Daily Tech Digest - February 07, 2024

Can Enterprise DevOps Ever Measure Up?

At the most elite organizations, by Forney’s math, developers are spending up to 70% of their time writing and testing code, while the rest of their time is filled with meetings and context switching. But when you examine that exceptionally high 70%, she explained, you then have to consider how much time they are just “keeping the lights on” or dealing with customer support or are on call, versus “how much time they’re spending on the creation of new value.” She said it becomes a “diminishing bucket of space.” Especially at older organizations that haven’t quite migrated to the cloud and haven’t quite moved completely from Waterfall to agile, she finds developers are often focusing on the wrong work. Or they are building workarounds on top of their technical debt as a quick win, instead of fixing with a long-term vision in mind. “We look at organizations spending a huge amount of time doing planning and thinking these are our top priorities in the organization, but in reality, what’s going on? Are devs spending actually what you would expect to be the bulk of their time [on this]?” Forney said that “more often than not, what you see is they’re spending like 5% of their time across the entire organization level of effort on these most important things.”

IT Security Hiring Must Adapt to Skills Shortages

Omri Weinberg, co-founder and CRO at DoControl, says promoting cybersecurity education, offering mentorship and internships, increasing diversity, and providing ongoing professional development opportunities are all ways to help companies close the cybersecurity skills gap. “Collaboration among stakeholders is essential to address this challenge effectively,” he says. “It all starts at the top.” When it becomes a top priority to the board of directors, CEO and other executives, they will invest more time, money, and effort to educate the next generation alongside educational institutions to create more awareness and opportunities for the future of the cyber workforce. “Cybersecurity is one of the fastest evolving industries,” Sunil Muralidhar, vice president of growth and strategic initiatives at ColorTokens, explains via email. “Regardless of the specific specialization an individual might choose to focus on, creative thinking and problem-solving skills are the best skills an employee can have.” Also critical is the ability to collaborate with teams across the company, who may have varying degrees of technical or security skills.

Help for generative AI is on the way

Retrieval-augmented generation, or RAG, is a common method for adding context to an interaction with an LLM. Under the bonnet, RAG retrieves supplementary content from a database system to contextualize a response from an LLM. The contextual data can include metadata, such as timestamp, geolocation, reference, and product ID, but could in theory be the results of arbitrarily sophisticated database queries. This contextual information serves to help the overall system generate relevant and accurate responses. The essence of this approach lies in obtaining the most accurate and up-to-date information available on a given topic in a database, thereby refining the model’s responses. A useful by-product of this approach is that, unlike the opaque inner workings of GPT-4, if RAG forms the foundation for the business LLM, the business user gains more transparent insight into how the system arrived at the presented answer. If the underlying database has vector capabilities, then the response from the LLM, which includes embedded vectors, can be used to find pertinent data from the database to improve the accuracy of the response.

Meta to label AI-generated images from Google, OpenAI and Adobe

“We’re building this capability now, and in the coming months we’ll start applying labels in all languages supported by each app,” Clegg added. The move to label AI-generated images from companies, such as Google, OpenAI, Adobe, Shutterstock, and Midjourney, assumes significance as 2024 will see several elections taking place in several countries including the US, the EU, India, and South Africa. This year will also see Meta learning more about how users are creating and sharing AI-generated content and what kind of transparency netizens are finding valuable, Clegg said. Clegg’s statement about elections serves as a reminder of the Cambridge Analytica scandal, unearthed by the New York Times and The Observer back in 2018, that saw Facebook data of at least 50 million users being compromised. Last month, ChatGPT-maker OpenAI suspended two developers who created a bot mimicking Democratic presidential hopeful Congressman Dean Phillips, marking the company’s first action against the misuse of AI. Meta, according to Clegg, already marks images created by its own AI feature, which includes attaching visible markers and invisible watermarks.

AI is supercharging collaboration between developers and business users

AI enables team members "to create and share content more easily, automate, and optimize business processes more efficiently," he continues. "It enhances team communications by bringing clarity and utilizing transcripts to leverage exact words to remove ambiguity. All of this helps learning and development, and fosters team culture and engagement." The company also employs "AI-powered chatbots that can translate messages, summarize conversations, and provide relevant information," Naeger states. "AI can also help teams share data and insights more easily, by creating visualizations, dashboards, and reports. AI can help teams coordinate their tasks and workflows more efficiently, by automating or optimizing some of the processes." While AI-enhanced collaboration in IT sites is already happening, the emerging technology is still very much a work in progress. The move to AI-fueled collaboration means "organizations need to adapt and be prepared for shifts in how these teams work, integrating AI-driven metrics and managing AI tools," says Ammanath. 

