Government agencies, almost by design, are large and slow-moving. When something goes wrong, the response is often to add another policy and another layer of approvals and reviews. This slows things down even more and frustrates efforts by CIOs and other decision-makers to make informed and timely choices. Further inhibiting—and complicating—operations, individual mission centers facing bureaucratic barriers often create their own duplicative capabilities, delivered quickly and effectively, but just for their own use. These silos are especially common when it comes to information technology and are given the pejorative label of “Shadow IT” by CIOs and others at the enterprise level who want to assert control over all agency technology. ... Don’t reinvent solutions just because that’s the way it’s been done. Resist the urge to customize. Change your policies and practices, if you can, so you can set and use standards that break down application, data and user silos. Push back internally on those policies that exist for the lowest common denominator. Challenge your technologists to leverage these standards and build tools that can solve enterprise problems at speed and scale.
The announcement read: "Italian banks are available to participate in projects and experiments of a digital currency of the European Central Bank, contributing, thanks to the skills acquired in the creation of infrastructure and distributed governance, to speed up the implementation of a European-level initiative in a first nation." A year ago the Association of Italian Banks set up a working group dedicated to deepening its understanding of digital coins and crypto assets. From this group 10 recommendations were announced, including: Monetary stability and full respect for the European regulatory framework must be preserved as a matter of priority; Italian banks are already operating on a distributed ledger technology (DLT) infrastructure with the Spunta project, and they intend to be part of the change brought about by an important innovation such as digital coins; A programmable digital currency represents an innovation in the financial field capable of profoundly revolutionizing money and exchange, a transformation capable of bringing significant potential added value, in particular in terms of the efficiency of operating and management processes. ...
The rise of PaaS has changed what it takes to be a successful enterprise-software vendor. As PaaS services become more sophisticated, software application vendors have a tougher time justifying a price premium for products that could be delivered as a thin user interface on top of generic PaaS services. With PaaS tools giving new entrants and customers themselves the means to develop new applications quickly, software vendors that do not innovate in kind will face increased risk. Software vendors need to defend their share of the profit pool by taking a clear look at where they have the best and most defensible opportunities to differentiate themselves. Rather than going head-to-head with the Big Three, one strategy is to specialize and tailor solutions to the needs of targeted verticals and use cases. This strategy proved successful in the early 2010s, when SaaS disruptors first entered the market. The legacy-software vendors that were closest to the customer and had a high degree of industry and domain expertise protected their market share and maintained their enterprise value-to-revenue multiples, while vendors that stressed differentiation on the basis of their technology were more vulnerable.
Security has never been a top priority for manufacturers. Security features and best practices are often not taken into account when new products are purchased. With COVID-19 requiring companies across all industries to explore remote workforce options, manufacturing companies prioritized, and invested in, automation systems that make it easier for their employees to do their jobs from the safety of their homes. Although it is encouraging to see companies making investments to support their employees, many automation tools are being purchased without considering their security features. Standard security best practices such as checking for previously reported vulnerabilities, changing factory settings and default passwords, and training employees in the secure ways to use the new solutions are not happening. With fewer guards and controls in place, it is easy for industrial control systems to be compromised, whether by an attacker or simply through accident or user error. Despite the challenges plaguing the industry -- outdated technology, a disconnect between safety and security, and vulnerabilities associated with remote work operations -- there are small steps that manufacturers can take to significantly improve their security posture.
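The two checks the excerpt says are being skipped, factory credentials and previously reported vulnerabilities, are mechanical enough to run against an asset inventory before a new automation tool is exposed to remote workers. The script below is an added example, not code from the article or from any vendor: the device inventory, the default-credential table and the advisories are all constructed and hypothetical, standing in for the vendor's own documentation and security bulletins (or a CVE feed) that a real check would consume.

```python
"""Pre-deployment security check for newly purchased automation devices.

Added example; not the article's code. All product names, credentials,
firmware versions and advisories below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """'3.1.7' -> (3, 1, 7) so that versions compare component-wise,
    not lexically ('3.10.0' must sort after '3.9.0')."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    product: str
    fixed_in: str   # first firmware version that contains the fix
    title: str


@dataclass
class Device:
    name: str
    product: str
    firmware: str
    admin_user: str
    admin_password: str
    remote_access: bool  # reachable from the remote workforce's connection?


# Constructed stand-in for the vendor documentation's factory credentials.
DEFAULT_CREDENTIALS = {
    "hmi-panel": [("admin", "admin"), ("admin", "1234")],
    "plc-gateway": [("root", "root"), ("operator", "operator")],
}

# Constructed stand-in for vendor bulletins / a CVE feed (hypothetical issues).
ADVISORIES = [
    Advisory("hmi-panel", "3.2.0", "authentication bypass on web console"),
    Advisory("plc-gateway", "1.8.5", "hard-coded service account"),
]


def check_device(device: Device,
                 defaults=DEFAULT_CREDENTIALS,
                 advisories=ADVISORIES) -> list[str]:
    """Return a list of findings; an empty list means the device passed."""
    findings: list[str] = []

    # 1. Factory settings: is the admin account still using a shipped credential?
    if (device.admin_user, device.admin_password) in defaults.get(device.product, []):
        findings.append("factory default credentials still in use")

    # 2. Previously reported vulnerabilities: is the firmware older than the fix?
    for adv in advisories:
        if adv.product == device.product and \
                parse_version(device.firmware) < parse_version(adv.fixed_in):
            findings.append(
                f"firmware {device.firmware} predates fix in {adv.fixed_in}: {adv.title}")

    # 3. Exposure: remote reachability turns any open finding into a blocker.
    if device.remote_access and findings:
        findings.append("device is reachable remotely; resolve the items above before exposing it")
    return findings


def audit(inventory: list[Device]) -> dict[str, list[str]]:
    """Run check_device over the whole inventory, keyed by device name."""
    return {d.name: check_device(d) for d in inventory}


# Constructed sample inventory: one unpatched device on defaults, one patched
# device with a unique password, one fully fixed device kept off the network.
INVENTORY = [
    Device("line1-hmi", "hmi-panel", "3.1.7", "admin", "admin", remote_access=True),
    Device("line2-gw", "plc-gateway", "1.9.0", "operator", "S3cure!pass", remote_access=True),
    Device("lab-hmi", "hmi-panel", "3.2.0", "admin", "unique-per-device", remote_access=False),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(("FIX " if findings else "OK  ") + name)
        for finding in findings:
            print("      - " + finding)
```

The version comparison is the part worth getting right: string comparison would rank firmware "3.10.0" below "3.9.0" and silently pass a vulnerable device. Training employees, the third practice the excerpt names, has no script equivalent and still has to happen.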
At the IEEE Symposium on Security & Privacy last month, researchers from Carnegie Mellon University presented a prototype security and privacy label they created based on interviews and surveys of people who own IoT devices, as well as of privacy and security experts. They also published a tool for generating their labels. The idea is to shed light on a device's security posture but also to explain how it manages user data and what privacy controls it has. For example, the labels highlight whether a device can get security updates and how long the company has pledged to support it, as well as the types of sensors present, the data they collect, and whether the company shares that data with third parties. "In an IoT setting, the number of sensors and the information you have about users is potentially invasive and ubiquitous," says Yuvraj Agarwal, a networking and embedded systems researcher who worked on the project. "It's like trying to fix a leaky bucket. So transparency is the most important part. This work shows and enumerates all the choices and factors for consumers." Nutrition labels on packaged foods have a certain amount of standardization around the world, but they are still more opaque than they could be. And security and privacy issues are even less intuitive to most people than soluble and insoluble fiber.
Europe's automobile industry is bound by regulations for supporting vehicle components to ensure consumers have access to critical parts, says Brad Ree, CTO of ioXt and board member with the ioXt Alliance, which is a trade group dedicated to securing IoT devices. But Ree says with connected devices, no regulator has yet made the leap to ensure that the software is supported for an extended period. "Right now, consumers really don't know how long the product is going to be supported," Ree says. That's critical because smart devices cost more than devices without software control features. The U.S. is trying to nudge manufacturers in the right direction. Two years ago, the National Telecommunications and Information Administration created a document about what type of information companies should clearly communicate to consumers before they buy a smart device. The voluntary recommendations include describing whether and how a device receives security updates and the anticipated timeline for the end of security support.
"The good news is that there's a lot of open source database choice for organizations," said James Curtis, senior research analyst at S&P Global. "The bad news is that there's a lot of open source choice, and that can cause some confusion." While a growing number of vendors support open source database products, the public cloud vendors also offer versions of many popular open source databases, Curtis noted. For example, AWS offers a managed Cassandra service, as well as support for MySQL and PostgreSQL through its Relational Database Service (RDS). When they get ready to decide which route to take, Curtis said, organizations need to choose a vendor that provides the support they are looking for. For open source database vendors, DBaaS might also represent a threat, as it has the potential to replace or cannibalize existing on-premises deployments. Among the benefits of DBaaS, one of the most important is reducing the time organizations need to spend managing the infrastructure. "What will happen in the future is that database workloads will gravitate to the right environment in which it makes sense to run that workload," Curtis said. "Some workloads are best suited to run on premises and perhaps always will."
The first step is identifying an organization’s critical assets and the missions they support. The SEI's foundational process improvement approach to operational resilience management, the CERT Resilience Management Model (CERT-RMM), defines four asset types: people, facilities, technology, and information. "The COVID-19 crisis has impaired our people and our facilities, so it’s akin to a natural disaster," said Butkovic. However, most disaster plans did not anticipate that the event would affect everyone, everywhere. "Typically, you don’t have fires at all of your facilities at the same time, with little notion of when they’ll be put out. In that way, there are lessons to be learned from cyber events, which can affect all locations simultaneously." During a cyber attack, an organization might keep its technology assets out of harm's way by modifying firewall rules. During the COVID-19 pandemic, most human assets are keeping out of harm’s way by staying away from the workplace. But not all safeguards can remain in place forever.
While the future is uncertain, one clear trend is that remote work will play a larger role during and after the pandemic. After experiencing several weeks of office closures, organizational leaders are questioning the wisdom of maintaining the same amount of office space because, in most cases, employees have proved they can be productive and collaborate effectively while working remotely. On the flip side, some employees have discovered they prefer working at home, at least part-time. To effect social distancing in the short term, employers must rethink space utilization. Interestingly, they may find they have stumbled upon their longer-term strategy, which is some version of a partly remote, partly on-site workforce. With digital transformation, more tasks and processes are aided or facilitated by software. Meanwhile, organizations' tech stacks are becoming increasingly virtual (cloud-based), intelligent (machine learning and AI), and diverse (including IoT). However, digital transformation isn't just about technology implementation; it is also about cultural transformation, which reflects greater diversity and cross-departmental collaboration.
Attendees discussed how risk needs to be managed holistically. James Fong, Regional Business Director at RSA, highlighted the need to view risk in the context of four pillars, namely operations, workforce, supply chain and cybersecurity. Fong said that "Operational risk management, IT and security risk management, regulatory and corporate compliance, business resiliency, third party governance and audit management need to be part of an integrated risk management plan." Fong continued: "Risk data needs to be shared on customised dashboards for executives, CISOs and others. The data needs to give a clear understanding of the monetary cost associated with the risk. For example, how much is a risk worth? What is the cost of the threat?" Importantly, organisations need to understand the risk associated with third party suppliers. A commonly expressed view is that no matter how much you prepare yourself, there will always be instances when organisations need to react to situational change, for example incoming threats that can choke or change content in the media industry.
Quote for the day: