Quote for the day:
“Only put off until tomorrow what you are willing to die having left undone.” -- Pablo Picasso
Why FinOps Belongs in Your CI/CD Workflow

By codifying FinOps governance policies, teams can put guardrails in place while
still granting developers autonomy to create resources. Guardrails don’t stifle
innovation — they’re simply there to prevent costly mistakes. Every engineer
makes mistakes, but guardrails ensure that those mistakes don’t lead to
$10K-per-day cloud bills due to an overlooked database instance in a Terraform
template taken off of GitHub. Additionally, policy enforcement must be dynamic
and flexible, allowing organizations to adjust tagging, cost constraints and
security requirements as they evolve. AI-driven governance can scale policy
enforcement by identifying repeatable patterns and automating compliance checks
across environments. ... Shifting left in FinOps isn't just about cost
visibility; it means enforcing cost efficiency as code in the pipeline and then
continuously on production systems. Legacy cost analysis tools provide
visibility into cloud spending but rarely offer actionable cleanup
recommendations. A shift-left approach should instead deliver actionable
insights for cloud waste reduction: predefined cost-saving policies that
highlight underutilized or orphaned resources, and automated cleanup workflows
that help reclaim unused infrastructure.
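As an added example (not code from the article or from any FinOps vendor), here is the kind of plan-time guardrail the passage describes, written to run as a CI job against the JSON that `terraform show -json` produces. The policy values, the required tag names, the `finops-exemption` tag and the embedded sample plan are all assumptions constructed for illustration.

```python
"""Plan-time FinOps guardrail for a CI pipeline (added example, assumptions only).
Reads the JSON that `terraform show -json tfplan` emits and fails the job when a
resource being created or updated breaks tagging or sizing policy."""
import json
import sys

# Assumed policy values; tune them from your own cost data.
POLICY = {
    "required_tags": {"owner", "cost-center", "environment"},
    "allowed_instance_types": {"t3.micro", "t3.small", "t3.medium", "m6i.large"},
    "allowed_db_classes": {"db.t3.micro", "db.t3.small", "db.t3.medium"},
    "max_db_storage_gb": 200,
    # Assumed: a tag carrying a ticket id that lets a reviewed resource bypass size checks.
    "exemption_tag": "finops-exemption",
}


def check_resource(rc: dict, policy: dict) -> list:
    """Return violation strings for one entry of plan['resource_changes']."""
    change = rc.get("change", {})
    if not {"create", "update"} & set(change.get("actions", [])):
        return []  # deletes, reads and no-ops cannot add spend
    after = change.get("after") or {}  # planned post-apply attributes
    addr, rtype = rc["address"], rc["type"]
    tags = after.get("tags") or {}
    findings = []
    missing = sorted(policy["required_tags"] - set(tags))
    if missing:
        findings.append(f"{addr}: missing required tags {missing}")
    exempt = policy["exemption_tag"] in tags
    if rtype == "aws_instance":
        itype = after.get("instance_type")
        if itype not in policy["allowed_instance_types"] and not exempt:
            findings.append(f"{addr}: instance_type {itype!r} not on allow-list")
    elif rtype == "aws_db_instance":
        cls = after.get("instance_class")
        if cls not in policy["allowed_db_classes"] and not exempt:
            findings.append(f"{addr}: instance_class {cls!r} not on allow-list")
        storage = after.get("allocated_storage") or 0
        if storage > policy["max_db_storage_gb"] and not exempt:
            findings.append(f"{addr}: allocated_storage {storage} GiB exceeds "
                            f"{policy['max_db_storage_gb']} GiB limit")
    return findings


def evaluate_plan(plan: dict, policy: dict = POLICY) -> list:
    """Evaluate every planned change; an empty list means the plan passes."""
    return [f for rc in plan.get("resource_changes", []) for f in check_resource(rc, policy)]


# Constructed excerpt in the shape of `terraform show -json` output (not a real plan).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {
             "instance_type": "t3.small",
             "tags": {"owner": "web-team", "cost-center": "CC-100", "environment": "prod"}}}},
        {"address": "aws_db_instance.analytics", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after": {
             "instance_class": "db.r6g.4xlarge", "allocated_storage": 2000,
             "tags": {"owner": "data-team", "environment": "prod"}}}},
        {"address": "aws_instance.legacy", "type": "aws_instance",
         "change": {"actions": ["delete"], "before": {"instance_type": "m5.4xlarge"}, "after": None}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {
             "bucket": "acme-logs", "tags": {"owner": "platform", "cost-center": "CC-100"}}}},
        {"address": "aws_instance.batch", "type": "aws_instance",
         "change": {"actions": ["update"], "after": {
             "instance_type": "c6i.8xlarge",
             "tags": {"owner": "ml-team", "cost-center": "CC-200", "environment": "prod",
                      "finops-exemption": "FIN-1234"}}}},
    ],
}


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = evaluate_plan(plan)
    for p in problems:
        print("DENY", p)
    sys.exit(1 if problems else 0)
```

Run it after `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` as `python guardrail.py plan.json`; a non-zero exit blocks the merge. Evaluating the rendered plan rather than the HCL catches values that only resolve at plan time, such as an instance class set through a variable or a module pulled from GitHub, which is exactly the overlooked-database case the passage warns about.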
How AI is changing cybersecurity for better or worse

“Agentic AI, capable of independently planning and acting to achieve specific
goals, will be exploited by threat actors,” Lohrmann says. “These AI agents can
automate cyberattacks, reconnaissance and exploitation, increasing attack speed
and precision.” Malicious AI agents might adapt in real-time, bypassing
traditional defenses and enhancing the complexity of attacks, Lohrmann says.
AI-driven scams and social engineering will surge, Lohrmann says. “AI will
enhance scams like ‘pig butchering’ — long-term financial fraud — and voice
phishing, making social engineering attacks harder to detect,” he says. ... AI
can also benefit organizations’ cybersecurity programs. “In general, AI-enabled
platforms can provide a more robust, technology-backed line of defense against
threat actors,” Cullen says. “Because AI can process huge amounts of data, it
can provide faster and less obvious alerts to these threats.” Cybersecurity
teams need to “fight fire with fire” by detecting and stopping threats with AI
tool sets, Lohrmann says. For example, with new AI-enabled tools, employee
actions such as inappropriate clicking on links, sending emails to the wrong
people, and other policy violations can be detected and stopped before a breach
occurs.
Learning AI governance lessons from SaaS and Web2

Autonomous systems are advancing quickly, with agents emerging that can
communicate with each other, execute complex tasks, and interact directly with
stakeholders. While these autonomous systems
introduce exciting new use cases, they also create substantial challenges. For
example, an AI agent automating customer refunds might interact with financial
systems, log reason codes for trends analysis, monitor transactions for
anomalies, and ensure compliance with company and regulatory policies — all
while navigating potential risks like fraud or misuse. ... Early SaaS and Web2
companies often relied on reactive strategies to address governance issues as
they emerged, adopting a “wait and see” approach. SaaS companies focused on
basics like release sign-offs, access controls, and encryption, while Web2
platforms struggled with user privacy, content moderation, and data misuse.
This reactive approach was costly and inefficient. SaaS applications scaled
with manual processes for user access management and threat detection that
strained resources. ... A continuous, automated approach is the key to
effective AI governance. By embedding tools that enable these features into
their operations, companies can proactively address reputational, financial,
and legal risks while adapting to evolving compliance demands.
7 types of tech debt that could cripple your business

For a software developer, writing code feels easier than reviewing someone
else's code and understanding how to use it. Searching for and integrating open source libraries
and components can be even easier, as the weight of long-term support isn’t at
the top of many developers’ minds when they are pressured to meet deadlines and
deploy frequently. ... “The average app contains 180 components, and failing to
update them leads to bloated code, security gaps, and mounting technical debt.
Just as no one wants to run mission-critical systems on decade-old hardware,
modern SDLC and DevOps practices must treat software dependencies the same way —
keep them updated, streamlined, and secure.” ... CIOs with sprawling
architectures should consider simplifying them, and one step is to establish
architectural observability practices. These include creating architecture and
platform performance indicators by aggregating application-level monitoring,
observability, code quality, total costs, DevOps cycle times, and incident
metrics as a tool to evaluate where architecture impacts business operations.
... Joe Byrne, field CTO of LaunchDarkly, says, “Cultural debt can have several
negative impacts, but specific to AI, a lack of proper engineering practices,
resistance to innovation, tribal knowledge gaps, and failure to adopt modern
practices all create significant roadblocks to successfully leveraging AI.”
Why people are the key to successful cloud migration

The consequences of overlooking the human element are significant. According to
McKinsey’s research, European companies are five times more likely than their US
counterparts to pursue an IT-led cloud migration, focusing primarily on ‘lifting
and shifting’ existing workloads rather than transforming how people work. This
approach might explain why many organisations are seeing limited returns on
their investment. Migration creates a good opportunity to review methods and
processes while ensuring teams have the tools they need to work efficiently.
Without attention to both human impact and technological enablement, even the
most technically sound migration can fail to deliver the desired results. ... The true value of cloud
transformation extends far beyond technical metrics and cost savings.
Organisations need to track employee satisfaction and engagement levels
alongside traditional technical key performance indicators (KPIs). This includes
monitoring adoption rates of new tools, time saved through improved processes,
and skill development achievements. Business impact measures should encompass
customer satisfaction, process efficiency improvements, and innovation metrics.
Long-term value indicators such as employee retention rates, internal mobility,
and team productivity provide a more complete picture of transformation
success.
Evolving Technology and Corporate Culture Toward Autonomous IT and Agentic AI

Corporate culture will shape how seamlessly and effectively the modernization
effort toward a more autonomous and intelligent enterprise operation will
unfold. The best approaches align technology and culture along a structured
journey model — assessing both the IT and workforce needs around data maturity,
process automation, AI readiness, and success metrics. Such efforts can quickly
propel organizations toward the largely self-sustaining capabilities and
ecosystem of Agentic AI and autonomic IT. As IT teams become more comfortable
relying on AI, machine learning, predictive analytics, and automation, they can
begin to turn their attention to unlocking the power of Agentic AI. The term
refers to advanced scenarios where machine and human resources blend to create
an AI assistant capable of delivering accurate predictions, tailored
recommendations, and intelligent automations that drive business efficiency and
innovation. Such systems leverage generative AI and unsupervised ML combined
with human-in-the-loop automation training models to revolutionize IT
operations. Relinquishing the responsibility of mundane, repetitive tasks, IT
teams can begin to reap the benefits of autonomic IT — a seamlessly integrated
ecosystem of advanced technologies designed to enhance IT operations.
Building a Data Governance Strategy

In implementing a data strategy, a company can face several obstacles,
including:

Cultural resistance: Cultural resistance emerges throughout the DG journey, from
initial strategy discussions through implementation and beyond. Teams and
departments may resist changes to their established processes and workflows,
requiring sustained change management efforts and clear communication of
benefits.

Lack of resources: Viewing governance solely through a compliance lens leads to
underinvestment, with 54% of data and analytics professionals finding the
biggest hurdle is a lack of funding for their data programs. In the meantime,
the demands of data governance have increased significantly due to a complex and
evolving regulatory landscape and accelerated digital transformation where
businesses must rely heavily on data-driven systems.

Scalability: Modern enterprises must manage data across an increasingly complex
ecosystem of cloud platforms, personal devices, and decentralized systems. This
dispersed data environment creates significant challenges for maintaining
consistent governance practices and data quality.

Demands for unstructured data: The growing demand for AI-driven insights
requires organizations to govern increasing volumes of unstructured data,
including videos, emails, documents, and images.
How CISOs can meet the demands of new privacy regulations

The responsibility for implementing and documenting privacy controls and
policies falls primarily on the shoulders of the CISO, who must ensure that the
organization's procedures for managing information protect personal data and
meet regulatory requirements. Performing risk assessments that identify
weaknesses and demonstrate that they are being addressed is a crucial step in
the process, even more so now that they must be ready to produce risk
assessments whenever regulatory bodies request them. As if CISOs needed an added
incentive, regulators at the state and federal levels have been trending toward
targeting organization management, particularly CISOs, in the wake of costly
breaches. The consequences include hefty fines for organizations and, in
worst-case scenarios, even jail sentences for CISOs. Responsibility for privacy
protections also extends to third-party risks. Organizations can’t afford to
rely solely on promises made by third-party providers, because regulators and
state attorneys general can hold an organization responsible for a breach even
if the exploited vulnerability belonged to a provider. Organizations need
to implement a framework for third-party risk management that includes
performing due diligence on the security postures of third parties.
Guess Who’s Hiding in Your Supply Chain

There are plenty of high-profile attacks that demonstrate how hackers use the
supply chain to access their target organisation. One of the most notable was
the attack on SolarWinds, where hackers inserted malicious code into a build of
its IT monitoring and management software, so that the vendor's own signed
update carried it to customers further down the supply chain. Thousands of
public and private organisations installed the trojanised update, and from those
the attackers selected targets for follow-on compromise of data, networks and
systems. This included spying on government agencies, in what became a
major breach to national security. Government departments noticed that sensitive
emails were missing from their systems and major private companies such as
Microsoft, Intel, and Deloitte were also affected. With internal workings
exposed, hackers could also gain access to data and networks of customers and
partners of those originally affected, allowing the attack to spiral in impact
and affect thousands of organisations. Visibility is key to guard against future
attacks – without it an organisation can’t effectively or reliably identify
suspicious activity. ... Put in perspective, the damage a single intruder with
this kind of foothold could cause is hard to overstate. Security teams
must deploy a multi-layered arsenal of tools and tactics to cover their bases
and should provision identities with only as much access as is absolutely
necessary.
11 ways cybercriminals are making phishing more potent than ever

Brand impersonation continues to be a favored method to trick users into opening
a malicious file or entering their details on a phishing site. Threat actors
typically impersonate major brands, including document sharing platforms such as
Microsoft’s OneDrive and SharePoint, and, increasingly frequently, DocuSign.
Attackers exploit employees’ inherent trust in commonly used applications by
spoofing their branding before tricking recipients into entering credentials or
approving fraudulent document requests. ... Another significant phishing
evolution involves abusing trusted services and content delivery platforms.
Attackers are increasingly using legitimate document-signing and file-hosting
services to distribute phishing lures. They first upload malicious content to a
reputable provider, then craft phishing emails or messages that reference these
trusted services and content delivery platforms. “Since these services host the
attacker’s content, vigilant users who check URLs before clicking may still be
misled, as the links appear to belong to legitimate and well-known platforms,”
warns Greg ... Image-based phishing is also becoming more sophisticated:
fraudsters craft images that look like text-based emails to improve their
apparent authenticity while still bypassing conventional text-scanning email
filters.
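As an added example, not from the article or from any mail-security product, the following heuristics score a message for the three patterns described above: a brand named in the display name or subject by a sender outside that brand's own domains, links from an external sender into a trusted hosting or e-signature service, and a body that is essentially a single image. The brand and hosting lists, the weights, the verdict thresholds and the three sample messages are constructed assumptions, not a vendor's ruleset.

```python
"""Heuristic phishing triage for brand impersonation, trusted-service abuse and
image-only lures (added example; all lists, weights and samples are assumptions)."""
import re
from urllib.parse import urlparse

# Assumed map of impersonated brands to sender domains they legitimately use;
# not authoritative, build yours from observed legitimate mail flow.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "onedrive": {"microsoft.com"},
    "sharepoint": {"microsoft.com", "sharepointonline.com"},
    "docusign": {"docusign.com", "docusign.net"},
}
# Assumed set of legitimate file-hosting / e-signature domains that lures get parked on.
TRUSTED_HOSTING = {"sharepoint.com", "1drv.ms", "docusign.net", "dropbox.com", "box.com"}
WEIGHTS = {"brand": 3, "hosting": 2, "image": 2}  # assumed weights
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels). A real filter should use the
    public suffix list; this version breaks on suffixes such as co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(msg: dict, internal_domain: str) -> tuple:
    """Return (score, reasons) for one parsed message.
    Assumes msg['from_addr'] has already passed SPF/DKIM/DMARC; an
    unauthenticated From header can claim any domain."""
    score, reasons = 0, []
    sender_reg = registrable(msg["from_addr"].rsplit("@", 1)[-1])
    external = sender_reg != registrable(internal_domain)
    haystack = f"{msg['from_name']} {msg['subject']}".lower()

    if external:
        # 1. Brand impersonation: brand in display name/subject, sender not in its domains.
        for brand, legit in BRAND_DOMAINS.items():
            if brand in haystack and sender_reg not in {registrable(d) for d in legit}:
                reasons.append(f"brand: '{brand}' in sender name/subject but sender domain is {sender_reg}")
                score += WEIGHTS["brand"]
        # 2. Trusted-service abuse: external sender linking into a well-known hosting platform.
        hosts = {registrable(urlparse(u).hostname or "") for u in URL_RE.findall(msg["body_text"])}
        for h in sorted(hosts & TRUSTED_HOSTING):
            reasons.append(f"hosting: external sender links into trusted service {h}")
            score += WEIGHTS["hosting"]

    # 3. Image-based lure: the visible "text" of the email is an inline image.
    if msg.get("inline_images", 0) >= 1 and len(msg["body_text"].split()) < 20:
        reasons.append("image: body is an inline image with little or no real text")
        score += WEIGHTS["image"]
    return score, reasons


def verdict(score: int) -> str:
    return "quarantine" if score >= 3 else "review" if score > 0 else "deliver"


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    {   # impersonates DocuSign and parks the lure on a real SharePoint tenant
        "from_name": "DocuSign", "from_addr": "no-reply@docusign-notify.com",
        "subject": "Completed: please review your document",
        "body_text": "Your document is ready to sign: "
                     "https://acme-corp.sharepoint.com/:b:/s/docs/AbC123 Review within 24 hours.",
        "inline_images": 0,
    },
    {   # legitimate internal mail that also mentions SharePoint and links to it
        "from_name": "Alice Example", "from_addr": "alice@example.com",
        "subject": "Q3 SharePoint migration plan",
        "body_text": "Hi team, the migration plan is at https://example.sharepoint.com/sites/it/plan.docx "
                     "- please read it before Thursday's meeting and add comments.",
        "inline_images": 0,
    },
    {   # image-only invoice lure: the whole message is a picture of text
        "from_name": "Accounts", "from_addr": "billing@bulk-mailer.xyz",
        "subject": "Invoice 10042 overdue", "body_text": "See attached.", "inline_images": 1,
    },
]


def triage_all(messages, internal_domain="example.com"):
    """Score every message; returns [(subject, score, verdict), ...]."""
    out = []
    for m in messages:
        score, _ = triage(m, internal_domain)
        out.append((m["subject"], score, verdict(score)))
    return out


if __name__ == "__main__":
    for subject, score, v in triage_all(SAMPLE_MESSAGES):
        print(f"{v:10s} score={score}  {subject}")
```

The hosting and image checks are deliberately weighted below the quarantine threshold on their own, because a single link to SharePoint or a short note with a logo is normal traffic; what makes the first sample dangerous is the combination of a look-alike sender domain and a lure hosted where URL-checking users expect to see it. The image check is the cheap answer to lures that defeat text scanning: when a message carries an inline image and almost no text, the image is the message, and it deserves OCR or human review rather than a pass.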