CISOs Struggle for C-Suite Status Even as Expectations Skyrocket
In many instances, CISOs who want clear risk guidance from their board don't get
it. Barely more than one-third (36%) described their board as offering them
clear enough insight into their organization's risk tolerance levels for them to
act upon. "The evolution of the CISO role over the past few years has
accelerated dramatically," says Nick Kakolowski, research director at IANS. With
organizations digitizing more of their operations, CISOs are taking on more
responsibilities and have become de facto owners of digital risk, he says.
"[But] organizations haven't figured out how to support and empower them as the
scope of the role grows." Concerns have been growing within the CISO community
in recent years about the escalating expectations around the role, even as their
ability to meet those expectations has remained largely unchanged. Incidents
like one last October where the SEC charged SolarWinds CISO Tim Brown with fraud
and internal control failures over the 2020 breach at the company, and where a
judge sentenced former Uber CISO Joe Sullivan to three years of probation over a
2016 breach, have fueled those concerns.
Three of four CISOs ready for job change
“Satisfaction has been rising consistently for the past few years, but last
year, it dipped,” says IANS Research Director Nick Kakolowski. “Last year, the
pressure on CISOs ratcheted up big time with the new SEC rules and CISOs being
held personally liable for breaches. ... “The environment surrounding CISOs is
extremely turbulent right now, and their individual exposure to lawsuits is at
an all-time high. CISOs face a real danger of being indicted or sued for
things outside of their control,” adds Patrick “Pat” Arvidson, chief strategy
officer for Interpres, a maker of a threat-informed defense surface management
platform. ... Another finding in the report is that CISOs aren’t getting the
facetime with boards that they need. Eighty-five percent of CISOs in the
survey indicated their board should offer clear guidance on their
organization’s risk tolerance for the CISO to act on, but only 36% found that
to be the case. “We are seeing some boards figuring this out and being
effective there, but across the board, there’s either a lack of visibility at
the board level—CISOs aren’t consistently reporting to the board—or CISOs and
boards haven’t figured out how to speak each other’s language,” Kakolowski
says.
How Accelerated Adoption of a Data Governance Framework Helped a Large Financial Services Organization Build a Snowflake Data Vault
The Domain Working Group meetings were instrumental in helping both business
stakeholders and technology developers walk through examples and requirements
for merging sometimes incomplete, inaccurate, and inconsistent data from 3
sources into a single complete, accurate, and consistent golden record. As
business stakeholders started to understand the savings in time spent querying
3 data sources, reconciling and explaining differences between sources, and
deciding which data is most trusted, and also started to see the benefits of
having a single authoritative view of their domain data, enthusiasm for the
Data Vault initiative increased. Embedding data governance practices and tools
by creating a data governance workstream within a business or technology
project is one of many approaches an organization can take to expand or
accelerate engagement, adoption, and implementation of a data governance
program. The success of this Data Vault project was partially attributed to
the established data governance framework and team, but the biggest benefit
was the adoption of data governance by dozens of previously unaware employees
through exposure to the data governance program and witnessing real-life
benefits of active end-to-end data governance made part of their everyday job
responsibilities.
Putting a Number on Bad Data
Several quantifiable metrics can serve as a starting point for evaluating the
cost of bad data, including the rate of occurrence or number of incidents per
year, time to detection, and time to resolution. ... Number and frequency of
incidents: While some companies may experience data incidents on a daily
basis, others may go days – if not weeks – without one. The criticality of the
incidents can vary from something “minor,” such as stale data linked to a
dashboard that nobody has used in ages, to a data duplication problem causing
the server to overcharge and ultimately go down. ... Mean time to resolution
(MTTR): What happens once an incident is reported? MTTR is the average time
spent between becoming aware of a data incident and resolving it. The
resolution time is greatly influenced by the criticality of the incident and
the complexity of the data platform, which is why we are considering the
average for the purpose of this framework. ... Mean time to production (MTTP)
is the average time it takes to ship new data products or, in other words, the
average time to market for data products. This could be the time spent by an
analyst “cleaning” the data for a data science model.
Microservices Architecture: Navigating the Buzz
Despite the apparent advantages, there are various challenges that I think are
important to highlight. Worth noting is that they are all avoidable when
considered and planned around upfront. A common reason why teams end up
sticking with a traditional monolithic approach includes the fact that
microservices bring increased complexity. This complexity comes in the form of
teams needing to understand how to design, build, and manage distributed
systems. More specifically, not knowing how to implement a reliable
communication protocol for microservices to be able to communicate is a
recurring pain point that leads to decreased system performance, and in turn,
has teams switching back to their monolithic system. Another challenge that
arises from having an increased number of interactions comes in the form of
system testing and debugging. Aside from these difficulties, another major
concern when considering microservices includes that of security. Implementing
robust authentication, authorization, and encryption across each and every
service is crucial.
