Singh calls herself a business information security partner, but the title
most commonly employed for this role is business information security officer
(BISO). People in these roles are responsible for one or more areas of the
business and they usually report to the CISO or CTO, based on
job descriptions found online and those laid out by multiple sources
interviewed for this article. The people holding these roles also come from
diverse educational and experiential backgrounds, at the core of which are
strong familiarity with compliance regulations, solid cybersecurity
foundations, and business acumen. ... Renee Guttmann, who’s been CISO to
several Fortune 50 companies, says that the most important thing she looks for
in a BISO is a thorough understanding of the business unit they support, which
includes identifying the company’s “crown jewels”: what the most important
assets are, where they are, and the targeted attacks to which they are
potentially vulnerable. The BISO should be able to identify the risks and work
with others, such as architecture and infrastructure managers, to prioritize
risks.
DevOps: 3 steps to plan and execute a successful project
The preliminary stages of a DevOps project are crucial. Without clear
direction and a shared understanding across the team, the initiative is doomed
to failure. The team and the client must therefore be willing to dedicate the
time necessary to understand each other’s goals and ensure their visions
align. This can be done through meetings and workshops, where participants
identify objectives and team members establish a clear goal for how the final
product should look. When executed correctly, the DevOps team will exit the
project’s first phase with a well-defined brief and a clear understanding of
the client’s goals. If this step is rushed, engineers will be hindered by a
lack of direction, increasing the likelihood that the finished product will
not meet the client’s requirements. ... Phase two is when the development of
the app begins. This is usually facilitated by using a cloud-based solution,
where the team begins preparing the environment’s aesthetic, working out the
components it should contain, and understanding how they should be configured
to maximize efficiency.
5 Key Kubernetes Trends to Follow in 2023
Multi-cluster Kubernetes is important because it makes it feasible to separate
workloads using not just namespaces, but entirely distinct clusters. Doing so
provides more security and performance protections than you can get using
namespaces, which offer only virtualized segmentation between workloads. As a
result, multi-cluster Kubernetes makes Kubernetes more valuable for use cases
that involve very stringent security requirements, or where it's critical to
avoid the "noisy neighbor" problems that can happen when multiple workloads
share the same hosting infrastructure. ... No one has ever accused Kubernetes
of being an easy platform to use. On the contrary, you'll find plenty of
warnings on the internet that Kubernetes is "hard," or even "damn
complicated." But you could have said the same thing about Linux in the 1990s,
or the Amazon cloud in the mid-2000s, when those platforms were new. Like
other major technologies that preceded it, Kubernetes is still growing up, and
there remains plenty of room to improve it by improving the platform's
usability.
Moving Beyond Security Awareness to Security Education
“Unlike awareness, application security education is based on central
principles or ‘big ideas’. If key security concepts are part of a continuous
and programmatic education initiative, development teams can learn to apply
knowledge, skills, and experience to novel situations and better secure
applications,” said Baker. When application security principles are
understood, developers can then not only identify when code isn’t quite right
or spot something that creates risk, but also effectively design against it.
“Awareness doesn’t go far enough for security-critical roles such as software
developers, product and UX managers, quality assurance and scrum masters who
are all responsible for delivering safe applications,” said Baker. “What’s
needed is deeper education, and there are several ways that this can be
incorporated into the awareness training mix.” First and foremost, Baker
stated, the concept of continuous and programmatic security education—and why
it matters for security-critical roles—requires buy-in from everyone within
the organization.
Blow for Meta: must stop serving personalised ads until it's GDPR compliant
According to nyob, ten confidential meetings took place between Meta and the
DPC during the course of the proceedings, over which time the DPC came down on
the side of the company and its bypassing of the standard GDPR rules for
consent. Schrems has launched multiple successful legal campaigns against
technology companies and their misuse of personal data. He said: "This case is
about a simple legal question. Meta claims that the 'bypass' happened with the
blessing of the DPC. For years the DPC has dragged out the procedure and
insisted that Meta may bypass the GDPR, but was now overruled by the other EU
authorities. It is overall the fourth time in a row the Irish DPC got
overruled." Schrems claimed the DPC had refused to release the details of the
decision to nyob and accused the regulator of playing "a very diabolic public
relations game". He added: "By not allowing noyb or the public to read the
decision, it tries to shape the narrative of the decision jointly with Meta.
It seems the cooperation between Meta and the Irish regulator is well and
alive - despite being overruled by the EDPB"
What is data ingestion?
