Why CISOs Must Fight Back Against Scapegoating

  • CISO ignores red flags in recruitment where business leaders repeatedly mention their “unique developer culture”.
  • CISO joins a major company which claims to be committed to cybersecurity.
  • CISO publishes 30-60-90 day plan and immediately performs a maturity assessment upon joining.
  • CISO meets with over 50 organizational leaders to outline the strategic vision and build support. Not a single person provides any meaningful input. The organization has no Internal Audit or Risk functions.
  • After completing the maturity assessment, CISO develops and publishes a draft cybersecurity strategy and multi-year roadmap for feedback. Not a single member of the executive management board reads the documents or provides feedback (including the CTO and CIO).
  • When asked about weak asset management (less than 35% of devices have EDR or MDM installed), the CIO states that developers don’t like being monitored. The CIO also states that cloud security posture management isn’t a priority (the organization employs a ‘multi-cloud strategy’ with a large footprint across multiple public clouds).
  • The organization’s CI/CD pipeline is fragmented with limited security controls. The CTO refuses to commit to robust security in the CI/CD pipeline because the organization is focused on code velocity and bringing new products/features to the market. CTO cannot explain why the Security Champions program failed.
  • The organization’s ecosystem is filled with thousands of vulnerable apps because there has literally been zero investment in relevant security controls. CISO develops a detailed plan addressing the people, process, and technology required to enhance security in the marketplace. The CISO is pretty much ignored.
  • The organization is obsessed with its annual SOC 2 audit (security theater).
  • CISO makes first presentation to executive management, addressing the security vision in accessible language such as business resilience, competitive advantage, market differentiation, regulatory compliance, collaborative risk management, etc. CISO highlights the “poor security culture” and asks that executive management make a formal statement about their commitment to security, the authority of the CISO, and the need for business leaders to own security in their domains and cooperate with the CISO. The executive management team is angry and criticizes the CISO for asking them to do what they see as his job.
  • A few weeks later, management and the CISO decide to part ways because of a “poor cultural fit”.

This is unfortunately a widespread scenario highlighting why the average CISO tenure is 18-24 months: poor tone from the top, unrealistic expectations, inadequate resources, accountability without authority, regulatory & legal pressure, and poor organizational culture.

It’s time for CISOs to push back against these toxic situations!

Cybersecurity & Data Privacy Virtual Summit 2026

It was my esteemed pleasure to have participated in the Cybersecurity & Data Privacy Virtual Summit 2026 these past 4 days.

I shared the “virtual floor” in 2 sessions with Dr. Bright Gameli Mawudor and Godphey Sterling and we discussed the various elements of a successful response to a cybersecurity breach, specifically looking at the Technical Response to neutralize the threat and a Strategic Response to manage business operations, legal obligations, and reputation damage.

We also touched on several topics of critical importance to cyber capacity building in the Global South (e.g., national cybersecurity strategy, CSIRTs, critical infrastructure protection, security awareness, privacy, public sector security standards, supply chain risk management, open-source as an alternative for cost containment, security in emerging technologies, international cooperation, etc.).

Kudos to the other amazing professionals who delivered top-tier presentations and deep knowledge sharing with the captive audience: Grace Lindo, Jason Lau, Rory Ebanks, Greg Richards, Kellye-Rae Campbell, Ann Cavoukian, Karnika Seth, Rosalind Lake, and Deborah Hileman.

Special thanks to Douglas Davidson for the invitation to impart my knowledge and experience and to Andrea Chisholm Anglin for her expert hosting of the event.

Ransomware as a Service (RaaS) from code to cartel

Yesterday at Black Hat MEA, my first deep dive session of the day focused on “Ransomware as a Service (RaaS) from code to cartel”.

I was privileged to share the stage with Ira Winkler, Patricia Titus, and Bjørn R. Watne.

