Daily Tech Digest - April 19, 2024

Cloud cost management is not working

The Forrester report illuminates significant visibility challenges when using existing CCMO tools. Tracking expenses across different cloud activities, such as data management, egress charges, and application integration, remains a challenge. Finops is normally on the radar, but these enterprises have yet to adopt useful finops practices, with most programs either nonexistent or not yet off the ground, even if funded. Then there’s the fact that enterprises are not good at using these tools yet, and they seem to add more cost with little benefit. The assumption is that they will get better and costs will get under control. However, given the additional resource needs for AI deployments, improvements are not likely to occur for years. At the same time, there is no plan to provide IT with additional funding, and many companies are attempting to hold the line on spending. Despite these challenges, getting cloud spending under control continues to be a priority, even if results do not show that. This means major fixing needs to be done at the architecture and integration level, which most in IT view as overly complex and too expensive to fix. 

Why Selecting the Appropriate Data Governance Operating Model Is Crucial

When deciding on the data governance operating model, you cannot simply pick one approach without evaluating the benefits each one offers. You need to weigh the potential benefits of centralized and decentralized governance models before making a decision. If you find that the benefits of centralizing your governance operations exceed those of a decentralized model by at least 20%, then it’s best to centralize. With a centralized governance model, you can bridge the skills gap, enjoy consistent outcomes across all business units, easily report on operations, ensure executive buy-in at the C-level, and plan for effectiveness in continuous feedback elicitation, improvements, and change management. However, the downside is that it often leads to operation rigidity, which reduces motivation among mid-level managers, and bureaucracy often outweighs the benefits. It’s important to consider socio-cultural aspects when formulating your operating model, as they can significantly influence the success of your organization.

5 Steps Toward Military-Grade API Security

When evaluating client security, you must address environment-specific threats. In the browser, military grade starts with ensuring the best protections against token theft, where malicious JavaScript threats, also known as cross-site scripting (XSS), are the biggest concern. To reduce the impact of an XSS exploit, it is recommended to use the latest and most secure HTTP-only SameSite cookies to transport OAuth tokens to your APIs. Use a backend-for-frontend (BFF) component to issue cookies to JavaScript apps. The BFF should also use a client credential when getting access tokens. ... A utility API then does the cookie issuing on behalf of its SPA without adversely affecting your web architecture. In an OAuth architecture, clients obtain access tokens by running an OAuth flow. To authenticate users, a client uses the OpenID Connect standard and runs a code flow. The client sends request parameters to the authorization server and receives response parameters. However, these parameters can potentially be tampered with. For example, an attacker might replay a request and change the scope value in an attempt to escalate privileges.

Break Security Burnout: Combining Leadership With Neuroscience

The problem for cybersecurity pros is that they often get stuck in a constant state of psychological fight-or-flight response pattern due to the constant stress cycle of their jobs, Coroneos explains. iRest is a training that helps them switch out of this cycle to bring them to a deeper state of relaxation to reset that fight-or-flight response. This will help the brain switch off, so it is not constantly creating stress not only in the workplace but throughout their everyday lives, thus creating burnout, he says. "We need to get them into a position where they can come into a proper relationship into their subconscious," Coroneos says, adding that so far cybersecurity professionals who have experienced the training — which Cybermindz is currently piloting— report they are sleeping better and making clearer decisions after only a few sessions of the program. Indeed, while burnout remains a serious problem, the message Coroneos and Williams ultimately want to convey is one of hope that there are solutions to solve the burnout problem currently facing cybersecurity professionals, and that the enormous pressures these dedicated professionals face is not being overlooked.

Unlocking Customer Experience: The Critical Role of Your Supply Chain

It is crucial to find a partner that understands that digital transformation alone is not enough. Unlike point solution vendors who solve isolated problems, prioritize a partner that focuses on three main areas: people, processes, and systems. A good partner will begin its approach by understanding what is actually happening with mission-critical processes in the supply chain like inbound and outbound logistics, supplier management, customer service, help desk, and financial processes. Understanding these root causes helps identify opportunities for improvement and automation. Analyzing data and feedback reveals pain points, bottlenecks, and inefficiencies within each process. Utilizing process mapping and performance metrics helps pinpoint areas ripe for enhancement. Automation technologies, like AI and machine learning, streamline repetitive tasks, reducing errors and enhancing efficiency. By continuously assessing and optimizing these processes, businesses can improve responsiveness, reduce costs, and enhance overall supply chain performance, ultimately driving customer satisfaction and competitive advantage.

