The Rise of the BISO in Contemporary Cybersecurity

In general, “A BISO is assigned to provide security leadership for one
particular business unit, group, or team within the greater organization,”
explains Andrew Hay, COO at Lares Consulting. “Using a BISO divides
responsibility in large companies, and we often see the BISOs reporting up to
the central CISO for the organization.” “A BISO is responsible for
establishing or implementing security policies and strategies within a line of
business,” adds Timothy Morris, chief security advisor at Tanium. “Before the
BISO role became popular, other director-level roles performed similar
functions in larger organizations as an information security leader.” The
precise role of the BISO varies from company to company depending on the needs
of that company. “In some cases, the BISO will hold a senior position
reporting directly to the CISO, CTO, or CIO,” explains Kurt Manske, managing
principal for strategy, privacy, and risk at Coalfire. “At this level, the
BISO acts as a liaison with business unit leaders and executives to promote a
strong information security posture across the organization.”

CEO directives: Top 5 initiatives for IT leaders

Cybersecurity became a bigger issue this year for Josh Hamit, senior VP and
CIO at Altra Federal Credit Union, due in part to Russia’s invasion of
Ukraine, which touched off warnings about possible Russia-backed hackers
stepping up cyberattacks on US targets. As a result, Hamit has brought extra
attention to partnering with Altra’s CISO to perfect security fundamentals,
cyber hygiene and best practices, and layered defenses. More likely cyber
scenarios have IT leaders increasingly concerned as well. For instance, three
out of four global businesses expect an email-borne attack will have serious
consequences for their organization in the coming year, according to CSO
Online’s State of Email Security report. Hybrid work has led to more email
(82% of companies report a higher volume of email in 2022) and that has
incentivized threat actors to steal data through a proliferation of social
engineering attacks, shifting their focus from targeting the enterprise
network itself to capitalizing on the vulnerable behaviors of individual
employees.

Breach Roundup: Med Devices, Hospitals and a Death Registry

A vulnerability the Indian government at first said did not exist, it now
says, is fixed. The Indian Ministry of Railways in December denied that the
data of 30 million people allegedly on sale on the dark net came from a hacker
breaching Rail Yatri, the official app of Indian Railways. On Wednesday,
Minister of State for Electronics and Information Technology Rajeev
Chandrasekhar said the Indian Railway Catering and Tourism Corp. fixed the
issue and took necessary precautions to prevent its recurrence. Neither Rail
Yatri nor the minister disclosed the penalty paid for the incident. ... A
February data breach of the U.S. Marshals Service systems, which led to
hackers maliciously encrypting systems and exfiltrating sensitive law
enforcement data, got worse. A threat actor is reportedly selling 350
gigabytes of data allegedly stolen from the servers for $150,000 on a
Russian-speaking hacking forum. The data on sale allegedly includes "documents
from file servers and work computers from 2021 to February 2023, without
flooding like exe files and libraries," reported Bleeping Computer.

BianLian ransomware group shifts focus to extortion

Researchers observed that the speed at which BianLian posts the masked details
has also increased over time. If one is to accept the date of compromise
listed by BianLian as accurate, the group averages just ten days from an
initial compromise to ratcheting up the pressure on a victim by posting masked
details. In some instances, BianLian appears to have posted masked details
within 48 hours of a compromise, Redacted said in its report. “With this shift
in tactics, a more reliable leak site, and an increase in the speed of leaking
victim data, it appears that the previous underlying issues of BianLian’s
inability to run the business side of a ransomware campaign appear to have
been addressed,” Redacted said, adding that these improvements are likely the
result of gaining more experience through their successful compromise of
victim organizations. The BianLian group appears to bring close to 30 new
command-and-control (C2) servers online each month. In the first half of
March, the group has already brought 11 new C2 servers online. The average
lifespan of a server is approximately two weeks, Redacted said.

CIOs Must Make Call on AI-Based App Development

Erlihson says other key stakeholders necessary for an AI-based app development
strategy include the chief data officer (CDO), who can help manage and govern
the organization’s data assets, ensure data quality, and make sure that data
is used in compliance with regulations. The chief financial officer (CFO) can
ensure that the organization’s investments in AI-based tools are aligned with
the financial objectives and overall budget of the company. “It's also
important to include business leaders to identify business problems that can
be solved by AI, providing use cases, and setting priorities for AI-based app
development based on business needs,” he says. Legal and compliance must also
be involved to ensure AI-based tools are compliant with data privacy laws and
regulations, security, and ethical use of AI. “Finally, operations and IT
teams are needed to provide feedback on the feasibility and scalability of
AI-based tool development and deployment and to assure that the necessary IT
infrastructure required to support AI-based app deployment is in place,”
Erlihson says.

