Daily Tech Digest - December 27, 2020

Adopting AI Responsibly to Prevent Risks to Your Brand and Customer Experience

For years, AI has been successfully used in a variety of sectors, from chatbots to the automotive industry. The easier question to answer would be: Where is AI not being used yet? The challenge is how to place ethics above boardroom priorities, which put profit ahead of people. I wish I could say this is a thing of the past, but many companies still have this goal, even if it’s not intentional. I am not saying that profit is not or should not be the aim of businesses. I mean that fairness toward customers should be considered above any self-interest. Profit is often the result of substantial and desirable ethical work for employees, customers, partners, and stakeholders. Unfortunately, we still have companies that unintentionally (?) break customer trust, and in some cases, had even been aware of the issue. This can seriously affect any past efforts to develop a brand people trust. Even if your CX is perceived of as great, with one breach of trust, you will lose your key assets: employees and customers. Customers oftentimes love AI and machine learning (ML). Both businesses and customers alike reap the benefits of this complementary technologies. What we all want – based on a recent BCG survey – is something quite simple.


Why Is Cloud Governance Critical for the Success of Cloud Adoption?

The objective of cloud governance is not to limit access to cloud resources but to streamline it and manage it more efficiently. An intelligently-designed cloud governance policy lays the foundation for the success of your cloud adoption. ... The absence of a cloud governance framework usually means that an alternate governance policy, typically a more centralized one, exists. Such a centralized approach inhibits fast decision-making, which works against the organizational goals like agility and flexibility in adding new revenue streams, expanding to new markets, reducing time-to-market, and so on. It impedes the company’s responsiveness against the market dynamics, giving the competition more room to meet the customer needs. A comprehensive cloud governance framework complements an organization’s goals without compromising its resource utilization objectives. ... Cloud service providers recommend their customers to move their multiple-tenant workloads that reside in a single account to different cloud accounts. This allows organizations to offer precise control to users for only the workloads that are relevant to them. Such a siloed management of access drastically limits the financial and security fallout resulting from an issue – be it a technical issue or a security issue.


Implications Of AI On Everyday Documents

Industries generate millions of documents every month as a byproduct of business processes. And each of these documents contains meaningful snippets of information that are hidden deep inside. Once the datasets are identified, collected, and cleansed, it was time to move to the next step. The next step includes providing meaning to text extracted from digital assets such as documents, text files, and scanned images and use these datasets to feed downstream business apps, set up workflows and optimise business processes. All previous attempts of using AI to understand documents have failed because it focused on the co-occurrence of individual words and phrases existing in individual business documents. It was time to move beyond that by creating tools that could understand different portions of the document and their unique usage in any organisation. Therefore, the result is an intelligent model that can look for specific entities such as dates, contract numbers, purchase order numbers, etc. in different documents in minutes to generate meaningful insights and accelerate business outcomes. Think itinerary processing, financial compliance, auditing, renewal follow-up, invoice processing, and so on, all reviewed, identified, and automated.


The digital revolution: eight technologies that will change health and care

Wearable devices are in a newer category of technologies encompassing smartwatches (eg, an Apple Watch), activity trackers (eg, a Fitbit) and connected patches (eg, a smart bandage or smart plaster). These are generally in direct contact with the wearer for long durations, generating large quantities of data on specific biometrics or behaviours. Many large technology companies are positioning these devices as health or wellness devices not medical devices – currently side-stepping regulatory requirements. However, there is potential for these devices to be widely used in health and care, as well as by individuals to improve their health and care. For example, a wearable sensor measuring heart rate can give a truer indication of a person’s heart-rate at various stress levels (sitting, standing, walking, etc) over time instead of a single one-off measure in a surgery which could be erroneous due to patient anxiety or stress. App stores already feature thousands of health and wellbeing apps, encompassing everything from diet diaries and mindfulness guidance to period trackers and musculoskeletal rehabilitation support. However, the uptake by the health and care system has been patchy due to a range of issues including quality, evidence, clinician knowledge, confidence and skills, and integration into pathways.


