Daily Tech Digest - September 21, 2022

IT Talent Crunch Shifts Tech Investment Strategies

Prasad Ramakrishnan, CIO at Freshworks, points out that low- and no-code tools enable businesses to do more with less, and the easy-to-use, configuration-based user experience of these tools means anyone can use them. He adds tech stacks have become bloated and complex, with features end users typically don't care about. “In an attempt to check every box, technology went from being purpose-built, to tailored to no one,” he says. “The pandemic has made this trend more pronounced.” Ramakrishnan conducts an “app rationalization” exercise regularly with his team, evaluating software applications in terms of integrations needed, their security, whether they are being used (to retire if needed) and how much they are being used (to reduce licenses if needed). “Constantly audit your tech stack,” he advises. “We also involve the end user to make sure everyone is part of the process, akin to a democratized process.” From his perspective, leaders need to create space for end-user feedback -- without it, companies could be taking away valuable tools that employees use and leave them with bloated applications they never use.

Why Investors & Founders Need To Embed Corporate Governance

There have been numerous tweets and posts about governance, the blame game, and other topics. Governance, in my opinion, begins with the founders and senior management. The investors/board have no way of knowing about fraud or any of the aforementioned issues because they are not involved in the day-to-day operations. However, once discovered, the board of directors and investors are responsible for resolution. Consider the case of a company in the news: many prominent Silicon Valley and New York-based investors participated despite the fact that one of the cofounders was convicted of identity theft. If they believe in second chances, why not make this cofounder a full-fledged director of the company? There is also the role of regulatory bodies such as the RBI, given that some of these startups (particularly fintech) are governed by them because they have a stake in a bank. Laws and regulations should encourage collaboration to ensure there is no “conflict”; for example, our regulations make it impossible for investors to liquidate and take their money back.

Introduction to SOLID Principles of Software Architecture

Per the Single Responsibility Principle, every class should have no more than one responsibility (i.e., one and only one purpose). If a class has multiple responsibilities, its functionality should be split into multiple classes, each handling a specific responsibility. ... When classes are open for extension but closed for modification, developers can extend the functionality of a class without modifying the existing code in that class. In other words, programmers should make sure their code can handle new requirements without compromising existing functionality. Bertrand Meyer is credited with introducing this principle in his book “Object-Oriented Software Construction.” According to Meyer, “a software entity should be open for extension but closed for modification.” The idea behind this principle is that it allows developers to extend software functionality while preserving existing, already tested behaviour. In practical terms, this means that new functionality should be added by extending an existing class (for example, through inheritance or by implementing an abstraction the class depends on) rather than by modifying the code of that class.

The Uber Hack’s Devastation Is Just Starting to Reveal Itself

“It’s disheartening, and Uber is definitely not the only company that this approach would work against,” says offensive security engineer Cedric Owens of the phishing and social engineering tactics the hacker claimed to use to breach the company. “The techniques mentioned in this hack so far are pretty similar to what a lot of red teamers, myself included, have used in the past. So, unfortunately, these types of breaches no longer surprise me.” The attacker, who could not be reached by WIRED for comment, claims that they first gained access to company systems by targeting an individual employee and repeatedly sending them multifactor authentication login notifications. After more than an hour, the attacker claims, they contacted the same target on WhatsApp pretending to be an Uber IT person and saying that the MFA notifications would stop once the target approved the login. Such attacks, sometimes known as “MFA fatigue” or “exhaustion” attacks, take advantage of authentication systems in which account owners simply have to approve a login through a push notification on their device rather than through other means, such as providing a randomly generated code. 
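The pattern the article describes, a burst of push prompts followed much later by an approval, is visible in authentication logs if the identity provider records push events. The detector below is an added example, not code from WIRED or from Uber: the log format (ts,user,event,source_ip), the event names and the thresholds are assumptions, and the log lines are constructed.

```python
"""Detect MFA push-bombing ("MFA fatigue") in authentication logs.

Added example, not code from the WIRED article or from Uber. The log format
(ts,user,event,source_ip), event names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: a burst of pushes to alice that she ignores or
# denies, then an approval more than an hour later; bob is a normal login.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z,alice,push_sent,203.0.113.7
2022-09-15T22:01:35Z,alice,push_timeout,203.0.113.7
2022-09-15T22:01:40Z,alice,push_sent,203.0.113.7
2022-09-15T22:02:10Z,alice,push_denied,203.0.113.7
2022-09-15T22:02:15Z,alice,push_sent,203.0.113.7
2022-09-15T22:02:50Z,alice,push_sent,203.0.113.7
2022-09-15T22:03:30Z,alice,push_sent,203.0.113.7
2022-09-15T22:04:10Z,alice,push_sent,203.0.113.7
2022-09-15T23:12:44Z,alice,push_sent,203.0.113.7
2022-09-15T23:12:51Z,alice,push_approved,203.0.113.7
2022-09-15T08:30:00Z,bob,push_sent,198.51.100.20
2022-09-15T08:30:09Z,bob,push_approved,198.51.100.20
"""

WINDOW = timedelta(minutes=10)          # sliding window for counting pushes
BURST_THRESHOLD = 5                     # pushes per window that count as bombing
APPROVAL_LOOKBACK = timedelta(hours=2)  # an approval this soon after a burst is suspect


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str       # "push_burst" or "approval_after_burst"
    at: str         # ISO timestamp of the triggering event
    detail: str


def parse_line(line):
    ts, user, event, ip = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_fatigue(log_text, window=WINDOW,
                        burst_threshold=BURST_THRESHOLD,
                        approval_lookback=APPROVAL_LOOKBACK):
    """Return Findings for push bursts and for approvals that follow them."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent_sends = defaultdict(deque)   # user -> timestamps of push_sent in window
    last_burst = {}                     # user -> time the burst was last seen
    findings = []
    for ts, user, event, ip in events:
        if event == "push_sent":
            q = recent_sends[user]
            q.append(ts)
            while ts - q[0] > window:           # drop sends outside the window
                q.popleft()
            if len(q) >= burst_threshold:
                # Report each burst once; a later, separate burst is reported again.
                if user not in last_burst or ts - last_burst[user] > window:
                    findings.append(Finding(user, "push_burst", ts.isoformat(),
                                            f"{len(q)} pushes within {window}"))
                last_burst[user] = ts
        elif event == "push_approved":
            burst_at = last_burst.get(user)
            if burst_at is not None and ts - burst_at <= approval_lookback:
                findings.append(Finding(user, "approval_after_burst", ts.isoformat(),
                                        f"approved {ts - burst_at} after a burst, from {ip}"))
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_LOG):
        print(f"{f.at} {f.user} {f.kind}: {f.detail}")
```

The approval-after-burst finding is the one worth paging on: the burst itself only tells you the credentials are already in the attacker's hands, while the approval means the session is live. Detection is a backstop; the fix the article points at is to stop accepting a bare "approve" tap and require the user to type a code or number shown on the login screen, which a social-engineering call cannot supply for them.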

Does your password policy align with NIST recommendations?

“NIST outlines several simple steps to strengthen passwords against modern password-based attacks. Organizations that ignore NIST’s recommendations are leaving an essential authentication security layer vulnerable,” notes Josh Horwitz, chief operating officer at Enzoic. ... As hacking threats increase and many IT teams are understaffed, upgrading your password policy may seem like a nice-to-have. However, password hardening is easy to do, leverages the existing investment in passwords and, unlike most security policies, actually makes things easier for users and administrators. The right solution reduces user frustration around frequent required resets and complex rules. Technology can also lower administrative burden and spend by using automation to reduce password reset calls and boost cybersecurity. Adopting modern technology such as Enzoic for Active Directory can help you avoid security breaches, prevent ransomware attacks and avoid account takeovers. “Organizations need a way to identify when passwords become compromised,” says Horwitz, adding, “Otherwise, their users and administrators can’t follow or enforce the NIST requirement to not reuse compromised passwords.”
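The NIST guidance in question is SP 800-63B, section 5.1.1.2: a minimum of 8 characters (allowing at least 64), no composition rules, no periodic rotation, and rejection of values that are breached, context-specific (username, service name), repetitive or sequential. The checker below is an added example, not Enzoic's product or code from the article; the breach corpus it consults is a constructed stand-in for a real feed, and the k-anonymity lookup mirrors the prefix-query style of the Pwned Passwords API without calling it.

```python
"""Password acceptance check modelled on NIST SP 800-63B section 5.1.1.2.

Added example, not Enzoic's product or code from the article. The breach
corpus below is a constructed stand-in; the rules enforced are the ones
NIST lists: minimum length, no composition rules, and rejection of
breached, context-specific, repetitive or sequential values.
"""
import hashlib
import re
import unicodedata

MIN_LEN = 8      # NIST: at least 8 characters; allow at least 64 (no upper cap here)
SEQ = "abcdefghijklmnopqrstuvwxyz0123456789"


def _sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: SHA-1 digests of a few known-bad passwords.
# A real deployment queries a breach feed; Pwned Passwords, for instance, is
# queried by the first 5 hex chars of the SHA-1 so the full hash never leaves the client.
BREACHED = {_sha1_hex(p) for p in ("password", "Password1!", "qwerty123", "letmein")}


def in_breach_corpus(pw, corpus=BREACHED):
    """k-anonymity style lookup: only the 5-char prefix is 'sent', suffix matched locally."""
    digest = _sha1_hex(pw)
    prefix, suffix = digest[:5], digest[5:]
    candidates = {d[5:] for d in corpus if d.startswith(prefix)}  # what a server would return
    return suffix in candidates


def has_sequence(s, run=4):
    """True if s contains `run` consecutive alphabet/digit characters in either direction."""
    s = s.lower()
    return any(s[i:i + run] in SEQ or s[i:i + run] in SEQ[::-1]
               for i in range(len(s) - run + 1))


def evaluate_password(pw, username="", service="", corpus=BREACHED):
    """Return the list of reasons to reject pw; an empty list means accept.

    Deliberately no composition (upper/lower/digit/symbol) rules and no expiry:
    NIST drops both because they push users toward predictable patterns.
    """
    pw = unicodedata.normalize("NFKC", pw)   # NIST: normalize Unicode before length/compare
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than 8 characters")
    if in_breach_corpus(pw, corpus):
        reasons.append("found in breach corpus")
    low = pw.lower()
    for ctx in (username, service):          # context-specific words
        if ctx and ctx.lower() in low:
            reasons.append(f"contains context word '{ctx}'")
    if re.search(r"(.)\1{3,}", pw):          # repetitive: four or more of one character
        reasons.append("repeated character run")
    if has_sequence(low):                    # sequential: abcd, 1234, 4321 ...
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1!", "aaaa1234"):
        print(f"{candidate!r}: {evaluate_password(candidate) or 'accepted'}")
```

Note that "correct horse battery staple" passes while "Password1!" fails: a legacy complexity policy would grade them the other way round. The breach check is the piece that needs to run not only at set time but whenever a new breach corpus arrives, which is the "identify when passwords become compromised" requirement Horwitz refers to.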

Cybersecurity as an employee benefit

Many business leaders and human resources professionals believe that cybersecurity is the responsibility of their information technology staff and managed services provider. However, ensuring that employees and their families have appropriate cybersecurity protection is an employee benefit that benefits employers as well. Mistakes, lack of awareness and the general vulnerability of employees remain the most significant cybersecurity risk for most employers. Simply training employees about cyber threats typically fails to reduce that risk sufficiently. To have a truly cyber-mature workforce, employers need to engage employees in cybersecurity. Teaching employees about the threats to themselves and their families, and making personal protection services available to them, is a much better method to engage employees in cybersecurity. Cybersecurity training is not most people’s idea of a good time. However, employees sit up and take notice when trainers talk to them about the prevalence and severity of the cyber threats to themselves personally, including their identities, credit files, financial accounts, personal devices and home networks.

Meta, TikTok, YouTube and Twitter dodge questions on social media and national security

Whistleblowers and industry have repeatedly raised alarms about inadequate content moderation in other languages, an issue that gets inadequate attention due to a bias toward English language concerns, both at the companies themselves and at U.S.-focused media outlets. In a different hearing yesterday, Twitter’s former security lead turned whistleblower Peiter “Mudge” Zatko noted that half of the content flagged for review on the platform is in a language the company doesn’t support. Facebook whistleblower Frances Haugen has also repeatedly called attention to the same issue, observing that the company devotes 87% of its misinformation spending to English language moderation even though only 9% of the platform’s users speak English. In another eyebrow-raising exchange, Twitter’s Jay Sullivan declined to specifically deny accusations that the company “willfully misrepresented” information given to the FTC. “I can tell you, Twitter disputes the allegations,” Sullivan said, referring to testimony from the Twitter whistleblower on Tuesday.

5 steps to designing an embedded software architecture, Step 1

First, they are not very portable. For example, what happens if a microcontroller suddenly becomes unavailable? (Chip shortage, anyone?) If the code is tightly coupled, attempting to move the application code to run on a new microcontroller becomes a herculean effort, because the application code is tied directly to low-level hardware calls on the old microcontroller. I know a lot of companies that have suffered through this recently. If they didn’t update their architecture, they had to go back through all their code and change every line that interacted with the hardware. The companies that updated their architecture broke the coupling through abstractions and dependency injection. Second, unit testing the application in a development environment rather than on the target hardware is nearly impossible. If the application code makes direct calls to the hardware, a lot of work will go into the test harness to successfully run that test, or the testing will need to be done on the hardware. Testing on hardware is slow and is often a manual rather than an automated process.
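The two remedies named here, abstractions and dependency injection, are the same ideas the SOLID excerpt above describes as single responsibility and open/closed. The example below is added to serve both passages; it is not code from either article. The `GpioPin` interface, the two chips and their register layouts are hypothetical, and the `bytearray` register files stand in for memory-mapped I/O so the whole thing runs on a host. The application is a tamper latch, which is the sort of logic you most want to unit test without waiting for a board.

```python
"""Hardware abstraction plus dependency injection for an embedded application.

Added example, not from either article. The chips, register layouts and the
GpioPin interface are hypothetical; the simulated register files stand in
for memory-mapped I/O so the example runs on a host.
"""
from abc import ABC, abstractmethod


class GpioPin(ABC):
    """The only thing application code is allowed to know about a pin."""
    @abstractmethod
    def read(self) -> bool: ...
    @abstractmethod
    def write(self, level: bool) -> None: ...


class ChipAGpio(GpioPin):
    """Driver for hypothetical chip A: one input and one output data register.
    SRP: this class only moves bits to and from registers; no policy lives here."""
    IDR, ODR = 1, 0           # byte offsets in the simulated register file
    def __init__(self, regs: bytearray, pin: int):
        self.regs, self.pin = regs, pin
    def read(self) -> bool:
        return bool(self.regs[self.IDR] >> self.pin & 1)
    def write(self, level: bool) -> None:
        if level:
            self.regs[self.ODR] |= 1 << self.pin
        else:
            self.regs[self.ODR] &= ~(1 << self.pin) & 0xFF


class ChipBGpio(ChipAGpio):
    """Hypothetical replacement chip: different offsets and active-low inputs.
    Added by extension (open/closed); TamperMonitor below is untouched."""
    IDR, ODR = 4, 6
    def read(self) -> bool:
        return not super().read()


class FakeGpio(GpioPin):
    """Host-side test double: scripted input levels, recorded output writes."""
    def __init__(self, levels=()):
        self.levels, self.writes = list(levels), []
    def read(self) -> bool:
        return self.levels.pop(0) if self.levels else False
    def write(self, level: bool) -> None:
        self.writes.append(level)


class TamperMonitor:
    """Application policy (SRP: only the latch logic). Pins are injected, so the
    same class runs against chip A, chip B or a fake."""
    def __init__(self, switch: GpioPin, alarm: GpioPin):
        self.switch, self.alarm = switch, alarm
        self.tampered = False
    def poll(self) -> bool:
        if self.switch.read():       # True means the enclosure is open
            self.tampered = True     # latch: stays set until a trusted reset
            self.alarm.write(True)
        return self.tampered


def run_on_host():
    """Unit test on the developer machine, no hardware involved."""
    switch, alarm = FakeGpio([False, False, True, False]), FakeGpio()
    mon = TamperMonitor(switch, alarm)
    return [mon.poll() for _ in range(4)], alarm.writes


def run_on_chip(driver):
    """Same application against a simulated register file of either chip."""
    regs = bytearray(8)
    if driver is ChipBGpio:
        regs[driver.IDR] = 0xFF              # active-low inputs idle high
    mon = TamperMonitor(driver(regs, pin=3), driver(regs, pin=5))
    first = mon.poll()                       # enclosure closed
    regs[driver.IDR] ^= 1 << 3               # "hardware": the switch changes state
    second = mon.poll()
    return first, second, regs[driver.ODR]   # ODR bit 5 set once tampered


if __name__ == "__main__":
    print("host:", run_on_host())
    print("chip A:", run_on_chip(ChipAGpio))
    print("chip B:", run_on_chip(ChipBGpio))
```

Porting to chip B cost one small subclass and zero edits to the application; the inverted input polarity, which is exactly the kind of detail that silently breaks a tightly coupled port, is contained in the driver. The latch behaviour (the alarm stays asserted after the switch closes again) is verified by `run_on_host` in milliseconds, with no board on the desk.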

The promise of sustainable AI may not outweigh the organizational challenges

Without help from technology, outlining sustainability goals would be a limiting and difficult exercise. Enterprises today struggle with quantifying the risk of climate change, especially when it comes to digital transformation. In fact, only 43% of global executives say they are aware of their organization’s IT footprint. Data analytics and AI offer a solution to this challenge, as they provide meaningful insights across industries to understand where those gaps exist and thus can help companies incorporate more sustainable practices. Research shows that 89% of organizations recycle less than 10% of their IT hardware. However, if a company is to truly reap all the environmental benefits of sustainable AI, IT must play a crucial role in using this technology as the organization’s biggest helper, not its adversary. There are four broad areas that offset the sustainability impact of AI machinery and technology: reporting, cloud, circular economy, and coding. Accurate metrics and reporting will keep the AI systems intact and constantly improving, while cloud promotes sustainability because users only pay for the infrastructure per use, eliminating the need to run data centers at full capacity.

Measuring performance in agile

It’s really easy to destroy the culture of an agile team with metrics. We need to be sure that what we measure encourages the right behaviour. Using a team’s velocity as a performance measurement comes with a strong warning label: “Scrum’s team-level velocity measure is not all that meaningful outside of the context of a particular team. Managers should never attempt to compare velocities of different teams or aggregate estimates across teams. Unfortunately, we have seen team velocity used as a measure to compare productivity between teams, a task for which it is neither designed nor suited. Such an approach may lead teams to “game” the metric, and even to stop collaborating effectively with each other. In any case, it doesn’t matter how many stories we complete if we don’t achieve the business outcomes we set out to achieve in the form of program-level target conditions.” We’ve all heard about working smarter, not harder, yet by focusing on story points as a measurement, we find that although in the short term we will succeed at getting people to complete more story points by simply working harder, this approach will not necessarily achieve the outcomes that we want.

Quote for the day:

"Nobody in your organization will be able to sustain a level of motivation higher than you have as their leader." -- Danny Cox
