act (and the other aforementioned laws), the students whose personal data have been collected are data subjects.
  • As per the definitions in the Act, the Government of Barbados is the data controller who determines the purposes for which and the means by which personal data is processed. The Inter-American Development Bank (IDB) is the data processor who processes personal data only on behalf of the data controller.
  • As per the definitions in the Act, a ‘child’ is a person under the age of 18.
  • As per the Act Part II 8(1-2), “The processing of a child’s personal data shall be lawful only where and to the extent that consent is given or authorised by the parent or guardian of the child” and “The data controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the parent or guardian of a child, taking into consideration available technology.” From all accounts, neither the MoE nor the IDB obtained consent from parents to collect this personal data from children. This is a violation of the law.
  • As per the Act Part II 9(1-4), the data collected is personal sensitive data, which requires greater safeguards to protect the rights of the data subjects. Sensitive data includes data on ethnicity, health, and sexual orientation or sexual life. Collection of this type of personal data requires strong security and consent is required to share with third parties. From all accounts, the data controller (MoE) did not obtain consent from parents to share this sensitive personal data with a third party. This is a violation of the law.
  • As per the Act Part IV 58(1-10), the MoE (data controller) is required to have a Data Protection Agreement in place with the IDB (data processor) to ensure that the rights of the individual are being protected and that legal compliance with the Act is achieved. The public deserves to know whether a Data Protection Agreement exists between the two entities and to examine if it is fit for purpose.
  • As per the Act Part IV 55(1-6), the IDB must be registered as a data processor, pay a fee, be in possession of a certificate to conduct data processing activities, and nominate a representative who is resident in Barbados. Failing to do any of these things makes their representative liable for a “fine of $10,000 or to a term of imprisonment of 2 months or to both.” Is the IDB compliant with the law in this area? The government should present the general public with evidence to verify this compliance.
  • As per the Act Part IV 59(1-2), it is stated that “The data processor and any person acting under the authority of the data controller or of the data processor, who has access to personal data, shall not process those data except on instructions from the data controller, unless required to do so by any enactment” and “A person who contravenes subsection (1) is guilty of an offence and is liable on summary conviction to a fine of $500,000 or to a term of imprisonment of 3 years or to both.” In their public statement, the IDB asserts that their administering of the questionnaire was against the objections of the MoE. This is a violation of the law.
  • The Act Part IV 62 (1-3) requires that data processing of this sensitivity and high risk be conducted using online tools. Moreover, it states that the data is pseudonymized (not contain information that could identify a living person), which means that the names of individuals should not have been required on the document. Finally, it demands that strong security protections be in place to protect against unauthorized access. Given that the questionnaire was administered by paper, it is virtually impossible to guarantee that this very sensitive personal data on children was adequately protected from unauthorized access, misuse, and abuse. Moreover, it also attributed the sensitive and potentially harmful information to living, identifiable children and their parents. This is a violation of the law.
  • The Act Part IV 67(1-7) and 68(1-6) requires that both the data controller (MoE) and the data processor (IDB) designate an individual as a data privacy officer to advise them on the legal, technical, and administrative elements of processing personal data. A data privacy officer should be an individual qualified in privacy law and compliance. To the best of my knowledge, neither organization is compliant with this legal requirement with regards to data processing in Barbados. Given the number of violations of the law, this is not surprising.
  • One of the most alarming things about this matter is the eerie silence of the Data Protection Commissioner. As per the Act Part VII 70(1) and 71, the Data Protection Commissioner is “responsible for the general administration of this Act” and whose functions are to monitor and enforce the Act (including issuing fines), organize activities to educate children (and parents) on the risks of processing their data, and monitor and audit data processing by data controllers and data processors, among other things. The individual in this role was equally silent during the February 2022 elections when the government leaked the entire voters’ list on the public Internet, which has, based on my discussions with officials at financial institutions in Barbados, resulted in several citizens being victims of fraud and identity theft. This seriously brings into question the qualifications, capabilities, and independence of the Commissioner, and the ability of the individual to effectively serve in this important role.
  • As data protection laws are generally extraterritorial, the MoE and IDB have more than likely violated the General Data Protection Regulation (European Union) and other privacy/data protection laws from across the world. For example, there are many expats living in Barbados, and if European Union citizens were required to take the questionnaire, then that is a clear violation of EU law. This also applies to citizens from other countries where robust data protection laws have been enacted.
  • There are numerous other areas of the Act that the MoE and IDB violate in their relationship (e.g., consultation with the Data Protection Commissioner, performing data protection impact assessments, records of data processing activities, etc.). Sadly, this is just the tip of the iceberg. There are several public agencies, educational institutions, financial organizations (including fintechs), retail companies, telecoms operators, and other businesses in Barbados who are in clear violation of privacy and data protection laws.

The “right to private life” is enshrined in the Constitution of Barbados and the Universal Declaration of Human Rights (UDHR). The rights of data subjects (including children) are legally protected by the Data Protection Act (Barbados). The Government of Barbados, its development partners, and private corporations need to do so much better as it pertains to upholding the rights of citizens. I shudder to think of what similar privacy rights abuses are happening in other Caribbean countries and across the broader developing world.

12 steps to building a top-notch vulnerability management program

Along with my peer CISOs, I recently added my $0.02 to a CSO Online article on how to get the best results out of an enterprise vulnerability management program.

I particularly wanted to zoom in on key performance indicators (KPIs), given this is an area where many security professionals don’t focus enough of their attention.

“He says organizations could use any of the commonly used key performance indicators—such as percentage of critical vulnerabilities remediated on time and percentage of critical vulnerabilities not remediated on time—to measure current state and track improvement over time.

Other KPIs to use could include percentage of assets inventoried, time to detect, mean time to repair, number of incidents due to vulnerabilities, vulnerability re-open rate and number of exceptions granted.”
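To make these KPIs concrete, here is an added Python example; it is not code from the CSO Online article or from the author’s programme. It computes the metrics named above from a constructed set of scanner findings. The SLA windows, asset names and dates are assumptions for illustration only. Time to detect is left out because it needs the vulnerability’s public disclosure date, which this record set does not carry.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

# Remediation SLAs in days by severity. Assumption: an illustrative policy,
# not figures from the article.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    asset: str
    severity: str
    detected: date               # first seen by the scanner
    remediated: Optional[date]   # most recent closure date; None while still open
    reopened: bool = False       # a fix regressed and the finding came back
    exception: bool = False      # formally accepted risk, excluded from SLA metrics


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to two decimals; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 2) if denominator else 0.0


def remediation_kpis(findings, as_of: date, severity: str = "critical") -> dict:
    """On-time / late remediation for one severity tier, plus fleet-wide MTTR,
    re-open rate and exception count. Open findings still inside their SLA
    window count as neither on time nor late."""
    in_scope = [f for f in findings if f.severity == severity and not f.exception]
    on_time = late = 0
    for f in in_scope:
        deadline = f.detected + timedelta(days=SLA_DAYS[f.severity])
        if f.remediated is not None and f.remediated <= deadline:
            on_time += 1
        elif f.remediated is not None or as_of > deadline:
            late += 1   # closed after the deadline, or still open and already overdue

    # Findings that have been closed at least once (a reopened finding was closed before).
    ever_closed = [f for f in findings
                   if not f.exception and (f.remediated is not None or f.reopened)]
    ttr_days = [(f.remediated - f.detected).days for f in ever_closed if f.remediated]
    reopened = sum(1 for f in ever_closed if f.reopened)

    return {
        f"{severity}_pct_remediated_on_time": pct(on_time, len(in_scope)),
        f"{severity}_pct_not_remediated_on_time": pct(late, len(in_scope)),
        "mean_time_to_remediate_days": round(mean(ttr_days), 2) if ttr_days else 0.0,
        "reopen_rate_pct": pct(reopened, len(ever_closed)),
        "exceptions_granted": sum(1 for f in findings if f.exception),
    }


def assets_inventoried_pct(findings, cmdb: set) -> float:
    """Share of assets the scanner has touched that also exist in the asset inventory."""
    seen = {f.asset for f in findings}
    return pct(len(seen & cmdb), len(seen))


# Constructed sample data for the example; not real findings.
AS_OF = date(2022, 3, 31)
SAMPLE_FINDINGS = [
    Finding("web-01", "critical", date(2022, 1, 10), date(2022, 1, 20)),   # 10 days, within SLA
    Finding("web-02", "critical", date(2022, 1, 10), date(2022, 2, 15)),   # 36 days, late
    Finding("db-01", "critical", date(2022, 2, 1), None),                  # open and overdue
    Finding("db-02", "critical", date(2022, 3, 25), None),                 # open, inside SLA
    Finding("app-01", "critical", date(2022, 1, 5), date(2022, 1, 12), reopened=True),
    Finding("legacy-01", "critical", date(2022, 1, 3), None, exception=True),  # risk accepted
    Finding("web-01", "high", date(2022, 1, 15), date(2022, 2, 10)),       # 26 days
    Finding("web-03", "medium", date(2022, 2, 1), None),
]
SAMPLE_CMDB = {"web-01", "web-02", "db-01", "db-02", "app-01", "legacy-01"}  # web-03 is missing

if __name__ == "__main__":
    for name, value in remediation_kpis(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{name}: {value}")
    print("assets_inventoried_pct:", assets_inventoried_pct(SAMPLE_FINDINGS, SAMPLE_CMDB))
```

The split between “on time”, “late” and “open but inside SLA” matters: reporting only the first two hides how much of the backlog is about to breach, and an exception that is not recorded as such silently inflates the late figure.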

What are some of your key focus areas?

Don’t get your wires crossed – The evolution of cyber risk and why more companies are considering captives

A captive is a licensed insurance company fully owned and controlled by the insured parties – a type of “self-insurance.”

Captives are essentially an alternative for organizations to retain and finance cyber risk via actuarially determined premiums paid from the parent company to the captive. They’re becoming more popular due to an increasingly tough cyber insurance market.

Many thanks to Captive Insurance Times and to the amazing Rebecca Delaney for featuring me alongside other industry professionals on discussing this important topic.

The feature can be found on pages 18-22, and is now available to read in the latest online issue at this link:

Ransomware has “changed the game” of cyber insurance

I recently made a presentation on ransomware and cyber insurance at the Barbados Risk and Insurance Management (BRIM) conference.

Many thanks to the Captive Insurance Times’ reporter Rebecca Delaney for so excellently capturing my session. In the intro section, she wrote:

“Cyber insurance is not an exhaustive replacement for robust security capabilities, warns Niel Harper […] He explained that ransomware is so disruptive because of the extensive network of paid services it has spawned, such as access brokers, malware packing, phishing kits, hosting and infrastructure, anonymity and encryption, and hardware for sale… In addition, distribution networks include social network spam, instant messaging spam, exploit kit development, spam email distribution, and traffic distribution systems.”

The full article can be found at:

12 CISO Resolutions for 2022

At the beginning of January, my peers and I shared our security and privacy resolutions for 2022 with CSO Online. The full article can be found here on their website.

However, I wanted to further elaborate here on my plans for privacy and security across the enterprise this year.

I have a couple of resolutions for the upcoming year. Firstly, I want to focus more energy and resources on privacy and data. My second resolution is to refine and enhance the control framework around third-party risk management. In third place, but definitely not of lesser importance, is improving my enterprise’s protection against ransomware. The next resolution on my list is continuing to advocate the importance of email security to every business leader I meet; I am specifically referring to Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF). Finally, I want to gain more control over ‘shadow IT.’

With regards to privacy and data, it’s not only about responding to growing demands from GDPR and other national and regional privacy regulations. It’s just good practice to get a solid handle on where business-critical data assets reside and how this data moves inside and outside of your organization, ensuring that you have adequate and effective controls to prevent data leakage and privacy rights violations (and of course avoid fines). Over 55% of data breaches are now caused by a third party, so ensuring that I have an efficient, standardized approach for assessing third-party risk will most definitely reduce privacy and security exposures from vendors, service providers and even contractors. Ransomware continues to increase in terms of prevalence and severity, so a strong prevention and response strategy is key to operational, financial, and reputational risk reduction. Email security in some form has been around since the early 2000s, and yet fewer than 35% of companies have implemented DMARC, DKIM and SPF. The value of these technologies in combating brand impersonation, reputation damage, and phishing attacks can’t be emphasized enough. Shadow IT in basic terms means that you’ve lost control and visibility into your IT environment, and if you can’t account for IT assets, you can’t protect them.

My approach to privacy and data governance is premised on user/cultural awareness, end-to-end risk assessment, detailed records of processing activities, effective incident response, strong security controls, and building capabilities to integrate ‘privacy by design’ into the CI/CD. I plan to move away from using spreadsheets and manual processes to manage third-party risks, and instead leverage best-of-breed software tools that analyze, track, and minimize risks arising from supply chain exposures. With ransomware, my objective is to incorporate identity and access governance, multi-factor authentication (MFA), advanced honeypots, endpoint detection and response (EDR), and multi-tiered backups (3-2-1 strategy) into a cohesive ransomware prevention strategy. As it pertains to email security, my focus is less about my own shop (we’re already there) and more about assisting my peers and small to medium enterprises (SMEs) in properly setting up DMARC, DKIM, and SPF. Preventing shadow IT begins with enhancing usability and eliminating risky workarounds by removing the hindrances that foster them (i.e., being more agile in addressing discrete stakeholder requirements in close collaboration with the IT function).
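As an added example to go with the point about SMEs setting up DMARC, DKIM and SPF (this is illustrative code written for this post, not a tool from the original article), here is a small Python linter that flags the record weaknesses most often found when reviewing a domain: a permissive or neutral SPF `all` qualifier, too many DNS-lookup terms, a `p=none` DMARC policy with no reporting address, a short or testing-mode DKIM key. It works offline on constructed TXT records; the domain names are hypothetical and the DKIM `p=` values are placeholders of the right byte length rather than real keys. The "weak" records show a typical unreviewed setup and the "hardened" records the corrected one.

```python
"""Lint SPF, DKIM and DMARC TXT records for common weaknesses (added example).

Tag syntax follows RFC 7208 (SPF), RFC 6376 (DKIM) and RFC 7489 (DMARC).
Runs offline on the constructed records below; no live DNS lookups.
"""
import base64

# Constructed sample zone (hypothetical domains). The DKIM p= values are
# placeholder blobs of the byte length a real RSA SubjectPublicKeyInfo has
# (162 bytes ~ 1024-bit, 294 bytes ~ 2048-bit); they are not usable keys.
ZONE = {
    "weak.example": "v=spf1 a mx include:_spf.mailer.example ptr ?all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    "s1._domainkey.weak.example":
        "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(b"\x30" * 162).decode(),
    "hardened.example": "v=spf1 include:_spf.mailer.example -all",
    "_dmarc.hardened.example":
        "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
    "s1._domainkey.hardened.example":
        "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 294).decode(),
}

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 section 4.6.4 caps them at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a 'k=v; k=v' style DKIM/DMARC record into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no record starting with v=spf1 (receivers will ignore it)"]
    findings, lookups, final = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        name = term.lstrip("+-~?").lower().split(":")[0].split("=")[0].split("/")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: ptr mechanism is deprecated and slow")
        if name == "all":
            final = qualifier
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the RFC 7208 limit of 10 (permerror)")
    if final is None:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    elif final == "+":
        findings.append("SPF: +all authorises every host on the internet to send as this domain")
    elif final == "?":
        findings.append("SPF: ?all is neutral; use -all (or ~all while rolling out)")
    return findings


def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no record beginning with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("DMARC: missing or invalid p= tag; receivers treat the record as absent")
    elif policy == "none":
        findings.append("DMARC: p=none monitors only; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to learn from")
    return findings


def check_dkim(record):
    if not record.strip():
        return ["DKIM: no key published at this selector"]
    tags = parse_tags(record)
    findings = []
    if "v" in tags and tags["v"] != "DKIM1":
        findings.append("DKIM: v= tag present but not DKIM1")
    key = tags.get("p", "")
    if key == "":
        return ["DKIM: empty p= means the key is revoked; signatures will fail"]
    if tags.get("k", "rsa").lower() == "rsa":
        spki_len = len(base64.b64decode(key))
        # Heuristic, not a DER parse: ~34 bytes of SPKI framing plus the modulus,
        # so 162/294/550 bytes map to 1024/2048/4096 bits for standard key sizes.
        bits = ((spki_len - 34) // 32) * 256
        if bits < 2048:
            findings.append(f"DKIM: RSA key is about {bits} bits; publish 2048 bits (RFC 8301)")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("DKIM: t=y testing flag set; verifiers may ignore failures")
    return findings


def assess(zone, domain, selector="s1"):
    """Run all three checks for one domain; an empty list means no findings."""
    return {
        "spf": check_spf(zone.get(domain, "")),
        "dmarc": check_dmarc(zone.get(f"_dmarc.{domain}", "")),
        "dkim": check_dkim(zone.get(f"{selector}._domainkey.{domain}", "")),
    }


if __name__ == "__main__":
    for domain in ("weak.example", "hardened.example"):
        for check, findings in assess(ZONE, domain).items():
            print(domain, check, findings or "OK")
```

Against a real domain the three records would come from TXT lookups of the apex, `_dmarc.<domain>` and `<selector>._domainkey.<domain>`; the checks themselves do not change. The usual rollout order is SPF with `~all`, DKIM signing on every sending service, DMARC at `p=none` with `rua=` to collect reports, then `p=quarantine` and finally `p=reject` once the reports show only legitimate sources.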

The UK seeks to enforce tougher standards on MSPs

The UK government is proposing new regulations to strengthen cyber resilience in the private sector. The intention is to expand cybersecurity rules for critical infrastructure (CI) operators to include managed service providers (MSPs), introduce more stringent breach notification requirements, and legislate to establish the UK Cyber Security Council as the standards development organization for the cybersecurity profession. This is a welcome development, but more details about implementation and enforcement are needed.

MSPs are deeply integrated into the supply chains of many businesses, especially those organisations categorised as CI providers. They not only have privileged access to their customers’ infrastructure and applications, but also to the personal data of millions of citizens. A single breach of an MSP can potentially allow threat actors to compromise hundreds, even thousands of organisations. Additionally, the accompanying fallout from personal data leakage would have a serious impact in terms of impersonation, fraud, and other identity-based crimes. Poor risk management practices and weak security controls in MSPs can have dire consequences for national security and the economic prosperity of the UK.

Better cyber incident reporting, especially where mandated by law, has several positive effects. For one, it ensures that regulations keep pace with the evolving threat landscape and better protects consumers by allowing them to respond more quickly to leaks of their information. It also provides certain guarantees that law enforcement agencies (LEAs) receive timely information to better model threats, mitigate the risks, prevent or lessen harm from breaches, and take action to reduce the likelihood of future attacks.

At a macro level, the new regulations are focused on strengthening the country’s cyber-resilience in response to growing supply chain and critical infrastructure attacks – this is essentially a public safety matter. It can provide security to UK citizens against the negative impacts of attacks on critical infrastructure providers such as financial services, telecoms, energy, food & agriculture, defence, manufacturing, and others. It also protects businesses in these key industries where the incapacitation or destruction of their assets, networks and systems would have a paralysing effect on the UK’s national security, economic security, national public health or safety, or any combination thereof.

Cybersecurity is a risk management discipline, and improvements in the overall assessment of risks and the development of effective risk responses lead to a better security posture. For example, ransomware attacks are very much preventable, yet many businesses don’t invest the time or resources to understand their risks/exposures and implement relevant controls such as data recovery processes, isolated backups, encryption at rest, and routine backup testing. I believe these new regulations can most definitely enhance risk management capabilities in MSPs and other CI operators to counteract a broad range of cyber attacks, including ransomware.

It is imperative that companies develop stronger capabilities around risk management. For one, they need to view cyber risks as business risks and recognise that the impacts range from financial (loss of revenue or drop in share price) to operational (business disruption) to reputation (loss of customer and shareholder confidence) and ultimately regulatory (fines or other penalties). Consequently, they will need to embed a risk culture and build risk management capacity across their enterprises, or face punitive regulatory measures.

A shocking percentage of businesses routinely ignore growing cyber threats, thinking that “it won’t happen to them.” And this isn’t just small to medium enterprises (SMEs), but also large businesses across critical sectors. Several of these organisations don’t have a dedicated cybersecurity leader or functional information security department, refuse to invest in much needed controls and capabilities, and regularly hide breaches from staff, customers, and investors. Without specifically calling out any companies, there are more than enough examples of massive breaches at major businesses to validate my points. The price of failing to act is way too high, and the government would be negligent to not introduce these new regulations.

Why the humanitarian sector needs to make cybersecurity a priority

“In the not-too-distant past, international organizations (IOs) and non-governmental organizations (NGOs) working on humanitarian initiatives largely depended on landlines and fax machines to communicate and convey data back to their regional hubs or headquarters.

Now, like most businesses, NGOs and IOs have invested significant funds in information and communication technologies to enhance their crisis management capabilities. For example, better and faster decision-making is achieved through capturing and analysing demographic data to identify vulnerable groups, online surveys have proven critical for water, sanitation, and hygiene teams in the delivery of population health services, and biometric-enabled digital vouchers have been instrumental in reducing errors and fraud in the payment of traders.

These changes make humanitarian aid faster and more efficient. Picking up these digital tools helps save lives. However, digital transformation has also made IOs and NGOs enticing targets for cyber attacks by criminals, terrorists, and authoritarian regimes. The reasons for this range from the purely financial – people in crisis make easy targets for scams and theft – to the political – digital is becoming another avenue to attack a regime’s perceived enemies.”

I recently joined with the World Economic Forum’s Centre for Cybersecurity to author this piece for the Davos Agenda.

This article examines the cybersecurity threats being faced by international organizations (IOs) and non-governmental organizations (NGOs), outlines some key steps they should take to counteract these threats, and touches on what the private sector can do to support IOs and NGOs in responding to these risks & challenges.

You can read the full article on the World Economic Forum website.