CISO: Top 10 Trends for 2024
Mike highlighted recent legal cases involving CISOs, expressing concern about the unprecedented accountability of security professionals and the potential for them to be scapegoated. He discussed cases like Joe Sullivan at Uber and Tim Brown at SolarWinds, emphasizing the SEC's issuance of a Wells Notice for a CISO, a first in history. Mike questioned the trend of holding CISOs responsible for issues beyond their control and predicted a continued exodus of CISOs from their roles due to perceived lack of support. Yogesh offered a contrasting view, suggesting that recent cases may serve as catalysts for elevating the role of CISOs and improving security programs. ... Nitin addressed the widespread reliance on third parties in today's technological landscape and the need for continuous due diligence beyond initial assessments. Nitin emphasized the importance of close coordination and regular conversations with key third-party providers, highlighting the significance of vendor management skills and understanding the scope of responsibilities. Yogesh brought up the concept of shared responsibility models inspired by the practices of AWS and Amazon, emphasizing the need for a prioritized and evolving approach to third-party risk management.
Why People Should Be at the Heart of Operational Resilience
Embracing the ethos of “you build it, you run it” isn’t necessarily a bad thing,
but turning it into a fetish can easily lead us into a place where failures and
faults become the responsibility of individuals. That’s not good for anyone,
humans or technology. “If the resilience of a system depends on humans never
making mistakes, then the system is really brittle,” Shortridge said.
“Humanity’s success is because of our creativity and ability to adapt; it isn’t
because we’re great at doing the same thing the same way every time, or can
memorize 50 things on a checklist that we never forget.” Although DevOps is
well-intentioned in attempting to break down barriers, it has arguably
contributed to a broader organizational discomfort with failure — a desire to
control and minimize risk. “Many organizations struggle with the existential
angst of wanting to prevent anything bad from ever happening,” Shortridge
claimed. This, she added, is ultimately “an impossible goal … It’s a downward
spiral where the fear of things going wrong results in a slower, heavier
approach, which actually increases the likelihood of things going wrong – as
well as hindering the ability to swiftly recover from failure.”
Managing vendor partners is not a “one-and-done” activity. That’s why technology
is so crucial to keep this process from being a herculean effort and make
continuous monitoring more realistic throughout every stage of the vendor
lifecycle. As an example, consider the initial assessment stage, when companies
invite vendors to bid or pitch their services. Security questionnaires should be
required at this point, especially for prospects that would be gaining full
access to systems. These questionnaires can be automated to start, while still
allowing respondents to supplement responses or resources. It's also a good idea
to require a security audit report to illuminate any gaps that would need to be
addressed before a contract gets signed. Regardless of the size or influence of
vendor prospects, companies should always do their due diligence when it comes
to assessing risks to avoid easily preventable attacks. Companies should provide
a contract to approved vendors that clearly outlines compliance expectations —
including a timeline of how long they have to fix any issues identified in the
earlier security audit.
Getting the most from cloud parking
Cloud parking, a component of FinOps, is the practice of shutting down cloud
resources when your business is not using them. For example, if you have a cloud
server instance running on a service like EC2, turning the server off when it's
not hosting an active workload is an example of cloud parking. Later, if you
want to use the server again, you'd "unpark" it by starting the instance back
up. Cloud parking is important because almost all cloud services charge, at
least in part, based on total running time. By parking cloud resources that
you're not actively using, you stop the pricing meter and avoid paying for
resources you don't actually need. ... Most types of cloud data resources, such
as databases or storage volumes, can't be shut off in the same way that compute
resources can, so businesses end up paying for their data even after
applications that interact with the data are no longer running. With a
sophisticated toolset that allows you to convert between data storage types
quickly, it's possible to minimize this cost. For instance, imagine you shut
down an EC2 instance and want to stop paying for the EBS volume that the
instance uses.
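The parking logic described above, as an added example that is not part of the original article: a planner that decides which idle instances to stop and which EBS volumes to convert to snapshots so the meter stops on storage as well as compute. The instance and volume records are constructed inline in the shape that describe_instances/describe_volumes would return, and the `Park=never` opt-out tag is an assumed convention.

```python
"""Cloud-parking planner (added example): decide which idle EC2 instances to
stop and which EBS volumes to replace with cheaper snapshots."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Volume:
    volume_id: str
    is_root: bool

@dataclass
class Instance:
    instance_id: str
    state: str               # "running" or "stopped"
    last_activity: datetime  # last time CPU/network rose above the idle floor
    tags: dict
    volumes: list

def plan_parking(instances, now, idle_after=timedelta(hours=2)):
    """Return (action, resource_id) tuples in dependency order: stop the
    instance, snapshot each attached volume, then delete non-root data volumes.
    Instances tagged Park=never (assumed tag name) are always-on and skipped."""
    actions = []
    for inst in instances:
        if inst.tags.get("Park", "").lower() == "never":
            continue
        if inst.state == "running":
            if now - inst.last_activity < idle_after:
                continue  # still busy: leave the meter running
            actions.append(("stop_instance", inst.instance_id))
        # Storage keeps billing after compute stops, so convert each volume to a
        # snapshot; the root volume stays attached so the instance can unpark.
        for vol in inst.volumes:
            actions.append(("create_snapshot", vol.volume_id))
            if not vol.is_root:
                actions.append(("delete_volume", vol.volume_id))
    return actions

NOW = datetime(2024, 1, 5, 12, 0, tzinfo=timezone.utc)
FLEET = [  # constructed sample fleet, not real resource ids
    Instance("i-0aaa", "running", NOW - timedelta(hours=5), {"Name": "ci"},
             [Volume("vol-0root", True), Volume("vol-0data", False)]),
    Instance("i-0bbb", "running", NOW - timedelta(minutes=10), {"Name": "web"},
             [Volume("vol-1root", True)]),
    Instance("i-0ccc", "stopped", NOW - timedelta(days=3), {"Name": "batch"},
             [Volume("vol-2root", True), Volume("vol-2data", False)]),
    Instance("i-0ddd", "running", NOW - timedelta(days=9),
             {"Name": "db", "Park": "never"}, [Volume("vol-3root", True)]),
]
```

Running `plan_parking(FLEET, NOW)` stops only the CI runner, snapshots the data volumes of both the CI runner and the already-stopped batch host before deleting them, and leaves the busy web server and the opted-out database untouched.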
The secret to making data analytics as transformative as generative AI
Unstructured and ungoverned data lakes, often built around the Hadoop ecosystem,
have become the alternative to traditional data warehouses. They’re flexible and
can store large amounts of semi-structured and unstructured data, but they
require an extraordinary amount of preparation before the model ever runs. ...
“The power of GPUs allows them to analyze as much data as they want,” Leff says.
“I feel like we’re so conditioned — we know our system cannot handle unlimited
data. I can’t just take a billion rows if I want and look at a thousand columns.
I know I have to limit it. I have to sample it and summarize it. I have to do
all sorts of things to get it to a size that’s workable. You completely unlock
that because of GPUs.” RAPIDS, Nvidia’s open-source suite of GPU-accelerated
data science and AI libraries, also speeds up data pipelines by orders of
magnitude at scale: it takes the massive parallelism that is now possible and
lets organizations apply it to the Python and SQL data science ecosystems,
adding enormous power underneath familiar interfaces.
3 Strategies For Turning Uncertainty Into a Clear Path Forward
To stand up to uncertainty, you must start reframing it as an opportunity. For
leaders, rapidly multiplying unknowns increases the pressure to rebuild and
reimagine their businesses. Though the journey from uncertainty to clarity is
formidable, addressing challenges with a lens of opportunity leads to more and
better innovation. ... A focus on simplicity can help. Simplicity is about
focusing on the right things rather than doing things right. It's about
focusing on the fundamentals, such as customer needs, and simple but powerful
questions, such as "what do they need?" that help you get to the core of a
problem and ensure you're solving the right one. "Keep it simple" means
focusing on the strongest growth opportunities and having the courage to get
rid of efforts that don't move the needle. ... For many who have "grown up" in
large, resource-rich corporate environments, there is an instinct to default
to resources (e.g. budget, headcount) to solve problems. However, my research
over 15 years has shown that constraints can help navigate uncertainty. How?
By activating creativity and ingenuity and relying on existing resources
rather than waiting for additional resources to get started.
AI Investments We Shouldn't Overlook
AI is not a product -- it’s an ever-growing cycle of data usage, and people
can be a huge factor in its failure. This leads us back to trust, as most
people don’t trust the technology or the leaders working to regulate it.
According to Pew Research, 52% of Americans say they feel more concerned than
excited about the increased use of artificial intelligence. Those concerns are
particularly strong in communities historically underrepresented in the design
and deployment of technology. Meaningful participation by users, impacted
communities, and creators alike will improve ethical inquiry, help reduce
harmful biases, and build confidence in AI’s fairness. To help allay
these concerns, we need to have “seats at the table” for people with broader
domain expertise. This is especially vital in areas such as health, finance,
and law enforcement where bias has existed historically and is still a serious
concern. Additionally, we should consider funding the National Science
Foundation’s National AI Research Resource Task Force, and similar efforts, to
reduce the economic barriers of entry into AI professions.
How to turn shadow IT into a culture of grassroots innovation
Balancing innovation with IT control remains necessary. Cybersecurity,
including privacy and data protection, is considered the top business risk by
corporate leaders. Your organization’s risk tolerance will depend on its
culture, customers, and industry. Many aspects of security will be
non-negotiable, but many can be solved by listening to users and evolving how
you use platforms and services. One of the main risks associated with shadow
IT is being blind to where company data lives. Without control, you can’t
apply consistent policies. Let teams know why security processes are necessary
and which standards any platform or tool must meet. Work to understand the
business purpose of the adoption so you can help them find an alternative if
their initial choice doesn’t meet those standards. The goal is to help users
make intelligent security decisions – or help them behave securely by default
– while enabling them to take advantage of technology that enhances their
work. For example, by adopting a single sign-on solution with multi-factor
authentication, you can solve access issues and give people a wider choice of
apps and services while maintaining centralized visibility.
Unstructured Data Management Predictions for 2024
Data is increasingly in motion as IT needs to leverage new storage
technologies and satisfy new business requirements. Enterprise data migrations
of unstructured file and object data have long been complex, too manual, and
often dependent on professional services. Automation and AI tools will change
this, enabling intelligent, efficient data migrations that no longer need IT
managers to babysit them, and they will also be adaptive. Modern tools will
know how to solve problems on the fly and self-remediate and will be able to
recommend optimal storage tiers for different unstructured data workloads and
use cases. This is a timely development, as data migrations are becoming more
varied all the time and dependent upon the customer's changing environment —
from firewall to network connections to security configurations. ...
Unstructured data management will deliver affordable resiliency at a fraction
of the cost, by creating cheap copies in durable object storage in the cloud
for non-critical data — which is the bulk of all data in storage. This "poor
man's data resiliency" approach will complement the 3x backup method for
mission-critical data to create a cost-effective and holistic disaster
recovery strategy.
ChatGPT can cough up sensitive information, raises privacy concerns
While catastrophic forgetting is supposed to bury old information as new data
is added, researchers from Indiana University (IU) Bloomington have found that
memories of these large language models (LLMs) can be jogged, posing privacy
risks. According to a New York Times report, graphics editor Jeremy White was
informed that his email address was procured via ChatGPT by an IU Ph.D.
candidate, Rui Zhu. Zhu and his team were able to obtain White's address and those
of over 30 NYT employees from GPT-3.5 Turbo, an LLM from OpenAI. ... Speaking to
the Daily Mail, AI expert Mike Wooldridge warned that confiding in ChatGPT
about personal matters or opinions, such as work grievances or political
preferences, could have consequences, reported The Guardian. Sharing private
information with the chatbot may be "extremely unwise" as the revealed data
contributes to training future versions. Wooldridge emphasized that users
should not expect a balanced response, as the technology tends to "tell you
what you want to hear." He also dismissed the idea that AI possesses empathy
or sympathy and cautioned users that anything shared with ChatGPT may be used
in future versions, making retractions nearly impossible.
Quote for the day:
"Knowledge is being aware of what you can do. Wisdom is knowing when not to do it." -- Anonymous