Cybersecurity pros are badly in need of MENTORS: And here’s why…

Finding and keeping cyber-talent is a top global concern for public- and private-sector organizations alike. Yet, the prevailing theory among industry analysts is that there is a talent crisis, with ‘experts’ predicting that by 2022 there will be more than 1.8 million unfilled jobs.

The above graphic highlights one of the industry’s most glaring shortcomings: Everyone wants to hire cybersecurity pros, but no one wants to develop, guide, instruct and enhance the career effectiveness of inexperienced/entry-level candidates. It’s a self-destructive, self-refuelling, self-fulfilling prophecy – And it NEEDS to STOP! We simply don’t have an assembly line of top-tier, experienced cyber pros to choose from.

So how do we develop the next generation of cybersecurity leaders? What are some of the individual actions veteran security leaders can take? How do we help those without the finances to obtain expensive security training and certifications? What role does the government have to play?

There are multiple dimensions to the institutionalisation of cyber capacity building. For example, there’s a national response and an enterprise response — and ideally the two should be coordinated (but most often are not).

There are established commercial training and certification programs, which can verify the capabilities of individuals. However, while these certifications can be used to get hired, organizations still have to continuously invest in their employees’ development. This is particular important given how rapidly the threat landscape changes.

From a national perspective, capabilities need to be developed to build trust in the online systems that underpin the digital economy. Part of building trust is creating a workforce of cyber pros to address key threats. Government should create a workforce development program as part of a national cybersecurity strategy, and it should address training at the college, university and professional certification levels.

But in the absence of such actions by corporations or countries, we cybersecurity leaders need to take up the charge. We need to commit to mentoring as many young professionals as we humanly can. It’s not only incumbent upon us to support their career progress, but also to give back to the profession as well as contribute to the overall trust model that underpins the global Internet. Let’s do our part!

What Do Great Airports and Great Cybersecurity Have In Common?

My 5 best airports are as follows:

  1. Singapore Changi Airport
  2. Tokyo International Airport – Haneda
  3. Seoul Incheon International Airport
  4. Hamad International Airport – Doha
  5. Hong Kong International Airport

Conversely, my 5 worst airports are:

  1. Newark Liberty International
  2. Berlin Schönefeld International
  3. Charles de Gaulle-Paris International
  4. Reykjavik International Airport
  5. London Gatwick International

Great airports are designed to manage high volumes of traffic while maintaining robust, granular security. They get the basic and advanced things right, while maintaining user friendliness and efficiency. They provide seamless connectivity, and are agile and responsive. They combine people, process and technology effectively. And they involve all stakeholders in continuous improvement plans. Great cybersecurity also does these things well!

Expert Insights on Cyber Threats and Security

It is only a matter of time before an organisation experiences some kind of cyber incident.

In this podcast conversation with ICT Pulse, I discussed, among other things, how the threat landscape is changing, what should be included in a good Cybersecurity Incident Response Plan, whether cyber insurance is a good idea, and what is the top cybersecurity concern businesses face today.

Check it out here!

What the Government of Barbados Needs to Do to Get Fintech Right

There’s a common misconception that IT governance, risk and control (GRC) professionals like myself impose unreasonable demands on those trying to innovate and deliver human, social and economic benefits to society. But this is the furthest thing from the truth – our role is to ensure that those who are delivering technological solutions understand the risks and impacts associated with their IT platforms, and mitigate them in an adequate, effective, and sustainable manner.

The aforementioned point is key as I will go on to explore the privacy, security, and socio-economic implications of two recent announcements by the Government of Barbados pertaining to the implementation of Blockchain-related technology in the country. In a September 19th article titled ‘E-currency pilot coming’, it was stated that Prime Minister Mia Mottley “did not give details of the planned mobile wallet pilot project or when it would begin but gave the assurance that it would not be done in a reckless manner.” Barbados Today published an article on September 25th which stated ‘BSE to begin crypto-trading’, essentially heralding the decision of the Barbados Stock Exchange to trade in security tokens or crypto assets.

Given my intimate knowledge of privacy and security weaknesses in both the public and private sectors, the PM’s words do not instill in me any great confidence around the robustness of the security controls that will accompany these projects. The implementation of e-currency is a complex undertaking, that if not done correctly, can have a material impact on the country’s already weakened economic position. Security tokens are an extremely nascent solution with a lot of potential, but that doesn’t exempt them from security and privacy deficiencies. As such, I want to delve into some of the key areas that must be addressed before these solutions are widely deployed across our beloved nation.

Contract management and due diligence

Before any contracts are signed to commence these projects, the government must understand where personal data of Barbadian citizens will be stored. To provision users onto these platforms, personal data will need to be collected for AML and KYC purposes such as name, address, phone number, driver’s license, passport details, etc.

