Daily Tech Digest - October 17, 2023

Beware the cost traps that can strain precious cybersecurity budgets

Overlapping services that duplicate functions are another common overspend that can eat into security budgets. "Paying for these duplicate security functions can be financially inefficient and strain the budget," says Nick Trueman, CISO at cloud services provider Nasstar. It can also result in integration challenges whereby coordinating and integrating multiple providers with similar functions leads to complexities and interoperability issues, he adds. CISOs should conduct a comprehensive review and identify all current security providers and the services they offer. ... On the topic of redundancies, CISOs can often end up paying for tools that do not deliver the expected benefits, significantly impacting their security budgets and coverage plans. CISOs may encounter scenarios where they invest in security tools or technologies that, despite their initial promise, fail to provide the anticipated value or return on investment (ROI), says Paul Baird, chief technical security officer at Qualys. This could happen for several reasons, including inadequate integration with existing systems, limited user adoption, or the tools not effectively addressing the organization's specific security needs.

Essential cyber hygiene: Making cyber defense cost effective

When it comes to dollars and cents, the industry as a whole has made many attempts to calculate the cost of a cyber attack. The same can’t be said about estimating the costs of implementing cyber defenses. But there’s value in knowing both of those metrics. Knowing what an enterprise can spend to prevent an attack is only useful alongside knowing what it is willing to spend to recover from one. For example, if the cost of recovering from a cyber attack is $1.25 million but an enterprise can spend only $1 million on implementing a set of robust cyber defenses, which one should they choose? To estimate the cost of the IG1 Safeguards (Implementation Group 1 of the CIS Critical Security Controls), we looked at the tools that an enterprise needs to implement them. Tools are priced in many ways, the most common being the following: by number of employees, users, workstations/servers, and/or by usage (e.g., megabyte, gigabyte, hours). CIS created IG1 Enterprise Profiles to help streamline the process of calculating costs. Our estimate shows that obtaining and deploying commercially supported versions of the tools should be less than 20% of the Information Technology (IT) budget for any size enterprise.

Why the human factor is critical to ITOps success

Communication between developer teams and “business types” can be fraught. Developers typically work very hard for long hours to deliver what customers want. Yet efforts frequently fall flat, due in no small part to a failure of one or both sides to understand or explain what the other really wants or needs, says Shafrir. “There will always be a wall between the two, but especially during this time with tonnes of services on the internet and daily changes to software. It’s a problem if only business people are in touch with customers,” he says. Developers often have little idea how the customers are using the product – not least because they write code and “throw it over the fence”. “Then it’s frustrating when we’re [developers] told our quality is very low and it’s not a good job and we don’t work hard enough and other things,” says Shafrir. Shafrir recommends that IT leaders “take down that wall” between the two teams. If developers are notified and know exactly – continuously – how the code is performing in the customer environment, fixes can be rolled out faster. 

Security Governance and Risk Management in Enterprise Architecture

Security governance isn't just a rulebook. It's a structured approach that champions data protection, system reliability, and seamless business operations. With this governance in place, the intricate realm of cybersecurity becomes a navigable terrain. True security roots itself deep within organizational culture. When every team member, from the top brass to the newest recruit, values security, the organization stands united and fortified. A collective commitment to security amplifies the organization's resilience. ... Frameworks, especially ones like the NIST Risk Management Framework, offer more than theoretical value: they shape practical decisions in technology, placing risk considerations at the forefront. Adopting such guiding principles ensures that architectural choices resonate with both innovation and security. Still, the landscape of risk is dynamic, changing with every technological advancement and emerging threat. Regular, thorough risk assessments become a beacon that illuminates potential security gaps. Allocating resources to these evaluations ensures a resilient and adaptive enterprise architecture, always prepared for the challenges ahead.

Why A One-Size-Fits-All 'Compliance' Plan Can Be Dangerous

IT departments these days use many different architectures with various hardware, software and network configurations. Because of these differences, it's difficult to create a single cybersecurity formula that works for all companies. Some of the pitfalls of trying to cut corners and save costs by implementing a generic plan include: Lack Of Customization - A one-size-fits-all approach doesn't consider the specific problems and needs of each company. What works for one organization may not be enough to address the weaknesses and particular requirements of the next. It's important to customize security measures to fit the unique characteristics of each company to effectively protect against cyber threats. Increased Risk Of Breaches - When companies use a standardized compliance plan, it sets a basic level of security. However, this plan might not take into account the specific risks and security gaps that exist in each organization. Without customized security measures, a greater chance exists of experiencing data breaches or cyberattacks.

