Regulations are still necessary to compel adoption of cybersecurity measures
Ultimately, though, there should be clear mandates to push the industry toward
clear outcomes, Rivas said. Such requirements, for example, could include a
proper patch management strategy and robust monitoring system, Sondhi said.
These should be accompanied by roadmaps for rollout, so market players would be
given the necessary timelines to ensure compliance, he added. Acknowledging
there will inevitably be pushback over concerns such mandates have on cost and
time-to-market, he said regulations need not be overly complex. They also can
point to accompanying standards bodies tasked to provide more details and update
the adoption of best practices when necessary. This will free up governments
from having to keep up with market changes and to instead focus on mandating
high-level requirements, he noted. Enforcement also is a good starting point
when the road toward cyber resilience may be long and fraught with complexities.
Organizations in operational technology (OT) sectors, in particular, have
ecosystems that have to be managed differently from IT infrastructures, Sondhi
said.
Beyond The 10X Software Engineer: Focusing On The Bigger Picture
Match team responsibilities with the load they can handle. You can do with
additional training, a good choice of underlying technologies, pair programming,
reshuffling responsibilities among teams and strategic hiring for the critical
skills still missing. For new team members, focus on tasks doable first within a
four-hour time slot and then in two to three days, so they can experience
repeatable success right away. With time, you can extend the average task
timeline to two weeks. Make sure there's a variety of tasks of similar
complexity. For example, you don't want to corner a software developer into only
fixing bugs. Mix things up to challenge team members with creative tasks like
minor new functionalities. Eliminate excessive bureaucracy and low-value
business processes. Boring or superfluous administrative tasks are a real
motivation drain, so reviewing them and removing those with low value have a
visible impact. Map team competencies to task complexity. This can be done
formally or informally and usually narrows down the list of competencies for
each team.
The Purpose of Estimation in Scrum: Sizing for Sprint Success
In response to the limitations of hours-based estimation, Scrum Teams are
turning to alternative methods such as relative estimation (using points).
Alternatively, teams are increasingly using flow metrics as a simpler and often
more accurate way to forecast value delivery. Relative estimation is a technique
used to estimate the size, complexity, and effort required for each Product
Backlog item. To use relative estimation, the Scrum Team first selects a point
system. Common point systems include Fibonacci or a simple scale from 1 to five.
(See our recent article How to create a point system for estimating in Scrum.
Once the team has selected a point system, they create an agreement which
describes which type of items to classify as a 1, 2, and so on. It is possible
for the team just to use its judgment, documenting that information in their
team agreements. Then, when the team needs to estimate new work, they simply
compare the new work to similar work done in the past, and assign the
appropriate number.
What Enterprises Need to Know About ChatGPT and Cybersecurity
Receiving the most valuable information from ChatGPT requires asking the correct
questions and expanding on the initial inquiry to obtain desired results and a
deeper understanding. Hackers are learning that they cannot ask ChatGPT a
directly malicious question, or they will receive a response such as, “I do not
create malware.” Instead, they ask it to pretend that ChatGPT is an AI model
that can execute a particular script. Bad actors continue to exploit and
socially engineer the process of installing malware or getting people to
relinquish credentials for unauthorized data system access. AI tools are making
it easier for cybercriminals to harm people. ... One noteworthy point is that
the ability to use AI to manipulate humans through social engineering is
becoming increasingly controllable. However, ChatGPT is not a Rosetta Stone-like
translator for hackers. Although both AI-generated scripts and social media
platform scripts are made by machines, their complexity, reliability and
security can differ significantly.
Weathering the Storm: A Guide to Preserving Business Continuity
Organizations that are most vulnerable to disruption tend to be those that rely
on legacy systems that have a single point of communications failure. The
additional risk exposure that accompanies these older networks may well justify
shifting to a cloud-based network (such as SD-WAN, a software-defined wide area
network) that provides the flexibility to bounce between broadband and ethernet
in real time to preserve bandwidth and connectivity. Similarly, it may be worth
considering moving to a unified communications platform, which is designed to
maintain multichannel communications for customers and employees. ... Based on
the risk assessment, create a formal, highly detailed plan specifying how your
organization will manage various crisis scenarios, the tools it will use to keep
the business running, and how, and by whom, information will be communicated
internally and externally. The plan also should identify critical on-premises
hardware and brick-and-mortar IT infrastructure (such as data centers) that must
be protected, and how they will be protected. Organizations with a continuity
plan already in place should revisit it at least annually and update it as
needed.