Diversity and inclusion make IT stronger

“Diversity at its core takes advantage of people’s unique backgrounds and skill sets and makes for richer content and discovery of what we do,” says Darren Dworkin, senior vice president and CIO at Cedars-Sinai; the healthcare organization was ranked No. 3 for D&I on the 2020 Best Places to Work in IT list. “The IT group spends a lot of time working closely with all sorts of departments and stakeholders … and having folks with different backgrounds and skills reflects that and helps us relate and translate so we can be a department that contributes to the mission of the organization.” For Erickson Living, diversity & inclusion has long been a core value, exemplified through one of the three pillars in its Employee Transformation initiative, which includes curiosity, competence, and community. Erickson, which ranked No. 1 for diversity on the 2020 Best Places to Work in IT list, maintains a robust D&I council made up of employees and leadership and offers D&I training at all levels to instruct managers, directors, and rank-and-file employees in such issues as how to overcome unconscious bias in the workforce and how to promote civil treatment among colleagues.


The Season for Nonprofit Cybersecurity Risks to Reach New Heights

Nonprofits and charities frequently outsource a lot of their day-to-day IT work or make use of cloud-hosted solutions, such as software-as-a-service (SaaS) options. However, there’s a growing trend among threat actors to exploit third-party providers in order to gain access to their customers’ data assets. As the past year’s high-profile breach of Blackbaud should remind us, nonprofits may be at extra risk from these types of attacks. It’s vital to examine the data privacy and security policies that your provider has in place, as well as to check that all relevant compliance audits are up to date. Cloud use has grown across industries over the course of 2020. This, in turn, puts increased pressure on managed service providers, who are challenged to find the talent they need to manage their data in the cloud. (Cloud environments require more specialized skills because they’re so complex.) Finally, it may be worthwhile to purchase cybersecurity insurance if you don’t already carry it. A well-chosen policy can absorb many of the financial risks that come with collecting donations online. 


Digital Transformation: The Key To Tackling Climate Change

The starting point is to understand how and where energy is consumed, lost or wasted and here digital technologies are key. Sensors that can monitor performance, software that can connect operations with IT systems, automation and analytics will equip organisations and individuals alike with the ability to better manage and optimise their environment whether at work or home. The good news is that most of the energy and digital automation technology already exists to enable us to do so. Consider data centres. According to a report by the International Energy Agency in June, there was an increase in global internet traffic of 40% between February and April as the use of the cloud for remote working became more prevalent. The physical aspects of work across many industries have changed, and we can expect digital channels and e-commerce to remain the default for the ways things are done for the foreseeable future and long after the pandemic has been consigned to history. Yet far from being like the ‘dark satanic mills’ William Blake wrote about in the first industrial revolution, data centres can be carbon neutral, carbon positive, even. EcoDataCenter in Sweden is the world's first climate-positive data centre.


Top Digital Banking Transformation Trends for 2021

Financial marketers were thrust into the spotlight with the COVID crisis, needing to respond to unforeseen circumstances in an instant. Instead of selling services, marketers were being asked to customize communication to help customers deal with the financial impact of the pandemic. Blanket communication around branch closures quickly needed to transform to personalized messages around loan payment deferrals and how to use unfamiliar digital tools. The coming year will bring the next evolution of financial marketing, leveraging data and advanced analytics to provide predictive personalization. This use of AI and machine learning will result in tailored websites, real-time financial recommendations, and a level of test and learn capabilities far beyond what was imagined just a few years ago. For the vast majority of financial institutions, this level of personalization is playing a game of catch up in meeting consumer expectations. Accenture found that nearly half (48%) of consumers abandoned a purchase process when the website did not personalize the experience, with nearly all consumers (91%) saying they are more likely to do business with brands that know them, look out for them and reward them.