Generative AI is everything, everywhere, all at once

Unlike generative AI, which exploded within the past year thanks in part to OpenAI's consumer-facing ChatGPT, AI is nothing new. And it's a fairly ambiguous term, Toubia explained. "There's a wide range of things you could label as AI or machine learning," he said. "There's some very simple statistical methods that have been around for over 100 years that technically could be as clever as AI." Given the enigmatic nature of generative AI, it's also a complicated product to patent, audit, or regulate, which further exacerbates AI washing. "Companies don't really have to publish or explain their AI because it's a trade secret. There's no patent that you could read, and we don't really know what's under the hood, so to speak," Toubia said. Regulatory institutions like the FTC are certainly trying to control the unwieldy industry with industry-wide warnings and reports. While he appreciates the ideas behind the warnings, Thurai is doubtful that the FTC's stern warnings and oversight will be enforced, given how difficult a violation will be to prove in court.

The Whats and Hows of DevOps Talent Retention

Given that a lack of opportunities for growth accounts for close to half of DevOps employee turnover, it once again highlights the importance of a well-planned approach to support ongoing learning. By understanding employees’ performance, preferences and environment, a wider range of support offers can be implemented. Providing tailored assignments that allow employees to focus on their skills or passion not only helps build commitment to the job but also acts as a motivator. This can range from a simple 15-minute project to a year-long program. But advocating personal development courses and upskilling techniques is not enough. Employers must also harness peer recognition. A sales organization within the United States Postal Service (USPS) recently made an attempt to boost peer recognition by setting up a simple online platform that let employees call out colleagues’ behavior associated with newly learned skills. The group saw overall employee engagement rise by 8% in the initial pilot group. Such strategies were then used to improve work across the organization.

How to Partner with Law Enforcement Following a Cyberattack

Law enforcement will come with the intention of acting as a partner to the victim organization, alongside other stakeholders like remediation firms and insurance companies. “We would really expect to be seen as true partners in every sense of the word,” says Alway. A law enforcement team could include investigative agents with cybersecurity backgrounds, as well as technical experts, such as computer scientists and data analysts. That partnership will be based on information sharing. Organizations will tell law enforcement about the nature of the incident, provide logs and any other evidence of the intrusion, and answer questions. Law enforcement will share their knowledge of IOCs and any information they have that can help enterprises during the remediation process. “There’s no such thing as over communication in cyber incidents,” says Alway. It is important to keep in mind that law enforcement’s job takes time. “A lot of times the investigation piece could drag on for multiple years, whereas the company [or] organization is on a shorter timeline,” says Cabrera.

Cyber security professionals say industry is “booming”

Cyber security professionals are still positive about the industry and their opportunities despite the economic climate, according to The Chartered Institute of Information Security's (CIISec) 2022/2023 State of the Profession report – the eighth annual survey of the cyber security industry. In the survey of 302 security professionals, almost 80% say they have ‘good’ or ‘excellent’ career prospects, and more than 84% say the industry is ‘growing’ or ‘booming’. Although the industry is relatively insulated from economic challenges, the report highlights that it is still plagued by issues including stress and overwork. 22% of respondents work more than the 48-hour weekly maximum set by UK working time regulations, and 8% work more than 55 hours which, according to the World Health Organisation, marks the boundary between safe and unsafe working hours. The report also found: Worries over workload loom over cyber security professionals - When asked what keeps them awake at night, the two main sources of stress for cyber professionals are day-to-day stress/workload (identified by 50%) and suffering a cyber-attack (32%).

Are enterprise architects the new platform team leaders?

Today there is a need for platform teams to architect the connections between business processes, outcomes, and the technology. Many teams today still operate in silos, whether around their specific functional pieces of technology or simply as individual teams. However, today, there are several key factors reshaping the way teams approach their work. The easy access to technology outside of corporate IT has fundamentally changed the dynamic. In addition, the idea of IT owning only a very small piece of the technology is no longer acceptable. For example, if you are a database team, you can’t just be responsible for the database itself – you must also own the delivery of that database as a service, including the additional technology around it like the OS, compute, memory, and all elements of cost, security, access, and performance. Enterprise architects in this new role as platform leaders must adopt a cross-functional mindset. They must look left and right, cross-functionally, at the technology, how it should fit together, the services the company should offer – and for what use cases.

Quote for the day:

"A leader is always first in line during times of criticism and last in line during times of recognition." -- Orrin Woodward
