Niel Harper

More and more boards are scrutinizing the impact of security and privacy issues on their businesses. However, taken action to being CISOs on to the board has been way too slow. The main challenge is that they don’t grasp that information security issues are not simply IT issues. For clarity, take a look at my article on ‘8 Reasons Why Cybersecurity Strategy and Business Operations are Inseparable‘.

The urgency now being seen from many boards is more so a knee-jerk response to government pressures and increased regulations in lieu of several high profile breaches that have shaken public trust. The former head of the Securities and Exchange Commission (SEC) Luis Agulilar made the following comment back in 2014:

“Board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks.” He also issued a clear warning that “boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril.”

Regulators across the globe are making it clear that organizations must have robust privacy and security controls in place to manage the risks associated with technology-enabled commerce. As such, it is critically important that boards regardless of their companies’ industries have a security expert among them to expertly lead the organization in such matters. It is clear that government regulators will hold the Board of Directors accountable and liable for not discharging their duty to prevent harm to the corporation, including damage occurring from cyber attacks and data breaches. Individual directors themselves can be subject to derivative shareholder lawsuits and class-action suits from the company’s banks, business partners, vendors, customers and their own employees.

That being said, not many CISOs have the knowledge and experience; the executive capabilities required to translate into meaningful business terms the impact a cyber incident has on the organization and the activities undertaken to mitigate such events. Many members of the board are not engineers or IT professionals, let alone possess an understanding of technology governance, risk and control. The average board is comprised of approximately nine individuals but some can be as many as 30 persons, so it is imperative that the CISO familiarize himself with his audience to effectively deliver a solid presentation that resonates with them. It is helpful to go into the details of presentations one-to-one with individual board members, as many of them love going into depth and that is an ideal approach to influence the board on an individual basis. For actual board meetings, there is a firm agenda and time limitations that can lessen the strength and impact of CISO presentations.

One of the most effective presentations is the use of risk metrics as most board members in a formal session do not want to be inundated with techno-jargon (do this and watch their eyes glaze over). They want a helicopter perspective of the issues and with clear impact on how the organization as a whole is affected. Board members want visual quantification of risks with the most relevant data in simple language. Using benchmarks designating the past, present and future allows the audience to clearly see how the situation has changed, see the progress and efforts necessary to achieve a benchmark goal.

It is an uphill journey for a CISO to acquire a seat on the board. It is not for the faint-hearted as one is burdened with enormous responsibilities and the board members are the apex of the organization tasked with guiding its ultimate success or failure. Consequently, board membership is a delicate process as much is at stake in terms of the organization remaining a going concern.

CISOs are a necessity to have on the board but they must be savvy, experienced and strategic-minded executive to serve in that capacity. They must have the vision, thought leadership, relationship building skills, and grit to demonstrate value to the organization in this role.

ICT Pulse:  Niel, thank you again for taking the time to share your insights with us. To start, give us a quick recap of what have been the most prevalent types of incidents in the Barbados and/or in the wider Caribbean region over the past year or so?

Niel Harper:  Over the past year, there has been a substantive increase in ransomware attacks in Barbados and across the Caribbean. This is pretty much in line with the global trend, where we saw massive ransomware attacks such as NotPetya and WannaCry that impacted over 500,000 organizations and resulted in damages and losses in excess of USD$400 million. Barbados and the rest of the Caribbean were not spared from the wrath of these attacks.

ICTP:  Has the threat landscape changed over the past year? Are there any particular areas of concern that you have for Caribbean organizations, or the region as a whole?

NH:  Yes, most definitely the threat landscape has changed over the last year. Firstly, there has been a shift towards attacks on the underlying Internet infrastructure. Hence, Caribbean service providers need to implement protections in their networks to address core routing and DNS security, among others. Additionally, we are seeing hackers using social media platforms as an attack vector, and such attacks are routinely compromising mobile phones. Last but perhaps most significant, state-sponsored threat actors have become more and more active. We are seeing increasing attacks against critical infrastructure and supply chains. For example, cyberwar actors will seek to attack targets that result in maximum disruption, economic upheaval, and even public safety issues (e.g. airports, public transit, power grids, nuclear facilities, smart cities, etc.). There will be continued attacks targeting democratic processes such as electronic voting machines, online voter registration, party or politician websites, and other such platforms. Sadly, Caribbean (and global) enterprises will get caught up in state-led or state-sponsored attacks, and with far-reaching economic impacts.

