The Current Debate on the UK Digital ID (“BritCard”) is Misleading – Here’s Why!

The current negative debate about the BritCard is misleading because it largely relies on outdated assumptions about technology and centralization, ignoring the fundamental privacy safeguards that several countries have proven work effectively. The central flaw in the critical narrative is that it assumes a 21st-century digital ID is equivalent to a 1950s physical paper card or a single, insecure database. As with any technology, there are pros and cons to digital ID, but to act like it is mass surveillance or a gratuitous privacy violation is just wrong. What’s even more concerning to me is that a lot of the misinformation is being peddled by “privacy experts”.

Progressive countries like Singapore, Belgium, Austria, Estonia, Sweden, Denmark, Canada, Australia, Poland, the Netherlands, the UAE, and Germany all have digital ID systems. Digital ID facilitates streamlined access to services, increased efficiency, financial inclusion, reduced fraud, and enhanced security. Regarding privacy, these systems actually allow for contextual data sharing, which privacy experts have asked for repeatedly.

Data protection legislation and digital identity legislation have been coupled together in many countries to establish standards for security, user consent, data protection, and independent regulation. Moreover, privacy and security controls such as zero-knowledge protocols, unique ID verification, secure storage, data minimization, decentralized data exchange, and biometric safeguards, among others, are employed to protect the privacy of individuals.

I have digital IDs for Denmark, Estonia, and Germany, and they are nothing like what these negative arguments suggest.

NOTE: The proposed central use case for the BritCard of combating illegal immigration is ill-conceived and distorts the debate around the pros and cons of digital ID.

Why the UK Government’s Loan Guarantee for JLR is a Cause for Concern

A cyber-attack “severely disrupted” Jaguar Land Rover (JLR) vehicle production, particularly at its two main UK plants. JLR’s retail business was also significantly impacted for consumers ordering or taking delivery of new vehicles. To help the carmaker recover and protect jobs within its extensive supply chain, the UK government has decided to underwrite a £1.5 billion loan guarantee.

The government’s loan guarantee is concerning because it socializes corporate risk, essentially creating a taxpayer-funded safety net for private sector cybersecurity failures. While the goal of protecting 100,000 supply chain jobs is sympathetic, this decision undermines the core market incentive for all businesses to achieve robust security resilience.

1. Incentivizing Security Complacency

By being the first company to receive such significant government aid following a cyber-attack, JLR sets a worrisome precedent. It signals to other large, systemically important companies that serious investment in preemptive cyber-defenses is optional. If a major breach causes a costly production shutdown, the government may provide a financial parachute to protect the supply chain. This effectively lowers the cost of poor security planning for major corporations and shifts the financial burden of resilience onto the public purse.

2. Rewarding Inadequate Preparation

The scale of JLR’s shutdown (e.g., halting all production for weeks) suggests a critical failure in both cyber resilience and business continuity planning (BCP). Should a secure and resilient organization be able to isolate an attack and recover without weeks of total shutdown, minimizing impact on its supply chain? Do the loan guarantees reward the company for a recovery posture that was either slow, inadequate, or both? Is the public essentially paying for the gap between JLR’s security maturity and the highly disruptive level of the breach? Many questions arise and a deeper discourse is needed into whether or not the government should be bailing out private corporations for suboptimal cybersecurity posture.

3. Moral Hazard and Unintended Consequences

This action creates a significant moral hazard. The government is protecting the ultimate parent company, India’s Tata Motors, from the full financial consequences of the attack by backstopping a commercial loan via the Export Development Guarantee (EDG). Taxpayers assume the risk of JLR defaulting, shielding the multinational owner from a major cyber-loss event. This is especially controversial given that JLR’s massive profits would normally imply responsibility for maintaining its own cyber insurance and resilience fund.

In short, while the loan guarantee offers necessary short-term relief to small suppliers facing collapse, it carries a potential long-term cost: the erosion of market pressure on large corporations to treat cybersecurity as a non-negotiable, self-funded business continuity imperative.

AuditBoard names 25 CISOs to watch in 2025

In the rapidly evolving landscape of cybersecurity, innovative Chief Information Security Officers (CISOs) play a pivotal role in safeguarding organizations against AI-driven threats, ransomware attacks, and supply chain vulnerabilities. To acknowledge and applaud those leading the charge in tackling these challenges, AuditBoard has carefully chosen 25 CISOs who exemplify a dedication to enhancing cyber risk defenses and sharing their insights with the information security (infosec) community.

This curated list showcases the industry’s most resilient and forward-thinking cybersecurity experts. The 2025 selection highlights individuals who are at the forefront of navigating the ever-changing digital risk landscape, demonstrating resilience and innovation in their approach to cybersecurity leadership.

Thank you, AuditBoard, for your recognition alongside these amazing industry titans!

Each of these individuals has made a significant contribution to the profession, to industry, and to the organizations they work for. Massive respect goes out to each of them!

Security Magazine Top Cybersecurity Leaders for 2025

I would like to express my sincere gratitude to Security Magazine for recognizing me as one of the Top Cybersecurity Leaders for 2025.

I have always been a fan of Security Magazine and their laser focus on providing information and solutions on risk management, cybersecurity, physical security & safety, and other related industry trends. So this recognition from them is particularly appreciated.

Heartiest congratulations to my good friend Jason Lau and the other awardees Anmol Agarwal, Jay Gonzales, Sandra Cavazos, and David Baker – your commitment to digital trust and your service to the profession are mighty!

Many thanks as well go out to the amazing teams I have led at INTERPOL, Doodle, and other companies. You are the real champions!

Critical Infrastructure (CI) Protection – Are We Ready?

