risk management – Niel Harper

The Dangers of Relying on Security Theater

February 1, 2026February 1, 2026nielharper

In 2026, phrases like “We take security seriously” or “Your security is important to us” have become the ultimate red flags.

When companies lead with these lines in their PR, it often signals the opposite: Security Theater 🎭

As a global digital trust and corporate governance professional, I see this daily. Theater is easy; resilience is hard. Theater is about “checking a box” for a board mandate, audit finding, or customer requirement; resilience is about an internal ethos that guides every business decision.

How do you spot the actors? Here are 6 signs of a “Theatrical” security posture:

Non-Existent or Weak “Tone at the Top”: The attitude and commitment of the Board and C-suite dictates the security culture that governs every employee’s daily actions. When the tone at the top is weak, the security program in most every case fails.

Compliance as a Destination: Treating a SOC 2 or ISO certification as the finish line rather than the baseline. Attackers don’t care if you passed an audit; they care about your unpatched edge devices and unsecured cloud assets.

“Shadow IT” Amnesia: Bragging about a new “AI Policy” while employees are quietly feeding sensitive intellectual property into unmanaged non-enterprise LLMs, leveraging third-party code with no security gates or approvals, and using unapproved plugins or add-ons in browsers / IDEs / issue-tracking platforms that are vastly insecure.

The “Culture” Conundrum: Forcing employees through 10 minutes of outdated, boring video slides once a year and calling it a “Security Culture.” Real culture is when people believe in security and live it each day in their actions and decisions. This also goes for the businesses whose “developer culture” requires security leadership to be ‘flexible’ and to ignore heinous security practices by software developers.

MFA Mirage: Having Multi-Factor Authentication (MFA) enabled, but allowing so many “exceptions” for executives or legacy systems that the front door is essentially unlocked.

Asset and Configuration Management: No accurate inventories exist for hardware / software / data assets, the majority of enterprise devices aren’t running unified endpoint management (UEM) or endpoint protection, cloud assets and their configuration status are unknown, an embarassingly low number of critical assets have logging enabled, and hardening templates don’t exist across virtual servers / microservices / network devices.

Digital Trust isn’t a marketing slogan. It is a measurable KPI. In 2026, the market must shift to rewarding candor and specificity over “vague invulnerability.”

The companies that thrive won’t be the ones that never get hit – they’ll be the ones that had the integrity to build real defenses before the curtain went up.

Stop the performance. Start the protection.

How the ISACA Board and Executive Management Address Cyber Risk

December 9, 2024December 11, 2024nielharper

“Notes from the Boardroom” is a series of blog posts from ISACA board directors providing transparency, context and perspective on how the ISACA board is carrying out its governance responsibilities.

“Cyber risk is a major risk facing virtually all organizations, including ISACA, and the ISACA Board of Directors and executive management, particularly, acknowledge their fiduciary duty to govern cyber risks effectively. ISACA leadership realizes that our management of the broader portfolio of risks, including cyber, demonstrates to our members, customers, staff and partners that digital trust is not only a commitment that we promote commercially, but it’s also an internal ethos that guides our business.”

Check out my recent blog which discusses the various ways in which we – the Board of Directors and executive management – address cyber risk and corporate governance within ISACA.

Cyber firms need to centre their own resilience

September 5, 2024September 5, 2024nielharper

I recently authored a piece for the ComputerWeekly.com Security Think Tank discussing incident response in the wake of the July CrowdStrike incident, and articulating my viewpoint about what CrowdStrike got wrong, what it did right, and next steps

“Information security is essentially an information risk management discipline. By rendering many information systems inoperable, the global outage precipitated by Crowdstrike prevented several companies from accessing critical business information due to unplanned and extended downtime.

The unavailability was not only to information systems, but also to related information processing. It was not only an information risk event, but it was also an information security incident. And the impact of the risk event/information security incident was high from operational, financial, reputation, legal, technological and even regulatory perspectives.”

The full article can be found at this link.

The UK seeks to enforce tougher standards on MSPs

January 20, 2022January 21, 2022nielharper

The UK government is proposing new regulations to strengthen cyber resilience in the private sector. Their intention is to expand cybersecurity rules for critical infrastructure (CI) operators to include managed service providers (MSPs), more stringent breach notification requirements, and legislation to establish the UK Cyber Security Council as the standards development organization for the cybersecurity profession. This is a welcomed development, but more details about implementation and enforcement are needed.

MSPs are deeply integrated into the supply chains of several businesses, especially those organisations categorised as CI providers. They not only have privileged access to their customer’s infrastructure and applications, but also to the personal data of millions of citizens. A single breach of a MSP can potentially allow threat actors to compromise hundreds, even thousands of organisations. Additionally, the accompanying fallout from personal data leakage would have a serious impact in terms of impersonation, fraud, and other identity-based crimes. Poor risk management practises and weak security controls in MSPs can have dire consequences to national security and the economic prosperity of the UK.

