Security leaders shed light on their zero trust journeys

Zero trust architecture (ZTA) implementations pose challenges due to the abundance of vendor and media hype surrounding this concept. Understanding the true essence of zero trust and its relevance to your specific company or IT environment is crucial.

Establishing trusted identities for devices is a foundational aspect of implementing a zero trust model. It is essential to navigate through decisions on scaling your zero trust ecosystem effectively, encompassing identity, authentication, network architecture, and endpoint detection and response technologies.

Transitioning to a “default/deny” architecture from the traditional “trust then verify” approach can introduce significant user friction and degrade the overall experience of using enterprise systems. Hence, careful planning and constituent engagement are a necessity.

Moving towards a zero trust architecture is a progressive journey rather than a mere technological shift. Many enterprises will find themselves operating on a hybrid zero trust/perimeter-based model during this transition phase.
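To make the three models concrete, here is an added Python sketch (not code from the CSO Online conversations or from any vendor product) of a policy evaluator. It contrasts a perimeter decision that trusts network location, a default-deny decision that requires a known group, a second factor and a trusted device identity, and a hybrid that applies the default-deny rules only to resources that already have a rule. All device identifiers, group names, resources and rules are constructed for the example.

```python
"""Added example: perimeter vs default-deny vs hybrid access decisions.

Device IDs, groups, resources and rules below are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset            # memberships asserted by the identity provider
    mfa: bool                    # session was authenticated with a second factor
    device_id: Optional[str]     # device identity (e.g. from a client cert); None if absent
    device_compliant: bool       # most recent posture / EDR check passed
    resource: str
    on_corp_network: bool        # source address is inside the traditional perimeter


@dataclass(frozen=True)
class Rule:
    resource: str
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True


# Constructed device inventory and resource policy (hypothetical names).
TRUSTED_DEVICES = frozenset({"dev-laptop-001", "dev-laptop-002"})
POLICY = (
    Rule("payroll", frozenset({"finance"})),
    Rule("wiki", frozenset({"staff", "finance"}),
         require_mfa=False, require_managed_device=False),
)


def perimeter_evaluate(req):
    """Legacy 'trust then verify': being inside the network implies trust."""
    if req.on_corp_network:
        return ("allow", "request originates inside the perimeter")
    return ("deny", "request originates outside the perimeter")


def zero_trust_evaluate(req, policy=POLICY, trusted_devices=TRUSTED_DEVICES):
    """Default deny: only an explicit rule whose every condition holds grants access."""
    rule = next((r for r in policy if r.resource == req.resource), None)
    if rule is None:
        return ("deny", "no rule grants access to this resource")
    if not (req.groups & rule.allowed_groups):
        return ("deny", "user is not in an allowed group")
    if rule.require_mfa and not req.mfa:
        return ("deny", "MFA required")
    if rule.require_managed_device:
        if req.device_id is None:
            return ("deny", "no device identity presented")
        if req.device_id not in trusted_devices:
            return ("deny", "unknown device")
        if not req.device_compliant:
            return ("deny", "device out of compliance")
    return ("allow", "identity, authentication and device checks satisfied")


def hybrid_evaluate(req, policy=POLICY, trusted_devices=TRUSTED_DEVICES):
    """Transition state: resources with a rule are under zero trust,
    everything else still falls back to the perimeter decision."""
    if any(r.resource == req.resource for r in policy):
        return zero_trust_evaluate(req, policy, trusted_devices)
    return perimeter_evaluate(req)


# Constructed sample requests.
FINANCE_REMOTE = AccessRequest("alice", frozenset({"staff", "finance"}), True,
                               "dev-laptop-001", True, "payroll", False)
UNKNOWN_DEVICE_INSIDE = AccessRequest("bob", frozenset({"staff", "finance"}), True,
                                      "dev-rogue-999", True, "payroll", True)
NO_MFA_INSIDE = AccessRequest("alice", frozenset({"staff", "finance"}), False,
                              "dev-laptop-001", True, "payroll", True)
LEGACY_APP_INSIDE = AccessRequest("carol", frozenset({"staff"}), False,
                                  None, False, "legacy-erp", True)

if __name__ == "__main__":
    samples = [("finance user, trusted device, remote", FINANCE_REMOTE),
               ("unknown device on the LAN", UNKNOWN_DEVICE_INSIDE),
               ("trusted device, no MFA, on the LAN", NO_MFA_INSIDE),
               ("legacy app with no rule yet, on the LAN", LEGACY_APP_INSIDE)]
    for label, req in samples:
        print(f"{label}:")
        for name, fn in (("perimeter", perimeter_evaluate),
                         ("zero trust", zero_trust_evaluate),
                         ("hybrid", hybrid_evaluate)):
            print(f"  {name:10s} -> {fn(req)}")
```

The second and third samples are the friction the text warns about: the same LAN-connected request that the perimeter model waves through is refused until the device is enrolled or the user completes MFA, which is why the rollout has to be planned with the people it will affect. The last sample shows the hybrid state, where an application that has not yet been brought under a rule is still reachable on the old terms.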

These insightful discussions with Mary K. Pratt from CSO Online and other security leaders provided valuable perspectives on the challenges and opportunities associated with implementing ZTA.

Explore the conversations and insights shared here: https://bit.ly/4cI2P2C

Mismanagement of the BRA Breach: Incompetence is Expensive

In this year’s budget, the Ministry of Finance, Economic Affairs, and Investment is asking for $36.9 million to cover the costs associated with managing last year’s data breach at the Barbados Revenue Authority (BRA). Given that the average cost of responding to a data breach in 2024 was USD $4.88 million (BBD $9.76 million at the 2:1 peg), this quoted figure is exceptionally high and warrants a detailed examination.

Here’s my breakdown of why such an amount is considered excessive:

1. Financial Strain:

  • Depletion of Public Funds: $36.9 million is a substantial amount that severely depletes the country’s financial resources at a time when the nation is struggling with heavy debt obligations and underperformance in key sectors. It will more than likely require budget cuts in other critical areas, halt planned projects, or even threaten the country’s ability to service existing debts or meet its overall financial needs.
  • Opportunity Cost: The money spent on data breach response could be better used for investments in economic growth, innovation, social services, workforce development, or other strategic initiatives that contribute to Barbados’ long-term success.
  • Citizen Impact: This is at its core an erosion of trust in government’s effectiveness in managing cybersecurity and data protection, and can have a knock-on negative impact in terms of reduced quality and investment in citizen services (e.g., education, healthcare, transportation, sewage, housing, etc.), increased public debt, additional taxes, and hindered development.

2. Cost-Benefit Analysis:

  • Value of Data: It’s essential to compare the recovery cost with the actual value of the compromised data. I am certain no quantitative assessment was performed by the government to determine the cost of the data. In this case, the data might not be worth $36.9 million, making the recovery expenditure disproportionate.
  • Potential Losses: While data breaches can lead to financial losses, including regulatory fines, legal fees, and compensation to individuals harmed by their data being misused or abused, it’s crucial to estimate these potential losses accurately. A $36.9 million recovery cost in my opinion exceeds the estimated losses the government would have otherwise incurred.

3. Inefficiencies and Overcharging:

  • Vendor Pricing: Given my experience managing data breaches over the last 20+ years, unscrupulous vendors usually exploit the urgency and panic surrounding a breach to inflate their prices. This appears to be the case in this instance (given that the government has limited cybersecurity capabilities and little to no experience responding to breaches).
  • Scope Creep: Recovery efforts can sometimes expand beyond the initial scope, leading to unnecessary expenses. There’s no doubt in my mind that the government did not have defined security incident response procedures or objectives, which led to the recovery scope being too wide and unconstrained to avoid cost overruns.
  • Ineffective Strategies: The chosen security incident response strategies were poorly defined and inefficient, leading to prolonged recovery times and increased costs.

4. Failure of Prevention:

  • Security Gaps: As I have said numerous times, the government does not have the capabilities in place to secure the technologies that they have implemented, and this $36.9 million bill confirms these significant weaknesses in their cybersecurity infrastructure and practices. It raises questions about why they have failed to implement the numerous detailed security strategies provided to them over the last decade by the European Union (a project which I led), the International Telecommunication Union (ITU), the Organization of American States (OAS), and others.
  • Missed Opportunities: Investing in robust cybersecurity measures, such as firewalls, intrusion detection systems, personnel training, and regular security audits, could have prevented the breach or minimized its impact, potentially saving millions of dollars in recovery costs. And while investments have been made in some of these areas, the implementation of the solutions has left a lot to be desired.

5. Reputation Damage:

  • Public Perception: While the financial cost is significant, the reputation damage from the BRA data breach doesn’t seem to be substantial. While the breach was severe, involved sensitive data, and came on the heels of the cyber-attacks against the Queen Elizabeth Hospital and many other government departments, there are many residents who still don’t seem to understand how dire the government’s cybersecurity situation really is.
  • Public Trust: The constant data breaches impacting public services and citizens’ data have a detrimental effect on public trust (which is already low). This will prevent the uptake of digital services being implemented by the government as well as reduce the confidence in e-commerce as a whole. Basically, it jeopardises the entire digital transformation agenda of this administration and the ability of Barbadians to reap the associated benefits.

In conclusion, while data breach recovery is a necessary expense, $36.9 million is an exorbitant amount that warrants careful scrutiny. It’s crucial that the Public Accounts Committee (PAC) and the Office of the Auditor General conduct a thorough investigation, evaluating vendor pricing, identifying inefficiencies, and addressing underlying security vulnerabilities to ensure that recovery efforts in the future are effective and cost-efficient.

He Said Security / She Said Privacy Podcast – ISACA 2025 State of Privacy Survey Findings

I thoroughly enjoyed tag teaming with Safia Kazi to discuss the key findings of the ISACA State of Privacy Survey with Jodi Daniels and Justin Daniels on the ‘He Said Security / She Said Privacy’ podcast.

We touched on some important topics such as:

  • How companies are handling privacy staffing shortages
  • The growing demand for technical privacy expertise and how privacy pros can adapt
  • AI’s role in transforming privacy operations and its risks
  • The impact of shrinking privacy budgets
  • How board-level buy-in impacts company-wide privacy programs
  • Why privacy by design remains a challenge for many organizations
  • Safia’s and my personal privacy tips

Check out the podcast and let us know what you think!

Security Magazine Top Cybersecurity Leaders for 2025

I would like to express my sincere gratitude to Security Magazine for recognizing me as one of the Top Cybersecurity Leaders for 2025.

I have always been a fan of Security Magazine and their laser focus on providing information and solutions on risk management, cybersecurity, physical security & safety, and other related industry trends. So this recognition from them is particularly appreciated.

Heartiest congratulations to my good friend Jason Lau and the other awardees Anmol Agarwal, Jay Gonzales, Sandra Cavazos, and David Baker – Your commitment to digital trust and your service to the profession are mighty!

Many thanks as well go out to the amazing teams I have led at INTERPOL, Doodle, and other companies. You are the real champions!

Critical Infrastructure (CI) Protection – Are We Ready?

Critical infrastructure (CI) comprises those assets, systems, and networks that provide functions necessary for our human, social, and economic wellbeing. Its key sectors are part of a complex, interconnected ecosystem, and any threat to these sectors could have far-reaching and destructive national security, economic, and public health or safety consequences.

Despite their reliance on critical infrastructure, developing countries (and several developed nations) at large have not implemented a nationally coordinated framework to protect their vital information assets. Cyber attacks, such as distributed denial of service (DDoS), ransomware, advanced persistent threats (APTs), and others can severely affect all of these CI sectors. Cyber attacks differ greatly from traditional types of threats such as terrorism, criminal activities, natural disasters and industrial accidents, among others. Cyber attacks can now be initiated by any person with limited technical proficiency or resources, and these attacks can have a direct effect on the overall wellbeing of modern societies.

Last week, I presented at the 2025 Guyana Energy Conference on CI protection, particularly touching on real-world incidents and addressing the threat landscape, risk assessment, adversary categories, challenges, and opportunities. I also emphasized that a multi-stakeholder approach premised on mutual trust is the optimal route to achieving CI protection outcomes.

Check out my presentation HERE.

New ISACA Research: 63 Percent of Privacy Professionals Find Their Jobs More Stressful Now Than Five Years Ago

The ISACA State of Privacy 2025 survey report, which gathered responses from over 1,600 privacy professionals globally, revealed that 63% of these professionals find their roles more stressful than they were five years ago, with 34% reporting a significant increase in stress levels. The primary sources of stress identified in the survey were the rapid pace of technological advancements (63%), difficulties with compliance (61%), and a lack of resources (59%).

“In an increasingly complex international regulatory environment, often with lacklustre resources, it is understandable that many privacy professionals are feeling strain from their efforts to stay compliant and keep their organizations’ data safe. Addressing these challenges and getting practitioners the support they need will be vital to not only ensure a healthy privacy workforce, but also to maintain data integrity and security, and avoid potential harm to data subjects.” I made these comments via BusinessWire on the report to emphasize not only the challenges associated with implementing privacy programs, but also the importance of organizations demonstrating their commitment to data governance, data ethics, privacy rights, and overall digital trust.

With AI, the privacy landscape has changed dramatically, including the regulatory burdens for companies. Continued leadership in the boardroom, at the executive level, as well as embedding privacy principles in organizational values is integral to nurturing the trust relationship between enterprises, their customers, and society at large.

Five Ways Security Professionals Can Start the New Year Strong

As we step into the new year, it’s crucial for cybersecurity professionals to gear up for a more secure future. Beyond just looking ahead, it’s essential to consider how our personal and professional efforts can enhance #DigitalTrust.

Thanks to ISACA for featuring my latest blog post that outlines five impactful ways to kickstart 2025 and sustain momentum throughout the year. Let’s make 2025 a milestone year for cybersecurity!

You can read the full article here: https://bit.ly/4j7qCfj

Cybersecurity: A Dynamic and Impactful Career Field

Strengthening the cybersecurity workforce has become one of the most urgent – and universal – needs for both corporations and nation-states in recent years. Cyber capacity building is also my passion, and I have dedicated the last decade of my life to supporting the next generation of cybersecurity professionals through my work with ISACA, European Commission, and the Internet Society.

The demand for cybersecurity professionals continues to grow. As technology becomes more pervasive in our lives, so does the complexity and frequency of cyber threats. Corporations and governments are constantly seeking to bolster their cyber defenses, increasing the need for more skilled cybersecurity experts.

I wrote this article for Media Planet outlining why cybersecurity is such a dynamic and impactful career path.

Check it out: https://bit.ly/41tZT6e

How the ISACA Board and Executive Management Address Cyber Risk

“Notes from the Boardroom” is a series of blog posts from ISACA board directors providing transparency, context and perspective on how the ISACA board is carrying out its governance responsibilities.

“Cyber risk is a major risk facing virtually all organizations, including ISACA, and the ISACA Board of Directors and executive management, particularly, acknowledge their fiduciary duty to govern cyber risks effectively. ISACA leadership realizes that our management of the broader portfolio of risks, including cyber, demonstrates to our members, customers, staff and partners that digital trust is not only a commitment that we promote commercially, but it’s also an internal ethos that guides our business.”

Check out my recent blog which discusses the various ways in which we – the Board of Directors and executive management – address cyber risk and corporate governance within ISACA.

Dispelling the Myths of Defense-Grade Cybersecurity

Defense-grade cybersecurity solutions are specifically designed to provide advanced protection against sophisticated threats, but there are many misunderstandings about this level of protection.

Sectors like finance, healthcare and critical infrastructure can use battle-hardened, defense-grade cybersecurity to tackle today’s cyber threats.

In this webinar hosted by Infosecurity Magazine, I joined an expert group of panelists to uncover the truth behind common misconceptions about defense-grade cybersecurity, demonstrating its relevance, affordability, adaptability and effectiveness for organizations beyond the military or government.

We tackled myths such as, “defense-grade cybersecurity can’t stop APTs”, “it’s only for the government” and “it’s too complex and difficult to deploy”, providing insights into how modern defense-grade measures are accessible, scalable and essential for critical sectors.

We also discussed real-world applications of defense-grade principles, explaining how these solutions address today’s advanced threats.

Register to watch the on-demand recording at this link.