Cybersecurity teams hesitate to use automation in TDIR workflows

When organizations were asked about the TDIR management areas where they require the most help, 36% of organizations expressed the need for third-party assistance in managing their threat detection and response, citing the challenge of handling it entirely on their own. This highlights a growing opportunity for the integration of automation and AI-driven security tools. The second most identified need, at 35%, was a desire for improved understanding of normal user and entity and peer group behaviour within their organization, demonstrating a demand for TDIR solutions equipped with user and entity behaviour analytics (UEBA) capabilities. These solutions should ideally minimise the need for extensive customisation while offering automated timelines and threat prioritisation. “As organizations continue to improve their TDIR processes, their security program metrics will likely look worse before they get better. But the tools exist to put them back on the front foot,” continued Moore. “Because AI-driven automation can aid in improving metrics and team morale, we’re already seeing increased demand to build even more AI-powered features. ...”

6 best practices for third-party risk management

CISOs can’t adequately manage third-party security threats when they do not have a complete picture of the third parties within their organization, says Murray, who is also president and CAO at Murray Security Services. This may seem like an obvious point, but Murray and others say this is a particularly challenging task as an increasing amount of technology is now deployed by business units instead of a centralized IT function committed to inventorying all tech assets. So, CISOs need to implement strategies for identifying and maintaining an accurate, comprehensive, and up-to-date inventory of the third parties whose security risks must be assessed and managed, Murray says. There are certainly software solutions that help here, but Valente advises CISOs to build in other steps to help ferret out problems at third parties. For example, she says CISOs can work with the finance department to review recurring payments (including those on corporate credit cards) to identify new software subscriptions that were bought without involving the organization’s procurement department and, thus, haven’t yet been added to the inventory list.

Unstructured Data Management: Plan Your Security and Governance

Although it may sound obvious, you need a holistic understanding of all data in storage. Gaps in visibility, hidden applications, obscure data silos in branch offices -- this all contributes to higher risk if the data is not managed properly. Consider that protected data is going to end up in places where it shouldn’t, such as on forgotten or underutilized file servers and shadow IT cloud services. Employees unwittingly copy sensitive data to noncompliant locations more often than you’d think. You’ll need a way to see all your data in storage and search across it to find the files to segment for security and compliance needs. You can use the data management capabilities in your NAS/SAN/cloud storage products to search for file types such as HR and IP data, but you’ll need to integrate visibility across all storage vendors and clouds if you use more than one vendor’s solution. ... IT infrastructure teams must collaborate with security and network teams to procure, install, and manage new storage and data management technology, but a more formal process centered around the data itself is required. This may involve stakeholders from legal, compliance, risk management, finance, and IT directors in key business units.

Crucial Airline Flight Planning App Open to Interception Risks

Researchers from Pen Test Partners found that an App Transport Security (ATS) feature in Flysmart+ Manager that would have forced the app to use HTTPS had not been enabled. The app did not have any form of certificate validation either, leaving it exposed to interception on open and untrusted networks. "An attacker could use this weakness to intercept and decrypt potentially sensitive information in transit," PTP said in its report this week. Ken Munro, a partner at the pen testing firm, says the biggest concern had to do with the potential for attacks on the app that could cause so-called runway excursions — or veer-offs and overruns — and potential tail strikes on takeoff. "The EFB is used to calculate the required power from the engines for departure, also the required braking on landing," Munro says. "We showed that, as a result of the missing ATS setting, one could potentially tamper with the data that is then given to pilots. That data is used during these 'performance' calculations, so pilots could apply insufficient power or not enough braking action," he says. The ATS issue in Flysmart+ Manager is just one of several vulnerabilities that PTP has uncovered in EFBs in recent years.

Why CIOs back API governance to avoid tech sprawl

APIs are ubiquitous within modern software architectures, working behind the scenes to facilitate myriad connected capabilities. “As enablers for the integration of data and business services across platforms, APIs are very aligned with current tech trends,” says Antonio Vázquez, CIO of software company Bizagi. “Reusability, composability, accessibility, and scalability are some of the core elements that a good API strategy can provide to support tech trends like hybrid cloud, hyper-automation, or AI.” For these reasons, API-first has gathered steam, a practice that privileges the development of the developer-facing interface above other concerns. “API-first strategy becomes critical to navigate contemporary tech trends, foster innovation, and ensure adaptability in a rapidly evolving technological landscape,” says Krithika Bhat, CIO of enterprise flash storage provider Pure Storage. She considers the increasing adoption of cloud computing and microservice architectures to be top drivers of formalized API-first approaches. Digital transformation and growing reliance on third-party services are key contributors as well, she adds.

Quote for the day:

“You are never too old to set another goal or to dream a new dream.” -- C.S. Lewis
