Daily Tech Digest - March 07, 2023

The four qualities of resilient teams

The first quality is team confidence, or the belief that the team can handle just about anything that comes its way. Team confidence, the authors note, isn’t really the sum of a lot of individual confidence, for swollen egos don’t benefit the team. The goal is collective and mutual confidence. And not too much, because overconfidence undermines success. “Moderately high confidence offers a healthy balance of confidence and caution,” the authors write. To build team confidence, managers are urged to make goals and processes clear, empower the team by encouraging members to participate in decision-making, cheer successes, and provide useful feedback during struggles. The second quality is having the foresight to create a teamwork road map, or a plan that “reflects the extent to which all team members know what their own roles and responsibilities are, and the extent to which they agree on what all other team members’ roles and responsibilities are. Team members may even know how to perform one another’s roles so that at any point, one person can step in for another.”

What is zero trust? A model for more effective security

Removing that implicit trust takes time, according to experts, and most organizations are far from accomplishing that objective. “It’s a journey of change,” says Chalan Aras, a member of the Cyber & Strategic Risk practice at Deloitte Risk & Financial Advisory. Zero trust is also a collection of policies, procedures, and technologies. Organizations that want to implement an effective zero-trust strategy must have an accurate inventory of assets, including data. They must have an accurate inventory of users and devices as well as a robust data classification program with privileged access management in place, Valenzuela says. Other components include comprehensive identity management, application-level access control, and micro-segmentation. Another important element is user and entity behavior analytics, which uses automation and intelligence to learn normal (and therefore accepted and trusted) user and entity behaviors from anomalous behaviors that shouldn’t be trusted and therefore denied access.

Will ChatGPT make low-code obsolete?

Unlike technologies of the past which typically automate or speed up a repetitive process (manufacturing, logistics, transportation etc.), ChatGPT does something entirely new – enhancing the creativity of the user. While we can debate whether this is true creativity or not, ultimately if the outcome is the same, is it not still creative? Think of how ChatGPT could help a software developer crack a particularly challenging piece of code, or how it could optimise existing code. It can also help developers be more creative by reducing the repetitive/boring part of their jobs so they can focus on the parts they love, leaving them more time to flex their creative muscles. Going beyond the developer use case, ChatGPT has the ability to democratise coding itself by providing a way for non-coders to develop applications themselves – in much the same way that low-code promises, but on steroids. This “democratisation of IT” promises a new wave of innovation by enabling organisations to create new processes without the need to engage with IT at all. ChatGPT could achieve the same outcome as low-code but in half the time.

SBOMs should be a security staple in the software supply chain

NIST's standard includes multiple elements, from the software component used and its supplier to version numbers and access to the component's repository. Version levels must be evaluated against release levels, potential threats found, and risks determined. "Unwinding large applications, from open-source operating systems, to in-house developed applications, to third-party 'shrink-wrapped' stacks is fraught with contextual challenges, inventory methods, and manual verification, all of which are prone to error," Masserini writes. While the process of identifying and reporting issues is codified, "it does not address the issue of manually maintaining such an inventory and consistently validating its contents," he says. Automation must be put into every step of the process, from generating and publishing SBOMs to ingesting them – and then bring vulnerability remediation into their current app security programs without having to adopt new workflows, Lambert says. There are other considerations. SBOMs deliver a lot of information, but organizations need to decide how they're going to use it. 

Digital twins could be the key to successful automation

The primary advantage of the digital twin is that it evolves as automation evolves. As a result, if any changes are applied to the automation in the RPA platform, those same changes are reflected in the twin, ideally in real-time or at least near real-time. Operational metrics are also accessible and displayed where the twin resides so that it can be monitored and continuously improved. Beyond changes and operational metrics, a digital twin in automation enables an organization to compile accurate documentation and detailed audit trails for the entire automation estate and maintain it in a single, centralized repository. Doing so not only addresses the problem of misplaced or lost process design documents, but also solves one of the major pain points of automating: An inability to visualize and understand how automations have changed over time. Maintaining digital twins for all automations in a central location — regardless of the RPA platform in which they are designed, deployed and orchestrated — vastly improves automation standardization, governance and visibility.