Better cyber incident reporting, especially where mandated by law, has several positive effects. For one, it ensures that regulations keep pace with the evolving threat landscape to better protect consumers by allowing them to respond quicker to leaks of their information. It also provides certain guarantees that law enforcement agencies (LEAs) receive timely information to better model threats, mitigate the risks, prevent or lessen harm from breaches, and take action to reduce the likelihood of future attacks.

At a macro level, the new regulations are focused on strengthening the country’s cyber-resilience in response to growing supply chain and critical infrastructure attacks – this is essentially a public safety matter. It can provide security to UK citizens against the negative impacts of attacks on critical infrastructure providers such as financial services, telecoms, energy, food & agriculture, defence, manufacturing, and others. It also protects businesses in these key industries where the incapacitation or destruction of their assets, networks and systems would have a paralysing effect on the UK’s national security, economic security, national public health or safety, or any combination thereof.

Cybersecurity is a risk management discipline, and improvements in the overall assessment of risks and development of effective risk responses leads to better security posture. For example, ransomware attacks are very much preventable, yet many businesses don’t invest the time or resources to understand their risks/exposures and implement relevant controls such as data recovery processes, isolated backups, encryption at rest, and routine backup testing. I believe these new regulations can most definitely enhance risk management capabilities in MSPs and other CI operators to counteract a broad range of cyber attacks, including ransomware.

It is imperative that companies develop stronger capabilities around risk management. For one, they need to view cyber risks as business risks and recognise that the impacts range from financial (loss of revenue or drop in share price) to operational (business disruption) to reputation (loss of customer and shareholder confidence) and ultimately regulatory (fines or other penalties). Consequently, they will need to embed a risk culture and build risk management capacity across their enterprises, or face punitive regulatory measures.

A shocking percentage of businesses routinely ignore growing cyber threats, thinking that “it won’t happen to them.” And this isn’t just small to medium enterprises (SMEs), but also large businesses across critical sectors. Several of these organisations don’t have a dedicated cybersecurity leader or functional information security department, refuse to invest in much needed controls and capabilities, and regularly hide breaches from staff, customers, and investors. Without specifically calling out any companies, there are more than enough examples of massive breaches at major businesses to validate my points. The price of failing to act is way too high, and the government would be negligent to not introduce these new regulations.

Why the humanitarian sector needs to make cybersecurity a priority

January 17, 2022January 17, 2022nielharper

“In the not-too-distant past, international organizations (IOs) and non-governmental organizations (NGOs) working on humanitarian initiatives largely depended on landlines and fax machines to communicate and convey data back to their regional hubs or headquarters.

Now, like most businesses, NGOs and IOs have invested significant funds in information and communication technologies to enhance their crisis management capabilities. For example, better and faster decision-making is achieved through capturing and analysing demographic data to identify vulnerable groups, online surveys have proven critical for water, sanitation, and hygiene teams in the delivery of population health services, and biometric-enabled digital vouchers have been instrumental in reducing errors and fraud in the payment of traders.

These changes make humanitarian aid faster and more efficient. Picking up these digital tools helps save lives. However, digital transformation has also made IOs and NGOs enticing targets for cyber attacks by criminals, terrorists, and authoritarian regimes. The reasons for this range from the purely financial – people in crisis make easy targets for scams and theft – to the political – digital is becoming another avenue to attack a regime’s perceived enemies.”

I recently joined with the World Economic Forum’s Centre for Cybersecurity to author this piece for the Davos Agenda.

This article examines the cybersecurity threats being faced by international organizations (IOs) and non-governmental organizations (NGOs), outlines some key steps they should take to counteract these threats, and touches on what the private sector can do to support IOs and NGOs in responding to these risks & challenges.

You can read the full article on the World Economic Forum website.

8 Pitfalls That Undermine Security Program Success

September 13, 2021May 6, 2022nielharper

“Some of the biggest breaches have come down to small mistakes.

Hackers used a compromised password to access the company network via a virtual private network in the May 2021 Colonial Pipeline attack. A widely known vulnerability that hadn’t yet been patched was the entry point for the 2017 Equifax attack. And a bitcoin scam on Twitter started with spear phishing attacks on Twitter employees.

Of course, there’s no such thing as a perfect security program, but such events show that cybersecurity teams can’t afford to overlook anything.”

In this CSO Online article, I joined a number of security leaders to discuss eight easy-to-overlook pitfalls that can undermine an otherwise successful security strategy.

You can access the full article here!