At its simplest, data ingestion is the process of shifting or replicating data
from a source and moving it to a new destination. Some of the sources from
which data is moved or replicated are databases, files or even IoT data
streams. The data moved and/or replicated during data ingestion is then stored
at a destination that can be on-premises. ... Data ingestion uses software
automation to move large amounts of data efficiently, as the operation
requires little manual effort from IT. Data ingestion is a mass means of data
capture from virtually any source. It can deal with the extremely large
volumes of data that are entering corporate networks on a daily basis. Data
ingestion is a “mover” technology that can be combined with data editing and
formatting technologies such as ETL. By itself, data ingestion only ingests
data; it does not transform it. For many organizations, data ingestion is a
critical tool that helps them manage the front end of their data and data just
entering their enterprise. A data ingestion tool enables companies to
immediately move their data into a central data repository without the risk of
leaving any valuable data “out there” in sources that may later no longer be
accessible.
The Most Futuristic Tech at CES 2023
TCL's RayNeo X2 AR glasses are available for demo at CES 2023, and CNET's
Scott Stein was able to use them to translate a conversation with a Chinese
speaker in real time. The frames on the RayNeo X2 AR glasses are slightly
bulkier than regular eyeglass frames, but prescription inserts eliminate the
need to wear other glasses underneath, and the expected introduction of
Qualcomm's AR1 chipset should reduce the size further. The RayNeo X2 AR
glasses will be released to the developer community at the end of the first
quarter of 2023, with a commercial launch set for later in the year. ... One
of the more unusual prototypes shown at CES 2023 is a wearable neckband from a
Japanese startup company called Loovic. The device hangs around your neck,
sort of like studio headphones when not in use, and provides audio and tactile
directions to help you navigate without looking at your phone. The device was
inspired by Loovic CEO Toru Tamanka's son, who suffers from a cognitive
impairment that makes following directions difficult. It will work for anyone
who wants to receive navigation while keeping their head up.
Kubernetes must stay pure, upstream open-source
Vendors may modify code for their custom distributions or the supporting
applications you need to make Kubernetes run in production. While a modified
version of Kubernetes will work with a particular vendor’s application stack
and management tools, these proprietary modifications lock you into customized
component builds preventing you from integrating with other upstream
open-source projects without lock-in. And if their stack comprises multiple
products, it’s very hard to achieve interoperability, which can cause lots of
downstream issues as you scale. ... It’s incredibly difficult to merge back a
fork that has diverged drastically over the years from the upstream. This is
called technical debt – the cost of maintaining source code caused by
deviation from the main branch where joint development happens. The more
changes to forked code, the more money and time it costs to rebase the fork to
the upstream project.
Managing Remote Workforces: IT Leaders Look to Expanded Suite of Tools
Ramin Ettehad, co-founder of Oomnitza, says organizations must connect their
key systems and orchestrate rules, policies, and workflows across the
technology and employee lifecycle, not with tickets and manual workloads, but
rather with conditional rule-based automation of all tasks across teams and
systems. He notes an example of a key business process that is challenged in a
remote working world is employee onboarding and offboarding. “Companies want
to make a positive first impression by offering new employees a consumer-esque
onboarding experience,” he says. “This effort will maximize employee
experience and time to productivity.” From the perspective of Dan Wilson, vice
president analyst in the Gartner IT practice, some key tech tools for remote
workforce management include remote Control for IT support to remotely see and
interact with computers, as well as Unified Endpoint Management (UEM). “UEM
lets IT departments discover, manage, configure devices, and deploy software
and operating system updates without having to connect to the corporate
network or VPN,” he explains.
Social Engineering Attacks: Preparing for What’s Coming in 2023
Impersonation and comment spam have exploded over the past year and will
likely be some of the most prominent forms of phishing in 2023. This type of
social engineering attack exploits the trust and recognition associated with
influencers. Attackers create an account on a social media site that looks
nearly identical to an influencer’s. The posts are often giveaway
announcements, declaring that fans just need to “click this link” or “DM this
account on Telegram” to collect their winnings. Instead, people are tricked
into giving away money and are ghosted by the fake account. Impersonation and
comment spam have become so serious on YouTube that prominent creators have
asked the platform to address the issue. The scam results in monetary theft
and hurts the reputation of the creators being impersonated. ... One peculiar
new form of social engineering on the rise is reputation ransomware. This
scare tactic exploits the headline nature of data breach announcements. The
cybercriminal will demand ransom from the victim organization, threatening to
“leak” news of a fictional data breach if they do not pay.
Quote for the day:
"Without continual growth and
progress, such words as improvement, achievement, and success have no
meaning.” -- Benjamin Franklin
No comments:
Post a Comment