This is why personal encryption is vital to the future of business
We already recognize that humans are the weakest link in any security
infrastructure. But what isn’t sufficiently recognized is that any action that
puts those humans more at risk makes anyone they work for more vulnerable. A
well-resourced attacker will simply identify who works at the company they're
aiming for and then find ways to compromise some of those individuals using
seemingly unrelated tricks. That compromised data will then feed into more
sophisticated attacks against the actual target. So, what makes it easy to
create those customized attacks in the first place? Information about those
people, what they enjoy, who they know, where they go, and how they flow. That’s
precisely the kind of data any weakening in end-to-end encryption for
individuals makes easier to get. Because if you weaken personal data protection
in one place, you might as well weaken it in every place. And once you do that,
you’re presenting hackers and attackers with a totally tempting table of attack
surface treats to chow down on. This is not clever, nor is it sensible.
Data protection and AI - accountability and governance
Part of risk remediation will include having policies and procedures in place
that ensure operational staff have sufficient direction as to their roles and
responsibilities. These should be readily available and supported by training.
Risk management policies will need to be implemented or existing policies
updated to address AI-specific considerations. For example, regarding obtaining
and handling AI training and test data, procuring and assessing external
software, allocating roles and responsibilities for validation and independent
sign-off of AI system development, deployment and updates (which may also
include a role for an ethics committee), as well as ensuring policies relevant to
automated decision making that address risks of bias, prejudice or lack of
interpretability. ... The UK GDPR requires controllers to be transparent with
individuals about how their personal data will be collected and processed within
AI systems, including by telling them how and why such data will be processed,
explaining any decisions made with AI, and stating how long any personal data will be
retained and who it will be shared with.
E-Waste: Australia’s Hidden ESG Nightmare
For Australian enterprises, e-waste is an IT life-cycle challenge, as much as
an environmental one. With an increasingly decentralized workforce, IT teams
are struggling to keep up with patch maintenance as well as the provisioning
and deployment of new devices in such a way that it doesn’t disrupt
operations. Consequently, these organizations are prone to create unnecessary
e-waste through their poor processes, which can incur several consequences for
a business. ... It remains true that managing e-waste at scale can be a
logistical challenge for organizations. The best solution would be for IT
teams to work with their suppliers and partners to establish a cyclical
logistics chain, where older equipment is automatically fed back to the vendor
and added to their e-waste management programs using the same logistics that
deliver new technology. With the right partners and suppliers, which can offer
reliable data-wiping services, the IT team will be able to manage the
challenges of e-waste management in Australia. Largely due to these risk
factors, the costs of poorly managing e-waste are likely to accelerate rapidly
in the months ahead.
The draft data privacy law surprises with its simplicity
For the most part, the draft Digital Personal Data Protection Bill was pretty
much what we had been promised—simple, principles-based and generally
appropriate for our current stage of maturity. Most businesses I spoke with
confirmed that, if passed as is, they would have no problem complying with the
obligations it imposed after a reasonably short transition period. To be
clear, there were things we would have liked to see changed—clauses that
needed to be tweaked and others I would have liked removed. I had an
opportunity to engage in the consultations that followed and found the
government not just willing to hear our points of view, but keen to understand
what impact the text of the draft would have on implementation of the law. In
a truly democratic process, it is impossible for everyone’s suggestions to be
incorporated, especially when they come from different perspectives. I know
that is probably the case for several of my suggestions, but I know that where
there exists a multiplicity of views, it is only possible for one to be
reflected.
The question is how an enterprise can use its data to do more than just
cool things. Enterprises are considering how their data can help shareholders.
Kobielus wrote TDWI’s Best Practices Report with an eye to determining the
chief factors that contribute to data monetization success. He found what he
calls “four strategies for data monetization.” “The first one may not, at
first glance, sound like a key strategy for monetization of data at all, but
it is. It is data democratization -- giving everybody in your organization
access to the best data you have to support data-driven analytics,” such as
performing queries and producing reports. Enterprises can see the payoff of
data democratization in terms of qualitative factors (such as employees
working smarter), but there are quantitative factors as well, such as making
better business decisions that enable the organization to boost sales, hold on
to customers, or upsell to existing customers. “When we talk about data
monetization, it's a maturity model, where you move from data democratization
to operationalized data.”
Managing Human Risk Requires More Than Awareness Training
The first step in managing human risk is to conduct a risk assessment to
identify the risk factors most critical to the organization. Sound familiar?
To be successful, a risk analyst must assess the likelihood of a vulnerability
being exploited and the impact that would occur because of the event. To find
these threat sources, the security operations team should be engaged to
uncover documentation regarding cyberincidents, threat intelligence and
mitigation plans from past audits. The security operations team also tests
users on the likelihood of penetration, for example, through phishing
simulation exercises. Once an assessor has this information, they can build a
risk register to prioritize the highest risk factors. Any educator knows that
it is not possible to teach someone everything that they need to know and
expect them to retain all the information. ... For example, employees in an
organization should be made aware of the risk associated with phishing attacks
or identity theft efforts that engage employees through attack vectors such as
emails, texts or phone calls.
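As an added illustration of the risk-register step described above (this is example code, not from the article or from any vendor tool): the script takes a constructed phishing-simulation export, derives a per-department likelihood band from click and credential-submission rates, multiplies it by an impact rating drawn from past incidents and audits, and ranks the result so the highest human-risk factors surface first. The CSV column names, the band thresholds and the impact scores are all assumptions made for the example.

```python
"""Prioritised human-risk register built from phishing-simulation results.

Added example; the simulation export and impact ratings below are constructed
for illustration and do not come from any real organisation.
"""
from collections import defaultdict
import csv
import io

# Constructed phishing-simulation export (hypothetical column layout):
# one row per targeted user recording what they did with the simulated lure.
SIMULATION_CSV = """\
user,department,opened,clicked,submitted_credentials
u001,finance,1,1,1
u002,finance,1,1,0
u003,finance,1,0,0
u004,finance,0,0,0
u005,engineering,1,0,0
u006,engineering,1,1,0
u007,engineering,1,0,0
u008,engineering,0,0,0
u009,helpdesk,1,1,1
u010,helpdesk,1,1,1
u011,helpdesk,1,0,0
u012,marketing,1,1,0
u013,marketing,0,0,0
u014,marketing,1,0,0
"""

# Constructed impact ratings (1-5), the kind of figure an assessor would take
# from incident history and audit findings: what a compromised account in that
# department could reach.
IMPACT = {"finance": 5, "engineering": 4, "helpdesk": 5, "marketing": 2}


def parse_simulation(csv_text):
    """Aggregate targeted / clicked / submitted counts per department."""
    totals = defaultdict(lambda: {"targeted": 0, "clicked": 0, "submitted": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        d = totals[row["department"]]
        d["targeted"] += 1
        d["clicked"] += int(row["clicked"])
        d["submitted"] += int(row["submitted_credentials"])
    return dict(totals)


def likelihood_band(click_rate, submit_rate):
    """Map observed behaviour to a 1-5 likelihood band (assumed thresholds).

    Credential submission outranks a bare click: a submitted password hands the
    attacker a working login, a click only confirms a live target.
    """
    if submit_rate >= 0.5:
        return 5
    if submit_rate > 0:
        return 4
    if click_rate >= 0.5:
        return 3
    if click_rate > 0:
        return 2
    return 1


def build_register(csv_text, impact):
    """Return the risk register sorted by likelihood x impact, highest first."""
    register = []
    for dept, c in parse_simulation(csv_text).items():
        click_rate = c["clicked"] / c["targeted"]
        submit_rate = c["submitted"] / c["targeted"]
        likelihood = likelihood_band(click_rate, submit_rate)
        dept_impact = impact.get(dept, 3)  # unrated department: assume medium
        register.append({
            "department": dept,
            "click_rate": round(click_rate, 2),
            "submit_rate": round(submit_rate, 2),
            "likelihood": likelihood,
            "impact": dept_impact,
            "score": likelihood * dept_impact,
        })
    # Ties broken by name so the ordering is stable between runs.
    register.sort(key=lambda r: (-r["score"], r["department"]))
    return register


if __name__ == "__main__":
    for entry in build_register(SIMULATION_CSV, IMPACT):
        print("{department:12} L={likelihood} I={impact} score={score:2} "
              "click={click_rate:.2f} submit={submit_rate:.2f}".format(**entry))
```

With the constructed data the helpdesk ranks first (two of three users submitted credentials into a high-impact department), finance second, and marketing last despite a comparable click rate, which is the point of weighting by impact rather than reporting click rates alone.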
A quick intro to the MACH architecture strategy
At the very least, most software teams are likely putting one or more MACH
elements to considerable use already. In that case, this evaluation will help
reveal which of the four components your organization might be overlooking.
For instance, if your organization is currently deploying microservices-based
applications on individual servers, deploying those applications in containers
across a cluster of servers would be one way to align more closely with a MACH
strategy. Another plausible scenario is that a software team already uses
microservices and cloud-native hosting, but isn't yet managing APIs in a way
that positions it at the center of application design plans and build
processes. Adopting an API-first development strategy -- that is, one that
places a priority on determining how APIs will behave and addresses specific
business requirements before any actual coding starts -- would place that team
one step closer to proper MACH adoption. However, for teams that are truly
starting at square one, such as those still running a localized monolith, it
often makes the most sense to start out with headless application
design.
Is PC-as-a-Service part of your hybrid work strategy?
Getting new PCs into the hands of employees and making sure they’re regularly
refreshed is complex. The old models of centralized staging and warehousing
can create delays and excess shipping costs in today’s hybrid workstyles.
Moreover, IT teams struggle to find time to manage day-to-day PC lifecycle
tasks. ... By taking this service-oriented approach to PC management, IT teams
will spend less time managing and supporting devices, freeing up time to focus
on projects that have a greater impact on the business. From a financial
perspective, Dell APEX PCaaS flips the script of employee device purchasing
from a fixed cost to a predictable, monthly expenditure. Payments that spread
out over time—like leasing a car or subscribing to cable services—align with
your experience of consuming cloud software while affording you flexibility in
how you plan your budget and allocate people resources. With Dell APEX PCaaS
you can help your overworked IT staff deploy, support, and manage PCs,
reducing time to value and total cost of ownership while ensuring that
employees remain productive.
Why and how CISOs should work with lawyers to address regulatory burdens
As the regulatory burden increases, organizations and CISOs are having to take
ownership of cyber risk, but it needs to be seen through the lens of business
risk, according to Kayne McGladrey, field CISO with Hyperproof. Cyber risk is
no longer simply a technology risk. "The problem is, organizationally,
companies have separated those two and have their business risk register and
their cyber risk register, but that’s not the way the world works anymore,"
says McGladrey. He believes the Securities and Exchange Commission (SEC), the
Federal Trade Commission (FTC) and other regulators in the US are trying to
promote collaboration among business leaders because cyber risks are
functionally business risks. ... However, not all CISOs are naturally well
versed in defining the business case of cyber risk, and McGladrey believes
CISOs who are more adept at articulating the business value of doing
cybersecurity will find it easier to achieve buy-in, while those with a more
technical background who emphasize compliance over business risk may find it
more difficult to get support and budget.
Stress Test: IT Leaders Strained by Talent Shortage, Tech Spend
George Jones, CISO at Critical Start, says a shortage of skilled professionals
has led to delays in certain projects and increased workloads for existing
team members. “To combat these delays, we have looked at upskilling current
employees, brought in interns with specific skill sets, leveraged contract and
freelance workers, and implemented knowledge-sharing to encourage
cross-functional collaboration, empowering employees to learn from one
another,” he says. He explains Critical Start employees have clearly defined
roles and responsibilities that align with their team and organizational
goals, and cross-functional collaboration is encouraged to leverage diverse
perspectives and expertise. “Agile methodologies promote transparency,
adaptability, and iterative progress and foster a culture of psychological
safety where individuals feel comfortable sharing ideas, taking risks, and
learning from failures,” he adds. Jones says that to foster a culture of
communication and collaboration, his teams meet regularly to share knowledge
and project updates, and to provide feedback on what is working and what isn’t.
Quote for the day:
"When your values are clear to you,
making decisions becomes easier." -- Roy E. Disney