8 Soft Skills That Make You an Even Better Leader

Emotional intelligence (EQ) is defined as “the capacity to be aware of, control and express one’s emotions, and to handle interpersonal relationships judiciously and empathetically.” Those with high EQ are better able to handle high-pressure situations, conflict resolution, constructive criticism, and more. This ability is highly sought-after for teams, especially ones made up of differing backgrounds. According to a survey conducted by CareerBuilder, 75% of hiring managers valued EQ over IQ. Hard skills and intelligence are more easily taught to employees while EQ takes more time and understanding to grasp. ... Overwhelm is something many entrepreneurs must deal with. That’s the world we live in today. That’s where self-motivation comes into play. We must all learn how to manage our energy. Energy comes not just from having a balanced diet, but also from our personal drive to achieve, resilience, and commitment. A personal drive to achieve is directly linked to our mindset. Research shows that those with a growth mindset are far more like to succeed in the endeavors they engage in because they believe they can improve. Resilience is born out of courage to overcome challenges.


Data Distribution in Apache Ignite

Inevitably, the evolution of a system that requires data storage and processing reaches a threshold. Either too much data is accumulated, so the data simply does not fit into the storage device, or the load increases so rapidly that a single server cannot manage the number of queries. Both scenarios happen frequently. Usually, in such situations, two solutions come in handy—sharding the data storage or migrating to a distributed database. The solutions have features in common. The most frequently used feature uses a set of nodes to manage data. ...  The problem of data distribution among the nodes of the topology can be described in regard to the set of requirements that the distribution must comply with: The algorithm allows the topology nodes and front-end applications to discover unambiguously on which node or nodes an object (or key) is located; The more uniform the data distribution is among the nodes, the more uniform the workloads on the nodes is. Here, I assume that the nodes have approximately equal resources; and If the topology is changed because of a node failure, the changes in distribution should affect only the data that is on the failed node. It should also be noted that, if a node is added to the topology, no data swap should occur among the nodes that are already present in the topology.



Quote for the day:

"If you find a path with no obstacles, it probably doesn't lead anywhere." -- Frank A Clark

Daily Tech Digest - December 26, 2020

Ransomware: Attacks could be about to get even more dangerous and disruptive

Ransomware attacks have become more powerful and lucrative than ever before – to such an extent that advanced cyber-criminal groups have switched to using it over their traditional forms of crime – and it's very likely that they're just going to become even more potent in 2021.  For example, what if ransomware gangs could hit many different organisations at once in a coordinated attack? This would offer an opportunity to illicitly make a large amount of money in a very short amount of time – and one way malicious hackers could attempt to do this is by compromising cloud services with ransomware. "The next thing we're going to see is probably more of a focus on cloud. Because everyone is moving to cloud, COVID-19 has accelerated many organisations cloud deployments, so most organisations have data stored in the cloud," says Andrew Rose, resident CISO at Proofpoint. We saw a taster of the extent of the widespread disruption that can be caused when cyber criminals targeted smartwatch and wearable manufacturer Garmin with ransomware. The attack left users around the world without access to its services for days. If criminals could gain access to cloud services used by multiple organisations and encrypt those it would cause widespread disruption to many organisations at once.


Overcoming Data Scarcity and Privacy Challenges with Synthetic Data

Synthetic data is data that is artificially generated rather than collected by real-world events. It is data that serves the purpose of resembling a real dataset but is entirely fake in nature. Data has a distribution, a shape that defines the way it looks. Picture a dataset in a tabular format. We have all these different columns and there are hidden interactions between the columns, as well as inherent correlations and patterns. If we can build a model to understand the way the data looks, interacts, and behaves, then we can query it and generate millions of additional synthetic records that look, act, and feel like the real thing. Now, synthetic data isn’t a magical process. We can’t start with just a few poor-quality data points and expect to have a miraculous high-quality synthetic dataset from our model. Just like the old saying goes, "garbage in, garbage out," in order to create high-quality synthetic data, we need to start with a dataset that is both high-quality and plentiful in size. With this, it is possible to expand our current dataset with high-quality synthetic data points.


How Brexit Could Help London Evolve From A Fintech Center Into A DeFi Hub

The popularity of DeFi—using crypto technology to recreate traditional financial instruments such as loans and insurance—has exploded over the last year or so, growing to a $16 billion global market. The price of ethereum, the world's second largest cryptocurrency by value, has soared this year as investors pour funds into DeFi projects that are built on top of it. "There's more and more DeFi innovators in London," said Stani Kulechov, the founder and chief executive of London-based technology company and DeFi protocol Aave, speaking over the phone. "Up until recently, fintechs and banks have been all about innovating on the front-end—the user experience. Now, DeFi is helping the back-end innovate." Aave, a money market for lending and borrowing assets, has become one of the top DeFi protocols since it was created in 2017 and was given an Electronic Money Institution license in July by the U.K.'s Financial Conduct Authority (FCA). "I think we'll see London emerge as a hub for DeFi," added Kulechov. The City of London, a financial powerhouse rivaled only by New York, is currently under threat as the U.K. prepares to end its transition out of the European Union at the end of this month.