We explored the evolution of ransomware into today’s organized, profit-centered, multi-disciplinary threat collectives, and delved into some key areas such as:

  • The affiliate model and how ransomware groups function like legitimate companies
  • Recruitment for capabilities (e.g., exploit developers, cloud security engineering, C2 servers, payment portals, compromise of trusted insiders, etc.)
  • The importance of business resilience as a risk response (e.g., disaster recovery testing, incident response planning, ransomware playbooks, tabletop exercises)
  • How the transition from double extortion to triple extortion is also manifesting as threats of bodily harm and targeting of family members
  • Why cyber insurance is not a replacement for robust security controls (e.g., air-gapped backups, MFA, PAM, EDR, security awareness, etc.)
  • How critical infrastructure protection (CIP) and operational resilience legislation factor into the overall industry response (e.g., DORA, NIS 2, CRA, etc.)
  • Why software developers and their tooling are increasingly targeted by RaaS consortiums, given risks such as privileged access to sensitive environments (staging, production), custodianship of API and cloud infrastructure keys, DevSecOps weaknesses, trust injection across CI/CD pipelines, code repository theft, etc.
  • Addressing encryption-related risks like quantum computing and cryptographic agility
  • How both defenders and attackers are leveraging AI

Many thanks to my fellow panelists for their brilliant insights and a note of appreciation for all those who attended.

Why the UK Government’s Loan Guarantee for JLR is a Cause for Concern

A cyber-attack “severely disrupted” Jaguar Land Rover (JLR) vehicle production, particularly at its two main UK plants. JLR’s retail business was also significantly impacted for consumers ordering or taking delivery of new vehicles. To help the carmaker recover and protect jobs within its extensive supply chain, the UK government has decided to underwrite a £1.5 billion loan guarantee.

The government’s loan guarantee is concerning because it socializes corporate risk, essentially creating a taxpayer-funded safety net for private sector cybersecurity failures. While the goal of protecting 100,000 supply chain jobs is understandable, this decision undermines the core market incentive for all businesses to achieve robust security resilience.

1. Incentivizing Security Complacency

By being the first company to receive such significant government aid following a cyber-attack, JLR sets a worrisome precedent. It signals to other large, systemically important companies that serious investment in preemptive cyber-defenses is optional. If a major breach causes a costly production shutdown, the government may provide a financial parachute to protect the supply chain. This effectively lowers the cost of poor security planning for major corporations and shifts the financial burden of resilience onto the public purse.

2. Rewarding Inadequate Preparation

The scale of JLR’s shutdown (e.g., halting all production for weeks) suggests a critical failure in both cyber resilience and business continuity planning (BCP). Should a secure and resilient organization be able to isolate an attack and recover without weeks of total shutdown, minimizing impact on its supply chain? Do the loan guarantees reward the company for a recovery posture that was slow, inadequate, or both? Is the public essentially paying for the gap between JLR’s security maturity and the highly disruptive level of the breach? Many questions arise, and a deeper discussion is needed about whether the government should be bailing out private corporations for a suboptimal cybersecurity posture.

3. Moral Hazard and Unintended Consequences

This action creates a significant moral hazard. The government is protecting the ultimate parent company, India’s Tata Motors, from the full financial consequences of the attack by backstopping a commercial loan via the Export Development Guarantee (EDG). Taxpayers assume the risk of JLR defaulting, shielding the multinational owner from a major cyber-loss event. This is especially controversial given that JLR’s massive profits would normally imply responsibility for maintaining its own cyber insurance and resilience fund.

In short, while the loan guarantee offers necessary short-term relief to small suppliers facing collapse, it carries a potential long-term cost: the erosion of market pressure on large corporations to treat cybersecurity as a non-negotiable, self-funded business continuity imperative.

AuditBoard names 25 CISOs to watch in 2025

In the rapidly evolving landscape of cybersecurity, innovative Chief Information Security Officers (CISOs) play a pivotal role in safeguarding organizations against AI-driven threats, ransomware attacks, and supply chain vulnerabilities. To acknowledge and applaud those leading the charge in tackling these challenges, AuditBoard has carefully chosen 25 CISOs who exemplify a dedication to enhancing cyber risk defenses and sharing their insights with the information security (infosec) community.

This curated list showcases the industry’s most resilient and forward-thinking cybersecurity experts. The 2025 selection highlights individuals who are at the forefront of navigating the ever-changing digital risk landscape, demonstrating resilience and innovation in their approach to cybersecurity leadership.

Thank you AuditBoard for your recognition alongside these amazing industry titans!

Each of these individuals has made a significant contribution to the profession, to industry, and to the organizations they work for. Massive respect goes out to each of them!

Security Magazine Top Cybersecurity Leaders for 2025

I would like to express my sincere gratitude to Security Magazine for recognizing me as one of the Top Cybersecurity Leaders for 2025.

I have always been a fan of Security Magazine and their laser focus on providing information and solutions on risk management, cybersecurity, physical security & safety, and other related industry trends. So this recognition from them is particularly appreciated.

