Daily Tech Digest - July 19, 2023

This is why personal encryption is vital to the future of business

We already recognize that humans are the weakest link in any security infrastructure. But what isn’t sufficiently recognized is that any action that puts those humans more at risk makes anyone they work for more vulnerable. A well-resourced attacker will simply identify who works at the company they're aiming for and then find ways to compromise some of those individuals using seemingly unrelated tricks. That compromised data will then feed into more sophisticated attacks against the actual target. So, what makes it easy to create those customized attacks in the first place? Information about those people, what they enjoy, who they know, where they go, and how they flow. That’s precisely the kind of data any weakening in end-to-end encryption for individuals makes easier to get. Because if you weaken personal data protection in one place, you might as well weaken it in every place. And once you do that, you’re presenting hackers and attackers with a totally tempting table of attack surface treats to chow down on. This is not clever, nor is it sensible.

Data protection and AI - accountability and governance

Part of risk remediation will include having policies and procedures in place that ensure operational staff have sufficient direction as to their roles and responsibilities. These should be readily available and supported by training. Risk management policies will need to be implemented, or existing policies updated, to address AI-specific considerations: for example, obtaining and handling AI training and test data, procuring and assessing external software, allocating roles and responsibilities for validation and independent sign-off of AI system development, deployment and updates (which may also include a role for an ethics committee), as well as ensuring policies relevant to automated decision making address the risks of bias, prejudice or lack of interpretability. ... The UK GDPR requires controllers to be transparent with individuals about how their personal data will be collected and processed within AI systems, including by telling them how and why such data will be processed, explaining any decisions made with AI, and stating how long any personal data will be retained and who it will be shared with.

E-Waste: Australia’s Hidden ESG Nightmare

For Australian enterprises, e-waste is an IT life-cycle challenge as much as an environmental one. With an increasingly decentralized workforce, IT teams are struggling to keep up with patch maintenance as well as the provisioning and deployment of new devices in a way that doesn't disrupt operations. Consequently, these organizations are prone to create unnecessary e-waste through poor processes, which can have several consequences for a business. ... It remains true that managing e-waste at scale can be a logistical challenge for organizations. The best solution would be for IT teams to work with their suppliers and partners to establish a cyclical logistics chain, where older equipment is automatically fed back to the vendor and added to its e-waste management programs using the same logistics that deliver new technology. With the right partners and suppliers, which can offer reliable data-wiping services, the IT team will be able to manage the challenges of e-waste management in Australia. Largely due to these risk factors, the costs of poorly managing e-waste are likely to accelerate rapidly in the months ahead.

The draft data privacy law surprises with its simplicity

For the most part, the draft Digital Personal Data Protection Bill was pretty much what we had been promised—simple, principles-based and generally appropriate for our current stage of maturity. Most businesses I spoke with confirmed that, if passed as is, they would have no problem complying with the obligations it imposed after a reasonably short transition period. To be clear, there were things we would have liked to see changed—clauses that needed to be tweaked and others I would have liked removed. I had an opportunity to engage in the consultations that followed and found the government not just willing to hear our points of view, but keen to understand what impact the text of the draft would have on implementation of the law. In a truly democratic process, it is impossible for everyone’s suggestions to be incorporated, especially when they come from different perspectives. I know that is probably the case for several of my suggestions, but I know that where there exists a multiplicity of views, it is only possible for one to be reflected.

The question is how an enterprise can use its data to do more than just do cool things. Enterprises are considering how their data can help shareholders. Kobielus wrote TDWI’s Best Practices Report with an eye to determining the chief factors that contribute to data monetization success. He found what he calls “four strategies for data monetization.” “The first one may not, at first glance, sound like a key strategy for monetization of data at all, but it is. It is data democratization -- giving everybody in your organization access to the best data you have to support data-driven analytics,” such as performing queries and producing reports. Enterprises can see the payoff of data democratization in terms of qualitative factors (such as employees working smarter), but there are quantitative factors as well, such as making better business decisions that enable the organization to boost sales, hold on to customers, or upsell to existing customers. “When we talk about data monetization, it's a maturity model, where you move from data democratization to operationalize data.

