Daily Tech Digest - October 11, 2023

The CIO at a crossroads: Evolve or become a dead-end job

While the CIO role is undoubtedly changing, no business can afford to let their staff go out and buy whatever technology they want. The potential risks of leaving professionals to their own devices range from burgeoning costs in terms of cloud provision to the fear of sensitive enterprise data being pushed into public AI systems without due care and attention. Businesses need someone to ensure advanced digital technologies are exploited in a safe, secure, and cost-effective manner. And the person within the enterprise who holds that experience is still the CIO, says Richardson. “While things are now much more advanced, that core role — ensuring reliable, efficient, and secure business operations — is still crucially important,” he says. “There is certainly a very wide scope of functional and technical disciplines for modern CIOs to understand, such as cybersecurity, cloud infrastructure, AI and machine learning, end-user experience design, enterprise architecture, and more.” That’s a belief that chimes with Lily Haake, head of technology and digital executive search at recruiter Harvey Nash.

Victory by Surveillance Isn’t Possible—To Win, Engage the Adversary

Despite the profound intelligence exhibited by tools and methodologies originating from academia or the minds of Silicon Valley innovators, they inherently maintain a passive stance. More intelligent surveillance simply will not get the job done. Moreover, our faith in AI-based solutions may well be (dramatically) overstated. Like in any arms race, the enemy gains access to the same tools and techniques used in defense for the benefit of their offense. This fact does not make for any “we are pulling ahead” kind of thinking. As AI-designed offensive techniques come online, we might in fact be further behind, which is a terrible thing to say after laying out US$200 billion for security tools last year. ... When each new tool we innovate adds to our burden as defenders, but doesn’t, realistically, alter the awful trends, we need a rethink. Basic zero-sum game theory—my opponent’s gain is at my expense, and vice versa—ensures we will stay on the receiving end unless there is a cost associated with the attacker’s behavior.

Why are OpenAI, Microsoft and others looking to make their own chips?

“The obvious point is that they have some requirement nobody is serving, and I reckon it might be an inference part that’s cheaper to buy and cheaper to run than a big GPU, or even the top Sapphire Rapids CPUs, without making them beholden to either AWS or Google,” according to Omdia principal analyst Alexander Harrowell. He added that he was basing his opinion on CEO Sam Altman’s comments that GPT-4 is unlikely to scale further, and would rather need enhancing. Scaling an LLM requires more compute power when compared to inferencing a model. Inferencing is the process of using a trained LLM to generate more accurate predictions or results. Further, analysts said that acquiring a large chip designer might not be a sound decision for OpenAI as it would cost around $100 million to design and get the chips ready for production. “While OpenAI can try and raise money from the market for the effort, the deal with Microsoft earlier this year essentially led to selling an option over half the company for $10 billion, of which some unspecified proportion is in non-cash Azure credits — not the move of a company that’s rolling in cash,” Harrowell said.

It’s Time to End the Battle Between Waterfall and Agile

Hybrid methodologies, such as the one implemented by Philips for their digital transformation initiatives, offer a mix of Agile’s flexibility and Waterfall’s structure. Philips adopted a hybrid approach for its HealthSuite digital platform, delivering rapid, iterative releases for software development while still adhering to strict documentation and safety guidelines. By combining these two approaches, Philips was able to create a hybrid approach that was both flexible and structured. This resulted in better product quality, reduced time to market, predictable costs and savings. ... A hybrid approach allows for risk mitigation by blending Agile’s adaptability with Waterfall’s structured planning, as demonstrated by Tesla’s hybrid approach to the development of their Model 3. To build the Gigafactory, where the vehicle’s batteries are produced, Tesla utilized rigorous planning and risk assessment methods. At the same time, Tesla’s capability to update vehicle software over the air allows for rapid issue resolution and feature addition post-production. This dual strategy enables Tesla to mitigate risks effectively while maintaining flexibility in a high-stakes manufacturing landscape.

5 Focus Areas for Better Cloud Security Programs in Financial Services

Finserv organizations need a strategy for discovering employees’ usage of cloud apps or services that haven’t been authorized by the IT department – also known as Shadow IT – that may lead to unsecured data. One popular method to monitor Shadow IT usage is a Cloud Access Security Broker (CASB): an intermediary between cloud consumers and providers that enforces security policies as cloud resources are accessed. Secure web gateways (SWG) and next-generation firewalls are other helpful tools used to inspect network traffic and provide advanced protection. But it’s not enough to just take stock of Shadow IT – organizations also need a plan for how to secure any unauthorized apps or services they discover. ... Finserv firms store an average of 61% of sensitive data in the public cloud – equal to other sectors. They also store similar types of vital data, but even more so in the way of competitor data, confidential internal documents, personal staff information, intellectual property, government identification, payment card information and network passwords. 