Outlook 2021: Designing data governance policies to promote domestic startups

With more and more startups relying on data driven business models and analytics for improving the service/product, and using data for their competitive advantage, data governance laws with steep compliances are a cause for worry. The regulations will have a direct effect on how the businesses deal with data available to them, and that is on the market. The regulatory uncertainty in matters pertaining to handling data and the drawing economic value from data, causes indirect impact on long term innovation and investments as well. Investors that are looking for facilitating growth in the domestic market are also deeply concerned about the current trend of steep compliance, excessive government access to data and regulatory uncertainty. In this context, the commonalities in the two frameworks are pertinent to note. Firstly, both the PDP and the NPD framework restrict cross border data flows, citing reasons pertaining to sensitivity of data that underlies it. While the concerns regarding harm are valid, the solution to address the concerns might be misplaced. The assumption is that security is better served if the data is stored within the territorial limits of the country and that rests on shaky grounds. 


Why cybersecurity tools fail when it comes to ambiguity

"Cybersecurity is very good at identifying activities that are black or white--either obviously bad and dangerous or clearly good and safe," writes Margaret Cunningham, PhD, psychologist and principal research scientist at Forcepoint's Innovation Lab, in her research paper Exploring the Gray Space of Cybersecurity with Insights from Cognitive Science. "But, traditional cybersecurity tools struggle with ambiguity--our algorithms are not always able to analyze all salient variables and make a confident decision whether to allow or block risky actions." For example, an employee accessing sensitive files after company business hours might not be a security issue--the person could be traveling and in a different time zone. "We don't want to stop the person from doing work because the access is flagged as an unapproved intrusion due to the time," says Cunningham. "Building the capability to reason across multiple factors, or multiple categories, will help prevent the kinds of concrete reasoning mistakes that result in false positives and false negatives in traditional cyber toolsets." The success of cybercriminals, admits Cunningham, is in large part due to their ability to quickly morph attack tools, and cybersecurity tech cannot keep pace.


The Benefits of Automating Data Lineage in the Initial Phases of a Data Governance Initiative

If you are putting in place a data governance framework you can’t put controls and data quality reports on every single piece of data throughout your organisation. But if you have data lineage it will help you identify the areas where your data is most at risk of something going wrong, enabling you to put in place appropriate checks, controls and data quality reports. Having data lineage also allows you to speed up data discovery. So many organisations have vast quantities of data that would be valuable to them, if only they knew it existed. Finally, as I mentioned at the start of this article for many industries there is a regulatory requirement to have data lineage in place. It’s clear that having data lineage has lots of benefits, but on so many occasions data lineage is captured and documented manually. Whether you do data lineage automatically or manually you will achieve the benefits mentioned above, but taking a manual approach to data lineage requires considerable effort. When I first started capturing data lineage I tried starting at the beginning, where data first comes into the organisation and tried to follow it as it flowed. However, this approach fails because a lot of people who produce or capture data have absolutely no idea where it goes.



Why Credit Karma Crafted a Tool to Automate Its DevOps Cycle

Unruh says part of his challenge when he joined Credit Karma about three years ago was to increase efficiency of releasing code across the company. The engineers there had been using an older Jenkins-style system, he says, which served as a generic job runner. Developing products on that system meant clearing a few hurdles along the way, Unruh says, including jumping through a remote desktop running on a Windows computer. On top of that, teams building new microservices were required to write custom deployment code to move production forward, he says. That would be the basis for the job for the system to execute the service, Unruh says. That meant everything was different because every team took their own approach, he says, which slowed them down. “It linearly required 15 steps just to deploy your service into production,” Unruh says. “It was really cumbersome and there was no way for us to standardize.” Looking for ways to improve efficiency, he wanted to eliminate the need to jump to another host just to access the system. Unruh says he also sought to end the need for custom code for deploying a service. “I just build a service and I can deploy it,” he says.