AI migration woes: Brain drain threatens India’s tech future

To address the challenge of talent migration, the biggest companies in India must work together to democratise access to resources and opportunities within its tech ecosystem. One key aspect of this approach involves fostering a culture of open collaboration among key stakeholders, including top-tier venture capitalists (VCs), corporates, academia and leading startups because no single entity can drive AI innovation in isolation. By creating a collaborative ecosystem where information is freely shared and resources are pooled, can level the playing field and provide equal opportunities for aspiring AI professionals across the nation. This could involve the establishment of platforms dedicated to knowledge exchange, networking events and cross-sector partnerships aimed towards accelerating innovation. ... In addition to these fundamental elements, the tech ecosystem in India must also prioritise accessibility and affordability in the adoption of AI-integrated technologies. The future-ready benefits of AI should be democratised, reaching not only large brands but also small and medium-sized enterprises (SMEs), startups and grassroots organisations. 

Are you a toxic cybersecurity boss? How to be a better CISO

Though most CISOs treat their employees fairly, CISOs are human beings — with all the frailties, quirks, and imperfections of the human condition. But CISOs behaving badly expose their own organizations to huge risks. ... One of the thorniest challenges of a toxic CISO is that the person causing the problem is also the one in charge, making them susceptible to blind spots about their own behavior. Nicole L. Turner, a specialist in workplace culture and leadership coaching, got a close-up look at this type of myopia when a top exec (in a non-security role) recently hired her to deliver leadership training to the department heads at his company. “He felt like they needed training because he could tell some things were going on with them, that they were burned out and overwhelmed. But as I’m training them, I notice these sidebar conversations [among his staff] that he was the problem, more so than the work itself. It was just such an ironic thing and he didn’t know,” recounts Turner, owner and chief culture officer at Nicole L. Turner Consulting in Washington, D.C. There’s also some truth to the adage that it’s lonely at the top, especially in a hypercompetitive corporate environment.

Who owns customer identity?

Onboarding users securely but still seamlessly is a constant conflict in many types of businesses, from retail, insurance, to fintech. ... If you are from a regulated industry, MFA becomes important. Make it a risk-based MFA, however, to reduce undue friction. If your business offers a D2C or B2C product or service, seamless onboarding is your number one priority. If user friction is the primary reason for your CIAM initiative, the product team or engineering team should take the lead and bring other teams along. If MFA is the main use case, the CISO should lead the discussions and then bring other teams along. ... If testing or piloting is possible, do so. Experimentation is very valuable in a CIAM context. Whether you are moving to a new CIAM solution, trying a new auth method, or changing your onboarding process in any other way, run a pilot or an A/B test first. Starting small, measuring the results, and taking longer-term decisions accordingly is a healthy cycle to follow when it comes to customer identity processes.

GenAI: A New Headache for SaaS Security Teams

The GenAI revolution, whose risks remain in the realm of the unknown unknown, comes at a time when the focus on perimeter protection is becoming increasingly outdated. Threat actors today are increasingly focused on the weakest links within organizations, such as human identities, non-human identities, and misconfigurations in SaaS applications. Nation-state threat actors have recently used tactics such as brute-force password sprays and phishing to successfully deliver malware and ransomware, as well as carry out other malicious attacks on SaaS applications. Complicating efforts to secure SaaS applications, the lines between work and personal life are now blurred when it comes to the use of devices in the hybrid work model. With the temptations that come with the power of GenAI, it will become impossible to stop employees from using the technology, whether sanctioned or not. The rapid uptake of GenAI in the workforce should, therefore, be a wake-up call for organizations to reevaluate whether they have the security tools to handle the next generation of SaaS security threats.

What CIOs Can Learn from an Attempted Deepfake Call

Defending against deepfake threats takes a multifaceted strategy. “There's a three-pronged approach where there's education, there's culture, and there's technology,” says Kosak. NINJIO focuses on educating people on cybersecurity risks, like deepfakes, with short, engaging videos. “If you can deepfake a voice and a face or an image based on just a little bit of information or maybe three to four seconds of that voice tone, that's sending us down a path that is going to require a ton of verification and discipline from the individual’s perspective,” says McAlmont. He argues that an hour or two of annual training is insufficient as threats continue to escalate. More frequent training can help increase employee vigilance and build that culture of talking about cybersecurity concerns. When it comes to training around deepfakes, awareness is key. These threats will continue to come. What does a deepfake sound or look like? (Pretty convincing in many cases.) What are some of the common signs that the person you hear or see isn’t who they say they are?

Quote for the day:

“A real entrepreneur is somebody who has no safety net underneath them.” -- Henry Kravis

No comments:

Post a Comment