F5 Warns Australian IT of Social Engineering Risk Escalation Due to Generative AI

Australian IT teams can expect to be on the receiving end of social engineering attack growth. F5 said the main counter to changing bad actor techniques and capabilities will be education to ensure employees are made aware of increasing attack sophistication due to AI. “Scams that trick employees into doing something — like downloading a new version of a corporate VPN client or tricking accounts payable to pay some nonexistent merchant — will continue to happen,” Woods said. “They will be more persuasive and increase in volume.” Woods added that organizations will need to ensure protocols are put in place, similar to existing financial controls in an enterprise, to guard against criminals’ growing persuasive power. This could include measures such as payments over a certain amount requiring multiple people to approve. ... There have been warnings that armies of bots, supercharged by new AI tools, could be utilized by criminal organizations to launch more sophisticated automated attacks against enterprise cybersecurity defences, expanding a new front in organisations’ war against cyber criminals.

Translating Failures into Service-Level Objectives

We can be proactive about failure and creating SLOs from chaos engineering and game days. Chaos engineering is the discipline of experimenting on a system to build confidence in the system’s capability to withstand turbulent conditions in production. We want to inject failure into our systems to see how they would react if this failure were to happen on its own. This allows us to learn from failure, document it and prepare for failures like it. We can start practicing these types of experiments with game days. A game day is a time when your team or organization comes together to do chaos engineering. This can look different for each organization, depending on the organization’s maturity and architecture. These can be in the form of tabletop exercises, open source/internal tooling such as Chaos Monkey or LitmusChaos, or vendors like Harness Chaos Engineering or Gremlin. No matter how you go about starting this practice, you can get comfortable with failure and continue to build a culture of embracing failure at your organization. This also allows you to continue checking on those SLOs we just set up.

Turning military veterans into cybersecurity experts

Cyber threat intelligence (CTI) is a specialism within cybersecurity that has been built upon traditional military intelligence processes and theories and because of this, any who have served in a traditional intelligence role in the military will have a solid coverage of some of the hard skills needed for these roles. With support upskilling, they build their knowledge of IT networks and some CTI tooling and platforms, so this career path can be very accessible. Information security management careers also require people to know how to manage and lead, which is to manage people more often than tech. While a grounding in the technical aspects of cybersecurity is very important, ex-Forces commonly possess management and leadership skills and experience, often developed over years during their military careers, which is evidently useful the moment they step into a cyber team. To enhance this further, most have worked with sensitive data, stored and processed on sensitive systems, shaping or at least adhering to policy, and sometimes even managing large IT accounts.

6 Pain Points for CISOs and CIOs and What to Do About Them

“Everybody is struggling with the sprawling technology stack,” says Carl Froggett, CIO of cybersecurity company Deep Instinct. Many companies are working with a mix of legacy technology, like on-premises servers, and new cloud and SaaS systems. CIOs and CISOs are faced with the operational and security challenges that come with this disparate tech stack and the migration to new systems. With that sprawl comes the challenge of data governance. What data does a company have? Where does it reside? How can it be safeguarded? If CIOs and CISOs can’t answer the first two questions, they can’t even begin to collaborate on an effective strategy for protecting their organizations’ data. ... While talent is a scarce commodity, CIOs and CISOs can leverage third parties to get the skills they do not have internally and have yet to hire. They can also find ways to automate lower-level tasks, freeing staff to spend more time on other more important, less repetitive tasks. IT leadership can also retrain and upskill existing team members.

Using Visual Studio Code for C# development

The C# Dev Kit adds more in the way of code navigation tooling, using the Solution Explorer to work with test frameworks and the Roslyn tools to quickly jump to specific parts of your application, peeking at definitions and references to understand how classes and methods are used. The Solution Explorer helps manage complex projects, using virtual solution folders to group files without affecting your underlying file system. Solution folders let you separate code from tests, as well as managing different UIs for different device targets. The IntelliCode extension adds AI-supported code completion to your editor, with the ability to predict entire lines of code, based on what you’ve already written. This works alongside the normal IntelliSense features to guide code predictions, reducing the risk of errors. It will even highlight possible completions in IntelliSense and rank the members in a class based on your code to speed up selections. It’s important to understand that this is a local AI model. Unlike GitHub Copilot, IntelliCode operates disconnected from the internet, helping keep code secret and enabling you to work from anywhere.

Quote for the day:

“Identify your problems but give your power and energy to solutions.” -- Tony Robbins
