Hugo
April 17, 2024

Niel Harper on Cybersecurity Risks and Solutions in Outsourcing

Author: Sainna Christian

Niel Harper, a seasoned cybersecurity expert with a global perspective, offers valuable insights into digital security and risk management. Through Harper’s expertise, this interview explores the challenges and opportunities presented by emerging technologies, the importance of robust security practices in outsourcing partnerships, and the future of cybersecurity. Join us as we delve into Harper’s perspectives on building resilient security strategies, fostering trust in digital partnerships, and preparing for tomorrow’s cybersecurity threats.

Q: Let’s start with an introduction. Could you tell us about yourself? What’s your career trajectory been like? 

A: I am originally from Barbados, but I have lived in more than ten (10) countries throughout my career, including Canada, Denmark, France, and Germany. I started my career as a telecommunications engineer, and my last pure play role in the field was as Technical Operations Manager at AT&T Wireless, where I led the team that deployed and managed GSM mobile networks.

I transitioned to cybersecurity in 2006, first working as a Manager of Internal & ICT Audit with a quad-play telecoms provider in the Dutch Antilles. Since then, I’ve held several roles including Head of Network & Security Engineering, Chief Information Officer, Chief Information Security Officer, and Chief Trust Officer. I also worked with the Internet Society in Washington, D.C., as the Director of Next Generation Leaders, overseeing their global cyber-policy capacity-building programs.

My work has also involved advising governments and international organizations on developing national cybersecurity and cybercrime policies, legislation, and cyber capacity-building roadmaps. In the past and currently, I have served on a wide range of industry working groups and corporate boards, including the Professional Standards Working Group of the UK Cyber Security Council, Information Security Special Interest Group at the United Nations, and the Cyber Risk & Corporate Governance Working Group at the World Economic Forum. I am currently an Independent Director and Vice-Chair, Board of Directors at ISACA and sit on the Independent Management Advisory Committee (IMAC) of the International Telecommunication Union.

Q: When evaluating potential outsourcing partners, what key security factors should companies prioritize? How can they effectively assess a provider’s security capabilities? 

A: A major element of a supplier risk management framework is vendor risk assessment. Companies need to have processes in place that assess a vendor’s control environment, not just when initiating the partnership but continuously throughout the life of the contract. The best mechanisms for risk assessment are independent third-party attestations and certifications such as ISO 27001, SOC 2 Type II, HITRUST, and PCI-DSS.

Q: What steps can organizations take to build and maintain trust with their customers and stakeholders when it comes to outsourcing security? 

A: Security is, in many ways, a market differentiator and competitive advantage. By that measure, organizations must adeptly communicate and promote their commitment to security. This can be done by creating a focused security page on their website, publishing a detailed security whitepaper, streamlining access to security certifications/attestations, regular social media posts, blogs and interviews on security topics, and customer-centric tips and tricks, among other interventions.

Q: Has the increased adoption of emerging technologies such as artificial intelligence, machine learning, and blockchain impacted the security landscape? What challenges and opportunities are these technologies presenting? 

A: Most definitely! AI has had a material impact on the ability of malicious actors to make their threats, techniques, and procedures (TTPs) much more efficient but with greater complexity and difficulty in terms of detection and mitigation. On the flipside, AI also presents opportunities in the form of automation and orchestration to better analyze and more quickly respond to threat intelligence and security events.

Regarding Blockchain, we see that the largest and most popular use case is cryptocurrencies. The crypto industry is by far one of the most attacked, peaking in 2022 with 219 attacks and over USD 3.7 billion in assets stolen from crypto businesses. Crypto has also become the de facto means of payment for ransomware actors.

Q: How can organizations strike the right balance between leveraging the benefits of outsourcing while maintaining strict control over security and data protection? 

A: When a company outsources, it transfers risks to an organization with a more robust control framework. Therefore, the key to leveraging outsourcing with continued assurance that privacy and security controls are in place is implementing a comprehensive supplier risk management framework.

Q: From your experience, what are some essential security best practices that outsourcing companies should implement to protect both themselves and their clients’ data?