Attribute-based encryption could spell the end of data compromise
The history of ABE goes back to a ground-breaking 2005 paper titled “Fuzzy
Identity-Based Encryption.” Fifteen years later, recognizing the paper’s
significance, the International Association for Cryptologic Research (IACR)
gave it a 2020 Test of Time Award. One of its co-authors, Dr. Brent Waters,
later said the paper has had a three-fold impact. First, there has been the
concept of ABE as its own application with distinctive new use cases, several
of which are discussed below. Second, the cryptographic research community not
only has spent years studying ABE, but also used ABE as a building block,
leveraging it to obtain new results in work on other problems. Third,
according to Dr. Waters, the work in ABE “inspired us to rethink encryption in
even bigger and grander ways.” One such overflow has been functional
encryption, which allows a user to learn only a function of a data set. For
ABE, the end goal is fine-grained access to the data itself. On its own,
that’s a revolution. An ABE scheme can provide the right user with a key to
very specific data. Not to an entire file cabinet, so to speak, but to a
single line item within a category of filed documents.
The Cashless Future: Convenience Versus Privacy and Freedom
While convenience reigns, privacy and governmental control remain crucial
considerations. Financial inclusion must also be championed, ensuring everyone
has access to secure and equitable payment methods. This transition demands
careful navigation, balancing innovation with the principles of trust and
individual freedom. The spectre of Central Bank Digital Currencies (CBDCs)
further fuels the debate. Some fear a dystopian future controlled by
governments with direct access to digital money. However, this ignores the
historical evolution of ethics, regulations and frameworks. Laws like the Ten
Commandments and the Magna Carta, enacted in our tribal and agrarian past,
have evolved alongside society, forming the cornerstone of trust and control
within our modern, interconnected world. We willingly relinquish information
through regulatory KYC and AML practices in exchange for the security and
transparency of banks. Similarly, could CBDCs provide a trusted digital
foundation without succumbing to the anxieties of overreach? Perhaps the
future holds not a revolution, but an evolution. A landscape where a
foundational digital currency, overseen by central banks, coexists with
diverse ecosystems like Disney coins or Amazon credits.
Harnessing the Power of Diverse Data with Fern Halper
Halper began with a quick overview of what constitutes diverse data. “Diverse
data is pretty much just what it sounds like -- data in formats other than
structured data,” she said. “This includes unstructured and semistructured
data (for example, XML and JSON) and data from different sources (such as
social media and IoT devices).” She explained that this diverse data is
becoming more important as companies seek any way to compete better in their
markets. “For example, a company can use the unstructured or semistructured
data from their call center interactions to better predict when a customer
might churn.” This diverse data can also be used to uncover hidden insights,
make better predictions, and otherwise better respond to what’s happening on
the ground, she added. “This reflects what we saw in the survey, which was
that the primary driver for using diverse data, cited by 53% of respondents,
was to better understand customers. This was followed by use cases related to
operational efficiency, which were cited by 43%.” The conversation then turned
to the subject of how organizations were managing all this data.
Deprecated npm packages that appear active present open-source risk
The problem is probably much worse because Aqua only checked direct
dependencies, not transient ones as well — the dependencies of dependencies.
The dependency chain for npm packages can go many levels deep and not
accounting for this is a common reason why vulnerable code might make it
into projects undetected. “This situation becomes critical when
maintainers, instead of addressing security flaws with patches or CVE
assignments, opt to deprecate affected packages,” the Aqua researchers said
in their report. “What makes this particularly concerning is that, at times,
these maintainers do not officially mark the package as deprecated on npm,
leaving a security gap for users who may remain unaware of potential
threats.” ... The npm repository package maintainers do have the option of
marking packages as deprecated, which will appear as a warning to users
visiting the page. They can also include a note for users with additional
information such as alternatives. This can be considered as official
deprecation. However, other signs can indicate that a project is dead even
if it doesn’t have a big warning on it.
How CEOs can mitigate compounding risks
Leaders should instruct their risk management functions to broaden the
aperture on the risk scenarios they monitor to include compounding risks.
For example, once risk managers have identified the top risks to the
business, they often create an enterprise-level risk management map.
Instead, the team should consider how and which individual risks could
combine to create a new compounding risk, with particular focus on risks
that may be minor individually but have high frequency (IT outages, for
instance). Looking at the business through the lens of the customer rather
than through product offerings can help risk managers see small but
recurring friction points that could cause customers to leave. ... Many
compounding risks stem from trends with long-term time horizons such as
climate change, market or business model innovations, or changing consumer
behaviors. These risks tend to build slowly until they hit the tipping point
of becoming existential for the organization. A horizon planning approach
can help management teams address risks that can emerge at various stages by
looking at three horizons: first, maintaining and defending the core
business; second, nurturing emerging businesses; and third, creating
genuinely new businesses.
Quote for the day:
"Whenever you see a successful
business, someone once made a courageous decision." --
Peter F. Drucker
No comments:
Post a Comment