Daily Tech Digest - December 28, 2023

CISO: Top 10 Trends for 2024

Mike highlighted recent legal cases involving CISOs, expressing concern about the unprecedented accountability of security professionals and the potential for them to be scapegoated. He discussed cases like Joe Sullivan at Uber and Tim Brown at SolarWinds, emphasizing the SEC's issuance of a Wells Notice for a CISO, a first in history. Mike questioned the trend of holding CISOs responsible for issues beyond their control and predicted a continued exodus of CISOs from their roles due to perceived lack of support. Yogesh offered a contrasting view, suggesting that recent cases may serve as catalysts for elevating the role of CISOs and improving security programs. ... Nitin addressed the widespread reliance on third parties in today's technological landscape and the need for continuous due diligence beyond initial assessments. Nitin emphasized the importance of close coordination and regular conversations with key third-party providers, highlighting the significance of vendor management skills and understanding the scope of responsibilities. Yogesh brought up the concept of shared responsibility models inspired by the practices of AWS and Amazon, emphasizing the need for a prioritized and evolving approach to third-party risk management.

Why People Should Be at the Heart of Operational Resilience

Embracing the ethos of “you build it, you run it” isn’t necessarily a bad thing, but turning it into a fetish can easily lead us into a place where failures and faults become the responsibility of individuals. That’s not good for anyone, humans or technology. “If the resilience of a system depends on humans never making mistakes, then the system is really brittle,” Shortridge said. “Humanity’s success is because of our creativity and ability to adapt; it isn’t because we’re great at doing the same thing the same way every time, or can memorize 50 things on a checklist that we never forget.” Although DevOps is well-intentioned in attempting to break down barriers, it has arguably contributed to a broader organizational discomfort with failure — a desire to control and minimize risk. “Many organizations struggle with the existential angst of wanting to prevent anything bad from ever happening,” Shortridge claimed. This she added, is ultimately “an impossible goal … It’s a downward spiral where the fear of things going wrong results in a slower, heavier approach, which actually increases the likelihood of things going wrong – as well as hindering the ability to swiftly recover from failure.”
Managing vendor partners is not a “one-and-done” activity. That’s why technology is so crucial to keep this process from being a herculean effort and make continuous monitoring more realistic throughout every stage of the vendor lifecycle. As an example, consider the initial assessment stage, when companies invite vendors to bid or pitch their services. Security questionnaires should be required at this point, especially for prospects that would be gaining full access to systems. These questionnaires can be automated to start, while still allowing respondents to supplement responses or resources. It's also a good idea to require a security audit report to illuminate any gaps that would need to be addressed before a contract gets signed. Regardless of the size or influence of vendor prospects, companies should always do their due diligence when it comes to assessing risks to avoid easily preventable attacks. Companies should provide a contract to approved vendors that clearly outlines compliance expectations — including a timeline of how long they have to fix any issues identified in the earlier security audit. 

Getting the most from cloud parking

Cloud parking, a component of FinOps, is the practice of shutting down cloud resources when your business is not using them. For example, if you have a cloud server instance running on a service like EC2, turning the server off when it's not hosting an active workload is an example of cloud parking. Later, if you want to use the server again, you'd "unpark" it by starting the instance back up. Cloud parking is important because almost all cloud services charge, at least in part, based on total running time. By parking cloud resources that you're not actively using, you stop the pricing meter and avoid paying for resources you don't actually need. ... Most types of cloud data resources, such as databases or storage volumes, can't be shut off in the same way that compute resources can, so businesses end up paying for their data even after applications that interact with the data are no longer running. With a sophisticated toolset that allows you to convert between data storage types quickly, it's possible to minimize this cost. For instance, imagine you shut down an EC2 instance and want to stop paying for the EBS volume that the instance uses.

The secret to making data analytics as transformative as generative AI

Unstructured and ungoverned data lakes, often built around the Hadoop ecosystem, have become the alternative to traditional data warehouses. They’re flexible and can store large amounts of semi-structured and unstructured data, but they require an extraordinary amount of preparation before the model ever runs. ... “The power of GPUs allows them to analyze as much data as they want,” Leff says. “I feel like we’re so conditioned — we know our system cannot handle unlimited data. I can’t just take a billion rows if I want and look at a thousand columns. I know I have to limit it. I have to sample it and summarize it. I have to do all sorts of things to get it to a size that’s workable. You completely unlock that because of GPUs.” RAPIDS, Nvidia’s open-source suite of GPU-accelerated data science and AI libraries also accelerates performance by orders of magnitude at scale across data pipelines by taking the massive parallelism that’s now possible and allowing organizations to apply it toward accelerating the Python and SQL data science ecosystems, adding enormous power underneath familiar interfaces.

