“When you openly communicate your purpose – when you’re open about how you’re doing things, how data has been used – you instil the most valuable thing when doing data projects, which is trust,” he says. “We are probably in a place where people don’t trust organisations or the government with their data, and that’s a bad place to be… so the transparency, openness, communicating purpose, engaging with people is fairly key.” Ahmed adds that, even in situations where it is not possible to consult the public – for example, when systems are being built for law enforcement or intelligence purposes, or just internally for use by civil servants – openness among the internal stakeholders is still very important. All of this should also be documented: “To make [ethical] framework that’s suitable, to what you’re doing as an organisation, keep referring to it, refresh it, measure your outcomes, learn from it… the potential loss of revenue or reputation for an organisation or government departments are huge if it goes wrong. With ethics, the win is not getting things wrong, the win is having less negative impact or more positive impact.”
No matter what your role is within the software development and API process, you need to be thinking about the implications of your work. Are you being as secure as possible? Because we end up with delays, fails, or worse. What I mean by this is, obviously, you have delays or fails. That can just be annoying when you end up with everything behind schedule, over budget. Everyone a little bit stressed. It's more than just that. If we look at security over the last five years, it used to be a case where you would get your personal details stolen. It might be credit cards. It might be your address, or in America, your social security number. What you're starting to see now, especially in the last year or two, is a lot more ransomware. While before, it would be like, we're going to take your data, and that's obviously bad. People can replace credit cards. It's a bit harder to replace your social security number, and there have been large rises in fraud. It's bad. Ransomware is worse, because then you are totally locked out of your system. Then you are, as the name suggests, at ransom.
Artificial intelligence has a unique possibility that tickles this part of the imagination: it seems familiar. We can recognize a part of ourselves in it: the systematic thinking part. It is rationality without irrationality. Pure reason in action, where the results are always clean and binary. There is a non-human purity of thought in the elegance of its solutions. We have always yearned futilely for this purity — in our food, our philosophical quests, our relationships, even in our gods. But this purity, the simple and bold ease with which we rapidly solve our most bothersome tasks, creates both complacency and trepidation. The complacency is apparent. We have always, as a species, had an infinite capacity for self-congratulation. The trepidation part is more intriguing. It exposes how poorly we have actually sized ourselves up, and reveals at once both the fallacy of thought, its ambitions and its limitations. The fever-dream of sentient AI and the climax of our race is a trite template for thousands of sci-fi stories across several media.
We tend to think of the security team as solely responsible for all aspects of systems security implementation and management, with the IT team more focused on enabling the workstreams of the organisation through data protection, and on ensuring backup and recovery systems are properly implemented. Given the complementary nature of security threats and the need to back up and recover easily if and when an attack occurs, it seems logical that these two groups would collaborate closely. But that’s often not the case. In fact, we found this split between the two roles to be worryingly prevalent in our research. 19% of UK SecOps decision-makers responding to our survey believe collaboration with IT is not strong, and 5% went as far as to call it “weak.” Flipping the coin, among IT decision-makers, 16% believe collaboration is not strong. Across the two roles, in total, 20% of IT and SecOps respondents believe the collaboration between the two is not strong.
The world is on the brink of a revolution in various “realities” — virtual, augmented, and mixed (VR, AR and MR). Mark Zuckerberg’s Meta is planning a grand pivot from old-school social networking to next-generation virtual or mixed reality, which Zuckerberg famously branded “the Metaverse.” By definition, AR, VR, and MR involve digital content, either existing in a digital world (VR) or superimposed on the real world (AR). Nearly all of this content will come in the form of synthetic media. In fact, Meta has already introduced a new AI-powered synthetic media engine, called Make-A-Video. As with the new generation of AI-art engines, Make-A-Video uses text prompts to create videos. Meta is currently promoting this engine as a very fast way for creators to produce video content or virtual environments. Normally, a company making, say, marketing content would need to hire a production crew, pay for post-production work, hire actors, find a location — all that. But products like Make-A-Video suggest that, in the near future, a single creative could make video productions alone in a few hours.