Q&A on the Book Retrospectives Antipatterns

Retrospectives antipatterns are patterns I have seen recurring in many retrospectives, and the way I have described them in the book is in the context you would normally find them, the antipattern "solution" that is often used for various reasons, such as haste, ignorance, or fear, and the refactored solution to this antipattern. Some of the antipatterns have a refactored solution that will get you out of the pickle right away, but for some of the others it is more a warning of things to avoid, because if you find yourself in that antipattern there is nothing better to do than to consider other options for the next retrospective. ... The prime directive was written by Norm Kerth in his book "Project Retrospectives: A Handbook for Team Review" and it goes like this: "Regardless of what we discover, we understand and truly believe that everyone did the best job they could, given what they knew at the time, their skills and abilities, the resources available, and the situation at hand." It basically means that when we enter a retrospective we should strive to be in the mindset that allows us to think that everybody did the best they could at all times, given the circumstances.


Here’s How CIOs Can Create More Inclusive Cultures In Their Tech Teams

Often, diversity and inclusion outcomes are directly linked to recruitment and outreach efforts. But while many people fret about flaws in the education system that seem to discourage young women from pursuing tech-related subjects, Barrett has found in her work with Girls Who Code that the problem lies elsewhere. It’s not a lack of interest amongst female students, she said. Instead, it’s the culture of the technology industry. Girls who complete the organization’s program go on to major in computer science at a rate of 15 times the national average. But, Barrett noted, “our girls still don’t feel welcome in tech.” According to a recent report by Girls Who Code and consulting firm Accenture, it’s possible to lower the attrition rate for female employees by 70% over the next decade. The study’s recommendations include establishing supportive parental leave policies, creating external goals and targets around diversity, providing workplace support for women and creating inclusive networking opportunities. Role models are also crucial. “We know very often that women report that it’s hard to be what they can’t see,” Barrett said. “It’s hard to feel connected to an organization when they don’t see women in tech thriving.”


Commonwealth entities left to self-assess security in cloud procurement

Macquarie Government managing director Aidan Tudehope said he was disappointed by the decision to discontinue the CCSL certification regime. "This is about more than simply the physical geographic location where data is stored. Data sovereignty is about the legal authority that can be asserted over data because it resides in a particular jurisdiction, or is controlled by a cloud service provider over which another jurisdiction extends," he said. "Data hosted in globalised cloud environments may be subject to multiple overlapping or concurrent jurisdictions as the debate about the reach of the US CLOUD Act demonstrates. As the ACSC points out, globalised clouds are also maintained by personnel from outside Australia, adding another layer of risk." He believes the only way to guarantee Australian sovereignty is ensuring data is hosted in an Australian cloud, in an accredited Australian data centre, and is accessible only by Australian-based staff with appropriate government security clearances. "Taken alongside Minister Robert's planned sovereign data policy, this guide opens new opportunities for Australian cloud service providers," he said.



Quote for the day:

"The most important quality in a leader is that of being acknowledged as such." -- Andre Maurois

Daily Tech Digest - December 25, 2020

An introduction to data science and machine learning with Microsoft Excel

To most people, MS Excel is a spreadsheet application that stores data in tabular format and performs very basic mathematical operations. But in reality, Excel is a powerful computation tool that can solve complicated problems. Excel also has many features that allow you to create machine learning models directly into your workbooks. While I’ve been using Excel’s mathematical tools for years, I didn’t come to appreciate its use for learning and applying data science and machine learning until I picked up Learn Data Mining Through Excel: A Step-by-Step Approach for Understanding Machine Learning Methods by Hong Zhou. Learn Data Mining Through Excel takes you through the basics of machine learning step by step and shows how you can implement many algorithms using basic Excel functions and a few of the application’s advanced tools. While Excel will in no way replace Python machine learning, it is a great window to learn the basics of AI and solve many basic problems without writing a line of code. Linear regression is a simple machine learning algorithm that has many uses for analyzing data and predicting outcomes. Linear regression is especially useful when your data is neatly arranged in tabular format. Excel has several features that enable you to create regression models from tabular data in your spreadsheets.