3 Strategies For Turning Uncertainty Into a Clear Path Forward

To stand up to uncertainty, you must start reframing it as an opportunity. For leaders, rapidly multiplying unknowns increases the pressure to rebuild and reimagine their businesses. Though the journey from uncertainty to clarity is formidable, addressing challenges with a lens of opportunity leads to more and better innovation. ... A focus on simplicity can help. Simplicity is about focusing on the right things rather than doing things right. It's about focusing on the fundamentals, such as customer needs, and simple but powerful questions, such as "what do they need?" that help you get to the core of a problem and ensure you're solving the right one. "Keep it simple" means focusing on the strongest growth opportunities and having the courage to get rid of efforts that don't move the needle. ... For many who have "grown up" in large, resource-rich corporate environments, there is an instinct to default to resources (e.g. budget, headcount) to solve problems. However, my research over 15 years has shown that constraints can help navigate uncertainty. How? By activating creativity and ingenuity and relying on existing resources rather than waiting for additional resources to get started.

AI Investments We Shouldn't Overlook

AI is not a product -- it’s an ever-growing cycle of data usage, and people can be a huge factor in its failure. This leads us back to trust, as most people don’t trust the technology or the leaders working to regulate it. According to Pew Research, 52% of Americans say they feel more concerned than excited about the increased use of artificial intelligence. Those concerns are particularly strong in communities historically underrepresented in the design and deployment of technology. Meaningful participation including communities of users, impacted, as well as creators will improve ethical inquiry, help reduce harmful biases, and build confidence in AI’s fairness. To help allay these concerns, we need to have “seats at the table” for people with broader domain expertise. This is especially vital in areas such as health, finance, and law enforcement where bias has existed historically and is still a serious concern. Additionally, we should consider funding the National Science Foundation’s National AI Research Resource Task Force, and similar efforts, to reduce the economic barriers of entry into AI professions.

How to turn shadow IT into a culture of grassroots innovation

Balancing innovation with IT control remains necessary. Cybersecurity, including privacy and data protection, is considered the top business risk by corporate leaders. Your organization’s risk tolerance will depend on its culture, customers, and industry. Many aspects of security will be non-negotiable, but many can be solved by listening to users and evolving how you use platforms and services. One of the main risks associated with shadow IT is being blind to where company data lives. Without control, you can’t apply consistent policies. Let teams know why security processes are necessary and which standards any platform or tool must meet. Work to understand the business purpose of the adoption so you can help them find an alternative if their initial choice doesn’t meet those standards. The goal is to help users make intelligent security decisions – or help them behave securely by default – while enabling them to take advantage of technology that enhances their work. For example, by adopting a single sign-on solution with multi-factor authentication, you can solve access issues and give people a wider choice of apps and services while maintaining centralized visibility.

Unstructured Data Management Predictions for 2024

Data is increasingly in motion as IT needs to leverage new storage technologies and satisfy new business requirements. Enterprise data migrations of unstructured file and object data have long been complex and too manual and often require professional services. Automation and AI tools will change this, enabling intelligent, efficient data migrations that no longer need IT managers to babysit them and they will also be adaptive. Modern tools will know how to solve problems on the fly and self-remediate and will be able to recommend optimal storage tiers for different unstructured data workloads and use cases. This is a timely development, as data migrations are becoming more varied all the time and dependent upon the customer's changing environment — from firewall to network connections to security configurations. ... Unstructured data management will deliver affordable resiliency at a fraction of the cost, by creating cheap copies in durable object storage in the cloud for non-critical data — which is the bulk of all data in storage. This "poor man's data resiliency" approach will complement the 3x backup method for mission-critical data to create a cost-effective and holistic disaster recovery strategy.

ChatGPT can cough up sensitive information, raises privacy concerns

While catastrophic forgetting is supposed to bury old information as new data is added, researchers from Indiana University (IU) Bloomington have found that memories of these large language models (LLMs) can be jogged, posing privacy risks. According to a New York Times report, graphics editor Jeremy White was informed that his email address was procured via ChatGPT by an IU Ph.D. candidate, Rui Zhu. Zhu and his team were able to obtain White's and those of over 30 NYT employees from GPT-3.5 Turbo, an LLM from OpenAI. ... Speaking to the Daily Mail, AI expert Mike Wooldridge warned that confiding in ChatGPT about personal matters or opinions, such as work grievances or political preferences, could have consequences, reported The Guardian. Sharing private information with the chatbot may be "extremely unwise" as the revealed data contributes to training future versions. Wooldridge emphasizes that users should not expect a balanced response, as the technology tends to "tell you what you want to hear." He also dismissed the idea that AI possesses empathy or sympathy and cautions users that anything shared with ChatGPT may be used in future versions, making retractions nearly impossible.

Quote for the day:

"Knowledge is being aware of what you can do. Wisdom is knowing when not to do it." -- Anonymous

No comments:

Post a Comment