What Gartner’s top cybersecurity predictions for 2022-23 reveal
Implied in the predictions is advice to focus not just on ransomware or any
other currently trending type of cyberattack, but to prioritize cybersecurity
investments as core to managing risks and see them as investments in the
business. By 2025, 60% of organizations will use cybersecurity risk as a primary
determinant in conducting third-party transactions and business engagements,
according to Gartner‘s predictions. Doubling down with greater resilience across
every threat surface is key. For example, while Gartner mentions zero-trust
network access (ZTNA) in just one of the eight predictions, the core concepts of
ZTNA and its benefits are reflected in most of the predictions. The predictions
also note that investing in preventative controls is not enough, and that there
needs to be a much higher priority placed on resilience. This is because threat
surfaces grow faster than many organizations can gain visibility to and protect.
By 2025, it is expected that 80% of enterprises will adopt a strategy to unify
web, cloud services and private application access from a single vendor’s
secured service edge (SSE) platform.Don't Get Fired: How to Sell Max Cybersecurity to the C-Suite
"So some of the strategies that I use when I'm working with the C-level teams, the boards of directors, is I don't just give them a summarization or my opinion," continued O'Neill Sr. "I bring in events from insurance -- our insurance broker or our auditors -- and I say, 'Hey, can you give me a few examples of other customers where their cybersecurity insurance didn't get renewed because of some event? Or can you give me an example of a audit that failed because proper levels of protection weren't put in place?' "And I articulate those things to the CEOs and the boards of directors. Not in long-worded descriptions, but basically like, 'Hey, you know, if you look at this year, and our actual insurance broker says that they have processed claims for a billion dollars this year because of security events where malware has been involved.' And then I show them data where I say, 'Okay, of the 100 events ... about 15 percent of those companies never survived. They did not return back to business.' Okay.How tech companies are responding to the talent gap
The savviest organizations are taking on the onus of training talent
themselves, increasingly hiring people straight out of school, according to
Jean-Marc Laouchez, president of the Korn Ferry Institute. These firms are
also trying to instill a culture of continuous learning and training.
“Constant learning — driven by both workers and organizations — will be
central to the future of work, extending far beyond the traditional definition
of learning and development,” Laouchez wrote. In that light, coding bootcamps
have become talent pools for organizations looking for skills-based applicants
over more traditional college graduates. Graduates from coding boot camps
reported a quick ROI, higher salaries, and STEM career opportunities,
according to recent survey of 3,800 US graduates of university coding
bootcamps by US education company 2U and Gallup. All graduates reported they
saw their salaries increase by a median of $11,000 one year after graduation,
with those who moved from non-STEM to STEM jobs after graduation seeing the
highest income growth.Strategies for adopting data stewardship without a CDO
If the company has already concluded that it can’t hire a full-time CDO, the
next best thing is to look at individuals in the company who have some of the
skills or who have backgrounds and talents that would enable them to skill up
quickly. The first place to look is in the database group. The database
administrator should be charged with oversight of the development of the
entire corporate data architecture. When an overall data architecture is in
place, you have a structure that ensures all of your various data repositories
and processes can interact with each other in enterprise-wide data exchanges
and ensures you have the tools, such as APIs (application programming
interfaces) and ETL (extract, transform, load), to facilitate integration.
This also means eradicating stand-alone data silos that might exist within the
company. ... The database group can work hand in hand with the IT security
group to make sure all data is properly secured and that it meets corporate
governance standards, even if the data is incoming from third-party
vendors.Secure everything, not just the weakest link
When looking at the security of links between a company and its business
partners, BCS volunteer Petra Wenham says: “We must include the company’s IT
in that statement and the security of a partner’s IT system.” Junade Ali, a
technologist with an interest in software engineering management and computer
security, points to the OAuth vulnerability as an example of the risks
organisations face across their supply chains when they connect or make use of
third-party systems. “In the recent past, I’ve worked on changing practices
across the industry when it comes to password security,” he says. “I developed
the anonymity models used by Have I Been Pwned, the developer tooling needed
to improve password security practices and published scientific studies used
to change the industry understanding of the best practice.” What Ali learned
was that the reuse of compromised credentials from one low-value website (say,
a pizza restaurant) often cascades to compromising someone’s online banking.
