First and foremost, workers need to possess a basic level of digital fluency in order to successfully implement digital transformation. Depending on the industry, digital fluency can range from a basic knowledge of Microsoft Suite to an understanding of cloud computing. This necessity of this skill is company-wide; Harvard Business School Professor Tsedel Neeley points out that digital fluency adheres to a basic tenet of linguistics. "I often reference the 30% rule; borrowed from the study of languages, when applied to digital fluency, it dictates that the entire company needs to be, at least, at a 30% fluency baseline in order to move in a new digital direction effectively." ... An oft-neglected component of digital transformation is cybersecurity. According to research and marketing firm ThoughtLab, the average number of cyberattacks rose by 15.1% in 2021, as compared to 2022. The implications are sobering: Blockchain analysis firm Chainalysis reports that victims of ransomware spent almost $700 million paying off their attackers in 2020. As the digital transformation process accelerates, companies should cover potential risk areas by hiring those with cybersecurity skills.
The first is because they are ephemeral in nature and always growing. The second is that they rely on outdated, and ineffective tooling and processes. What once worked in the data center does not work for the cloud. This leads to blind spots and greater difficulty protecting data. In one study, 87% of respondents say they fear that a lack of cloud visibility is obscuring security threats to their company. And 95% blame visibility problems for application and network performance issues. Cloud security monitoring provides deep visibility across multiple environments for real-time threat discovery and remediation. ... Oftentimes, they discover cloud security gaps long before companies do. When this happens, bad actors can enter without detection. In most cases, the affected organization is completely unaware of the breach and vulnerability or misconfiguration that enabled it. ... With a robust cloud security monitoring solution in place, companies can discover and remediate misconfigurations like publicly exposed data stores, over-privileged Identities, lack of encryption, lack of auditing, or vulnerabilities in a workload in near real-time — before these issues can be exploited.
Merritt has found a niche working with clients that might be startups or smaller or medium-size companies that are growing quickly. He notes that he can relate to their entrepreneurial values from having worked at a number of these kinds of companies himself. “I can switch roles according to what they need in the moment,” he says. “One week I'm coding, the next I'm doing high-level design, and the next may be a go-to-market plan. I thrive on this kind of change, and clients appreciate that I can switch roles as they require.” “I try to do work on hard problems that require heavy left-brain thinking, like coding or debugging, in the morning,” Merritt says. “Then get out for some physical exercise to clear my head. I try to push meetings, writing, and admin to the afternoon or evening.” For his current client, Merritt is doing a lot of architectural design work for security, infrastructure, and technology operations, including writing code, testing, and planning. “For some clients, I'm collaborating a lot all day,” he says. For others, “I just show results when I'm done,” he says. “I post milestones regularly, so clients can follow where I'm at with their project.
A good IDaaS solution should be able to apply identity-based, context-aware rules across an organization’s ecosystem to spot unauthorized behavior before it leads to a breach. It should be capable of operating autonomously to authenticate the right users based on contextual data – and block access based on suspicious activity. As organizations build larger and more complex cloud-based data landscapes, they should create a zero-trust environment which protects against threats on the inside as well as external risks. Through intelligent, autonomous defense technology, businesses can also implement systems that analyze far more than just a password or one-time code when determining whether a user is granted access to a system or data. IP addresses, past behavior, endpoint ID, geolocation and the time of day are just some of the data points that should be gathered and analyzed by an intelligent IDaaS platform to decide whether an access request should be granted. A modern approach to identity within the network can help to mitigate the risk of insider attacks.
The phrase “practice makes perfect” is misleading. There is no perfect. However, good practice makes you better and allows you to both hone and verify your skills—and one of the best ways to practice is on a range. If you want to get better at golf, you go to a driving range. If you want to improve your marksmanship, you go to a shooting range. You might not think of cybersecurity in the same way, but the same principle applies. Organizations today must defend a complex and expanding attack surface, against sophisticated adversaries and a daunting threat landscape. You certainly don't want to wait until you’re in the middle of an active cyberattack to learn the hard way that you’re not as prepared as you need to be. ... Likewise, a cyber range should also emulate a real-world IT environment as much as possible. It should deliver realistic network traffic and accurately emulate network, user, and threat actor behavior. Ideally, it should be an expandable, high-fidelity, open platform that provides flexibility to train in a variety of scenarios. A cyber range is multifaceted and enables a variety of training or validation scenarios.
