Daily Tech Digest - May 12, 2023

The Industrywide Consequences of Making Security Products Inaccessible

Restricting access to security products creates situations where people from underrepresented groups are not able to easily catch up with their more fortunate peers who are already employed by enterprises with access to the latest tooling. In other words, companies publicly championing their efforts to increase diversity and get more people from underrepresented groups in the industry are actually making it harder for the same people to get into cybersecurity. It's not uncommon to see motivated and driven people from underrepresented backgrounds spend their free time studying and trying to level up their skills so they can move up the career ladder. While scholarships and grants are certainly helpful, what can be even more impactful is giving them access to tools they need to learn to develop new skills, build résumés, and get hired or promoted. ... It seems like most security vendors today create thought leadership content about how bad the talent shortage is for the industry, yet few are making it easy for people to become job ready by learning how to use their tools.


Open-Source Leadership to the European Commission: CRA Rules Pose Tech and Economic Risks to EU

As currently written, the CRA would impose a number of new requirements on hardware manufacturers, software developers, distributors, and importers who place digital products or services on the EU market. The list of proposed requirements includes an "appropriate" level of cybersecurity, a prohibition on selling products with any known vulnerability, security by default configuration, protection from unauthorized access, limitation of attack surfaces, and minimization of incident impact. The list of proposed rules also includes a requirement for self-certification by suppliers of software to attest conformity with the requirements of the CRA, including security, privacy, and the absence of known vulnerabilities (CVEs, Common Vulnerabilities and Exposures). The problem with these rules, explained Mike Milinkovich, executive director of the Eclipse Foundation, in a blog post, is that they break the "fundamental social contract" that underpins open source, which is, simply stated, that the producers of that software provide it freely, but accept no liability for its use and provide no warranties.


White House addresses AI’s risks and rewards

While Schiappa agreed that AI can exploit vulnerabilities with malicious code, he argued that the quality of the output generated by an LLM is still hit and miss. “There is a lot of hype around ChatGPT but the code it generates is frankly not great,” he said. Generative AI models can, however, accelerate processes significantly, Schiappa said, adding that the “invisible” part of such tools — those aspects of the model not involved in the natural language interface with a user — are actually more risky from an adversarial perspective and more powerful from a defense perspective. Meta’s report said industry defensive efforts are forcing threat actors to find new ways to evade detection, including spreading across as many platforms as they can to protect against enforcement by any one service. “For example, we’ve seen malware families leveraging services like ours and LinkedIn, browsers like Chrome, Edge, Brave and Firefox, link shorteners, file-hosting services like Dropbox and Mega, and more. When they get caught, they mix in more services including smaller ones that help them disguise the ultimate destination of links,” the report said.
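The evasion Meta describes, chaining a shortener through a file host through yet another service so that no single hop reveals where a link ends up, is only defeated by resolving the whole chain without auto-following redirects and scoring the number of distinct services involved. The resolver below is an added example, not code from the original article or from Meta's report. It assumes a fetcher that returns only the Location header of one hop; the in-memory table and the hostnames in it are constructed so the code runs offline, and the three-service threshold is an assumed tuning knob, not a figure from the report.

```python
"""Unwrap a multi-hop redirect chain one hop at a time and score it.

Added example, not from the original page or from Meta's report. The
redirect table, hostnames and threshold below are constructed assumptions.
"""
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlparse

# Constructed redirect table standing in for live HTTP hops (hypothetical hosts).
FAKE_REDIRECTS: Dict[str, str] = {
    "https://short.example/abc": "https://files.example/dl?id=42",
    "https://files.example/dl?id=42": "https://cdn.example/pkg.zip",
}


def fetch_location(url: str) -> Optional[str]:
    """Offline stand-in for a HEAD request with redirects disabled.

    With the `requests` library the live equivalent is
    requests.head(url, allow_redirects=False, timeout=5).headers.get("Location").
    Returning None means the URL is a final hop.
    """
    return FAKE_REDIRECTS.get(url)


def unwrap(
    url: str,
    max_hops: int = 10,
    fetch: Callable[[str], Optional[str]] = fetch_location,
    suspicious_hosts: int = 3,
) -> dict:
    """Follow Location headers manually; stop on loops or excessive depth.

    The verdict is 'resolved', 'loop' or 'too_many_hops'. A chain is marked
    suspicious when it does not resolve cleanly or when it crosses at least
    `suspicious_hosts` distinct hostnames, the 'mix in more services' pattern.
    """
    chain: List[str] = [url]
    seen = {url}
    verdict = "resolved"
    while True:
        if len(chain) > max_hops:
            verdict = "too_many_hops"
            break
        nxt = fetch(chain[-1])
        if nxt is None:
            break
        # Location may be relative; resolve it against the hop that sent it.
        nxt = urljoin(chain[-1], nxt)
        if nxt in seen:
            verdict = "loop"
            break
        chain.append(nxt)
        seen.add(nxt)

    hosts = [urlparse(u).hostname or "" for u in chain]
    distinct = len(set(hosts))
    return {
        "chain": chain,
        "final": chain[-1] if verdict == "resolved" else None,
        "distinct_hosts": distinct,
        "suspicious": verdict != "resolved" or distinct >= suspicious_hosts,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = unwrap("https://short.example/abc")
    for hop in result["chain"]:
        print("  ->", hop)
    print("verdict:", result["verdict"], "| suspicious:", result["suspicious"])
```

Disabling automatic redirects matters: a client that follows them silently hands back only the last URL and loses the intermediate services that are the actual detection signal. Injecting `fetch` also lets the same logic run against a sandboxed resolver rather than touching attacker infrastructure from an analyst workstation.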


Start Your Architecture Modernization with Domain-Driven Discovery

Architecture modernization projects are complex, expensive, and full of risks. Starting with a Domain-Driven Discovery (DDD) focuses your team and improves your chances of success. ... There was a time when we started new Agile projects with a two-week Sprint 0 and then launched right into coding the solution. Unfortunately, teams often found out later that they had wasted time and money on "building the wrong thing righter." The influences of Design Thinking and Dual-Track Agile and frameworks like Mobius have opened our collective eyes to the importance of a brief discovery for product work. ... We suggest using event storming workshops to clarify the business processes related to the in-scope systems. Start by choosing a primary process or experience to focus on, such as a new customer registration. Next, collaboratively identify every event in this end-to-end process. It’s important to focus on how it works today, not how it should work in the future. Then identify a subset of the events that are essential to the process and label these Pivotal Events.


Career Reinvention: Considering a Switch to Cybersecurity

A significant skills gap in the cybersecurity industry has created a unique opportunity for individuals from various backgrounds to enter the field. Employers are seeking new people who weren’t necessarily trained to be cyber defenders but who have fresh perspectives and the potential to learn. This situation creates a tremendous opportunity for career reinvention. In response to this talent gap, the industry has committed to providing new hires with the resources and support they need to reach their fullest potential and succeed in a new career space. ... Of course, candidates should work to understand all they can about the types of cyber roles they would be most qualified for and interested in taking on – the good and the bad. This ensures there is no surprise later down the line that catches them off guard and leaves them regretting the career switch. It is also essential that any decisions being made are based on desire and genuine interest. If one enjoys the work they do and has the opportunity to work with good people, the rest will follow. Making a career change can be stressful, so taking it one step at a time is the best way to approach a drastic reinvention.


Data Waste Is Putting Retail Loyalty at Risk — Here’s Why

According to Wenthe, data wastage — the inefficient or ineffective use of data — has become a common blight among brands in all industries, and especially those in the retail, automotive, CPG, and entertainment spaces. “Data wastage comes in a variety of forms from data sources such as customer service, sales, or operations departments,” Wenthe says. “[It] is usually the result of a collection of unnecessary data, withholding relevant data from the right team, or failure to analyze or act on the data that has been collected.” While it’s not always easy to identify data wastage, Wenthe says time spent managing customer data collections is often the main culprit. According to Gartner, data inefficiencies can end up costing organizations an average of $12.9 million per year — a huge chunk of change for just about any company to lose. “This issue is important for any brand where their data remains disjointed and unable to interact with one another,” Wenthe says. Given the influx of data coming through new channels and departments, including customer service, sales, and operations, it’s no surprise to hear that retail brands right now are struggling.


Israeli threat group uses fake company acquisitions in CEO fraud schemes

The targeted organizations had headquarters in 15 countries, but since they are multinational corporations, employees of these companies from offices in 61 different countries were targeted. The reason the group focuses on large enterprises lies in the lure they chose to justify the very large transfers they're after: company acquisitions. It's not unusual for such multinational companies to acquire smaller companies in various local markets. ... "First, members of the executive team are likely to send and receive legitimate communications with the CEO on a regular basis, which means an email from the head of the organization may not seem abnormal," the researchers said. "Second, based on the stated importance of the supposed acquisition project, it’s reasonable for a senior leader at the company to be entrusted to help. And finally, because of their seniority within the organization, there is presumably less red tape that would need to be cut through in order for them to authorize a large financial transaction."


Poison Control: Report Says Tech Workplace Toxicity Rising

Joel Davies, senior people scientist at Culture Amp, says senior leadership hold the keys to creating a better work culture. “There is a common belief that ‘people leave managers, not companies,’ but we have found perceptions of senior leadership tend to be more important for employee engagement and commitment than perceptions of one’s direct manager. Senior leaders are role models, whether they like it or not. The way they behave at work creates powerful social norms that can impact how the rest of the organization behaves.” In a tough economic environment, Tsingos says transparency goes a long way to building a positive workplace perception. “We’re living in an era of uncertainty in the financial markets,” he says. “This pressure creates toxicity. How do you deal with that? You deal with that with transparency. You deal with it with openness, and you deal with it by investing in your people. You might have a big company laying off thousands of people -- but there are some people who may come back and who are thankful for the transparency. Because that employer was investing in them and treating them nicely.”


The art of leading in the AI age

In the digital era, the leader as a subject matter expert is typically a senior programmer who takes on the role and responsibilities of someone who helps everyone else understand the opportunities and risks of developing something that makes life easier in the short term, but more complex and difficult in the longer term. ... we look for leaders who mediate between different reasons to use (or not to use) technology, because the best facilitator is the one who is most likely to make room for different needs and thus help her fellow human beings design their own lives. This means that leaders primarily act as organizational midwives who use their own experience and expertise to help others trust themselves—and one another—to do a job none of them could do alone. In the digital era, the leader as an organizational midwife is typically a chief experience officer or a people leader who takes on the role and responsibilities of someone who nurtures a culture in which decisions on how something should and should not be used are made deliberately and intentionally by everyone.


The Building Blocks of Success: Is Data Mesh Right for My Organization?

In many ways, data mesh is a lot like Legos. It’s possible to make over 915 million different combinations from just six different Lego bricks. A data mesh can similarly be built in any way that works best for your organization: choose each component carefully and build the solution that best fits your needs. ... The traditional operating model of centralized data engineering requires fewer skilled technical resources, as the business teams all share those resources. Decentralization can lead to each business team hiring and supporting its own technical team, which requires more resources. On the one hand, this is one reason agility and speed-to-delivery are improved: there are more people delivering, perhaps with fewer competing demands on their time. ... The strongest candidate for a data mesh includes a compelling business case, strong buy-in and sufficient resources, and an organizational culture that supports it. If you have an approach that’s working for you — say, your organization is not domain-oriented and has centralized IT with fungible resources that are implemented alongside various projects — then data mesh likely isn’t the right investment at this time.



Quote for the day:

"Uncertainty is a permanent part of the leadership landscape. It never goes away." -- Andy Stanley