The Four Mistakes That Kill Artificial Intelligence Projects

Humans have a “complexity bias,” or a tendency to look at things we don’t understand well as complex problems, even when it’s just our own naïveté. Marketers take advantage of our preference for complexity. Most people would pay more for an elaborate coffee ritual with specific timing, temperature, bean grinding and water pH over a pack of instant coffee. Even Apple advertises its new central processing unit (CPU) as a “16-core neural engine” instead of a chip and a “retina display” instead of high-definition. It’s not a keyboard; it’s a “magic keyboard.” It’s not gray; it’s “space gray.” The same bias applies to artificial intelligence, which has the unfortunate side effect of leading to overly complex projects. Even the term “artificial intelligence” is a symptom of complexity bias because it really just means “optimization” or “minimizing error with a composite function.” There’s nothing intelligent about it. Many overcomplicate AI projects by thinking that they need a big, expensive team skilled in data engineering, data modeling, deployment and a host of tools, from Python to Kubernetes to PyTorch. In reality, you don’t need any experience in AI or code.


Three reasons why context is key to narrowing your attack surface

Security has become too complex to manage without a contextual understanding of the infrastructure, all assets and their vulnerabilities. Today’s typical six-layer enterprise technology stack consists of networking, storage, physical servers, as well as virtualization, management and application layers. Tech stacks can involve more than 1.6 billion versions of tech installations for 300+ products provided by 50+ vendors, per Aberdeen Research. This sprawl is on top of the 75 security products that an enterprise leverages on average to secure their network. Now, imagine carrying over this identical legacy system architecture but with thousands of employees all shifting to remote work and leveraging cloud-based services at the same time. Due to security teams implementing new network configurations and security controls essentially overnight, there is a high potential of new risks being introduced through misconfiguration. Security teams have more ingress and egress points to configure, more technologies to secure and more changes to properly validate. The only way to meaningfully address increased risk while balancing limited staff and increased business demands is to gain contextual insight into the exposure of the enterprise environment that enables smarter, targeted risk reduction.


How to Really Improve Your Business Processes with “Dashboards”

The managers’ success is measured mainly by this task. That is correct in most cases as he is usually receiving a bonus based on how well the KPIs under his responsibility perform over a given period. Our goal is to design an information system to support him with this task. The best way to do that is to help him answer the main questions related to each step based on the data we have: Is there a problem? What caused the problem? Which actions should we take? Were the actions successful? From looking at the questions above, you can already tell that the dashboard described at the beginning of this article only helps answer the first question. Most of the value that an automated analytics solution could have is left out. Let’s have a look at how a more sophisticated solution could answer these questions. I took the screenshots from one of the actual dashboards we implemented at my company. ... The main idea is that a bad result is, in most cases, not caused by the average. Most of the time, outliers drag down the overall result. Consequently, showing a top-level KPI without quickly allowing for root cause analysis leads to ineffective actions as the vast majority of dimension members is not a problem.


The top 5 open-source RPA frameworks—and how to choose

RPA has the potential to reduce costs by 30% to 50%. It is a smart investment that can significantly improve the organization's bottom line. It is very flexible and can handle a wide range of tasks, including process replication and web scraping. RPA can help predict errors and reduce or eliminate entire processes. It also helps you stay ahead of the competition by using intelligent automation. And it can improve the digital customer experience by creating personalized services. One way to get started with RPA is to use open-source tools, which have no up-front licensing fees. Below are five options to consider for your first RPA initiative, with pros and cons of each one, along with advice on how to choose the right tool for your your company. ... When compared to commercial RPA tools, open source reduces your cost for software licensing. On the other hand, it may require additional implementation expense and preparation time, and you'll need to rely on the open-source community for support and updates. Yes there are trade-offs between commercial and open souce RPA tools—I'll get to those in a minute. But when used as an operational component of your RPA implementations, open-source tools can improve the overall ROI of your enterprise projects. Here's our list of contenders.


