Ransomware: To Pay or Not to Pay? And… How Not to Pay!

I very much enjoyed this amazing panel discussion with the brilliant Larry Whiteside Jr. and the thoughtful and engaging Andrew Hay. I also have to mention the excellent moderation by James Coker.

We discussed a range of topics from ransomware trends to cyber insurance to holistic incident response/disaster recovery to public-private partnerships in support of better overall industry response to ransomware attacks.

I hope the audience participants had as great a time as I did.

Finally, I want to extend my humblest thanks to Infosecurity Magazine for inviting me to speak at their Online Summit!

The on-demand video of the session can be found here. Check it out!

8 Pitfalls That Undermine Security Program Success

“Some of the biggest breaches have come down to small mistakes.

Hackers used a compromised password to access the company network via a virtual private network in the May 2021 Colonial Pipeline attack. A widely known vulnerability that hadn’t yet been patched was the entry point for the 2017 Equifax attack. And a bitcoin scam on Twitter started with spear phishing attacks on Twitter employees.

Of course, there’s no such thing as a perfect security program, but such events show that cybersecurity teams can’t afford to overlook anything.”

In this CSO Online article, I joined a number of security leaders to discuss eight easy-to-overlook pitfalls that can undermine an otherwise successful security strategy.

You can access the full article here!

ARIN/CaribNOG Technical Community Forum

The COVID-19 pandemic continues to impact networks, economies and societies across the Caribbean. More than ever, keeping critical systems secure, resilient, and accessible is a collective responsibility. This year’s Forum presented the opportunity for participants to understand the role the American Registry for Internet Numbers (ARIN) and other Internet development focused organizations play in supporting critical Internet Infrastructure in the Caribbean. It also facilitated the networking of people necessary to truly support and strengthen our technical community in the region.

ARIN has been collaborating closely with CaribNOG, a volunteer-based network operators’ community, to strengthen technical capacity in the region. This forum assembled some of the leading experts in the region and from around the world to address the fourth staging of our Technical Community Forum.

As the first featured speaker, the topic of my address was ‘Global Cybersecurity Trends and Implications.’ I first discussed the global shortage of cyber security personnel and encouraged the Caribbean to focus on the development of cybersecurity experts to support local, regional, and global demand (and also as a key element of national cyber workforce development). I also touched on other topics such as developing cybersecurity programs with constrained budgets, coordination and cooperation towards increase security resilience, and how to stay on top of developments in an increasingly complex threat landscape.

Many thanks to ARIN and CaribNOG for their invitation to speak!

Cloud Fundamentals Study Guide

The Information Systems Audit and Control Association (ISACA) just released the ‘Cloud Fundamentals Study Guide’ publication.

“The ‘Cloud Fundamentals Study Guide’ works through each aspect of cloud computing, its characteristics, common decision points, gaps and security vulnerabilities. It helps individuals prepare for the ISACA Fundamentals certificate exams, one of the components of the ISACA Certified in Emerging Technology certification program. I served as an Expert Reviewer on this project.

As a member of ISACA’s Emerging Technology Advisory Group, I served as an Expert Reviewer of this document.

I can’t fully explain the distinct pleasure that I derive from working with so many recognised and respected subject matter experts (SMEs) in the development of this type of content. We owe it to the next generation of IT risk management, audit & assurance, information security, and privacy professionals to provide them with the tools needed to aid their success. This is why we do what we do as ISACA volunteers!

You can access the ‘Cloud Fundamentals Study Guide’ through ISACA’s Bookstore.

Feature Address at the AFRALTI ‘Child Online Protection (COP) Virtual Workshop’

It was my distinct pleasure to be the featured speaker at today’s opening of AFRALTI’s ‘Child Online Protection (COP) Virtual Workshop.’

My presentation briefly touched on the importance of the following activities:

  1. Bringing multiple stakeholders together to create a safe and empowering online experience for children and young people
  2. Educating parents and educators to keep children safe online
  3. Ensuring that policymakers elaborate a legal framework that is adaptive, inclusive, and fit for purpose with regards to a fast-changing digital age to protect children online
  4. Ensuring that ICT and online industries understand their shared responsibility for securing cyberspace and commit to action

Based in Nairobi (Kenya), African Advanced Level Telecommunications Institute (AFRALTI) is an Inter-Governmental Institute established in 1991 to supplement and spearhead ICT development efforts mainly in English-speaking Africa. Currently the member States that have ratified the Intergovernmental Agreement (IGA) include Lesotho, Kenya, Malawi, Mozambique, Kingdom of Eswatini, Tanzania, Uganda and Zimbabwe, out of the 23 eligible members.