Phishing emails are more believable than ever. Here’s what to do about it
Because most ransomware is delivered through phishing, employee education is
essential to protecting your organization from these threats. That said,
there’s no single “one size fits all” education program--these training
efforts should be tailored to your enterprise's unique needs. Below are
several types of services and/or programs that are designed to help users
understand and detect phishing and other cyber threats, all of which can serve
as a great starting point for building a comprehensive employee security
awareness program. ... Delivering simulated phishing emails to your
organization’s employees allows them to practice identifying malicious
communications so that they know what to do when a threat actor strikes. The
FortiPhish Phishing Simulation Service uses real-world simulations to help
organizations test user awareness and vigilance to phishing threats and to
train users on what steps to take when they suspect they might be a target of
a phishing attack. ... As with the introduction of any new technology,
cybercriminals will continually find ways to use these tools for nefarious
purposes.
9 Steps to Platform Engineering Hell
The platform team still works with a DevOps mindset and continues to write
pipelines and automation for individual product teams. They get too many
requests from developers and don’t have the time or resources to zoom out and
come up with a long-term strategy to build a scalable IDP and ship it as a
product to the rest of the engineering organization. ... More platform
engineers are finally hired on the team, all very experienced, with years
working in operations. They come together and think hard about the biggest Ops
issues they experienced during their careers. They start designing a platform
to fix all those annoying issues that bugged them for years, but developers
will never use this platform. It doesn’t solve their problems; it only solves
Ops problems. ... Because you’re a large enterprise with inefficient
cross-unit communication, mid-management starts several platform engineering
initiatives without aligning with each other. Leadership doesn’t intervene,
efforts double, communication is not facilitated and gets progressively worse.
You end up with five platforms for five teams, most of which don’t work at
all.
The must-knows about low-code/no-code platforms
Low-code/no-code platforms inadvertently make it easy to bypass the procedural
steps in production that safeguard code. This issue can be exacerbated by a
workflow’s lack of developers with concrete knowledge of coding and security,
as these individuals would be most inclined to raise flags. From data breaches
to compliance issues, increased speed can come at a great cost for enterprises
that don’t take the necessary steps to scale with confidence. ... Maintaining
a strong team of professional developers and guardrail mechanisms can prevent
a Wild West scenario from emerging, where the desire to play fast and loose
creates security vulnerabilities, mounting technical debt from a lack of
management and oversight happening at the developer level, and inconsistent
development practices that spur liabilities, software bugs, and compliance
headaches. AI-powered tools can offset complications caused by acceleration
and automation through code governance and predictive intelligence mechanisms
however, enterprises often find themselves with a piecemealed portfolio of AI
tools that create bottlenecks in their development and delivery processes or
lack proper security tools to ensure the quality of code.
What It Takes To Architect A Culture Of Cybersecurity
Just because organizations impart mandatory compliance and security awareness
training to their employees does not mean employees will act securely. This is
because of something called the knowledge-behavior gap. Having knowledge does
not mean that people behave in a certain way. For them to transition from
behavior to knowledge, they also need “acceptance” and “intent.” Think of it
like the speed limit sign we consciously choose to ignore. We know the sign’s
there, we know it’s against the law to exceed it, we know that speeding kills,
and yet we choose to turn a blind eye. Since most organizations do not
actively manage and cultivate their security culture, they assume that it does
not exist in their organization. The reality is that every organization,
regardless of size, has a culture. The way in which organizations and
leadership teams treat, value, and manage security, influences and builds its
security culture. Unfortunately, most organizations do not track the
security-related aspects of their culture in its early stages and eventually,
it ends up spiraling out of control and manifesting into something the
organization may have difficulty reversing.
A semantic layer allows business users with little or no technical skills to
access and consume data without needing to understand the underlying technical
complexities. It makes data more accessible and understandable to
non-technical users, enabling them to easily query, analyze, and make informed
decisions based on the data. ... Integrating data into a semantic layer from
multiple sources -- each with its own structure, format, and levels of detail
-- can be a complex undertaking. The process of harmonizing these sources
demands time and meticulous attention to detail. Creating intricate business
views using precise calculations within the semantic layer presents yet
another challenge. Applying complex formulas, conditional rules, and
computations across multiple data sources is a grueling task. Mapping business
metrics with consistency in calculations and hierarchies across diverse BI
tools can be highly complicated as each tool handles it in a different manner.
... You’ll need a scalable and efficient semantic layer that is adept at
collaborating with multiple BI tools.
Quote for the day:
"Nothing in the world is more common
than unsuccessful people with talent." -- Anonymous