Interestingly, not everyone subscribes to the idea that the dissemination of cybersecurity information should ever be restricted, even voluntarily. Enthusiasts of so-called full disclosure insist that publishing as much information as possible, as widely as possible, as quickly as possible, is actually the best way to deal with vulnerabilities, exploits, cyberattacks, and the like. Full-disclosure advocates will freely admit that this sometimes plays into the hands of cybercriminals, by clearly identifying the information they need (and giving away knowledge they might not previously have had) to initiate attacks right away, before anyone is ready. Full disclosure can also disrupt cyberdefences by forcing sysadmins everywhere to stop whatever they are doing and divert their attention immediately to something that could otherwise safely have been scheduled for attention a bit later on, if only it hadn’t been shouted from the rooftops. Nevertheless, supporters of full disclosure will tell you that nothing could be simpler, easier or fairer than just telling everybody at the same time.
Today’s technology leaders are a critical part of running any business and have been awarded a seat at the table to partner and drive progress. This requires that IT leaders not only understand the technology and the industry as they have in the past but also the value of building strong relationships and trust in the organization. To build these relationships and trust, I have significantly focused on listening and understanding different points of view. With business partners, this allows you to truly understand the business problems being brought to the team to solve and dig below the surface to ensure you provide robust solutions for the customer. This instills trust and confidence in the group. Equally important is listening to your team members, truly understanding the work they are engaged in and why it matters. When the team understands the end goal, it drives empowerment that leads to innovation and efficiency. It allows the team to contribute to the company’s success by being a part of the solution, not just executing against a predefined plan.
The NHS situation is already offering several important lessons to other healthcare entities and their vendors, some experts say. "It is critical that an organization ensure that vendors that have network access or connectivity ensure that they have proper cyber hygiene protections in place," says retired supervisory FBI agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP. It is also critical to audit and ensure that the protections a vendor claims to have in place are verifiable and subject to testing to ensure the controls work appropriately, he adds. "One option is to require IT vendors to have established and proven cybersecurity frameworks in place such as ISO 27001, zero trust architecture or the National Institute of Standards and Technology's Cybersecurity Framework, just to name a few options," he says. In the meantime, threats, such as ransomware as a service, that are available to cyberthreat actors have greatly expanded the scope of potential threats that healthcare sector entities and their vendors face, he says.
“DevOps, and more recently DataOps, has pushed software development to the front of most corporate IT roadmaps. The rise of DevOps has been well explained as a new approach to make monolithic applications more agile and responsive to market and workforce changes,” says Ramachandran. “There are so many different patterns in data integration – from batch, to streaming and beyond – that a patchwork landscape of technologies has led to huge fragmentation. Data engineers without the right tools end up stressing about constantly pivoting to keep things in sight and steady, which is a drag on resources,” Ramachandran adds. “Therefore, DevOps is only useful if businesses can interpret and take action on the data. Organisations must have a strong pipeline in place to manage the incoming data and this is where application integration comes in. Having a powerful integration platform can automatically manage the DevOps data pipeline to provide better visibility and insights, real-time engagement with customers, and frictionless partner and supplier transactions.”
It happens in unhealthy organizational environments where developers build silos of knowledge. I have talked to a tech giant where a single engineer wrote essential services. He held the organization hostage to receive a better salary, did not get what he wanted, and left the company in the end. They had to rewrite it as nobody was able to support it. Silos, however, can occur naturally due to high pressure from management for fast delivery. In high-pressure environments, developers have to specialize in certain areas to be more efficient. So the de-silofication should be considered a complementary task while dealing with technical debt. Regardless of why such silos occurred, we should know how many of them are critical. I have witnessed huge companies that should not allow five specific engineers to travel on the same tram, as the risk of survival of the company if something happens with the tram is simply too high. If this is the case in your company, then it is time for you to think about doing things differently. Spread the knowledge, and implement a proxy strategy where other engineers will start taking tasks intended for the “tram-people.”
Quote for the day:
"What great leaders have in common is that each truly knows his or her strengths - and can call on the right strength at the right time." -- Tom Rath