Managing Human Risk Requires More Than Awareness Training

The first step in managing human risk is to conduct a risk assessment to identify the risk factors most critical to the organization. Sound familiar? To be successful, a risk analyst must assess the likelihood of a vulnerability being exploited and the impact that would result from the event. To find these threat sources, the security operations team should be engaged to uncover documentation regarding cyber incidents, threat intelligence and mitigation plans from past audits. The security operations team also tests users on the likelihood of penetration, for example through phishing simulation exercises. Once an assessor has this information, they can build a risk register to prioritize the highest risk factors. Any educator knows that it is not possible to teach someone everything they need to know and expect them to retain all the information. ... For example, employees in an organization should be made aware of the risk associated with phishing attacks or identity theft efforts that engage employees through attack vectors such as emails, texts or phone calls.

A quick intro to the MACH architecture strategy

At the very least, most software teams are likely putting one or more MACH elements to considerable use already. In that case, this evaluation will help reveal which of the four components your organization might be overlooking. For instance, if your organization is currently deploying microservices-based applications on individual servers, deploying those applications in containers across a cluster of servers would be one way to align more closely with a MACH strategy. Another plausible scenario is that a software team already uses microservices and cloud-native hosting, but isn't yet managing APIs in a way that positions them at the center of application design plans and build processes. Adopting an API-first development strategy -- that is, one that places a priority on determining how APIs will behave and address specific business requirements before any actual coding starts -- would place that team one step closer to proper MACH adoption. However, for teams that are truly starting at square one, such as those still running a localized monolith, it often makes the most sense to start out with headless application design.

Is PC-as-a-Service part of your hybrid work strategy?

Getting new PCs into the hands of employees and making sure they’re regularly refreshed is complex. The old models of centralized staging and warehousing can create delays and excess shipping costs in today’s hybrid workstyles. Moreover, IT teams struggle to find time to manage day-to-day PC lifecycle tasks. ... By taking this service-oriented approach to PC management, IT teams will spend less time managing and supporting devices, freeing up time to focus on projects that have a greater impact on the business. From a financial perspective, Dell APEX PCaaS flips the script of employee device purchasing from a fixed cost to a predictable, monthly expenditure. Payments that spread out over time—like leasing a car or subscribing to cable services—align with your experience of consuming cloud software while affording you flexibility in how you plan your budget and allocate people resources. With Dell APEX PCaaS you can help your overworked IT staff deploy, support, and manage PCs, reducing time to value and total cost of ownership while ensuring that employees remain productive.

Why and how CISOs should work with lawyers to address regulatory burdens

As the regulatory burden increases, organizations and CISOs are having to take ownership of cyber risk, but it needs to be seen through the lens of business risk, according to Kayne McGladrey, field CISO with Hyperproof. Cyber risk is no longer simply a technology risk. "The problem is, organizationally, companies have separated those two and have their business risk register and their cyber risk register, but that’s not the way the world works anymore," says McGladrey. He believes the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and other regulators in the US are trying to promote collaboration among business leaders because cyber risks are functionally business risks. ... However, not all CISOs are naturally well versed in defining the business case of cyber risk, and McGladrey believes CISOs who are more adept at articulating the business value of doing cybersecurity will find it easier to achieve buy-in, while those with a more technical background who emphasize compliance over business risk may find it more difficult to get support and budget.

Stress Test: IT Leaders Strained by Talent Shortage, Tech Spend

George Jones, CISO at Critical Start, says a shortage of skilled professionals has led to delays in certain projects and increased workloads for existing team members. “To combat these delays, we have looked at upskilling current employees, brought in interns with specific skill sets, leveraged contract and freelance workers, and implemented knowledge-sharing to encourage cross-functional collaboration, empowering employees to learn from one another,” he says. He explains that Critical Start employees have clearly defined roles and responsibilities that align with their team and organizational goals, and that cross-functional collaboration is encouraged to leverage diverse perspectives and expertise. “Agile methodologies promote transparency, adaptability, and iterative progress and foster a culture of psychological safety where individuals feel comfortable sharing ideas, taking risks, and learning from failures,” he adds. To foster a culture of communication and collaboration, Jones says, his teams meet regularly to share knowledge and project updates and to provide feedback on what is working and what isn’t.

Quote for the day:

"When your values are clear to you, making decisions becomes easier." -- Roy E. Disney