Stepping up: Becoming a high-potential CEO candidate

Stanford University economics professor Nicholas Bloom, who’s spent his career researching CEOs, describes the reality he’s observed: “It’s frankly a horrible job. I wouldn’t want it. Being a CEO of a big company is a hundred-hour-a-week job. It consumes your life. It consumes your weekend. It’s super stressful. Sure, there’re enormous perks, but it’s also all encompassing.” Reinforcing the point, Microsoft CEO Satya Nadella describes the job as “24/7.” His late mentor Bill Campbell, who had been a CEO three times and was an influential coach to several technology industry leaders, would often remind him, “No one has ever lived to outwork the job. It will always be bigger than you.” Many CEOs secretly agree that the best job in the world is actually the one right below the CEO. There the spotlight burns less brightly, yet the opportunities to make a difference are great, as are the rewards. Without the right motivations and expectations, not only will you find that the effort required to be CEO outweighs any personal gain, but you will also be less likely to succeed. As CCHMC’s Fisher puts it, 

Enterprise IT moves forward — cautiously — with generative AI

The technology also needs human oversight. “Systems like ChatGPT have no idea what they’re authoring, and they’re very good at convincing you that what they’re saying is accurate, even when it’s not,” says Cenkl. There’s no AI assurance — no attribution or reference information letting you know how it came up with its response, and no AI explainability, indicating why something was written the way it was. “You don’t know what the basis is or what parts of the training set are influencing the model,” he says. “What you get is purely an analysis based on an existing data set, so you have opportunities for not just bias but factual errors.” Wittmaier is bullish on the technology, but still not sold on customer-facing deployment of what he sees as an early-stage technology. At this point, he says, there’s short-term potential in the office suite environment, customer contact chatbots, help desk features, and documentation in general, but in terms of safety-related areas in the transportation company’s business, he adds, the answer is a clear no.

Career paths for devops engineers and SREs

Solving business challenges today requires multidisciplinary teams and integrated solutions. If you enjoy problem-solving, shift to other organizational roles and develop broader perspectives on what’s required to deliver end-to-end solutions. One opportunity for developers is to shift to data science and machine learning roles. Tiago Cardoso, a product manager at Hyland, says, “Career paths for developers have become much more flexible and individualized, and I’m seeing a lot of new developer roles appearing, such as data engineers, ML engineers, ML architects, and MLops engineers.” He adds, “Common career paths for those in devops and SREs include positions such as systems administrator, infrastructure engineer, and cloud architect.” ... Architect roles and responsibilities vary considerably from one organization to another, but successful architects are more than just technical experts. Architects scale their expertise by helping agile teams learn, apply, and create self-organizing standards around using technology to deliver business solutions.

Zero-Day Vulnerabilities Can Teach Us About Supply-Chain Security

Writing, testing and validating whether a fix will resolve a vulnerability can take trial and error. By definition, zero-days don’t have a patch, meaning it can often be days before developers can even begin the process of patching their applications. Furthermore, software needs to go through QA cycles before a true fix is identified. This is why security controls are necessary for blocking malicious activity before it reaches runtime. Additionally, developers must analyze their software development life cycle (SDLC) and augment it before a vulnerability is announced. An asset or application inventory should be a mandatory component so that when a vulnerability is disclosed, organizations know who owns the application and who to contact. ... Securing third-party or commercial-off-the-shelf software is one of the biggest cybersecurity challenges facing every organization. Unfortunately, most vendors don’t disclose the components and libraries that make up their software, making it difficult for organizations to know whether a vulnerability affects them once it’s disclosed.

Five Factors That Turn CISOs into Firefighters

When a CISO is referred to as a “firefighter,” it typically means that they are spending a significant amount of time responding to security incidents and putting out fires rather than being able to focus on proactively preventing those incidents from occurring in the first place. Here are some reasons why a CISO may become a firefighter:

1. Lack of resources: A CISO may not have sufficient resources (e.g., budget, staff, or technology) to implement a comprehensive cybersecurity program effectively. This can lead to security incidents that require a reactive response.
2. Insufficient risk management: A CISO may not have a robust risk management program in place, which means that security incidents are more likely to occur. Without proper risk management, a CISO may be caught off guard by security incidents and have to react quickly to mitigate the damage.
3. Lack of security awareness: Employees may not be properly trained on cybersecurity best practices, which can lead to security incidents such as phishing attacks or malware infections. ...

Quote for the day:

"Different times need different types of leadership." -- Park Geun-hye