Low-code and no-code automations help business users, non-engineers and non-developers solve end-to-end customer experience problems easily and quickly by creating the use cases themselves. The modern technology stack of low-code automation tools enables citizen developers to solve their own problems and replicate those solutions at scale across other businesses without having to rely on their overburdened IT staff. One example of low-code automation: many traditional systems focus on identity verification or KYC, whereas most loan-financing fraud may actually happen through a fraudulent consumer pay stub. As pay stubs correlate with whether a consumer will pay back their loan successfully and on time, it is important to apply AI/ML automation to verify the validity of this important correlator and avoid defaults. Distinguishing a fraudulent transaction from a clean one quickly and correctly is also very beneficial for merchants as well as end customers, improving user experience and revenue generation.
One of the challenges of developer platforms is that they shouldn’t be viewed as things that can just be built, launched, and then forgotten about; they require constant evolution and maintenance. The feedback loops initiated by a considered communication strategy will help here, but it’s also important to consider the ways the platform evolves alongside the organization and emerging technologies. A technique included for the first time in Volume 27 of our Technology Radar—incremental developer platforms—can be particularly useful as a way of responding to these multifaceted demands. Such an approach not only ensures alignment with the specific needs of users, but also prevents the platform from being derailed by over-ambition—something that typically stems from a preconceived vision of what the platform should look like. The virtues of an incremental approach to software are widely accepted by the industry, so why not apply the same thinking to the way we build platforms and internal tooling?
What did you do to pull it off? Can it be replicated? What did you learn? It’s an exercise that many leaders I’ve interviewed talked up even before the pandemic. “I’ve learned to question success a lot more than failure,” said Kat Cole, who is the president and chief operating officer of Athletic Greens, a nutrition company. As she told me in an interview years ago, “I’ll ask more questions when sales are up than I do when they’re down. I ask more questions when things seem to be moving smoothly, because I’m thinking: ‘There’s got to be something I don’t know. There’s always something.’ This approach means that people don’t feel beat up for failing, but they should feel very concerned if they don’t understand why they’re successful.” Successes can feel like moments for celebration, rather than furrowed-brow scrutiny. But it is precisely those moments of interrogation that can lead to insights and longer-term competitive advantages. Today’s shorter economic cycles create more momentum, both good and bad, and you want to be riding a wave rather than trying to paddle against it.
There are as many ways confidential computing can work as there are companies coding them, but recall the definition noted above. Google Cloud uses Confidential VMs built on the Secure Encrypted Virtualization (SEV) extension of 3rd Gen AMD EPYC CPUs. Data remains encrypted in memory with node-specific, dedicated keys that are generated and managed by the processor; the keys are generated within the hardware during node creation and, from there, never leave that hardware. Today, IBM claims to be on the fourth generation of its confidential computing products, starting with IBM Cloud’s Hyper Protect Services and Data Shield in 2018. The centrepiece of the Hyper Protect services is a FIPS 140-2 Level 4 certified cloud hardware security module. Both products are rated for regulations such as HIPAA, GDPR, ISO 27K and more. IBM also offers HPC Cluster, a portion of IBM Cloud where customers’ clusters are made confidential using “bring your own encrypted operating system” and “keep your own key” capabilities.
Security teams can look at specific verticals to understand what’s working (and what’s not) when it comes to limiting data sprawl in the workplace. The finance sector, for instance, is a prime example of an industry with more stringent security controls and regulations, which in turn limit the apps allowed in the workplace. The Netskope Threat Labs team recently found that fewer than 1 in 10 employees in finance use personal applications at work. Instead, they use managed apps that are closely monitored by security teams. Other sectors are having a more difficult time limiting data sprawl, given the remote nature of the business and less stringent industry regulations. Retail employees, for example, regularly use a slew of cloud apps in the workplace. In fact, 40% of users in the retail industry are uploading data to personal apps. It is crucial for IT security teams, not just in this sector but across all industries, to take proactive measures to help minimize the risk of data sprawl.
Quote for the day:
"The quality of leadership, more than any other single factor, determines the success or failure of an organization." -- Fred Fiedler and Martin Chemers