How Design Thinking and Improved User Experiences Contribute to Customer Success

Everything is about the needs, preferences and behaviors of users and the
frustrations they sometimes face, with a continuous feedback loop used for
perpetual reporting. The model emphasizes the need for diverse voices,
experimentation with new ways of working, rapid prototyping and iteration, as
well as a commitment to constantly improving the quality of service. As an
example of experimentation, Airbnb unlocked growth by using professional
photography to replace poor-quality images advertising property rentals in New
York and saw an instant uptick. Done right, it has the benefit of challenging
developer assumptions and management status quo. It helps to mitigate against
the narrative of ‘we’ve always done it this way’ or the temptation to
‘bloatware’ which adds pointless features and functions. Despite the name,
Design Thinking doesn’t just impact software user experience design; product
managers and others are also involved to create a holistic understanding of
what is happening.

Sovereign clouds are becoming a big deal again

Although sovereign clouds aim to increase data privacy and sovereignty, there
are concerns that governments could use them to collect and monitor citizens’
data, potentially violating privacy rights. Many companies prefer to use
global public cloud providers if they believe that their local sovereign cloud
could be compromised by the government. Keep in mind that in many cases, the
local governments own the sovereign clouds. Sovereign clouds may be slower to
adopt new technologies and services compared to global cloud providers, which
could limit their ability to innovate and remain competitive. Consider the
current artificial intelligence boom. Sovereign clouds won’t likely be able to
offer the same types of services, considering that they don’t have billions to
spend on R&D like the larger providers. Organizations that rely on a
sovereign cloud may become overly dependent on the government or consortium
operating it, limiting their flexibility and autonomy. As multicloud becomes a
more popular architecture, I suspect the use of sovereign clouds will become
more common.

Why You Need a Plan for Ongoing Unstructured Data Mobility

Most organizations keep all or most of their data indefinitely, but as data
ages, its value changes. Some data becomes “cold” or infrequently accessed or
not needed after 30 days yet must be retained for a period of time for
regulatory or compliance reasons; some data should be deleted; and some data may
be required for research or analytics purposes later. ... Ensuring easy mobility
for the data as it ages and understanding the best options for different data
segments is paramount. Another reason why unstructured data mobility is
imperative is due to growing AI and machine learning adoption. Once data is no
longer in active use, it has the potential for a second or third life in big
data analytics programs. You might migrate some data to a low-cost cloud tier
for archival purposes but IT or other departments with the right permissions
should be able to easily discover it later and move it to a cloud data lake or
AI tool when needed for many different use cases.

Microsoft: 365 Copilot chatbot is the AI-based future of work

Microsoft CEO Satya Nadella said the new 365 Copilot chatbot will “radically
transform how computers help us think, plan and act.” “Just as we can’t imagine
computing today without a keypad, mouse or multitouch, going forward we won’t
be able to imagine computing without copilots and natural language prompts
that intuitively help us with continuation, summarization, chain-of-thought
reasoning, reviewing, modifying and acting,” he said. Copilot combines a large
language model (LLM) with the 365 suite and the user data contained therein.
Through the use of a chatbot interface and natural language processing, users
can ask questions of Copilot and receive human-like responses, summarize
online chats, and generate business products. Copilot in Word, for example,
can jump-start the creative process by giving a user a first draft to edit and
iterate on — saving hours in writing, sourcing, and editing time, Microsoft
said in a blog post. "Sometimes Copilot will be right, other times usefully
wrong — but it will always put you further ahead,"

How CISOs Can Start Talking About ChatGPT

Do we have the right oversight structures in place? The fundamental
challenge with AI is governance. From the highest levels, your company needs
to devise a system that manages how AI is studied, developed and used within
the enterprise. For example, does the board want to embrace AI swiftly and
fully, to explore new products and markets? If so, the board should
designate a risk or technology committee of some kind to receive regular
reports about how the company is using AI. On the other hand, if the board
wants to be cautious with AI and its potential to up-end your business
objectives, then perhaps it could make do with reports about AI only as
necessary, while an in-house risk committee tinkers with AI’s risks and
opportunities. Whatever path you choose, senior management and the board
must establish some sort of governance over AI’s use and development.
Otherwise employees will proceed on their own – and the risks only
proliferate from there.

Quote for the day:

"Humility is a great quality of leadership which derives respect and not just
fear or hatred." -- Yousef Munayyer