Critical infrastructure (CI) comprises the assets, systems, and networks that provide functions necessary for our human, social, and economic wellbeing. Its key sectors form a complex, interconnected ecosystem, and any threat to these sectors could have far-reaching and destructive national security, economic, and public health or safety consequences.

Despite their reliance on critical infrastructure, developing countries (and several developed nations) at large have not implemented a nationally coordinated framework to protect their vital information assets. Cyber attacks, such as distributed denial of service (DDoS), ransomware, advanced persistent threats (APTs), and others, can severely affect all critical national infrastructure (CNI) sectors. Cyber attacks differ greatly from traditional types of threats such as terrorism, criminal activities, natural disasters, and industrial accidents, among others. Cyber attacks can now be initiated by any person with limited technical proficiency or resources, and these attacks can have a direct effect on the overall wellbeing of modern societies.

Last week, I presented at the 2025 Guyana Energy Conference on CNI protection, particularly touching on real-world incidents and addressing the threat landscape, risk assessment, adversary categories, challenges, and opportunities. I also emphasized that a multi-stakeholder approach premised on mutual trust is optimal for achieving CI protection outcomes.

Check out my presentation HERE.

New ISACA Research: 63 Percent of Privacy Professionals Find Their Jobs More Stressful Now Than Five Years Ago

The ISACA State of Privacy 2025 survey report, which gathered responses from over 1,600 privacy professionals globally, revealed that 63% of these professionals find their roles more stressful than they were five years ago, with 34% reporting a significant increase in stress levels. The primary sources of stress identified in the survey were the rapid pace of technological advancements (63%), difficulties with compliance (61%), and a lack of resources (59%).

“In an increasingly complex international regulatory environment, often with lacklustre resources, it is understandable that many privacy professionals are feeling strain from their efforts to stay compliant and keep their organizations’ data safe. Addressing these challenges and getting practitioners the support they need will be vital to not only ensure a healthy privacy workforce, but also to maintain data integrity and security, and avoid potential harm to data subjects.” I made these comments via BusinessWire on the report to emphasize not only the challenges associated with implementing privacy programs, but also the importance of organizations demonstrating their commitment to data governance, data ethics, privacy rights, and overall digital trust.

With AI, the privacy landscape has changed dramatically, including the regulatory burdens for companies. Continued leadership in the boardroom, at the executive level, as well as embedding privacy principles in organizational values is integral to nurturing the trust relationship between enterprises, their customers, and society at large.

Five Ways Security Professionals Can Start the New Year Strong

As we step into the new year, it’s crucial for cybersecurity professionals to gear up for a more secure future. Beyond just looking ahead, it’s essential to consider how our personal and professional efforts can enhance #DigitalTrust.

Thanks to ISACA for featuring my latest blog post that outlines five impactful ways to kickstart 2025 and sustain momentum throughout the year. Let’s make 2025 a milestone year for cybersecurity!

You can read the full article here: https://bit.ly/4j7qCfj

Cyber firms need to centre their own resilience

I recently authored a piece for the ComputerWeekly.com Security Think Tank discussing incident response in the wake of the July CrowdStrike incident, and articulating my viewpoint about what CrowdStrike got wrong, what it did right, and next steps.

“Information security is essentially an information risk management discipline. By rendering many information systems inoperable, the global outage precipitated by CrowdStrike prevented several companies from accessing critical business information due to unplanned and extended downtime.

The unavailability was not only to information systems, but also to related information processing. It was not only an information risk event, but it was also an information security incident. And the impact of the risk event/information security incident was high from operational, financial, reputation, legal, technological and even regulatory perspectives.”

The full article can be found at this link.

The Lacework Modern CISO Network: Board Book

“When boards fail to adequately oversee a growing risk with potentially catastrophic consequences, it’s a serious issue.

Yet, the problem remains — and often goes undetected.

Cybersecurity-related discussions in boardrooms sometimes seem to offer great promise; but in reality, they are unproductive sessions that lead to unfulfilled hopes. On the flip side, sometimes important issues are raised and directors do not sufficiently comprehend the matter under discussion. When board members do have technical knowledge, but are unfamiliar with both cybersecurity at the strategic level and the process of security oversight, boards seem to make other time-sucking errors that can create dangerous failures of oversight.

Finding board members who can successfully blend cybersecurity know-how with business acumen is not an easy task. According to the IANS Research report, just 14% of Russell 3000 CISOs have at least four out of the five ideal board candidate traits.

It is this challenge that this publication seeks to reconcile.”

The Modern CISO Network: Board Book offers boards a directory of experienced experts ready to advise and guide businesses as they navigate the complex world of cybersecurity. By arming companies with a diverse directory of CISOs and other cybersecurity leaders with relevant expertise both in terms of cybersecurity and business acumen, the board book will hopefully make it easier for companies to improve their resilience against modern-day threats.

Transitioning from a techie to a business leader is one of the most valuable steps that a CIO or CISO can take, and it provides immense value both to the individual in their professional journey and to the organization in terms of addressing pervasive business risks.

I am happy to be featured in the Board Book alongside some of the most outstanding board-ready CISOs in the world. I tip my hat to each and every one of them!

Will your incident response team fight or freeze when a cyberattack hits?

“CISOs train their teams to fight hackers but often overlook the human tendency to freeze up during a crisis. Planning for the psychology of incident response can help prevent a team from seizing up at the wrong moment.”

The tendency for cyber professionals to freeze during incident response – especially those who have never actually experienced a cyber attack – is more prevalent than one would think. This occurs even in organizations that have well-drilled security awareness training, detailed incident playbooks, cyber-attack simulations, and red team exercises.

In this CSO Online article, other security leaders and I discuss how best to prepare our teams and organisations to overcome fear and freezing when faced with a real-time cyber-attack.