If the data is stored outside of Barbados, the privacy of Bajans may not be safeguarded as it will be subject to the laws and regulations of the jurisdiction in which the data resides (meaning that the legislation of a foreign country could permit them access to any and all data kept on Barbadian citizens). This is particularly concerning given the absence of data protection legislation in Barbados that would force any fintech company to ensure that transnational data flows must only occur where the destination country has an adequate legal framework in place to protect the rights of data subjects.

The lack of data protection legislation presents another problem in terms of imposing strict obligations on fintech providers to uphold the rights of data subjects. This includes setting requirements and fines for both data controllers and data processors as it pertains to protecting personal and sensitive data, obtaining consent to share personal/sensitive data, reporting data breaches to government and data subjects, among other rules. Hence, it would be in the best interests of Barbados citizens and foreign nationals if the 2018 Data Protection Bill was enacted into law before the launch of the new platforms.

In an ideal situation, the government should obtain 2-3 references from previous instances where the contracted parties have deployed solutions of this kind for other customers. However, it appears that Barbados will be the first country where the vendor will be deploying a ‘true’ e-currency platform, thus making the need for strong controls even more critical. As it pertains to tokenized securities, similar due diligence must be undertaken to protect our citizens.

The government must ensure that a qualified and independent security professional conducts a site visit to the vendors’ IT facilities to undertake a thorough assessment of their security controls. If this cannot be done, the vendor should be required to furnish government with a signed attestation from an independent and qualified third party that the IT facilities meet all the necessary best practice security requirements (e.g. physical security, grounding and lightning protection, environment monitoring, generators, etc.). Additionally, there should be a “right to audit” clause in the contract that allows the government to turn up at the vendors’ IT facilities at any time to conduct a security assessment.

The vendors’ financial statements should be reviewed by an independent auditing firm such as PwC, EY or Deloitte to ensure that they are in good standing and that they are able to remain going concerns for the foreseeable future. The viability of their business models should also be assessed as ‘feasible’. This would protect the country and its citizens from being left at the mercy of fintech service providers whose platforms enjoy massive uptake and integration into the socio-economic fabric of the country, and then they are quickly no longer in business.

With regards to PwC, EY, Deloitte, and other accounting firms (or any qualified professional services firm as a matter of fact), government should enlist one of them to have experienced IT auditors assigned full-time to both projects. This would ensure that IT governance, risk and control processes are embedded throughout the project lifecycles and don’t become an afterthought.

Another area of due diligence is assessment of the team who will be delivering and supporting the solutions. The government must obtain assurance that the right mix of skills is available to deliver and provide ongoing support for high performance, scalable and secure fintech platforms. Along with the technical positions, key roles that should be in place are Internal Audit (assurance), Privacy (compliance) and Information Security (availability, integrity and confidentiality).

Finally, a software escrow agreement that allows government access to the vendor’s proprietary code in the event they go out of business should be put into place […]

To view the remaining guidance on Technical Architecture, Deployment & Support, and Monitoring & Evaluation, you can read the entire blog here.

The Impact of the GDPR on the Hospitality Sector

Today I held a General Data Protection Regulations (GDPR) awareness seminar for members of the Barbados Hotel and Tourism Association (BHTA).

With regards to data security, there are few sectors more vulnerable to data-related threats than the hospitality sector. The volume of processed personal and credit card information being handed over to hotels, restaurants, etc. on a daily basis makes the sector extremely vulnerable. With the enforcement deadline having passed on 25 May, several companies in the sector have not updated their data protection processes, and are at risk for large financial penalties.

The seminar touched on key areas such as the following:

  1. Major Differences between the Data Protection Directive 95/46/EC and the GDPR
  2. Overall readiness across the hospitality sector
  3. Capturing and using personal data going forward
  4. Consent and contextual use of personal data
  5. How the GDPR affects repeat business and email marketing
  6. How the GDPR affects third-party data processors
  7. The rights of data subjects under the GDPR
  8. The difference between ‘personal data’ and ‘sensitive data’, and how they should be treated
  9. Other key aspects of the GDPR such as the Data Protection Officer (DPO), Data Protection Impact Assessments (DPIA) and ‘privacy by design’
  10. How to update strategies for websites, data governance, and marketing to become GDPR compliant

My takeaway from this session was that many businesses — small to large — have not made any steps to align their operations and processes with the requirements of the GDPR. Several others are defiantly refusing to address privacy and data protection within their organizations. However, what was gratifying is that I received a torrent of emails in the hours and days after from hoteliers, many of them eager to engage subject matter experts (SMEs) to assist in improving their control framework to meet the rigorous demands of the GDPR. Hopefully, this interest and willingness to improve is sustainable. There’s a lot of work to be done!