Daily Tech Digest - October 26, 2023

CTOs Look to Regain Control of the IT Roadmap

Putting an emphasis on modular architecture and open standards can ensure easier integration with, or disengagement from, specific solutions, thereby mitigating these concerns. ... Instead of an expensive and time-consuming “rip and replace” model, organizations are extending the life and value of their existing ERP investments and shifting their newly freed-up resources to drive innovation “around the edges” of their current robust ERP core. “This approach applies to all industries and sizes, enabling organizations to minimize churn and focus on customer value, competitive advantage and growth,” he says. The survey also indicated that IT leaders are exploring alternatives to subscription-based licensing models, focusing on optimizing operational costs and aligning investments with business strategies for growth and innovation. “Applications that enable competitive advantage and differentiate a company are a high priority for organizations, while, for example, ERP administration functions like HR and finance offer very little differentiation and are frequently retained as a foundational core, optimized for cost and efficiency,” Rowe explains.

Measure Developer Joy, Not Productivity, Says Atlassian Lead

So, when senior leadership is under pressure to show the outcome of one of their most sizable operating expenses, what’s a tech company to do? First, Boyagi suggested, change your questions. Instead of “How do I increase developer productivity?” or “How can I measure developer productivity?” try “How can I make developers happier?” and “How can I help developers be more productive?” The questions can help steer the conversation in a more useful direction: “I think every company has to go on a journey and do what’s right for them in terms of productivity. But I don’t think measurement is the thing we should be talking about.” First, because productivity for knowledge workers has always been one of the hardest things to measure. And, he added, because we need to take inspiration from other companies, not replicate what they do. Boyagi doesn’t suggest you try to do what Atlassian does. But feel free to take inspiration from and leverage its DevEx strategy, as well as those of other high-performing organizations like Google, Netflix, LinkedIn and Spotify.

How much cybersecurity expertise does a board need?

For companies that have not yet built up cybersecurity expertise among their directors and reporting committees, there’s work to do, says Lam, who explains there are a number of ways to build up that "cyber-IQ". “One is you should get the right board talent in terms of risk and cyber expertise that’s appropriate to their risk profiles,” says Lam, who explains that companies leery of using up a hotly contested director seat for a cyber specialist simply need to broaden their recruitment parameters. ... As organizations slowly morph their board composition, they also need to be careful not to get into a situation where one director is solely responsible for cybersecurity oversight and no one else minds that area of risk, warns Chenxi Wang ... “There’s been an explosive offering of cyber governance training in recent years. While that is a great step in the right direction, a lot of them vary as far as the quality of content goes,” Shurtleff tells CSO. “You can’t substitute somebody’s cyber experience and knowledge from a lifetime of professional experience into a two-week course. ...”

What is a business intelligence analyst? A key role for data-driven decisions

The role is becoming increasingly important as organizations move to capitalize on the volumes of data they collect through business intelligence strategies. BI analysts typically discover areas of revenue loss and identify where improvements can be made to save the company money or increase profits. This is done by mining complex data using BI software and tools, comparing data to competitors and industry trends, and creating visualizations that communicate findings to others in the organization. ... It’s a role that combines hard skills such as programming, data modeling, and statistics with soft skills such as communication, analytical thinking, and problem-solving. Candidates need a well-rounded background to balance the line between IT and the business, and usually a bachelor’s degree in computer science, business, mathematics, economics, statistics, management, accounting, or a related field. If you have a degree in an unrelated field but have completed courses in these subjects, that can suffice for an entry-level role in some organizations. Other senior positions may require an MBA, but there are plenty of BI jobs that require only an undergraduate degree.

Infrastructure teams need multi-cloud networking and security guardrails

The key is to ensure that the technology implemented is actually providing a guardrail and not imposing a speed bump or roadblock. Network and security teams need to provide infrastructure and services that are programmatic and easy to use. For instance, DevOps should be able to request IP addresses, spin up secure DNS services, request changes to firewall policies, or adjust transit routing with a couple of clicks. If approvals are required from network and security teams, those approvals should be automated as much as possible. This drive toward programmatic services is apparent in my research at Enterprise Management Associates (EMA). For instance, I recently surveyed 351 IT professionals about their multi-cloud networking strategies for the report “Multi-Cloud Networking: Connecting and Securing the Future.” (Check out EMA’s free webinar to learn more about what we found in that research.) In that report, 82% of respondents told us that it was at least somewhat important for their multi-cloud networking solutions to have open APIs.

