Why Cybersecurity Should Highlight Veteran-Hiring Programs
Veterans who did not work in cybersecurity while in the military still bring
valuable skills to the field. The military emphasizes
teamwork, adaptability, and responsibility, all traits that security
professionals need to have. Military personnel are also trained in careful
decision-making under extreme pressure using the available information. ...
Earlier this year, the White House National Cyber Workforce and Education Summit
issued a call to action to increase cybersecurity education and training
opportunities. One of the announcements was to encourage more apprenticeship
programs to help develop and train the cybersecurity workforce. In the months
since, there have been a number of initiatives from cybersecurity organizations,
including the SANS Institute. Many colleges and universities have specific
training programs to give veterans hands-on experience in various areas.
Cybersecurity training platform Cybrary said this week it is partnering with
VetSec, a community of over 3,300 veterans working in or transitioning into
cybersecurity, and TechVets, a bridge service for moving veterans, service
leavers, reservists, and their families into IT careers.
ESG and C: Does Cybersecurity Deserve Its Own Pillar in ESG Frameworks?
Thefts of personal information during a cybersecurity breach erode trust on the
part of customers, investors, employees and other stakeholders, demonstrating the
link between cyber risk and social risk. The new disclosure and reporting
requirements embedded in the Securities and Exchange Commission’s latest
regulations governing the oversight of cybersecurity underline the link between
governance risk and cyber risk. All this evidence shows that cybersecurity is
already part of ESG and that, perhaps, a more appropriate abbreviation would be
ESGC. Most enterprise risk management policies have
already expanded their oversight from purely financial risk to these other
areas, including cybersecurity. Cyber risk can be as harmful to a company’s
reputation and value as any other ESG issue, and the damage is inflicted and
experienced in much the same way. As cyberattacks increase in size and
frequency, the direct and indirect damage to companies — including loss of
customer confidence, reputational damage, potential impact on the stock price
and possible regulatory actions or litigation — arguably touches all aspects of
ESG.
Efficient data governance with AI segmentation
An effective and efficient technology is available to replace such archaic
methods and reduce risk fast, at a fraction of the cost: artificial intelligence
(AI) segmentation. With AI-based segmentation, we ascertain what attributes of a
file point to it being more likely to contain sensitive data after scanning just
a small statistical sample of files. This provides us with important information
to prioritize our search for high-risk data. For example, are Word documents at
a higher risk than PowerPoint presentations? Is there a particular folder that
is more likely to contain sensitive data? Once we have our riskiest data
highlighted, we can immediately start a full scan and remediation process,
eliminating the highest risk as early in the process as possible. Thus, we have
prioritized the remediation process to achieve the greatest risk reduction in
the least amount of time. For example, suppose we have many terabytes of data
broken up into chunks of 100 terabytes. To index or scan 100 terabytes at a time
could require several months of work, and it takes even longer to go through all
of it.
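The sample-then-prioritize approach described above, as an added example in Python (not the article's or any vendor's code): it classifies a 20% systematic sample of a constructed file corpus, estimates a sensitivity rate per (folder, file type) segment, and orders the remaining files so the full scan starts where the estimated risk is highest. The corpus, folder names and the SSN-shaped regex are constructed stand-ins for a real file share and a real DLP classifier.

```python
import re
from collections import Counter

# Constructed corpus for this example (not real data): 3 folders x 3 file types x 10 files.
FOLDERS = ("hr", "marketing", "eng")
TYPES = ("docx", "pptx", "txt")
SSN_SHAPED = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # stand-in for a real DLP classifier


def build_corpus():
    """Return {path: text}. All hr/docx files, half the hr/txt files and one eng/txt file are sensitive."""
    corpus = {}
    for folder in FOLDERS:
        for ext in TYPES:
            for i in range(10):
                sensitive = (folder == "hr" and ext == "docx") \
                    or (folder == "hr" and ext == "txt" and i < 5) \
                    or (folder == "eng" and ext == "txt" and i == 0)
                corpus[f"/share/{folder}/doc{i}.{ext}"] = (
                    "employee record 123-45-6789" if sensitive else "meeting notes, nothing personal")
    return corpus


def attributes(path):
    """The attributes the segmentation keys on: parent folder and file type."""
    return path.split("/")[2], path.rsplit(".", 1)[1]


def learn_segments(corpus, every=5):
    """Classify only every N-th file (a 20% systematic sample, in inventory order) and estimate,
    per (folder, type) segment, the share of files holding sensitive data. Laplace smoothing
    keeps thinly sampled segments from collapsing to exactly 0 or 1."""
    hits, seen, sampled = Counter(), Counter(), set()
    for n, path in enumerate(corpus):
        if n % every:
            continue
        sampled.add(path)
        seg = attributes(path)
        seen[seg] += 1
        hits[seg] += bool(SSN_SHAPED.search(corpus[path]))
    return {seg: (hits[seg] + 1) / (seen[seg] + 2) for seg in seen}, sampled


def prioritized_scan_order(corpus, rates, sampled):
    """Order the not-yet-scanned files so the full scan starts in the riskiest segments."""
    remaining = [p for p in corpus if p not in sampled]
    return sorted(remaining, key=lambda p: (-rates.get(attributes(p), 0.5), p))


def sensitive_found(corpus, order, k):
    """How many sensitive files the full scan has reached after working through the first k."""
    return sum(bool(SSN_SHAPED.search(corpus[p])) for p in order[:k])
```

Comparing `sensitive_found` for the prioritized order against plain path order after the same number of files shows the risk-reduction-per-unit-of-work gain the passage argues for.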
What Makes a Good Cybersecurity Professional?
A cybersecurity professional is, at their core, an analytical person who looks
at a problem from multiple points of view and devises an approach to solve the
problem. When doing so, they must collaborate with people from different
backgrounds and functions to understand the problem in depth and in context.
This requires good communication skills, unlike some other technology-heavy
roles in which a specification (spec) is provided and the task is strictly to
achieve the spec. Someone could be an analyst, a risk advisor, a banker or a
human resources (HR) professional and they could still be considered a
cybersecurity professional. Cybersecurity relies on an understanding of human
behavior and on contextual transactions in different lines of business. For
example, a banker knows the pitfalls of processes when it comes to
banking-related operations. They can bring this wealth of knowledge to
cybersecurity operations by gaining the right skill set to build their
technological capability. Imagine this to be a role where a consultant envisions
the strategy and the solution and builds the technological stack required to
solve the problem.
Agility, business more important than cost, network management for IT teams
Half of IT teams rated end-to-end visibility as a top priority, while just under
that number said multicloud software-defined networks (SDNs) were on their
most-wanted list. The bottom line in this area, said Cisco, was that although an
unpredictable world challenges IT organisations, it also presents new
opportunities for those that use technology to support dynamic business needs.
It said IT needs to adopt an agile, cloud-like operations model for everything
it does, including network operations. Cisco also remarked that as endpoints and
applications become more dispersed and distributed, network complexity
multiplies. While adoption of public cloud is growing, 50% of workloads are
still deployed on-premise, and as a result, most environments will continue to
be a mix of public cloud, hosted, private cloud, edge and on-premise
environments, it said. CloudOps and NetOps figured highly in both operational
and organisational trends and there was greater alignment between the objectives
of both. In all, 49% of CloudOps and 42% of NetOps respondents said security was
their top motivation for using multiple clouds, and both said business
performance, security and agility were top priorities.
Networking for remote work puts the emphasis on people, not sites
Many companies had to support work-from-home (WFH) during COVID, and most looked
forward to having their staff back in the office. Most now tell me that some or
all of the staff isn’t coming back, and that remote work is a given for at least
some positions, likely for a very long time. That’s opened major questions about
how these now-forever-roaming workers are connected to information resources and
to each other. Didn’t we solve this already, with Zoom and Teams? Sort of.
Collaborative video applications provide a reasonable substitute for meetings,
but you still have the challenge of application access and information delivery.
A bit over 80% of enterprises I’ve talked with say they need to make a remote
worker look like they’re at their desk, and they need to be able to work as
though they were as well. During lockdown, most companies said they relied on
sending files and documents to workers. A few used SD-WAN technology to connect
workers’ homes to the company VPN. The former strategy is very limiting and
inefficient; you can’t replace checking account status online by sending around
documents.
5 ways to find hidden IT talent inside your organization
Nobody knows the hidden IT talents of non-IT employees better than their
managers and co-workers. At TruStone, business leaders and managers are open to
recognizing employees with IT potential that could benefit both the employee’s
career and the company. “We’re transparent that this would be a great person for
[an IT] career progression, so maybe they should come into IT,” Jeter says.
Jeter often discovers talent through his team’s product management consults
inside the organization. “With a lot of scaled agile framework, we have product
owners that sit outside of IT but within the business in areas like consumer
lending, member services, or mortgages. We have technologies to align with them
and they orchestrate the backlog” and other supporting duties, Jeter says. “They
see what IT does, and we see what they do — and some of them want to come into
IT.” IT scored a new team member recently after a product owner in operations
worked with IT on a product management consult. He had been with the company for
nine years and worked in training before business operations.
Not patched Log4j yet? Assume attackers are in your network, say CISA and FBI
The ubiquitous nature of Apache Log4j means it's embedded in a vast array of
applications, services and enterprise software tools that are written in Java
and used by organizations around the world, many of which rushed to apply the
fixes. But despite the urgent messaging around the need to apply critical
security updates, there are still organizations that haven't done so – meaning
they're still vulnerable to any cyber criminals or other malicious hackers
looking to exploit Log4j. Now CISA and the FBI have warned organizations with
affected VMware systems that didn't immediately apply patches or workarounds "to
assume compromise and initiate threat hunting activities". The cybersecurity
advisory (CSA) also warns any organizations that detect a compromise as a result
of Log4j to "assume lateral movement" by the attackers, investigate any
connected systems and audit accounts with high privilege access. "All
organizations, regardless of identified evidence of compromise, should apply the
recommendations in the mitigations section of this CSA to protect against
similar malicious cyber activity," said the alert.
Don’t get lost in the cloud: How to manage multiple providers
For organizations that take an ad hoc approach to multi-cloud, the risks include
cost overruns from engaging several different services, Linthicum warns. “They
don’t have a good handle on how the money’s being spent in a particular cloud
provider, even within the primary provider,” he says. “And they’re getting huge
cloud bills they didn’t expect, to the point that the boards of directors and
CIOs and C-suites are starting to notice.” Security concerns are another reason
to centralize cloud management. Organizations with three or four providers
should have a security system that spans all of them so they can avoid juggling
several separate dashboards, Linthicum suggests. “That’s where people get
confused, and that’s how breaches occur.” Besides a plan for how the various
providers work together, Linthicum says, it’s crucial to have a financial
operations (FinOps) program that monitors and manages usage and costs. “Many
enterprises don’t have that right now,” he notes. “They wait for their bill to
show up and then figure out what went on, and they’re just running it on a
spreadsheet where they’re not getting a true FinOps program in place.”
When, Why and How Facilitation Skills Help Scrum Teams
Stress levels run high when two vocal members in the team, Minal and Linda,
clash during the Sprint Retrospective. Minal expresses her disappointment with
how little progress the team made during the Sprint. She adds sarcastically that
maybe it was because of how they decided to implement the work, which was
originally Linda’s idea. Linda responds quickly in a defensive tone, and calls
out that Minal is always quick to point out what’s wrong but doesn’t contribute
many suggestions of her own. The Retrospective descends into a tense back and
forth between them, and the Scrum Master, who is facilitating the Retrospective,
firmly stops their argument. The Scrum Master moves the discussion to
improvement ideas for the team, and many items around managing work in progress
and exploring new technologies are suggested, but ultimately the team is stuck
at an impasse of what to carry forward. The timebox ends and the Scrum Master
calls an end to the Sprint Retrospective with no plans for the team on how to
improve.
Quote for the day:
"Make heroes out of the employees who personify what you want to see in the organization." -- Anita Roddick