A: To substantiate and solidify the digital trust relationship with its clients, an outsourcing company must adopt ‘security & resilience’ as a corporate ethos. At the board level, directors need to be competent in cyber risk and corporate governance to direct and challenge the business’ IT and cybersecurity leadership. Executive management has to set a strong tone from the top in formulating an organizational structure that best underpins cybersecurity excellence. This includes commitments in terms of messaging, unequivocal support, delegated authority, and adequate resourcing (human capital and financial).

Q: How can outsourcing companies and their clients work together to foster a culture of shared responsibility and accountability for security? Are there any best practices you’ve observed in successful partnerships? 

A: I previously mentioned the supplier risk management framework, which must encompass shared strategy and roadmap development, perpetual monitoring of delivery quality and adherence to agreed service levels, legally binding obligations, and responsiveness to addressing areas of contention.


Q: What do you believe will be the most significant cybersecurity threats in the next 5-10 years? 

A: Speculating on the future of cybersecurity is inherently challenging. From new attacks and techniques to technology and defenses, the threat landscape is always changing. That said, I envision cyber workforce development as one of the biggest threats. This includes the pipeline of new professionals becoming increasingly empty due to negative gatekeeping, unwillingness to hire and train inexperienced candidates, lack of trained and capable professionals, gender barriers to entry, and the burnout and departure of existing leaders whose roles as mentors are integral.

Other threats include the risks of AI and ML, geopolitical risks/state-sponsored attacks, privacy and security weaknesses in smart devices, quantum computing, and atrophy from regulatory experiments (e.g., GDPR, NIS 2, Cyber Resilience Act, DORA, etc.).

Q: How can generative AI be leveraged to enhance defensive capabilities and support the work of cybersecurity professionals? 

A: AI and related features such as machine learning, natural language processing, data mining, predictive analytics, behavioral analytics, and automated decision-making can be used to recognize patterns and learn from past incidents, interpreting human language and democratizing security decision-making across relevant teams, extracting valuable patterns and insights from large datasets, forecasting potential threats based on historical data, monitoring and analyzing user behavior to detect anomalies, and enabling quicker, data-driven responses to identified threats.

Still, AI has become a buzzword recently and is by no means a panacea or replacement for good security practices. Cybersecurity professionals must still develop competencies in delivering the core basics of day-to-day operations—risk assessment, asset management, vulnerability management, security architecture, secure software development, identity and access management, audit logging and monitoring, etc.

Q: How can organizations future-proof their security strategies to maintain resilience in the years ahead? 

A: Security strategies have to be living, breathing artifacts. An organization’s overall security strategy and roadmap need to be refreshed every 2-3 years in response to changes in the business’ operating environment, shifts in the threat landscape, technological innovation, obsolescence of the existing technology stack, legal & regulatory requirements, and other micro- and macro-elements of the organization as a going concern.

Q: How do you envision the role of cybersecurity professionals evolving in the coming years? What skills will be most in demand? 

A: Skills requirements have appeared to be trending towards cyber security generalists, but I believe this will be reversed in the future, reverting to the importance of deep technical expertise and rewarding engineers with advanced technical skills. Hence, skills that will be in premium demand will be security governance, cloud security, threat intelligence, AI and ML, Operational Technology (OT) security, and regulatory and compliance.

Q: How do you stay informed about the latest developments in cybersecurity and privacy? What resources do you find most valuable? 

A: I stay informed on industry developments through a combination of formal and informal learning. I use courses and training for formal education, including conferences and classroom-led opportunities. Informally, I follow many technical publications and engage with my peers across different industries and geographies. There’s also a significant amount of learning in my advisory work with governments, regulators, and corporations.

Q: As you’ve progressed through technical and leadership positions, what new skills or perspectives have you had to develop to remain effective in your roles? 

A: The main perspective that has driven my transition to leadership positions is that the most challenging issues in cybersecurity occur at the intersection of technology, legal/regulatory, and business. Hence, developing competencies across these three (3) areas has helped me to be more effective as a technical and people leader. Also, it’s critical to acknowledge that the hardest part of cyber risk management is relationship building, collaboration, and communication, both vertically and horizontally.

Q: What is the best piece of advice you’ve gotten in your career? 

A: A mentor once told me that to truly be successful, you have to both “stand out” and “stand up.” Standing out means you have to work hard to be better in everything you do—so mediocrity isn’t an option. Standing up means you must challenge the status quo and serve as an example by bringing others along with you. True leaders create other leaders.