ICTP:  Over the past year, ransomware incidents still appeared to be occurring across the region. Are they still as huge a threat?

NH:  As stated in my earlier comment, ransomware is most definitely still a threat, and there are a couple of reasons for this. For one, there are numerous techniques available to hackers for initiating ransomware attacks such as spam, phishing, rootkits on legitimate website, traffic redirection, and others. Ransomware also remains a lucrative business for hackers. There’s also no shortage of targets for ransomware attackers, specifically when you consider that many healthcare providers, government agencies and educational institutions simply don’t have the resources to adequately respond to cyber threats […]

The entire interview can be found on the ICT Pulse website at: https://bit.ly/2JzAFce

Chief information security officers (CISOs) are increasingly in-demand, and the very good ones are expensive and difficult to lock down. As more and more organizations who are without CISOs suffer breaches, how should they go about bringing such talent into their businesses?

Could an on-demand virtual CISO (vCISO) be the appropriate solution for them? A vCISO is essentially a security practitioner who provides their advice and insights to an organization on an outsourced and ongoing basis, usually part-time and remotely.

But why would a business engage a vCISO when they can hire a full-time CISO? The answer to this is not a simple one. Firstly, a vCISO is not a good fit for all organizations. Secondly, highly-regarded, experienced CISOs are not easily found, generally stay in a role for 2-3 years, and most importantly, come with a salary that is prohibitive for small to medium enterprises (SMEs).

vCISOs usually cost around 40% – 60% of what you would pay a full-time CISO, and their services can be delivered on-demand. Their benefits usually way exceed their costs. Virtual CISOs are highly experienced, knowledgeable, don’t have learning curve challenges, can integrate easily into a business, and won’t see the need to tiptoe or play nice when it comes to corporate politics. With this approach, it is strictly about outcomes, and a top-tier vCISO will provide critical board and executive engagement, metrics, and high-level reporting.

While different vCISOs come with varying skillsets, most should be able to deal with a plethora of activities from strategic to tactical. They can develop your information risk assessment methodology. They can create a robust framework of policies, procedures, standards, and guidelines. They can help your organization come to terms with GDPR, PCI-DSS and other compliance issues. They can address outsourced vendor risks, for example around cloud computing and IoT services. They can also assist with recruitment and establishing a high-performance team, devising the security vision and strategy, leading the RFP process for security solutions, refining incident response processes, and implementing COBIT 5.0 and ISO/IEC 27000. They might also support the coaching and training needs of newly hired CISOs and conduct awareness training and reporting to the Board of Directors.

Virtual CISOs are best suited to startups and growing companies, and are an ideal approach for bolstering the already in-place management team or basically leveraged as a short-term solution. The best vCISOs must be good communicators – vertically and horizontally, and especially at the board level. They must be able to work with companies across diverse industries and with varying risk profiles and backgrounds. They must be capable of communicating clearly what business risks companies are exposed to as it relates to cybersecurity. An effective vCISO must also be adaptable and quickly learn about the unique business environment their customer operates in. And once these things are known, the vCISO needs to bring their knowledge and skills to bear in terms of aligning the cybersecurity strategy with the business’ strategic objectives.

As they generally operate without budgets or responsibility for implementation, it is best if vCISOs are viewed as advisors and not as auditors or change managers. Cybersecurity is largely a business of relationship management, and traditional CISOs must win the hearts and minds of the executives and organizational leaders if they’re to move the enterprise forward. vCISOs don’t necessarily need to do this, as they are not visible and likely won’t be around for the long-term.

