Quote for the day:
"Strong convictions precede great actions." -- James Freeman Clarke
90% of companies are woefully unprepared for quantum security threats
Companies shouldn't wait, Bain warned, pointing to rapid progress made by IBM,
Google, and other industry leaders on this front. "At a certain threshold,
quantum computing will be able to easily and quickly break asymmetric
cryptography protocols such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman (DH),
and elliptic-curve cryptography (ECC) and reduce the time required,
weakening symmetric cryptography such as advanced encryption standard
(AES) and hashing functions," ... The highest impact will be on secure keys
and tokens, digital certificates, authentication protocols, data encrypted at
rest, and even network security and identity access management
(IAM) tools. Essentially, anything currently relying on
encryption. Beyond that, quantum computing could supercharge malware and
make it easier to identify and weaponize "zero day" flaws, Bain
warned. Another risk highlighted by security experts is "steal now, crack
later" techniques, whereby threat actors harvest data now to decrypt
later. ... Companies need a board-led – and funded – roadmap to
consider post-quantum risks across their business decision making, ensuring
quantum resilience across their own suppliers, existing technology, and even
their products. But so far, the Bain survey revealed only 12% of companies are
considering quantum readiness as a key factor in procurement and risk
assessments.
The New Rules of Work: What a global HR leader reveals about modern talent
The impact of AI on the workforce is a subject Sonia has thought deeply about,
especially as it relates to entry-level talent. “There’s always been a question
about repetitive engineering tasks—whether these should be done by engineers or
by diploma holders. Now, with AI in the picture, many of these tasks will be
automated,” she says. Rather than seeing this as a threat, Kutty believes it
frees up human talent to focus on innovation and problem-solving. “Our true
value at Quest Global comes from leveraging innovation to solve the toughest
engineering problems. AI will allow us to do more of this meaningful work.” ...
While the company offers AI-based courses and certifications, Kutty emphasises
the importance of fostering a mindset of adaptability and systems thinking. “We
call it nurturing ‘polymath engineers’—professionals who can think broadly,
adapt to new challenges, and learn continuously,” she says. ... As the
engineering and R&D sector prepares for rapid growth, Kutty identifies
leadership development as her biggest challenge—and her greatest
responsibility. “We need strong leaders who understand this industry and are
ready to step up when the time comes. Planning for leadership succession keeps
me up at night. It’s critical for our continued success.” On the other hand,
client expectations have evolved alongside technological advances. “In the
past, clients would tell us exactly what they wanted. Now, they expect us to
tell them what’s possible with AI and technology. They see us as partners in
innovation, not just service providers,” Kutty observes.
Work-from-office mandate? Expect top talent turnover, culture rot
There is value in cross-functional teams working together in person, says
Lawrence Wolfe, CTO at marketing firm Converge. “When teams meet for
architecture sessions, design sprints, or incident response, the pace of
progress, as well as the level of clarity, may increase simply because being
in-person caters to the way most people in the business interact,” he says.
However, there are potential downsides for IT leaders, with strict
work-from-office policies making it more difficult to attract and retain top IT
talent. ... Despite possible resistance, it makes sense for some IT jobs to be
tied to an office, says Lena McDearmid, founder and CEO of culture and
leadership advisory firm Wryver. Some IT roles, including device provisioning,
network operations, and conference room IT support, are better done in person,
she notes. She sees some other benefits in specific situations. “In-person work
is genuinely valuable for onboarding and mentoring early-career technologists,
especially when learning how the organization actually operates, not just how
the codebase works,” McDearmid says. “It’s also powerful when teams need to
think together in high-bandwidth ways: whiteboards, war rooms, architecture
reviews, incident response, or when solving messy, cross-functional problems.”
... IT leaders enforcing in-person work mandates can also focus on making the
workplace a real place to collaborate, she adds. CIOs can align office space,
meeting schedules, and in-office days so they reinforce the goals of
collaboration and knowledge sharing, Wettemann adds.
Rethinking IT leadership to unlock the agility of ‘teamship’
Rather than waiting for the leader to set the pace, the best teams coach one
another, challenge one another, co-elevate one another, and move faster,
because they and their leaders have built cultures where candor is a shared
responsibility. For CIOs navigating the messy middle of AI, modernization, and
talent transformation, this shift from leadership to what Ferrazzi calls
“teamship” may be the most important upgrade of all. ... The No. 1 shift is to
move from leadership to teamship. That means stop thinking of leadership as a
hub and spoke. Don’t think about what you need to give feedback on, how you
need to hold people accountable, how you need to do this or that. Instead,
think about, how do you get your team to step up and meet each other, to give
each other feedback, to hold each other’s energy up. Get out of the center and
expect your team to step up. ... To be effective, stress testing needs to be
positioned as a service to the person who’s giving the project update. We’re
not trying to make them look bad or catch them in what they’re doing wrong.
The feedback should be offered and received as data, with no presumption that
they have to act on it. ... That fear is rooted in a misunderstanding of how
high-performing teams actually work. In traditional leadership models,
accountability flows upward: People worry about what the boss will think. In
teamship, accountability flows sideways: People worry about letting their
peers down.
The Upside Down is Real: What Stranger Things Teaches Us About Modern Cybersecurity
The Upside Down’s danger lies in the unseen portals – the gates and rifts –
that allow its monstrous inhabitants, like the Demogorgon and the Mind Flayer,
to cross over and wreak havoc in the seemingly safe, familiar world of
Hawkins. Today, nearly every business’s hidden reality is its extended attack
surface. It’s the sprawling, complex, and often unmanaged network of IT, OT,
IoT, medical, cloud systems and beyond that modern organizations rely on. ...
For the CISO and security team, this translates directly to the need for full,
continuous visibility across every single connected device and system to
protect the entire attack surface and manage their organization’s cyber risk
exposure in real time. Like the Dungeons and Dragons analogies the kids use to
understand the creatures and their tactics, security teams rely on context and
intelligence – risk scoring, vulnerability prioritization, and threat analysis
– to understand how an asset is connected, why it is vulnerable, and what the
most effective countermeasure is. ... First and foremost, cybersecurity
requires teamwork, particularly through the fusion of IT, OT, security and
business leadership so that they work from a unified view of any risks at
hand. It also demands persistence from the dedicated security professionals
protecting our digital infrastructure. Most of all, cybersecurity needs to be
a proactive and preemptive effort where risk exposures are continuously
monitored and threats can be stopped before they ever fully manifest.
Shadow AI: The emerging enterprise risk that can no longer be ignored
With regulatory frameworks tightening and emerging national standards,
unsanctioned AI activity can quickly become a governance liability. Instead of
reactive controls, organisations are now moving toward multi-layered visibility
frameworks: monitoring external AI calls, classifying enterprise assets by
sensitivity and tracking unmanaged AI usage. Forward-looking teams are even
translating these metrics into financial exposure scores, linking AI misuse to
operational, reputational and regulatory impact. Assigning monetary value to
Shadow AI risk has proven effective for prioritising mitigation at leadership
levels. ... A structured foundation is essential, comprising trusted
assessment frameworks, tested architectural blueprints and scalable AI
operating models. Some organisations are pairing these with comprehensive
training programs to build AI-literate leaders and teams, ensuring governance
evolves alongside capability. This reflects a broader shift: responsible AI has
now become the foundation of durable competitive advantage. ... Regulators,
global partners and enterprise clients are seeking evidence of formal AI
governance models, not just intent. For example, the Digital India Act,
sectoral data localisation rules and global regulatory momentum are prompting
enterprises to strengthen AI auditability, model documentation and workforce
training. For many organisations, AI governance has moved from an operational
task to a board-level agenda.
Ireland to make age checks through government app mandatory for social media
The plan is unprecedented among governments legislating online safety, in that
it makes downloading the app, designed by the Government’s chief information
officer, mandatory for age assurance. Per the Extra report, “if adults refuse
to download the digital wallet, they will no longer be able to access their
existing social media accounts.” “Mr. O’Donovan said the process of
downloading the app might inconvenience someone for ‘three or four minutes’
but this was a small ask in order to protect children online.” O’Donovan has
called the harmful effects of social media and other online content on youth a
“severe public health issue.” ... Concerns about age assurance technology
persist among privacy rights activists. Since age verification and facial age
estimation often involves the processing of biometrics, the potential for
sensitive data to be exposed is high. And requiring the process to run through
a government product is likely to agitate fears about mass surveillance.
O’Donovan says the risk to Ireland’s youth is higher. ... “At the end of the
day, if the companies have a social conscience and are interested in the
protection of children online, I don’t see why anybody who wouldn’t be trading
in Ireland, not just domiciled in Ireland, wouldn’t adopt the format that
we’re proposing,” he says. “Some of them do have, you know, something
bordering on a social conscience, which is to be welcomed. But others
don’t.”
Secure networking: the foundation for the AI era
Global networks have been under siege for years, but recent attacks are more
sophisticated and move at unprecedented speed. Many organizations are still
relying on outdated infrastructure, with Cisco research revealing that 48% of
network assets worldwide are aging or obsolete. This creates vulnerabilities
that attackers eagerly exploit. It’s no longer enough to patch and maintain; a
fundamental shift in strategy is required. ... Modern networks typically span
solutions and services from a range of different vendors, creating layers of
complexity that can quickly overwhelm even experienced IT teams. This
complexity often translates into vulnerability, especially when secure
configurations aren’t consistently implemented or maintained. For many,
simplicity and automation are now mission critical. Businesses increasingly
need networks where secure configurations, protocols, and features are enabled
by default and adapt automatically. ... Organizations now face the challenge
of not only detecting threats quickly, but also responding before
vulnerabilities can be exploited. There is an urgent need to reduce the attack
surface, remove legacy insecure features, and introduce advanced capabilities
for detection and response. ... The next generation of security requires
networks to seamlessly provide identity management, deep visibility,
integrated detection and protection, and streamlined management, while also
incorporating advanced technologies like post-quantum cryptography.
Ransomware gang’s slip-up led to data recovery for 12 US firms
Researchers at Florida-based Cyber Centaurs said Thursday they took advantage
of a lapse in operational security by the gang: They found artifacts left
behind by Restic, a legitimate open source backup utility the gang uses to
encrypt and exfiltrate victim data into cloud storage environments it
controls. Assuming the gang regularly re-uses Restic-based infrastructure led
to finding an unnamed cloud storage provider where stolen data was dumped. ...
While Restic wasn’t used for exfiltration in this particular attack, Cyber
Centaurs suspected the gang regularly used it, based on patterns seen in other
incidents. It also suspected the infrastructure the crooks used was unlikely
to be dismantled even after negotiations ended or payments were made by
corporate victims. With that in mind, the incident response team developed a
custom enumeration script to identify certain patterns that identify S3-style
cloud bucket infrastructure that the stolen data might be going to. The script
ran through a curated list of candidate repository identifiers derived from
previously observed Restic artifacts. For each candidate, environment
variables were set to match the configuration style used by the threat actor,
including the repository endpoint and encryption password. Restic was then
instructed to list available snapshots in a structured format, enabling
investigators to analyze results without interacting with the underlying
data.
The Real Attack Surface Isn’t Code Anymore — It’s Business Users
Traditional AppSec programs are optimized for code stored in repositories,
pushed through pipelines, and deployed through CI/CD, not for no-code apps,
connectors, and automations created on platforms like Power Platform,
ServiceNow, Salesforce, and UiPath. Meanwhile, most organizations assume
business-user automations are simple, low-risk, and limited in scope. The
reality is more complex. Citizen developers now outnumber traditional software
developers by an order of magnitude. Plus, they are wiring together data
sources, triggering multi-system workflows, and calling APIs, not just
building basic macros or departmental utilities. Because these automations are
created outside engineering governance, traditional monitoring tools never see
them. ... What emerges is a shadow layer of business logic that sits entirely
outside the boundaries of traditional AppSec, DevSecOps, and identity
programs. As long as ownership remains fragmented and discovery elusive,
security debt continues to grow unchecked. ... We’re entering an era where the
most dangerous vulnerabilities aren’t in the code AppDev teams write, but in
the thousands of workflows and automations business users build on their own.
The sooner organizations recognize and confront the invisible no-code estate,
the faster they can reduce the security debt accumulating inside their
infrastructure.
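The snapshot-listing step from the Cyber Centaurs item above (the Restic entry in this digest), written out as an added incident-response example; this is not the team's script and not code from the article. It assumes the analyst already has a list of candidate repositories and their recovered passwords from prior artifacts, uses only Restic's real RESTIC_REPOSITORY/RESTIC_PASSWORD variables and `restic snapshots --json --no-lock`, and reduces the output to metadata so no stolen file contents are ever read; the Candidate fields and SAMPLE_JSON are constructed.

```python
# Added IR example mirroring the digest's description: list snapshots only,
# never restore or read data. Candidate repositories and passwords come from
# the analyst's case file (hypothetical), nothing here derives them.
import json
import os
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    """One repository to check, recorded from previously observed artifacts."""
    label: str        # case-file label, e.g. "incident-7/cand-03" (hypothetical)
    repository: str   # restic repository URL, e.g. "s3:https://<endpoint>/<bucket>"
    password: str     # repository password recovered from artifacts


def build_env(cand: Candidate) -> dict:
    """Environment for restic. Cloud credentials (AWS_ACCESS_KEY_ID etc.)
    are inherited from the analyst's shell; only the repo vars are set here."""
    env = dict(os.environ)
    env["RESTIC_REPOSITORY"] = cand.repository
    env["RESTIC_PASSWORD"] = cand.password
    return env


def parse_snapshots(json_text: str) -> list:
    """Keep only metadata from `restic snapshots --json`: id, time, host, paths."""
    rows = []
    for snap in json.loads(json_text):
        rows.append({
            "id": snap.get("short_id") or snap.get("id", "")[:8],
            "time": snap.get("time", ""),
            "host": snap.get("hostname", ""),
            "paths": list(snap.get("paths", [])),
        })
    return rows


def list_snapshots(cand: Candidate, timeout: int = 60) -> list:
    """Run restic read-only against one candidate. Unreachable endpoint, wrong
    password, missing binary or timeout all yield [] so a sweep keeps going."""
    cmd = ["restic", "snapshots", "--json", "--no-lock"]
    try:
        proc = subprocess.run(cmd, env=build_env(cand), capture_output=True,
                              text=True, timeout=timeout, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return []
    if proc.returncode != 0:
        return []
    return parse_snapshots(proc.stdout)


def triage(candidates) -> dict:
    """Map each candidate label to the victim hostnames seen in its snapshots."""
    return {c.label: sorted({r["host"] for r in list_snapshots(c)}) for c in candidates}


# Constructed sample of restic's JSON output so the parser runs offline.
SAMPLE_JSON = json.dumps([
    {"id": "a1b2c3d4e5f6", "short_id": "a1b2c3d4", "time": "2024-01-01T00:00:00Z",
     "hostname": "FILESRV01", "paths": ["C:\\Shares\\Finance"], "tags": []},
    {"id": "0f0e0d0c0b0a", "short_id": "0f0e0d0c", "time": "2024-01-02T00:00:00Z",
     "hostname": "FILESRV01", "paths": ["C:\\Shares\\HR"], "tags": []},
])

if __name__ == "__main__":
    for row in parse_snapshots(SAMPLE_JSON):
        print(row)
```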