Incoming ISACA Board Features Experienced Leaders, Diverse Backgrounds

Deeply humbled to have been elected to the incoming Board of Directors for the Information Systems Audit and Control Association (ISACA).

The organisation has been instrumental in my career development and success, and I am looking forward to collaborating with this brilliant group of professionals and serving the dynamic and diverse ISACA community.

You can view the official announcement here: https://bit.ly/2QkW5S6

CARICOM Public Law Podcast – Cybersecurity and Digital IDs

Season 1 Episode 8 of the CARICOM Public Law Podcast is now available!

In this episode of the podcast, I spoke to the hosts about the technological, legal, ethical, economic, and business issues surrounding the Barbados government’s decision to introduce a new digital identification management system.

Special thanks to Rico J. Yearwood and Mequissa Baptiste for inviting me to share my perspectives on their platform.

Click on this link to tune in and listen!

Cybersecurity: Risks, Progress and the Way Forward in Latin America & the Caribbean

I will be chairing this Global Cyber Forum on 21 October 2020, where we will be discussing the state of cybersecurity capacities and capabilities across the Caribbean region.

Our speaker will be Kerry-Ann Barrett, Cybersecurity Policy Specialist at the Organization of American States (OAS), where she offers technical assistance to Member States in the development and implementation of their national cyber security strategies as well as assists in the implementation of various technical projects with the OAS Cybersecurity Program.

The overall basis for the session will be the 2020 Cybersecurity Report prepared by the Inter-American Development Bank (IDB), Organization of American States (OAS), and the Global Cyber Security Capacity Centre, University of Oxford. Our discussions will focus on the progress made thus far across the Caribbean, and what steps are necessary to move to the next level, including key areas such as national cybersecurity strategies, related action plans, or other cybersecurity capacity-building programs.

Tune in for what will be an engaging and informative session!

Cybersecurity pros are badly in need of MENTORS: And here’s why…

Finding and keeping cyber-talent is a top global concern for public- and private-sector organizations alike. Yet, the prevailing theory among industry analysts is that there is a talent crisis, with ‘experts’ predicting that by 2022 there will be more than 1.8 million unfilled jobs.

The above graphic highlights one of the industry’s most glaring shortcomings: Everyone wants to hire cybersecurity pros, but no one wants to develop, guide, instruct and enhance the career effectiveness of inexperienced/entry-level candidates. It’s a self-destructive, self-refuelling, self-fulfilling prophecy – And it NEEDS to STOP! We simply don’t have an assembly line of top-tier, experienced cyber pros to choose from.

So how do we develop the next generation of cybersecurity leaders? What are some of the individual actions veteran security leaders can take? How do we help those without the finances to obtain expensive security training and certifications? What role does the government have to play?

There are multiple dimensions to the institutionalisation of cyber capacity building. For example, there’s a national response and an enterprise response — and ideally the two should be coordinated (but most often are not).

There are established commercial training and certification programs, which can verify the capabilities of individuals. However, while these certifications can be used to get hired, organizations still have to continuously invest in their employees’ development. This is particular important given how rapidly the threat landscape changes.

From a national perspective, capabilities need to be developed to build trust in the online systems that underpin the digital economy. Part of building trust is creating a workforce of cyber pros to address key threats. Government should create a workforce development program as part of a national cybersecurity strategy, and it should address training at the college, university and professional certification levels.

But in the absence of such actions by corporations or countries, we cybersecurity leaders need to take up the charge. We need to commit to mentoring as many young professionals as we humanly can. It’s not only incumbent upon us to support their career progress, but also to give back to the profession as well as contribute to the overall trust model that underpins the global Internet. Let’s do our part!

What Do Great Airports and Great Cybersecurity Have In Common?

My 5 best airports are as follows:

  1. Singapore Changi Airport
  2. Tokyo International Airport – Haneda
  3. Seoul Incheon International Airport
  4. Hamad International Airport – Doha
  5. Hong Kong International Airport

Conversely, my 5 worst airports are:

  1. Newark Liberty International
  2. Berlin Schönefeld International
  3. Charles de Gaulle-Paris International
  4. Reykjavik International Airport
  5. London Gatwick International

Great airports are designed to manage high volumes of traffic while maintaining robust, granular security. They get the basic and advanced things right, while maintaining user friendliness and efficiency. They provide seamless connectivity, and are agile and responsive. They combine people, process and technology effectively. And they involve all stakeholders in continuous improvement plans. Great cybersecurity also does these things well!