Quote for the day:
"Engagement is a leadership responsibility—never the employee’s, and not HR’s." -- Gordon Tredgold
Why cloud outages are becoming normal
As the headlines become more frequent and the incidents themselves start to
blur together, we have to ask: Why are these outages becoming a monthly,
sometimes even weekly, story? What’s changed in the world of cloud computing
to usher in this new era of instability? In my view, several trends are
converging to make these outages not only more common but also more disruptive
and more challenging to prevent. ... The predictable outcome is that when
experienced engineers and architects leave, they are often replaced by
less-skilled staff who lack deep institutional knowledge. They lack adequate
experience in platform operations, troubleshooting, and crisis response. While
capable, these “B Team” employees may not have the skills or knowledge to
anticipate how minor changes affect massive, interconnected systems like
Azure. ... Another trend amplifying the impact of these outages is the
relative complacency about resilience. For years, organizations have been
content to “lift and shift” workloads to the cloud, reaping the benefits of
agility and scalability without necessarily investing in the levels of
redundancy and disaster recovery that such migrations require. There is
growing cultural acceptance among enterprises that cloud outages are
unavoidable and that mitigating their effects should be left to providers.
This is both an unrealistic expectation and a dangerous abdication of
responsibility.AI agents are changing entire roles, not just task augmentation
Task augmentation was about improving individual tasks within an existing
process. Think of a source-to-pay process in which specific steps are
automated. That is relatively easy to visualize and implement in a classic
process landscape. Role transformation, however, requires a completely
different approach. You have to turn your entire end-to-end business process
architecture into a role-based architecture, explains Mueller. ... Think of an
agent that links past incidents to existing problems. Or an agent that
automatically checks licenses and certifications for all running systems. “I
wonder why everyone isn’t already doing this,” says Mueller. In the event of
an incident with a known problem, the agent can intervene immediately without
human intervention. That’s an autonomous circle. For more complex tasks, you
can start in supervised mode and later transition to autonomous mode. ... The
real challenge is that companies are so far behind in their capabilities to
handle the latest technology. Many cannot even visualize what AI means. The
executive has a simple recommendation: “If you had to build it from scratch on
greenfield, would you do it the same way you do now?” That question gets to
the heart of the matter. “Everyone looks at the auto industry and sees that it
is being disrupted by Chinese companies. This is because Chinese companies can
do things much faster than old economies,” Mueller notes.Why are AI leaders fleeing?
Normally, when big-name talent leaves Silicon Valley giants, the PR language
is vanilla: they’re headed for a “new chapter” or “grateful for the journey” —
or maybe there’s some vague hints about a stealth startup. In the world of AI,
though, recent exits read more like a whistleblower warnings. ... Each
individual story is different, but I see a thread here. The AI people who were
concerned about “what should we build and how to do it safely?” are leaving.
They’ll be replaced by people whose first, if not only, priority is “how fast
can we turn this into a profitable business?” Oh, and not just profitable; not
even a unicorn with a valuation of $1 billion is enough for these people. If
the business isn’t a “decacorn,” a privately held startup company valued at
more than $10 billion, they don’t want to hear about it. I think it’s very
telling that Peter Steinberger, the creator of the insanely — in every sense
of the word — hot OpenClaw AI bot, has already been hired by OpenAI. Altman
calls him a “genius” and says his ideas “will quickly become core to our
product offerings.” Actually, OpenClaw is a security disaster waiting to
happen. Someday soon, some foolhardy people or companies will lose their
shirts because they trusted valuable information with it. And, its inventor is
who Altman wants at the heart of OpenAI!? Gartner needs to redo its hype
cycle. With AI, we’re past the “Peak of Inflated Expectations” and charging
toward the “Pinnacle of Hysterical Financial Fantasies.”Poland Energy Survives Attack on Wind, Solar Infrastructure
The attack on Poland's energy sector late last year might have failed, but
it's also the first large-scale attack against decentralized energy resources
(DERs) like wind turbines and solar farms. ... The attacks were destructive by
nature and "occurred during a period when Poland was struggling with low
temperatures and snowstorms just before the New Year." ... Dragos said
that over the past year, Electrum has worked alongside another threat actor,
tracked as Kamicite, to conduct destructive attacks against Ukrainian ISPs and
persistent scanning of industrial devices in the US. Kamicite gained initial
access and persistence against organizations, and Electrum executed follow-on
activity. Dragos has tracked Kamicite activities against the European ICS/OT
supply chain since late 2024. "Electrum remains one of the most aggressive and
capable OT/ICS-adjacent threat actors in the world," Dragos said. "Even when
targeting IT infrastructure, Electrum's destructive malware often affects
organizations that provide critical operational services, telecommunications,
logistics, and infrastructure support, blurring the traditional boundary
between IT and OT. Kamacite's continuous reconnaissance and access development
directly enable Electrum's destructive operations. These activities are
neither theoretical nor preparatory, they are part of active campaigns
culminating in real-world outages, data destruction, and coordinated
destabilization campaigns."Why SaaS cost optimization is an operating model problem, not a budget exercise
When CIOs ask why SaaS costs spiral, the answer is rarely “poor discipline.”
It’s usually structural. ... In the engagement I described, SaaS sprawl had
accumulated over years for understandable reasons: Business units bought tools
to move faster; IT teams enabled experimentation during growth
phases; Mergers brought duplicate platforms; and Pandemic-era
urgency favored speed over standardization. No one made a single bad decision.
Hundreds of reasonable decisions added up to an unreasonable outcome. ...
