Quote for the day:
“The more you lose yourself in something bigger than yourself, the more energy you will have.” -- Norman Vincent Peale
Co-creation is a hot buzzword encouraging individuals to integrate and create
with each other, but the simplest way to integrate and create is in the mind of
one person — if they’re willing to push forward and do it. Even further, what
can an integrated team of diverse minds accomplish when they co-create? ... In
the age of AI, humans will need to focus on what humans do well. At the moment,
at least, that’s making novel connections, thinking by analogy and creating the
new. Our single-field approach to learning, qualifications and career ladders
makes it hard for us to compete with machines that are often smarter than we are
in any given discipline. For that creative spark and to excel at what messy,
forgetful, slow, imperfect humans do best, we need to work, think and live
differently. In fact, the founders of five of the largest companies in the world
are (or were) polymaths — mentally diverse people skilled in multiple
disciplines — Bill Gates, Steve Jobs, Warren Buffett, Larry Page and Jeff Bezos.
They learn because they’re curious and want to solve problems, not for a career
ladder. It’s easier than ever, today, to learn with AI and online materials and
to collaborate with tech and humans around the world. All you need to do is open
inward to your talents and desires, explore, collect and fuse.

In the case of the cloud, the problem is that senior management thinks that the
cloud is always cheaper, that you can always cut costs by moving to the cloud.
This is despite the recent stories on “repatriation,” or moving cloud
applications back into the data center. In the case of cloud projects, most
enterprise IT organizations now understand how to assess a cloud project for
cost/benefit, so most of the cases where impossible cost savings are promised
are caught in the planning phase. For AI, both senior management and line
department management have high expectations with respect to the technology, and
in the latter case may also have some experience with AI in the form of
as-a-service generative AI models available online. About a quarter of these
proposals quickly run afoul of governance policies because of problems with data
security, and half of this group dies at this point. For the remaining
proposals, there is a whole set of problems that emerge. Most enterprises admit
that they really don’t understand what AI can do, which obviously makes it hard
to frame a realistic AI project. The biggest gap identified is between an AI
business goal and a specific path leading to it. One CIO calls the projects
offered by user organizations as “invitations to AI fishing trips” because the
goal is usually set in business terms, and these would actually require a
project simply to identify how the stated goal could be achieved.

While the Lockton team is looking at everything from immersion cooling to
drought, there are a handful of risks where it feels the industry isn't
adequately preparing. “The big thing that isn't getting on people's radars in a
growing way is customer equipment,” Hayhow says. “Looking at this through the
lens of the data center owner or developer, it's often very difficult. It's a
bit of an unspoken conversation that the equipment in the white space belongs to
the customer. Often you don't have custody over it, you don't have visibility
over it, and it’s highly proprietary. But the value of it is growing.” Per
square meter of white space, the Lockton partner suggests that the value of the
equipment five years from now will be exponentially larger than the value of the
equipment five years ago, as more data centers invest in expensive GPUs and
other equipment for AI use cases. “Leases have become clearer in terms of
placing responsibility for damage to customer equipment more squarely on the
shoulders of the owner, developer,” Hayhow says. “We're having that conversation
in the US, where the halls are larger, the value of the equipment is greater,
and some of the hyperscale customers are being much more prescriptive in terms
of wanting to address the topic of damage to our equipment … if you lose 20
megawatts worth of racks of Nvidia chips, the lead time to get those replaced,
unless you're building elsewhere, is quite significant.”

“It may not be as candid as what humans would do during those sessions, but AI
agents used by your workforce do need to be trained. They need to understand
what your company policies are, including what is acceptable behavior, what data
they're allowed to access, what actions they're allowed to take,”
Maneval explained. ... “Most AI tools are just trained to do the same thing
over and over and so it means decisions are based on assumptions from limited
information,” she explained to Infosecurity. “Additionally, most AI tools solve
real problems but also create real risks, and each solves different problems and
creates different risks.” While some cybersecurity experts argue that auditing
AI tools is no different to auditing any other software or application, Maneval
disagrees. ... Maneval said her “rule of thumb” is that whether you’re dealing
with traditional machine learning algorithms, generative AI applications or AI
agents, “treat them like any other employees.” This not only means that
AI-powered agents should be trained on security policies but should also be
forced to respect security controls that the staff have to respect, such as
role-based access controls (RBAC). “You should look at how you treat your humans
and apply those same controls to the AI. You probably do a background check
before anyone is hired. Do the same thing with your AI agent. ..."

Why should a security leader need to experience a major cyber incident to earn
business colleagues’ respect? Jeff Pollard, VP and principal analyst at
Forrester, says this enterprise perception problem is “just part of human
nature. If we don’t see the bad thing happening, we don’t appreciate all of
the things that were done to prevent that bad thing from happening.” Of
course, if an attack turns into an incident and defense goes poorly, “it can
easily turn from a hero moment to a scapegoat moment,” Pollard says.
Oberlaender, who now works as a cybersecurity consultant, is among those who
believe hard-earned experience should be rewarded, but that’s not what he’s
seeing in the market today. ... CISOs “feel that they need to fight off an
attack to show value, but there are many other successes they can do and
show,” says Erik Avakian, technical counselor at Info-Tech Research Group.
“Building KPIs is a powerful way to show their value.” ... Chris Jackson, a
senior cybersecurity specialist with tech education vendor Pluralsight,
reinforces the frustration that many enterprise CISOs feel about the lack of
appropriate respect from their colleagues and bosses. “CISOs are a lot like
pro sports coaches. It doesn’t matter how well they performed during the
season or how many games they won. If they don’t win the championship, it’s
seen as a failure, and the coach is often the first to go,” Jackson
says.

Organizations have improved oversight of their direct partners, but few can see
beyond the first layer. This limited view leaves blind spots that attackers can
exploit, particularly through third-party software or service providers. “We’re
in a new generation of risk, one where cyber, geopolitical, technology,
political risk, and other factors are converging and reshaping the landscape.
The impact on markets and operations is unfolding faster than many organizations
can keep up,” said Jim Wetekamp, CEO of Riskonnect. ... Third-party and
nth-party risks continue to expose companies to disruption. Most organizations
have business continuity plans for supplier disruptions, but their monitoring
often stops at direct partners. Only a small fraction can monitor risks across
multiple tiers of their supply chain, and some cannot track their critical
technology providers at all. Organizations still underestimate how dependent
they are on third parties and continue to rely on paper-based continuity plans
that offer a false sense of security. ... More companies now have a chief risk
officer, but funding for technology and tools has barely moved. Most risk
leaders say their budgets have stayed the same even as they are asked to cover
more ground. Many are turning to automation and specialized software to do more
with what they already have.

Great CISOs today combine strategic leadership, financial knowledge,
technological skills, and empathy to turn cybersecurity from a burden on
operations into a strong enabler. This change happens faster with artificial
intelligence. AI has a lot of potential, but it also makes things more
uncertain. It can do things like forecast threats and automate orchestration.
CISOs need to see AI problems as more than just technological problems; they
need to see them as business risks that need clear communication, openness, and
quick response. ... Not storytelling, but data and graphics win over executives.
Suggested metrics include:
Predictive accuracy - The percentage of risks that AI flagged before a breach compared to the percentage of threats that AI flagged after it happened.
Speed of reaction - The average time it took for AI-enabled confinement to work compared to manual reaction.
False positive rate - Tech teams employed AI to improve alerts and cut down on alert fatigue from X to Y.
Third-party model risk - The number of outside model calls that were looked at and accepted.
Visual callout suggestion - A mock-up of a dashboard that illustrates AI risk KPIs, a trendline of predictive value, and a drop in incidences.
... Change from being an IT responder who reacts to problems to a
strategic AI-enabled risk leader. Take ownership of your AI risk story, keep an
eye on third-party models, provide your board clear information, and make sure
your war room functions quickly.

“The narrative of bigger is better and biggest is best has been shown for the
lie it always has been,” Owen Sayers, an independent security architect and data
protection specialist with a long history of working in the public sector, told
Computer Weekly. “The proponents of hyperscale cloud will always say they have
the best engineers, the most staff and the greatest pool of resources, but
bigger is not always better – and certainly not when countries rely on those
commodity global services for their own national security, safety and
operations. “Nationally important services must be recognised as best delivered
under national control, and as a minimum, the government should be knocking on
AWS’s door today and asking if they can in fact deliver a service that
guarantees UK uptime,” he said. “Because the evidence from this week’s outage
suggests that they cannot.” ... “In light of today’s major outage at Amazon Web
Services … why has HM Treasury not designated Amazon Web Services or any other
major technology firm as a CTP for the purposes of the Critical Third Parties
Regime,” asked Hillier, in the letter. “[And] how soon can we expect firms to be
brought into this regime?” Hillier also asked HM Treasury for clarification
about whether or not it is concerned about the fact that “seemingly key parts of
our IT infrastructure are hosted abroad” given the outage originated from a
US-based AWS datacentre region but impacted the activities of Lloyds Bank and
also HMRC.

It is possible to have a future in which the field of quantum computation could
serve as the foundation for blockchain consensus. The future is alluring;
quantum algorithms can provide solutions to the issues that classical computers
find difficult and the method may be more effective and resistant to brute-force
attacks. The danger, however, is significant: when quantum computers are
sufficiently robust, existing encryption standards can be compromised. ...
Federated learning is another upcoming element of blockchain studies, a machine
learning model training technique that avoids data centralisation. Federated
learning enables various devices or nodes to feed into a standard model instead
of storing sensitive data in a central server inaccessible to third parties. ...
The issue of privacy is of specific importance today due to the increased
regulatory pressure on exchanges and cryptocurrency companies. A compromise
between user privacy and regulatory openness could prove to be the key to
success. Studies of privacy-saving instruments provide a competitive advantage
to blockchain developers and for exchanges interested in increasing their
influence on the global economy. ... The decade of blockchain research to come
will not be characterised by fast transactions or cheaper costs. It will redraw
the borders of trust, calculation, and privacy in digitally based
economies.

The ransomware group LockBit has recently introduced "LockBit 5.0", reportedly
incorporating artificial intelligence for attack randomisation and enhanced
targeting options, with a focus on regaining its previous position atop the
ransomware ecosystem. Medusa, by contrast, was noted to have fallen behind due
in part to lacking widespread automated and customisable features, despite
previous activity levels. ReliaQuest's analysis predicts the rise of new groups
through the lens of its three-factor model, specifically naming "The Gentlemen"
and "DragonForce" as likely to become major threats due to their adoption of
advanced technical capabilities. The Gentlemen, for instance, has listed over 30
victims on its data-leak site within its first month of activity, underpinned by
automation, prioritised encryption, and endpoint discovery for rapid lateral
movement. Conversely, groups such as "Chaos" and "Nova" are likely to remain
minor players, lacking the integral features associated with higher victim
counts and affiliate recruitment. ... RaaS groups now use automation to reduce
breakout times to as little as 18 minutes, making manual intervention too slow.
Implement automated containment and response plays to keep pace with attackers.
These workflows should automatically isolate hosts, block malicious files, and
disable compromised accounts quickly after a critical detection, containing the
threat before ransomware can be deployed.
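As an added illustration of such a containment play (a constructed example, not ReliaQuest's or any vendor's code): the play only acts on critical detections, deduplicates actions across correlated alerts, and flags hosts whose detection is already older than the 18-minute breakout time cited above. Hostnames, accounts and hash values are made up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Fastest breakout time cited above; the play should finish inside this window.
BREAKOUT_BUDGET = timedelta(minutes=18)

@dataclass
class Alert:
    detected_at: datetime
    severity: str      # e.g. "critical", "medium"
    host: str          # constructed hostname
    user: str          # account seen in the detection
    file_hash: str     # constructed placeholder, not a real indicator

@dataclass
class ContainmentPlan:
    actions: list = field(default_factory=list)      # (action, target) tuples
    escalations: list = field(default_factory=list)  # hosts past the budget
    skipped: list = field(default_factory=list)      # non-critical alerts

def plan_containment(alerts, now, already_done=()):
    """Build a deduplicated containment plan from critical alerts only."""
    plan = ContainmentPlan()
    seen = set(already_done)  # actions from an earlier run are not repeated
    for a in sorted(alerts, key=lambda x: x.detected_at):
        if a.severity != "critical":
            plan.skipped.append(("not_critical", a.host))
            continue
        if now - a.detected_at > BREAKOUT_BUDGET:
            # Past the window: still contain, but flag for human follow-up.
            plan.escalations.append(a.host)
        for action in (("isolate_host", a.host),
                       ("block_hash", a.file_hash),
                       ("disable_account", a.user)):
            if action not in seen:
                seen.add(action)
                plan.actions.append(action)
    return plan

def sample_run(now=datetime(2025, 1, 1, 12, 0), already_done=()):
    """Constructed alerts: two critical on one host, one medium elsewhere."""
    alerts = [
        Alert(now - timedelta(minutes=5), "critical", "ws-042", "jdoe", "HASH-A"),
        Alert(now - timedelta(minutes=20), "critical", "ws-042", "jdoe", "HASH-B"),
        Alert(now - timedelta(minutes=1), "medium", "ws-099", "asmith", "HASH-C"),
    ]
    return plan_containment(alerts, now, already_done)
```

Feeding the returned actions into the next run via `already_done` makes the play idempotent, so a re-triggered alert does not re-isolate a host that is already contained.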