The modern CISO: Scapegoat or value creator?
To showcase the value of their programs and demonstrate effectiveness, CISOs
must establish clear communication and overcome the disconnect between the
board and their team. It’s up to the CISO to ensure the board understands the
level of cyber risk their organization is facing and what they need to
increase the cyber resilience of their organization. Presenting cyber risk
levels in monetary terms with actionable next steps is necessary to bring the
board of directors on the same page and open an honest line of communication,
while elevating their cybersecurity team to the role of value creator. ...
CISOs are deeply wary about sharing too many details on their cybersecurity
posture in the public domain, because of the unnecessary and preventable risk
of exposing their organizations to cyberattacks, which are expected to cause
$10.5 trillion in damages by 2025. Filing an honest 10K while preserving your
organization’s cyber defenses requires a delicate balance. We’ve already seen
Clorox fall victim when the balance was off. ... Given the pace at which the
cybersecurity landscape is continuing to evolve, the CISO’s job is getting
tougher.
This Week in AI: OpenAI and publishers are partners of convenience
In an appearance on the “All-In” podcast, Altman said that he “definitely
[doesn’t] think there will be an arms race for [training] data” because “when
models get smart enough, at some point, it shouldn’t be about more data — at
least not for training.” Elsewhere, he told MIT Technology Review’s James
O’Donnell that he’s “optimistic” that OpenAI — and/or the broader AI industry
— will “figure a way out of [needing] more and more training data.” Models
aren’t that “smart” yet, leading OpenAI to reportedly experiment with
synthetic training data and scour the far reaches of the web — and YouTube —
for organic sources. But let’s assume they one day don’t need much additional
data to improve by leaps and bounds. ... Through licensing deals, OpenAI
effectively neutralizes a legal threat — at least until the courts determine
how fair use applies in the context of AI training — and gets to celebrate a
PR win. Publishers get much-needed capital. And the work on AI that might
gravely harm those publishers continues.
Private equity looks to the CIO as value multiplier
A newer way of thinking about value creation focuses on IT, he says, because
nearly every company, perhaps even the mom-and-pop coffee shop down the
street, is a heavy IT user. “With this third wave, we’re seeing private equity
firms retain in-house IT leadership, and that in-house IT leadership has led
to more value creation,” Buccola says. “Firms with great IT leadership, a
sound IT strategy, and a forward-thinking IT strategy, are creating more
value.” ... “All roads lead to IT,” says Corrigan, a veteran of PE-backed
firms, with World Insurance backed by Goldman Sachs and Charlesbank. “Every
aspect of the business is dependent on some type of technology.” Corrigan sees
CIOs being more frequently consulted when PE-backed firms look to IT systems to
drive operational efficiencies. In some cases, cutting costs is a quicker path
to return on investment than revenue growth. “Every dollar you can cut out of
the bottom line is worth several dollars of revenue generated,” he says. ...
“The modern CIO in a private equity environment is no longer just a
back-office role but a strategic partner capable of driving the business
forward,” he says.
Sad Truth Is, Bad Tests Are the Norm!
When it comes to testing, many people seem to have the world view that
hard-to-maintain tests are the norm and acceptable. In my experience, the
major culprits are BDD frameworks that are based on text feature files. This
is amplifying waste. The extra feature file layer in theory allows: the user to
swap out the language at a later date; a business person to write user
stories and/or acceptance criteria; a business person to read the user
stories and/or acceptance criteria; collaboration; etc. You have actually
added more complexity than you think, for little benefit. I am explicitly
critiquing the approach of writing the extra feature file layer first, not the
benefits of BDD as a concept. You test more efficiently, with better results,
by not writing the feature file layer, such as with Smart BDD, where it’s
generated by code. Here I compare the complexities and differences between
Cucumber and Smart BDD. ... Culture is hugely important, I’m sure we and our
bosses and senior leaders would all ultimately agree with the following: for
more value, you need more feedback and less waste; for more feedback, you
need more value and less waste; for less waste, you need more value and
more feedback.
6 Months Under the SEC’s Cybersecurity Disclosure Rules
There have been calls for regulatory harmonization. For example, the
Biden-Harris Administration’s National Cybersecurity Strategy released last
year calls for harmonization and streamlining of new and existing regulations
to ease the burden of compliance. But in the meantime, enterprise leadership
teams must operate in this complicated regulatory landscape, made only more
complicated by budgetary issues. “Security budgets aren't growing for the most
part. So, there's this tension between diverting resources to security versus
diverting resources to compliance … on top of everything else that the CISOs
have going on,” says Algeier. So, what should CISOs and enterprise leadership
teams be doing as they continue to work under these SEC rules and other
regulatory obligations? “CISOs should keep in mind the ability to quickly,
easily, and efficiently fulfill the requirements laid out by the SEC,
especially if they were to fall victim to an attack,” says Das. “This means
having not only the right processes in place, but investments into tools that
can ensure reporting occurs in the newly condensed timeline.”
Despite increased budgets, organizations struggle with compliance
“While regulations are driving strategy shifts and increased budgets, the
talent shortage and fragmented infrastructure remain obstacles to compliance
and resilience. To succeed, organizations must find the right balance between
human expertise for complex situations and AI-enhanced automation tools for
routine tasks. This will alleviate operational strain and ensure security
professionals can focus on the parts of the job where human judgment is
irreplaceable.” ... 93% of organizations report rethinking their cybersecurity
strategy in the past year due to the rise of new regulations, with 58% stating
they have completely reconsidered their approach. The strategy shifts are also
impacting the roles of cybersecurity decision-makers, with 45% citing
significant new responsibilities. 92% of organizations reported an increase in
their allocated budgets. Among these organizations, a significant portion
(36%) witnessed budget increases of 20% to 49%, and a notable 23% saw
increases exceeding 50%.
Fundamentals of Dimensional Data Modeling
Dimensional modeling focuses its diagramming on facts and dimensions: facts
contain crucial quantitative data to track business processes. Examples of
these metrics include sales figures or number of subscriptions. Dimensions
contain referential pieces of information. Examples of dimensions include
customer name, price, date, or location. Keeping the dimensions separate from
facts makes it easier for analysts to slice-and-dice and filter data to align
with the relevant context underlying a business problem. ... Dimensional
modeling provides a basis for meaningful analytics gathered from a data
warehouse for many reasons. Its processes lead to standardizing dimensions
through presenting the data blueprint intuitively. ... Dimensional data
modeling promises quick access to business insights when searching a data
warehouse. Modelers provide a template to guide business conversations across
various teams by selecting the business process, defining the grain, and
identifying the dimensions and fact tables. Alignment in the design requires
these processes, and Data Governance plays an integral role in getting
there.
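As an added illustration of the steps the excerpt lists (pick the business process, define the grain, identify the dimensions and the fact table), the following is a small star schema built in an in-memory SQLite database. It is example code written for this digest, not code from the article; the table names, columns and the handful of sales rows are constructed for the demo. The grain is one row in fact_sales per sale line; every fact row must point at a real customer, date and location, and the last function shows the foreign-key constraints rejecting a fact that references a date the dimension does not know about.

```python
import sqlite3

# Constructed sample data (not from the article): two customers, three
# calendar days, two locations and four sale lines that reference them.
CUSTOMERS = [(1, "Ada"), (2, "Grace")]
DATES = [(20240601, 2024, 6, 1), (20240602, 2024, 6, 2), (20240701, 2024, 7, 1)]
LOCATIONS = [(1, "Berlin", "DE"), (2, "Lisbon", "PT")]
# Grain of the fact table: one row per sale line
# (customer_key, date_key, location_key, quantity, amount).
SALES = [
    (1, 20240601, 1, 2, 40.0),
    (2, 20240601, 2, 1, 15.0),
    (1, 20240602, 1, 3, 60.0),
    (2, 20240701, 2, 4, 80.0),
]

# Star schema: narrow dimension tables with surrogate keys, one fact table whose
# numeric columns are the measures and whose other columns are foreign keys.
SCHEMA = """
CREATE TABLE dim_customer (
    customer_key  INTEGER PRIMARY KEY,
    customer_name TEXT NOT NULL
);
CREATE TABLE dim_date (
    date_key INTEGER PRIMARY KEY,
    year     INTEGER NOT NULL,
    month    INTEGER NOT NULL,
    day      INTEGER NOT NULL
);
CREATE TABLE dim_location (
    location_key INTEGER PRIMARY KEY,
    city         TEXT NOT NULL,
    country      TEXT NOT NULL
);
CREATE TABLE fact_sales (
    sale_id      INTEGER PRIMARY KEY,
    customer_key INTEGER NOT NULL REFERENCES dim_customer(customer_key),
    date_key     INTEGER NOT NULL REFERENCES dim_date(date_key),
    location_key INTEGER NOT NULL REFERENCES dim_location(location_key),
    quantity     INTEGER NOT NULL,
    amount       REAL NOT NULL
);
"""


def build_star_schema():
    """Create the schema in memory and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO dim_customer VALUES (?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO dim_date VALUES (?, ?, ?, ?)", DATES)
    conn.executemany("INSERT INTO dim_location VALUES (?, ?, ?)", LOCATIONS)
    conn.executemany(
        "INSERT INTO fact_sales (customer_key, date_key, location_key, quantity, amount) "
        "VALUES (?, ?, ?, ?, ?)",
        SALES,
    )
    conn.commit()
    return conn


def sales_by_country_and_month(conn):
    """Slice the measures by two dimensions: (country, year, month, units, revenue)."""
    return conn.execute(
        """
        SELECT l.country, d.year, d.month, SUM(f.quantity), SUM(f.amount)
        FROM fact_sales f
        JOIN dim_location l ON l.location_key = f.location_key
        JOIN dim_date     d ON d.date_key     = f.date_key
        GROUP BY l.country, d.year, d.month
        ORDER BY l.country, d.year, d.month
        """
    ).fetchall()


def reject_orphan_fact(conn):
    """A fact row whose date_key has no dimension row violates the grain; it must be refused."""
    try:
        conn.execute(
            "INSERT INTO fact_sales (customer_key, date_key, location_key, quantity, amount) "
            "VALUES (1, 20991231, 1, 1, 1.0)"  # 20991231 is not in dim_date
        )
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()
    return False


if __name__ == "__main__":
    db = build_star_schema()
    for row in sales_by_country_and_month(db):
        print(row)
    print("orphan fact rejected:", reject_orphan_fact(db))
```

The slice query touches only the two dimensions it filters and groups on; adding a third dimension (say, product) is a new table plus one more foreign key on fact_sales, which is the property that makes the design easy to extend without rewriting existing reports. Enabling foreign-key enforcement is the cheap governance check that keeps the fact table from silently drifting away from its declared grain.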
Why the AI Revolution Is Being Led from Below
If shadow IT was largely defined by some teams’ use of unauthorized vendors
and platforms, shadow AI is often driven by the use of AI tools like ChatGPT
by individual employees and users, on their own and even surreptitiously. ...
So why is that a problem? The proliferation of shadow AI can deliver many of
the same benefits as officially sanctioned AI strategies, streamlining
processes, automating repetitive tasks, and enhancing productivity. Employees
are mainly drawn to deploy their own AI tools for precisely these reasons —
they can hand off chunks of taxing work to these invisible assistants. Some
industry observers see the plus side of all this and are actively encouraging
the “democratization” of AI tools. At this week’s The Financial Brand Forum
2024, Cornerstone Advisors’ Ron Shevlin made it his top recommendation: “My #1
piece of advice is ‘drive bottom-up use.’ Encourage widespread AI
experimentation by your team members. Then document and share the process and
output improvements as widely as possible.”
A Strategic Approach to Stopping SIM Swap Fraud
Fraudsters are cautious about their return on investment. SIM swap fraud is a
high-risk endeavor, and they typically expect higher rewards. It involves the
risk of physically visiting telco operator premises, obtaining genuine looking
customer identification documents, using employees as mules, or bribing bank or
telco staff. Their targets are mostly high-balance accounts, including both
bank accounts and wallets. Over the years, we have learned that customers with
substantial account balances might often share bank details and OTPs during
social engineering schemes, but they typically refrain from sharing their PIN
due to the perceived risk involved. Even if a small percentage of customers
were to share their PIN, the risk would still be minimized, as the majority of
potential victims would refrain from sharing their PIN. The fraudsters would
need to compromise at three levels instead of two: data gathering,
compromising the telco operator and persuading the customer. If customers
detect something suspicious, they may become alert, resulting in fraudsters
wasting their investments.
Complexity snarls multicloud network management
While each cloud provider does its best to make networking simple across
clouds, all have very nuanced differences and varied best practices for
approaching the same problem, says Ed Wood, global enterprise network lead at
business advisory firm Accenture. This makes being able to create
enterprise-ready, secured networks across the cloud challenging, he adds.
Wasim believes that a lack of intelligent data utilization at crucial stages,
from data ingestion to proactive management, further complicates the process.
“The sheer scale of managing resources, coupled with the dynamic nature of
cloud environments, makes it challenging to achieve optimal performance and
efficiency.” Making network management even more challenging is a lack of
clarity on roles and responsibilities. This can be attributed to an absence of
agreement on shared responsibility models, Wasim says. As a result,
stakeholders, including customers, cloud service providers, and any involved
third parties, might each hold different views on responsibility and
accountability regarding data compliance, controls, and cloud operations
management.
Quote for the day:
"You may be disappointed if you fail,
but you are doomed if you don't try." -- Beverly Sills