During a review session, I asked a simple question about one of the
highest-cost platforms: “Who owns this product?” The room went quiet. IT
assumed the business owned it. The business assumed IT managed it. Procurement
negotiated the contract. Security reviewed access annually. No one was
accountable for adoption, value realization or lifecycle decisions. This lack
of accountability wasn’t unique to that tool — it was systemic. Best-practice
guidance on SaaS governance consistently emphasizes the importance of
assigning a clearly named owner for every application, accountable for cost,
security, compliance and ongoing value. Without that ownership, redundancy and
unmanaged spend tend to persist across portfolios. ... CIOs focus on licenses
and contracts, but the real issue is the absence of a product mindset. SaaS
platforms behave like products, but many organizations manage them like
utilities.Finding a common language around risk
The CISO warns about ransomware threats. Operations worries about supply chain
breakdowns. The board obsesses over market disruption. They’re all talking
about risk, but they might as well be on different planets. When the crisis
hits (and it always does), everyone scrambles in their own direction while the
place burns down. ... The Organizational Risk Culture Standard (ORCS) offers
something most frameworks miss: it treats culture as the foundation, not the
afterthought. You can’t bolt culture onto existing processes and call it done.
Culture is how people actually think about risk when no one is watching. It’s
the shared beliefs that guide decisions under pressure. Think of it as a
dynamic system in which people, processes and technology must dance together.
People are the operators who judge and act on risks. Processes provide
standards, so they don’t have to improvise in a crisis. Technology provides
tools to detect patterns, monitor threats and respond faster than human
reflexes. But here’s the catch: these three elements have to align across all
three risk domains. Your cybersecurity team needs to understand how their
decisions affect operations. Your operations team needs to grasp strategic
implications. ... The ORCS standard provides a maturity model with five
levels. Most organizations start at Level 1, where risk management is reactive
and fragmented. People improvise. Policies exist on paper, but nobody follows
them. Crises catch everyone off guard.Harnessing curated threat intelligence to strengthen cybersecurity
Improving one’s cybersecurity posture with up-to-date threat intelligence is a
foundational element of any modern security stack. This enables automated
blocking of known threats and reduces the workload on security teams while
keeping the network protected. Curated threat intelligence also plays a
broader role across cybersecurity strategies, like blocking malicious IP
addresses from accessing the network to support intrusion prevention and
defend against distributed denial-of-service (DDoS) attacks. ... Organizations
overwhelmed by massive amounts of cybersecurity data can gain clarity and
control with curated threat intelligence. By validating, enriching and
verifying the data, curated intelligence dramatically reduces false positives
and noise, enabling security teams to focus on the most relevant and credible
threats. Improved accuracy and certainty accelerates time-to-knowledge,
sharpens prioritization based on threat severity and potential impact, and
ensures resources are applied and deployed where they matter most. With higher
confidence and certainty, teams can respond to incidents faster and more
decisively, while also shifting from reactive to proactive and ultimately
preventative – using known adversary indicators and patterns to investigate
threats, strengthen controls, and stop attacks before they cause damage.
Curated threat Intelligence transforms one’s cybersecurity from reactive to
resilient. Password managers’ promise that they can’t see your vaults isn’t always true
All eight of the top password managers have adopted the term “zero knowledge” to
describe the complex encryption system they use to protect the data vaults that
users store on their servers. The definitions vary slightly from vendor to
vendor, but they generally boil down to one bold assurance: that there is no way
for malicious insiders or hackers who manage to compromise the cloud
infrastructure to steal vaults or data stored in them. ... New research shows
that these claims aren’t true in all cases, particularly when account recovery
is in place or password managers are set to share vaults or organize users into
groups. The researchers reverse-engineered or closely analyzed Bitwarden,
Dashlane, and LastPass and identified ways that someone with control over the
server—either administrative or the result of a compromise—can, in fact, steal
data and, in some cases, entire vaults. The researchers also devised other
attacks that can weaken the encryption to the point that ciphertext can be
converted to plaintext. ... Three of the attacks—one against Bitwarden and two
against LastPass—target what the researchers call “item-level encryption” or
“vault malleability.” Instead of encrypting a vault in a single, monolithic
blob, password managers often encrypt individual items, and sometimes individual
fields within an item. These items and fields are all encrypted with the same
key. Poor documentation risks an AI nightmare for developers
Poor documentation not only slows down development and makes bug fixing
difficult, but its effects can multiply. Misunderstandings can propagate through
codebases, creating issues that can take a long time to fix. The use of AI
accelerates this problem. AI coding assistants rely on documentation to
understand how software should be used. Without AI, there is the option of
institutional knowledge, or even simply asking the developer behind the code. AI
doesn’t have this choice and will confidently fill in the gaps where no
documentation exists. We’re familiar with AI hallucinations – and developers
will be checking for these kinds of errors – but a lack of documentation will
likely cause an AI to simply take a stab in the dark. ... Developers need to
write documentation around complete workflows: the full path from local
development to production deployment, including failures and edge cases. It can
be tricky to spot errors in your own work, so AI can be used to help here,
following the documentation end-to-end and observing where confusion and errors
appear. AI can also be used to draft documentation and generally does a pretty
good job of putting together documentation when presented with code. ...
Document development should be an ongoing process – just as software is patched
and updated, so should the documentation. Questions that come in from support
tickets and community forums – especially repeat problems – can be used to
highlight issues in documentation, particularly those caused by assumed
knowledge.
/articles/spec-driven-development/en/smallimage/spec-driven-development-thumbnail-1767777707872.jpg)