Heartiest congratulations to my good friend Jason Lau and the other awardees Anmol Agarwal, Jay Gonzales, Sandra Cavazos, and David Baker – your commitment to digital trust and your service to the profession are mighty!

Many thanks as well go out to the amazing teams I have led at INTERPOL, Doodle, and other companies. You are the real champions!

Critical Infrastructure (CI) Protection – Are We Ready?

Critical infrastructure (CI) comprises the assets, systems, and networks that provide functions necessary for our human, social, and economic wellbeing. Its key sectors form a complex, interconnected ecosystem, and any threat to these sectors could have far-reaching and destructive national security, economic, and public health or safety consequences.

Despite their reliance on critical infrastructure, developing countries (and several developed nations) at large have not implemented a nationally coordinated framework to protect their vital information assets. Cyber attacks, such as distributed denial of service (DDoS), ransomware, advanced persistent threats (APTs), and others can severely affect all critical national infrastructure (CNI) sectors. Cyber attacks differ greatly from traditional types of threats such as terrorism, criminal activities, natural disasters, and industrial accidents, among others. Cyber attacks can now be initiated by any person with limited technical proficiency or resources, and these attacks can have a direct effect on the overall wellbeing of modern societies.

Last week, I presented at the 2025 Guyana Energy Conference on CNI protection, particularly touching on real-world incidents and addressing the threat landscape, risk assessment, adversary categories, challenges, and opportunities. I also emphasized that a multi-stakeholder approach premised on mutual trust is the optimal route to achieving CI protection outcomes.

Check out my presentation HERE.

Cybersecurity: A Dynamic and Impactful Career Field

Strengthening the cybersecurity workforce has become one of the most urgent – and universal – needs for both corporations and nation-states in recent years. Cyber capacity building is also my passion, and I have dedicated the last decade of my life to supporting the next generation of cybersecurity professionals through my work with ISACA, European Commission, and the Internet Society.

The demand for cybersecurity professionals continues to grow. As technology becomes more pervasive in our lives, so does the complexity and frequency of cyber threats. Corporations and governments are constantly seeking to bolster their cyber defenses, increasing the need for more skilled cybersecurity experts.

I wrote this article for Media Planet outlining why cybersecurity is such a dynamic and impactful career path.

Check it out: https://bit.ly/41tZT6e

AI Under Control: Protecting Your Business from Emerging AI Risks

Earlier today, I participated in a panel discussion hosted by Baruch College (City University of New York) titled, ‘AI Under Control: Protecting Your Business from Emerging AI Risks.’

Our exchanges touched on critical challenges in evaluating AI system risks, adversarial attacks, data privacy, and bias in AI models, among other topics. We also shared practical controls for ensuring AI fairness, governance, and security, along with risk mitigation strategies. The overall focus was on offering the attendees practical solutions for managing AI risk.

Many thanks to Professor Patrick Slattery for the invitation to participate.

Also, much appreciation to the other panelists (Dr. Yogesh Malhotra, Patricia Voight, and Benjamin Dynkin) for sharing their experiences and ideas!

The Caribbean Cybersecurity Pandemic – Building a Digital Trust Model

Citizens and customers are increasingly losing confidence and trust in their governments and the corporations that develop and deliver online services. From AI, crypto marketplaces, and the Internet of Things (IoT) to personal data leaks, unethical use of data analytics, and supply chain breaches, the repeated failures of technology vendors and digital service providers have severely damaged the trust model at the core of their relationships with their customers. There’s no doubt that digitalisation can drive human, social, and economic development. Simultaneously, surveys and research have shown a concerning decrease in trust in online platforms and associated social institutions.

Today, I presented at the Development Dialogue Seminar of the Caribbean Development Bank (CDB) on the topic of building a digital trust model. The backdrop for the discussion was what many see as the ‘Caribbean Cybersecurity Pandemic’ – the avalanche of cyberattacks that have impacted private and public sector entities across the region – and how this correlates with the decrease in trust and limited uptake by citizens of online services (e.g., e-commerce, e-government, social media, fintech, and others).

Leveraging the World Economic Forum’s Digital Trust Framework, I discussed the key goals and dimensions (e.g., security, reliability, accountability, oversight, ethical use, privacy, fairness, redressability, etc.) underpinning digital trust as well as the capabilities needed to operationalise them.

Check out my presentation and let me know your thoughts!