Daily Tech Digest - November 23, 2020

Superhuman resources: How HR leaders have redefined their C-suite role

CHROs have to be able to envision how the strategy will be executed, the talents and skills required to accomplish the work, and the qualities needed from leaders to maximize the organization’s potential. Increasingly, that requires a nuanced understanding of how technology and humans will interact. “HR leaders sit at a crossroads because of the rise of artificial intelligence and can really predict whether a company is going to elevate their humans or eliminate their humans,” said Ellyn Shook, the CHRO of professional-services firm Accenture. “We’re starting to see new roles and capabilities in our own organization, and we’re seeing a whole new way of doing what we call work planning. The real value that can be unlocked lies in human beings and intelligent technologies working together.” ... CHROs must operate at a slightly higher altitude than their peers on the leadership team to ensure that the different parts of the business work well together. At their best, these leaders view the entire organization as a dynamic 3D model, and can see where different parts are meshing well and building on other parts, and also where there are gaps and seams. The key is to make the whole organization greater than the sum of its parts.

Three IT strategies for the new era of hybrid work

While the hyper-automation strategy will make life much easier for IT teams by delivering on greater automated experiences, there will always be issues that humans will have to resolve. Organisations must equip their IT teams with the tools to handle these issues remotely and securely to succeed in an increasingly complex environment. This begins with utilising AI and building on deep learning capabilities that provide critical information to IT teams in real time. Say an employee is unable to access restricted customer information from his home network to complete a sales order and needs to enable VPN access. With the right software platforms, the IT representative will be able to guide him remotely, push the necessary VPN software to his device, configure the necessary access information and provision his access through automation scripts. IT would also be able to discover the model of the router used in his home network if required and assist with router settings if the employee grants the rights and authorisation. IT can also assess its vulnerabilities and advise the employee accordingly. In the past, the work would have had to be completed in the office. With hybrid work environments, going back to the office may not even be an option.

Security pros fear prosecution under outdated UK laws

MP Ruth Edwards, who previously led on cyber security policy for techUK, said: “The Computer Misuse Act, though world-leading at the time of its introduction, was put on the statute book when 0.5% of the population used the internet. The digital world has changed beyond recognition, and this survey clearly shows that it is time for the Computer Misuse Act to adapt. “This year has been dominated by a public health emergency – the coronavirus pandemic, but it has also brought our reliance on cyber security into stark relief. We have seen attempts to hack vaccine trials, misinformation campaigns linking 5G to coronavirus, a huge array of coronavirus-related scams, an increase in remote working and more services move online. “Our reliance on safe and resilient digital technologies has never been greater. If ever there was going to be a time to prioritise the rapid modernisation of our cyber legislation, and review the Computer Misuse Act, it is now,” she said. The study is the first piece of work to quantify and analyse the views of the wider security community in the UK on this issue, and the campaigners say they have found substantial concerns and confusion about the CMA that are hampering the UK’s cyber defences.

An In-Depth Explanation of Code Complexity

By knowing how many independent paths there are through a piece of code, we know how many paths there are to test. I'm not advocating for 100% code coverage by the way—that's often a meaningless software metric. However, I always advocate for as high a level of code coverage as is both practical and possible. So, by knowing how many code paths there are, we can know how many paths we have to test. As a result, you have a measure of how many tests are required, at a minimum, to ensure that the code's covered. ... By reducing software complexity, we can develop with greater predictability. What I mean by that is we're better able to say—with confidence—how long a section of code takes to complete. By knowing this, we're better able to predict how long a release takes to ship. Based on this knowledge the business or organization is better able to set its goals and expectations, especially ones that are directly dependent on said software. When this happens, it’s easier to set realistic budgets, forecasts, and so on. Helping developers learn and grow is the final benefit of understanding why their code is considered complex. The tools I've used to assess complexity up until this point don't do that. What they do is provide an overall or granular complexity score.
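The passage above ties the number of independent paths through a function to the minimum number of tests it needs. The following is an added example, not code from the article or its author: a small McCabe-style cyclomatic complexity calculator built on Python's standard `ast` module. It parses a constructed sample module (the `is_even` and `classify` functions are made up for this illustration), counts the decision points in each function body, and reports `decisions + 1` per function, which is exactly the "how many paths do I have to test" figure the text describes.

```python
import ast

# Constructed sample module for the demo (not from the article).
# is_even has a single straight-line path; classify branches several times.
SAMPLE_SOURCE = '''
def is_even(n):
    return n % 2 == 0

def classify(user, roles):
    if user is None:
        return "anonymous"
    if "admin" in roles and user.active:
        return "admin"
    for r in roles:
        if r.startswith("svc-"):
            return "service"
    return "member"
'''

# Node types that each introduce one extra path through the code.
_BRANCH_NODES = (
    ast.If, ast.IfExp, ast.For, ast.AsyncFor, ast.While,
    ast.ExceptHandler, ast.Assert,
)

# Nested definitions are scored on their own, not folded into the parent.
_SCOPE_NODES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)


def _decision_points(node: ast.AST) -> int:
    """Count decision points below `node`, without descending into nested scopes."""
    count = 0
    for child in ast.iter_child_nodes(node):
        if isinstance(child, _SCOPE_NODES):
            continue
        if isinstance(child, _BRANCH_NODES):
            count += 1
        elif isinstance(child, ast.BoolOp):
            # `a and b and c` short-circuits: each extra operand is a branch.
            count += len(child.values) - 1
        elif isinstance(child, ast.comprehension):
            # A comprehension is a loop, plus one branch per `if` filter.
            count += 1 + len(child.ifs)
        count += _decision_points(child)
    return count


def cyclomatic_complexity(func: ast.AST) -> int:
    """McCabe complexity of one function: decision points + 1.

    For a single-entry, single-exit function this equals the number of
    linearly independent paths, i.e. the minimum number of test cases
    needed to exercise every branch outcome at least once.
    """
    return 1 + _decision_points(func)


def complexity_report(source: str) -> dict:
    """Map every function name in `source` to its cyclomatic complexity."""
    tree = ast.parse(source)
    report = {}
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            report[node.name] = cyclomatic_complexity(node)
    return report


def minimum_test_count(source: str) -> int:
    """Sum of per-function minimums: the smallest basis-path test suite."""
    return sum(complexity_report(source).values())


if __name__ == "__main__":
    for name, score in complexity_report(SAMPLE_SOURCE).items():
        print(f"{name}: complexity {score} -> at least {score} test case(s)")
    print("minimum tests for module:", minimum_test_count(SAMPLE_SOURCE))
```

The score is a floor, not a target: `classify` needs at least six cases to cover each branch outcome, but the count says nothing about whether those cases exercise meaningful input. Extending the counter to `match` statements (`ast.match_case`) or to `with` blocks is a matter of adding them to `_BRANCH_NODES`, which is also where a team would encode its own convention for what counts as a branch.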

How DevOps Teams Get Automation Backwards

Do you know what data (and metadata) needs to be backed up in order to successfully restore? Do you know how it will be stored, protected and monitored? Does your storage plan comply with relevant statutes, such as CCPA and GDPR? Do you regularly execute recovery scenarios to test the integrity of your backups and the effectiveness of your restore process? At the heart of each of the above examples, the problem is due in large part to a top-down mandate and a lack of buy-in from the affected teams. If the DevOps team has a sense of ownership over the new processes, then they will be much more eager to take on any challenges that arise. DevOps automation isn’t the solution to every problem. Automated UI tests are a great example of an automation solution that’s right for some types of organizations, but not for others. These sorts of tests, depending on the frequency of UI changes, can be fragile and difficult to manage. Therefore, teams looking to adopt automated UI testing should first assess whether the anticipated benefits are worth the costs, and then ensure they have a plan for monitoring and maintaining the tests. Finally, beware of automating any DevOps process that you don’t use on a frequent basis.

Security by Design: Are We at a Tipping Point?

A big contributor for security flat-footedness is the traditional “trust but verify” approach, with bolt-on and reactive architectures (and solutions) that make security complex and expensive. Detecting a threat, assessing true vs. false alerts, responding to incidents holistically and doing it all in a timely fashion demands a sizeable security workforce; a strong, well-practiced playbook; and an agile security model. As we have learned over the years, this has been hard to achieve in practice—even harder for small or mid-size organizations and those with smaller budgets. Even though dwell time has reduced in the last few years, attackers routinely spend days, weeks or months in a breached environment before being detected. Regulations like the EU General Data Protection Regulation (GDPR) mandate reporting of notifiable data breaches within 72 hours, even as the median dwell time stands at 56 days, rising to 141 days for breaches not detected internally. Forrester analyst John Kindervag envisioned a new approach in 2009, called “zero trust.” It was founded on the belief that trust itself represents a vulnerability and security must be designed into business with a “never trust, always verify” model.

Distributors adding security depth

“With the rapidly changing security landscape, and home working seemingly here to stay, this partnership will help organisations alleviate these security pressures through one consolidated cloud solution. Together with Cloud Distribution, we will continue to expand our UK Partner network, ensuring we are offering robust cloud security solutions with our approach that takes user organisations beyond events and alerts, and into 24/7 automated attack prevention,” he said. Other distributors have also taken steps to add depth to their portfolios. Last month, e92plus also moved to bolster its offerings with the signing of web security player Source Defense. The distie is responding to the threats around e-commerce and arming resellers with tools to help customers that have been forced to sell online during the pandemic. The shift online has come as threats have spiked and the criminal activity around online transactions has increased. “As more businesses look to transact business online, bad actors are exploiting client-side vulnerabilities that aren’t protected by traditional solutions like web application firewalls,” said Sam Murdoch, managing director at e92cloud.

3 Steps CISOs Can Take to Convey Strategy for Budget Presentations

CISOs recognize they cannot reduce their organization's cyber-risk to zero. Still, they can reduce it as much as possible by focusing on eliminating the most significant risks first. Therefore, when developing a budget, CISOs should consider a proactive risk-based approach that homes in on the biggest cyber-risks facing the business. This risk-based approach allows the CISO to quantify the risk across all areas of cyber weakness, and then prioritize where efforts are best expended. This ensures maximum impact from fixed budgets and teams. The fact is, the National Institute of Standards and Technology reports that an average breach can cost an organization upward of $4 million — more costly than the overall budget for many organizations. Consider a scenario where one CISO invests heavily in proactive measures, successfully avoiding a major breach, while another invests primarily in reactive measures and ends up cleaning up after a major breach. The benefit is that one (the proactively inclined CISO) ends up spending 10x less overall. ... While there is more awareness among top leadership and board members regarding the daunting challenges of cybersecurity, a board member's view of cybersecurity is primarily concerned with cybersecurity as a set of risk items, each with a certain likelihood of happening with some business impact.

Keeping data flowing could soon cost billions, business warned

As soon as the UK leaves the EU, it will also cease to be part of the GDPR-covered zone – and other mechanisms will be necessary to allow data to move between the two zones. The UK government, for its part, has already green-lighted the free flow of digital information from the UK to the EU, and has made it clear that it hopes the EU will return the favor. This would be called an adequacy agreement – a recognition that UK laws can adequately protect the personal data of EU citizens. But whether the UK will be granted adequacy is still up for debate, with just over one month to go. If no deal is achieved on data transfers, companies that rely on EU data will need to look at alternative solutions. These include standard contractual clauses (SCCs), for example, which are signed contracts between the sender and the receiver of personal data that are approved by an EU authority, and need to be drawn up for each individual data transfer. SCCs are likely to be the go-to data transfer mechanism in the "overwhelming majority of cases," according to the report, and drafting the contracts for every single relevant data exchange will represent a costly bureaucratic and legal exercise for many firms. UCL's researchers estimated, for example, that the London-based university would have to amend and update over 5,000 contracts.

Even the world’s freest countries aren’t safe from internet censorship

Ensafi’s team found that censorship is increasing in 103 of the countries studied, including unexpected places like Norway, Japan, Italy, India, Israel and Poland. These countries, the team notes, are rated some of the world’s freest by Freedom House, a nonprofit that advocates for democracy and human rights. They were among nine countries where Censored Planet found significant, previously undetected censorship events between August 2018 and April 2020. They also found previously undetected events in Cameroon, Ecuador and Sudan. While the United States saw a small uptick in blocking, mostly driven by individual companies or internet service providers filtering content, the study did not uncover widespread censorship. However, Ensafi points out that the groundwork for that has been put in place here. “When the United States repealed net neutrality, they created an environment in which it would be easy, from a technical standpoint, for ISPs to interfere with or block internet traffic,” she said. “The architecture for greater censorship is already in place and we should all be concerned about heading down a slippery slope.”

Quote for the day:

"Beginnings are scary, endings are usually sad, but it's the middle that counts the most." -- Birdee Pruitt