Demystifying the top five OT security myths

“A common belief is that the OT protocols are proprietary, and the attacker doesn’t have access to OT devices or specific proprietary protocols,” he said. “To some extent, the proprietary nature of the OT device does pose a challenge to hacking, but threat actors behind targeted attacks are usually knowledgeable, persistent and resourceful.” Goh said such threat actors, particularly those backed by nation-states, have the resources to replicate an OT system, and create and rigorously test their malware in a lab before launching an attack. “This possibility is highly speculated in the Triton malware attack, which happened in 2017 in a malicious attempt to destroy and damage a petrochemical plant in Saudi Arabia by targeting the safety system,” he added. ... In the concept of defence-in-depth, firewalls are used to separate the different layers of an OT network. Goh said while it is mandatory to use firewalls to protect an OT network from unauthorised access, this protection is only as good as the policy and the security of the firewall. “We all know that misconfigurations of firewall rules happen and are not uncommon,” he said, citing a study that found one in five firewalls have one or two configuration issues.

JPMorgan Chase CISO explains why he's an 'AI optimist'

We've started to look at it. That's the short answer. The longer answer is, I was a bit of an AI pessimist before November of last year. Seeing ChatGPT in action for the first time and what it could do opened my mind -- perhaps many others' as well. It felt like we tipped over the precipice of an AI era. I'm an optimist about its capabilities. Most of the last nine or 10 months or so have been us trying to enable AI to use inside of the firm. We have been users of traditional AI for some time. Generative AI is newer for us in the business. We've spent the last six or seven months designing the right isolated mechanisms that are safe for us to use to produce our data. That's something we'll start doing internally as a business more broadly and think through how we use it as a cybersecurity use case. It's probably not going to be done in a generic sense in the short-term. Cybersecurity practitioners and maybe some industry consortiums need to get together to build and train the right models to support cybersecurity. It's clear to me that one, everybody's thinking about how they use AI in their tech. 

CISOs struggling to understand value of security controls data

Understanding where security controls are failing is a critical first step to mitigating cyber risk and making the right decisions. Unfortunately, only 36% of security leaders are totally confident in their security data and use it for all strategic decision making. This is a concerning finding, as without trusted data CISOs might struggle to influence senior business stakeholders and ensure the right people are held accountable for fixing security issues. ... The benefits of improving data quality and trust are clear, with 84% of security leaders believing that increasing trust in their data would help them secure more resources to protect their organization. But first there needs to be a mindset change in security leaders and the board—away from using controls data for reporting, and instead embracing it to proactively drive business decisions and stop problems before they occur. “The industry needs to change if we are to solve the CISO security controls conundrum, and Continuous Controls Monitoring (CCM) can be the catalyst. It isn’t a better reporting tool, it’s a way of knowing what to do next – making day-to-day cybersecurity firefighting easier and getting ahead of the game on strategic risk,” argues Panaseer Security Evangelist Marie Wilcox.

How to Become a Data Governance Specialist

Generally, a DG specialist will have a bachelor’s degree in a field related to computers (information technology, computer science) and one to four years of experience. However, a combination of computer and communication skills is needed for this position. Lots of technical experience can stand in for a bachelor’s degree, but the lack of a degree will limit chances for advancement and promotion. Some employment advertisements will require a Data Governance and Stewardship certification. The certification process typically requires a degree, attending a workshop, a test, and a fair amount of experience. Certification can be difficult to get, in part because there are very few organizations offering it. This requirement may be an unrealistic expectation on the part of the employer, particularly for non-management positions. ... Much of Data Governance is actually about changing habitual behavior. When changes are made, it is common for a team to be assembled to execute the project. A Data Governance program must be presented as a practice and not a project. Projects have start and end dates.

Has Your Architectural Decision Record Lost Its Purpose?

Sometimes the expected longevity of a decision causes a team to believe that a decision is architectural. Most decisions become long-term decisions because the funding model for most systems only considers the initial cost of development, not the long-term evolution of the system. When this is the case, every decision becomes a long-term decision. This does not make these decisions architectural, however; they need to have high cost and complexity to undo/redo in order for them to be architecturally significant. To illustrate, a decision to select a database management system is usually regarded as architectural because many systems will use it for their lifetime, but if this decision is easily reversed without having to change code throughout the system, it’s generally not architecturally significant. Modern RDBMS technology is quite stable and relatively interchangeable between vendor products, so replacing a commercial product with an open-source product, and vice versa, is relatively easy so long as the interfaces with the database have been isolated.

Quote for the day:

"The task of leadership is not to put greatness into humanity but to elicit it, for the greatness is already there." -- John Buchan