What happens when you open source everything?

If you start giving away the product for free, it’s natural to assume sales will slow. The opposite happened. (Because, as Ranganathan pointed out, the product wasn’t the software, but rather the operationalizing of the software.) “So on the commercial side, we didn’t lose anybody in our pipeline [and] it increased our adoption like crazy,” he said. I asked Ranganathan to put some numbers on “crazy.” Well, the company tracks two things closely: creation of Yugabyte clusters (an indication of adoption) and activity on its community Slack channel (engagement being an indication of production usage). At the beginning of 2019, before the company opened up completely, Yugabyte had about 6,000 clusters (and no Slack channel). By the end of 2019, the company had roughly 64,000 clusters (a 10x boom), with 650 people in the Slack channel. The Yugabyte team was happy with the results. The company had hoped to see a 4x improvement in cluster growth in 2020. As of mid-December, clusters have grown to nearly 600,000, and could well get Yugabyte to another 10x growth year before 2020 closes. As for Slack activity, they’re now at 2,200, with people asking about use cases, feature requests, and more.


Simplifying Cybersecurity: It’s All About The Data

The most effective way to secure data is to encrypt it and then only decrypt it when an authorized entity (person or app) requests access and is authorized to access it. Data moves between being at rest in storage, in transit across a network and in use by applications. The first step is to encrypt data at rest and in motion everywhere, which makes data security pervasive within the organization. If you do not encrypt your network traffic inside your “perimeter,” you aren’t fully protecting your data. If you encrypt your primary storage and then leave secondary storage unencrypted, you are not fully protecting data. While data is often encrypted at rest and in transit, rarely is it encrypted while in use by applications. Any application or cybercriminal with access to the server can see Social Security numbers, credit card numbers and private healthcare data by looking at the memory of the server when the application is using it. A new technology called confidential computing makes it possible to encrypt data and applications while they are in use. Confidential computing uses hardware-based trusted execution environments (TEEs) called enclaves to isolate and secure the CPU and memory used by the code and data from potentially compromised software, operating systems or other VMs running on the same server.


Why the US government hack is literally keeping security experts awake at night

One reason the attack is so concerning is because of who may have been victimized by the spying campaign. At least two US agencies have publicly confirmed they were compromised: The Department of Commerce and the Agriculture Department. The Department of Homeland Security's cyber arm was also compromised, CNN previously reported. But the range of potential victims is much, much larger, raising the troubling prospect that the US military, the White House or public health agencies responding to the pandemic may have been targeted by the foreign spying, too. The Justice Department, the National Security Agency and even the US Postal Service have all been cited by security experts as potentially vulnerable. All federal civilian agencies have been told to review their systems in an emergency directive by DHS officials. It's only the fifth such directive to be issued by the Cybersecurity and Infrastructure Security Agency since it was created in 2015. It isn't just the US government in the crosshairs: The elite cybersecurity firm FireEye, which itself was a victim of the attack, said companies across the broader economy were vulnerable to the spying, too.


Creating the Corporate Future

With the move to the later 20th century, post-industrial age began with the systems thinking at its core. The initiating dilemma for this change was that not all problems could be solved by the prevailing world view, analysis. It is unfortunate to think about the number of MBAs that were graduated with callus analysis at their core. As enterprise architects know, when a system is taken apart, it loses its essential properties. A system is a whole that cannot be understood through analysis. What is needed instead is a synthesis or the putting together things together. In sum, analysis focuses on structure whereas synthesis focuses on why things operate as they do.  At the beginning of the industrial age, the corporation was viewed as a legal mechanism and as a machine. However, in the post-industrial age, Ackoff suggests a new view of the corporation. He suggests a view of the corporation as a purposefully system that is part of more purposeful systems and parts of which, people, have purposes on their own. Here leaders need to be aware of the interactions of corporations at the societal, organizational, and individual level. At the same time, they need to realize how an organizations parts affect the system and how external systems affect the system.