“Cybersecurity is a constant challenge for businesses. Niel Harper, Managing Director of Octave Consulting Group, shares tips to protect your company’s infrastructure from security threats, and offers ways to stay a step ahead of malware, hacking, and other attacks.”

I recently sat down with the Economist Group and Laserfiche (Simplicity 2.0 Podcast) to discuss the management of cybersecurity risks. These types of interviews tend to get very abstract, so I purposely wanted to touch on topics that would resonate with both corporations and end users.

The podcast in its entirety can be found here.

In modern society, there is one fact that is unquestionable: The hyper-connectivity of the digital economy is inescapable. A financial institution without an online presence or omni-channel strategy will cease to be competitive. Universities (for-profit or non-profit) must develop and continuously evolve their online learning capabilities if they are to stay relevant. Online retailers are quickly outpacing and rendering their ‘brick-and-mortar’ counterparts irrelevant. Travel agents have been largely relegated to dinosaur status in this era of online travel search aggregators and booking portals. A payments ecosystem mostly dominated by major card networks and processors now includes closed loop systems such as Apple Pay, Google Wallet and others. When we add the Internet of Things (IoT), robotics and artificial intelligence (AI) to the mix, the networked society has become a monolith that we simply cannot ignore.

What is most concerning about the ubiquity of technology is the multitude of cyber threats which organizations and individuals have to contend with. While the risks to individuals are relatively high as it relates to invasion of privacy, identity theft and financial loss, cyber-attacks can have a particularly critical impact on businesses. Depending on market and jurisdictional realities, the consequences can include heavy regulatory penalties, plummeting stock prices, lawsuits or mass layoffs — The effect on a company’s bottom line can be catastrophic.

But how are corporations responding to this ever-evolving threat landscape? The resulting strategies fall mostly into the following categories. There are the large organizations which employ the ‘3 lines of defense’ approach where an IT department owns and manages cyber risks, the operational risk and/or compliance departments specialize in risk management (including cyber), and the internal audit function provides independent assurance that cyber risks are being effectively managed. This approach is resource intensive and demands highly specialized (and costly) personnel. There are the generally under-staffed companies that limp along from day-to-day reacting to cyber-attack after cyber-attack, many of them not even aware that their systems and networks have been compromised. And finally, there are the SMEs that basically stick their heads in the sand and pretend that their operation is too small or insignificant to be the target of cyber criminals.

More often than not, business leaders across the board fail to recognize that cybersecurity is no longer the domain of the IT organization. Cybersecurity strategy is now business strategy, and the response to cyber threats is the responsibility of every individual that works for or runs a company. And here are 8 key reasons why this is undeniably the case:

1. Corporate governance – A 2016 survey by Goldsmiths that included responses from 1,530 non-executive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries showed that 90% of respondents admitted to not being able to read a cybersecurity report and were not prepared to respond to a major attack. Even more worrisome was the fact that over 40% of executives did not feel that cybersecurity or protection of customer data was their responsibility. Let that sink in for a moment. This is why ensuring that cybersecurity is a running topic at executive and board level meetings is imperative for organizations. Even more, greater ownership should be ascribed to all levels of personnel for cyber risks. Cybersecurity culture is a collective effort that starts at the top and works its way down through the organization.
2. Regulatory and legal compliance – Certain industries like banking, healthcare and energy are subjected to heavy regulatory burdens. And many of these regulations include requirements pertaining to privacy, data protection, and network security. In the US there are HIPAA, Gramm-Leach-Bliley, and FISMA. The EU has the NIS Directive and the GDPR. To address cross-border data flows between the EU and the US, there is Privacy Shield. To comply with this multitude of regulations, deep cyber and risk management capabilities must be embedded across organizations. Failure to do so can affect a company’s ability to stay in business. Period.
3. Competitive advantage – Developing robust and effective internal controls to safeguard against cyber-attacks can equate to market leadership, brand strengthening, and product / service differentiation. For example, as more businesses look to AI, IoT and robotics to streamline processes and improve business performance, ensuring that these technologies are secure […]

The full article can be found on the CircleID website at: https://goo.gl/zn7Yg9