The aim here is to make sure security supports the business objectives and strategy. Every department in the hybrid model, in turn, decides how its security efforts contribute to overall risk reduction and a better security posture. This means setting a baseline of security controls, communicating it to all business units, and then gradually rolling out training, updating policies and aligning risk, assurance and audit processes with it. While developing this baseline, however, input from the various departments should be sought, as it is essential to ensure adoption. Once an overall control framework has been developed, departments are asked to come up with a specific set of controls that meets their business requirements and takes the distinctive characteristics of their business unit into account. This should be followed by a gap assessment to identify inconsistencies with the baseline framework.
Games make us happy because they are hard work that we choose for ourselves. And it turns out that nothing makes us happier than good, hard work. We don't normally think of games as hard work. After all, we play games, and we have been taught to think of play as the opposite of work. But nothing could be further from the truth. ... A game is an opportunity to focus our energy on something better. On something that will make us better. On something we are good at, or getting better at, and enjoy. As mentioned above, gameplay is the opposite of depression. And that's why so many games are addictive: they are able to boost our belief that we are capable of doing and achieving something. When we're in a state of optimistic engagement, it suddenly becomes biologically easier for us to think positive thoughts. ... Real-world hard work isn't hard enough. You read that right. We become bored and feel underutilised. This happens especially in bigger companies, where you feel that you don't make a big impact with your small piece of work. This is one of the levels of Maslow's hierarchy: feeling appreciated for what you do.
“Nation-state attacks are especially concerning in the OT sector because they’re typically conducted by well-funded, highly capable cyber criminals and are aimed at critical infrastructure,” the report said. The report is based on an analysis of responses from 701 respondents in the US, UK, Germany, Australia, Mexico and Japan working in industries that rely on industrial control systems (ICS) and other forms of OT. It revealed that cyber attacks against OT environments are relentless and continuous. Most organisations in the OT sector have experienced multiple cyber attacks causing data breaches and/or significant disruption and downtime to business operations, plants and operational equipment, with many being hit by nation-state attacks, the report said. The findings showed that cyber attacks are having an effect on physical systems, according to Eitan Goldstein, senior director, strategic initiatives at Tenable. “That is a really big change and that’s why the risk isn’t just theoretical anymore,” he told the BBC.
There is a belief among many senior execs that appointing a C-level exec to oversee a problem or challenge will take care of it or make it go away. If you need proof, consider how many companies now have a Chief Analytics, AI, Brand, Customer, Data, Digital, Experience, Knowledge... you don't really want me to go on, do you... Officer. I'm all for a Chief Information Security Officer (CISO), but many business execs think that, by having one, that person (and IT) has the cybersecurity effort under control. It doesn't work that way. The CISO of a $3 billion bank told me: “I may be responsible for the security of the bank’s information, but it’s the executive team and functional heads who must ensure that we manage and mitigate the day-to-day operational risks of cybersecurity efficiently and effectively.” Data breaches and cyber attacks affect the entire enterprise, not just a single unit, division or department. Decisions to mitigate these threats shouldn’t be relegated to IT. In addition, cyber incidents require communication with the institution’s customers, employees, partners and the media. The executive team and board should help script the organization's responses.
New cyber threats emerge constantly, and the answer to them lies in an aggressive, pre-emptive, proactive posture. Organizations that want to be both successful and secure must begin to think this way. To do so, they must pivot their security mindset and implement solutions that take a comprehensive look at an application and map all of its legitimate executions, based on the code written by its creators, such as Microsoft and Adobe. With that map, they can identify any inconsistency with, or deviation from, the vendor's code. Recognized patterns and actions can then be confirmed in real time, while unidentified activity is reviewed and blocked immediately. A proactive approach is a critical mindset change and an imperative if companies want to be in control of their network security. Organizations that remain reactive will continue to consume valuable resources and risk their reputations as they chase after and remediate the mess left behind once a cyber attack has already happened.
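The "map of legitimate executions" described above is, in practice, an allow-list keyed on what the vendor actually shipped. The following is an added illustration, not code from the original article or from any vendor product: a baseline of expected binary hashes and permitted parent processes, and a classifier that allows matches, blocks binaries that are unknown or whose hash no longer matches the vendor build, and sends known binaries launched from an unexpected parent for review. The image paths, parent names and "binary contents" are constructed stand-ins so the example runs offline; a real deployment would build the baseline from signed release artefacts.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for the vendor's shipped binaries. In production the
# baseline hashes come from the signed release, not from bytes made up here.
APP = r"C:\Program Files\Vendor\app.exe"
UPD = r"C:\Program Files\Vendor\updater.exe"
FAKE_BINARIES = {
    APP: b"vendor app v1 build",
    UPD: b"vendor updater v1 build",
}


def sha256(data: bytes) -> str:
    """Hex SHA-256 of the given bytes (the identity we key the allow-list on)."""
    return hashlib.sha256(data).hexdigest()


# The "map": image path -> (expected SHA-256, parents allowed to launch it).
# Hypothetical parent names chosen for illustration.
BASELINE = {
    APP: (sha256(FAKE_BINARIES[APP]), {"explorer.exe"}),
    UPD: (sha256(FAKE_BINARIES[UPD]), {"app.exe", "services.exe"}),
}


@dataclass(frozen=True)
class ExecEvent:
    """One observed process start, as an EDR/Sysmon-style sensor would report it."""
    image: str       # full path of the launched executable
    image_hash: str  # SHA-256 of the file on disk at launch time
    parent: str      # image name of the parent process
    cmdline: str


def classify(event: ExecEvent, baseline=BASELINE) -> tuple[str, str]:
    """Return (decision, reason): 'allow', 'review' or 'block'."""
    expected = baseline.get(event.image)
    if expected is None:
        # Never seen in the vendor map: default-deny, exactly the "unidentified
        # activity is blocked" behaviour the text describes.
        return "block", "image not present in execution baseline"
    expected_hash, allowed_parents = expected
    # compare_digest avoids a timing side channel on the hash comparison.
    if not hmac.compare_digest(event.image_hash, expected_hash):
        # Known path but different bytes: patched, trojanised or replaced binary.
        return "block", "hash differs from vendor build"
    if event.parent not in allowed_parents:
        # Legitimate binary, unusual launch chain (e.g. spawned by an Office
        # process): not proven bad, so route to review rather than block.
        return "review", "known binary launched by unexpected parent"
    return "allow", "matches execution baseline"


# Constructed sample events: two normal launches, a tampered binary, an odd
# parent, and an unknown executable dropped in a user-writable directory.
SAMPLE_EVENTS = [
    ExecEvent(APP, sha256(FAKE_BINARIES[APP]), "explorer.exe", '"app.exe"'),
    ExecEvent(UPD, sha256(FAKE_BINARIES[UPD]), "app.exe", '"updater.exe" /check'),
    ExecEvent(APP, sha256(b"vendor app v1 build + injected code"), "explorer.exe", '"app.exe"'),
    ExecEvent(UPD, sha256(FAKE_BINARIES[UPD]), "winword.exe", '"updater.exe" /silent'),
    ExecEvent(r"C:\Users\Public\helper.exe", sha256(b"dropper"), "app.exe", "helper.exe"),
]


def evaluate(events, baseline=BASELINE) -> list[tuple[str, str]]:
    """Run the classifier over a batch of events and return (image, decision) pairs."""
    return [(e.image, classify(e, baseline)[0]) for e in events]


if __name__ == "__main__":
    for image, decision in evaluate(SAMPLE_EVENTS):
        print(f"{decision:6s} {image}")
```

Note the asymmetry in the decisions: an unknown or modified binary is blocked outright, but a genuine binary with an unusual parent is only queued for review, because hard-blocking every novel launch chain is what makes allow-listing programmes fail on adoption.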
The autonomy principles state that a team can work and deploy independently; it should never have to wait for, or synchronize with, another team. Implementation details should be hidden from other teams, and failures should be isolated within a service so that the system as a whole stays resilient. The principles also state that for each data store there must be exactly one service responsible for it. The first team rule concerning automation is that scaling must be horizontal and automatic. Teams should also embrace a culture of automation, automating tests, deployment and operations as much as possible. They are encouraged to deploy to production early and often, but also to be able to roll back quickly in case of errors. To enable this, services must be highly observable. For all teams, communication is standardized and asynchronous where possible. For synchronous communication they use REST (maturity level 2, without hypermedia), and Kafka for asynchronous communication.
The inefficiency of traditional routing is one of the main reasons why SD-WAN is really taking off. SD-WAN vendors are adding proprietary mechanisms to their routing in order to select the best path, not just the shortest path. Originally, we did not have real-time traffic such as voice and video, which is sensitive to latency and jitter. We also assumed that all links were equal. But in today's networks we see more of a mix and match, for example 100 Gb/s links alongside much slower long-term evolution (LTE) links. The assumption that the shortest path is the best path no longer holds. To overcome the drawbacks of traditional routing, new protocols such as IPv6 segment routing (SRv6) and named data networking (NDN) have emerged, along with vendor-specific SD-WAN mechanisms that improve routing. For optimum routing, effective packet steering is a must, and SD-WAN overlays provide this through encapsulation, which can be a combination of GRE, UDP, Ethernet, MPLS, VXLAN and IPsec. IPv6 segment routing inserts a list of segments into each packet's header, and in named data networking the names themselves can be distributed by routing protocols.
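To make the "best path, not shortest path" point concrete, here is an added example of policy-based path selection of the kind an SD-WAN edge performs; it is illustrative code written for this page, not any vendor's algorithm. It scores each candidate link against a per-application SLA (latency, jitter, loss, with a bandwidth reward for bulk traffic) and disqualifies links that breach the SLA, so voice avoids the one-hop but lossy LTE link while bulk transfers land on the high-capacity Internet path. The link measurements, the link names and the SLA thresholds are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    """Measured state of one WAN path (constructed values, not real probes)."""
    name: str
    hops: int             # underlay hop count, what traditional routing minimises
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    bandwidth_mbps: float


# Constructed WAN: a short MPLS path, a one-hop but lossy LTE backup, and a
# longer but high-capacity Internet path.
LINKS = [
    Link("mpls", hops=2, latency_ms=35, jitter_ms=2, loss_pct=0.1, bandwidth_mbps=100),
    Link("lte", hops=1, latency_ms=80, jitter_ms=25, loss_pct=1.5, bandwidth_mbps=50),
    Link("inet", hops=4, latency_ms=45, jitter_ms=4, loss_pct=0.3, bandwidth_mbps=1000),
]

# Hypothetical per-application SLAs. 'weights' are (latency, jitter, loss,
# bandwidth); the negative bandwidth weight for bulk acts as a capacity reward.
POLICIES = {
    "voice": {"max_latency_ms": 150, "max_jitter_ms": 30, "max_loss_pct": 1.0,
              "weights": (1.0, 2.0, 10.0, 0.0)},
    "bulk": {"max_latency_ms": 500, "max_jitter_ms": 500, "max_loss_pct": 5.0,
             "weights": (0.1, 0.0, 1.0, -0.01)},
}


def shortest_path(links):
    """What hop-count routing would pick, ignoring link quality."""
    return min(links, key=lambda l: l.hops)


def meets_sla(link, policy):
    """True if the link is within every hard threshold of the policy."""
    return (link.latency_ms <= policy["max_latency_ms"]
            and link.jitter_ms <= policy["max_jitter_ms"]
            and link.loss_pct <= policy["max_loss_pct"])


def cost(link, policy):
    """Weighted cost; lower is better for the given application class."""
    w_lat, w_jit, w_loss, w_bw = policy["weights"]
    return (w_lat * link.latency_ms + w_jit * link.jitter_ms
            + w_loss * link.loss_pct + w_bw * link.bandwidth_mbps)


def best_path(links, app):
    """Pick the lowest-cost link that satisfies the application's SLA."""
    policy = POLICIES[app]
    eligible = [l for l in links if meets_sla(l, policy)]
    if not eligible:
        # Failure mode: every link is out of SLA. Degrade to the least-bad
        # link rather than black-holing the traffic; alert on this in practice.
        eligible = list(links)
    return min(eligible, key=lambda l: cost(l, policy))


if __name__ == "__main__":
    print("shortest:", shortest_path(LINKS).name)
    for app in POLICIES:
        print(f"{app:5s} ->", best_path(LINKS, app).name)
```

With these numbers the hop-count answer is the LTE link for everything, whereas the SLA-aware selection steers voice onto MPLS (LTE fails the loss threshold) and bulk onto the Internet path (capacity outweighs its extra hops).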
Commerce in the information age has introduced a multitude of regulations that can threaten a CIO's career path. Whether it's the Sarbanes-Oxley Act, which ensures the accuracy of financial reporting, or GDPR, which protects consumer data, businesses face a plethora of regulatory requirements that inevitably require IT systems to manage them. In some industries, the number and diversity of regulatory mandates have been known to cause compliance fatigue, where people start getting sloppy about compliance as the volume of requirements increases. Compliance failures can not only result in a CIO's dismissal, but they can also cause enterprise-threatening damage through big fines, lawsuits and even criminal prosecution. Just as damaging are failures in governance, where there are no systems in place to track and enforce a company's internal policies. A perfect example is the public embarrassment Facebook had to deal with during the 2018 Cambridge Analytica scandal.
Consider how, behind the curtain of brilliant AI, sit astounding designs that pave the way for instantaneous data retrieval. These pathways and storage units, though each initially the property of a particular team or business unit, are integrated into a holistic framework by the efforts of Information Architects, the unsung heroes of AI, to create an enterprise-wide repository of knowledge that links departments, applications and just about anything else holding clues to user behaviour. But whatever the data source, IAs must first groom the input channels fed to AI systems in order to spotlight patterns worth attention. Everything is given an attribute and a value, and while not every data point will contribute to an overall AI analysis, knowledge across the enterprise must nonetheless be put into accessible structures to help a system draw its own conclusions. IAs curate data according to real business needs to achieve specific, strategic outcomes, and they use AI to adroitly connect the results of that intelligence gathering.
Quote for the day:
"There are some among the so-called elite who are overbearing and arrogant. I want to foster leaders, not elitists." -- Daisaku Ikeda