He adds: “The message here is clear – security isn’t purely within our fiefdom
and we depend on others to keep our data safe.”How APTs Are Achieving Persistence Through IoT, OT, and Network Devices
Due to the low security and visibility of these devices, they are an ideal
environment for staging secondary attacks on more valuable targets inside the
victim's network. To do this, an attacker will first get into the company's
network through traditional approaches like phishing. Attackers can also gain
access by targeting an Internet-facing IoT device such as a VoIP phone, smart
printer, or camera system, or an OT system such as a building access control
system. Since most of these devices use default passwords, this type of breach
is often trivial to achieve. Once on the network, the attacker will move
laterally and stealthily to seek out other vulnerable, unmanaged IoT, OT, and
network devices. Once those devices have been compromised, the attacker just
needs to establish a communication tunnel between the compromised device and
the attacker's environment at a remote location. In the case of UNC3524,
attackers used a specialized version of Dropbear, which provides a
client-server SSH tunnel and is compiled to operate on the Linux, Android, or
BSD variants that are common on those devices.Transforming advanced manufacturing through Industry 4.0
Organizational problems often involve low buy-in and a lack of concentration from leadership as a business attempts to see a digital transformation through. That hampers the effort’s potential success and long-term viability. Inadequate knowledge of digital capabilities and a lack of organizational talent can prevent broader buy-in and properly scaled transformative efforts. Technology roadblocks commonly include low support from partners in scaling deployment while facing multiple platform choices, which hinders an organization’s ability to move quickly into new territory. The transformation’s starting point can also stall when leaders aren’t convinced of their ability to increase the size and scope of the digital architecture they choose for implementation. AI companies have tried many approaches to overcome these barriers and realize improved performance through digital manufacturing transformations. An examination of advanced manufacturing lighthouses reveals two critical reasons that their transformations succeeded: first, they chose the right use cases; second, they looked for ways that those use cases could reinforce one another.Cybersecurity and the metaverse: Identifying the weak spots
The metaverse is designed to function through the use of digital avatars that
each user creates for themselves. Ostensibly, this avatar will be both unique
and secure, which will allow the real human it represents to use their
personally identifiable information (PII) and other sensitive information to
make purchases, do work and even receive healthcare. In addition, through the
avatar, the user can interact with others in the digital space, including
working with colleagues in a virtual office. The concern, however, is that
because the avatar is, fundamentally, the skeleton key to your private offline
information, from your PII to your financial accounts, if a hacker gains access
to your avatar, then they can open the door to your entire life. This holds the
potential to take identity theft to an unprecedented level. Identity theft in
the metaverse can also take another, and perhaps even more sinister, turn,
however. If hackers gain control of your avatar, they may well engage in
behaviors that can ruin your relationships and reputation, and may even put your
offline safety at risk. The promise of edge computing comes down to data
Move computing power to where the data is. Determining whether edge or cloud is optimal for a particular workflow or use case can cause analysis paralysis. Yet the truth is the models are complementary, not competing. “The general rule of thumb is that you’re far better moving compute to the data than vice versa,” said Robert Blumofe, executive vice president and chief technology officer at Akamai. “By doing so, you avoid back hauling, which hurts performance and is expensive.” Consider an e-commerce application that orchestrates actions like searching a product catalog, making recommendations based on history, or tracking and updating orders. “It makes sense to do the compute where that data is stored, in a cloud data warehouse or data lake,” Blumofe said. The edge, on the other hand, lends itself to computing on data that’s in motion — analyzing traffic flow to initiate a security action, for example. Go heavy on experimentation. It’s still early days in edge computing, and most companies are at the beginning of the maturity curve, evaluating how and where the model can have the most impact.The surveillance-as-a-service industry needs to be brought to heel
The problem here is that surveillance technologies such as these have been
commercialized. It means capabilities that historically have only been available
to governments are also being used by private contractors. And that represents a
risk, as highly confidential tools may be revealed, exploited,
reverse-engineered and abused. As Google said: “Our findings underscore the
extent to which commercial surveillance vendors have proliferated capabilities
historically only used by governments with the technical expertise to develop
and operationalize exploits. This makes the Internet less safe and threatens the
trust on which users depend.” Not only this, but these private surveillance
companies are enabling dangerous hacking tools to proliferate, while giving
these high-tech snooping facilities available to governments — some of which
seem to enjoy spying on dissidents, journalists, political opponents, and human
rights workers. An even bigger danger is that Google is already tracking at
least 30 spyware makers, which suggests the commercial surveillance-as-a-service
industry is strong.
Quote for the day:
"Strategy is not really a solo sport _ even if you_re the CEO." -- Max McKeown
No comments:
Post a Comment