Microservices vs. Monoliths: An Operational Comparison

There are a number of factors at play when considering complexity: The complexity of development, and the complexity of running the software. For the complexity of development the size of the codebase can quickly grow when building microservice-based software. Multiple source codes are involved, using different frameworks and even different languages. Since microservices need to be independent of one another there will often be code duplication. Also, different services may use different versions of libraries, as release schedules are not in sync. For the running and monitoring aspect, the number of affected services is highly relevant. A monolith only talks to itself. That means it has one potential partner in its processing flow. A single call in a microservice architecture can hit multiple services. These can be on different servers or even in different geographic locations. In a monolith, logging is as simple as viewing a single log-file. However, for microservices tracking an issue may involve checking multiple log files. Not only is it necessary to find all the relevant logs outputs, but also put them together in the correct order. Microservices use a unique id, or span, for each call.



Quote for the day:

"If something is important enough, even if the odds are against you, you should still do it." -- Elon Musk

Daily Tech Digest - December 24, 2020

Ethical AI isn’t the same as trustworthy AI, and that matters

Certainly, unethical systems create mistrust. It does not follow, however, that an ethical system will be categorically trusted. To further complicate things, not trusting a system doesn’t mean it won’t get used. The capabilities that underpin AI solutions – machine learning, deep learning, computer vision, and natural language processing – are not ethical or unethical, trustworthy, or untrustworthy. It is the context in which they are applied that matters. .... The scale at which an AI pundit can be deployed to spread disinformation or simply influence the opinions of human readers who may not realize the content’s origin makes this both unethical and unworthy of trust. This is true even if (and this is a big if) the AI pundit manages to not fall prey to and adopt the racist, sexist, and other untoward perspectives rife in social media today. ... Ultimately, ethics can determine whether a given AI solution sees the light of day. Trust will determine its adoption and realized value. All that said, people are strangely willing to trust with relatively little incentive. This is true even when the risks are higher than a gelatinous watermelon cookie. But regardless of the stakes, trust, once lost, is hard to regain.


As technology develops in education so does the need for cybersecurity

One of the most effective ways to boost cybersecurity in education is by adopting a proactive mentality, rather than a reactive one. Schools cannot afford to wait until an attack happens to put processes in place to defend themselves. Instead, they need to create a “cyber curriculum” that informs everyone – IT teams, teachers, and students alike – about staying secure online. This curriculum should include documentation that people can refer to at any time, guiding them on the risks and warning signs of cyber attacks, as well as best practices for smart online use. Likewise, the curriculum should include on-demand training courses, current cybersecurity news and trends, and the contact information for the people who are responsible for taking action if the network is compromised. At the same time, IT admins need to be conducting regular penetration tests and appoint a “red team” to expose possible vulnerabilities. This team should test the school’s system under realistic conditions and without warning, so as to identify weaknesses that may not be immediately obvious. 


After early boom, fintech lending startups face a reality check

Industry experts pointed out that from here on, the lending startups will exercise abundant caution. There are a couple of points playing out in the industry; first, there is availability of liquidity in the system; secondly, there is demand since consumers need credit to restart their lives. The repayment stress will continue well into 2021. Also, larger, well-capitalised players might show a higher risk appetite and grab market share next year, leading to some loss in business for fintechs, who might want to conserve capital and recover existing loans. In a report titled ‘NBFC Sector in India: A brief update post Covid’, consultancy firm Alvarez and Marsal pointed out that that 10-15 percent of the customers who opted for a moratorium could see defaults, thereby pushing up overall NPA numbers by 300-400 basis points. Around 50 percent of those who took the moratorium could opt for restructuring of their loans and lenders could see a spike in their credit costs, too, the report added. There is already a spurt in demand for gold loans, which is a secured form of personal loan. Bankers in the know pointed out that they are more comfortable giving out secured loans in the aftermath of the pandemic, given that consumers across the board could be in tough financial situations.


Infer# Brings Facebook's Infer Static Analyzer to C# and .NET

Infer is a static analysis tool open-sourced by Facebook in 2015. It supports Java and C/C++/Objective-C code and is able to detect a number of potential issues, including null pointer exceptions, resource leaks, annotation reachability, missing lock guards, and concurrency race conditions in Android and Java code; and null pointer dereferences, memory leaks, coding conventions, and unavailable API’s for languages belonging to the C-family. Infer# is not the only static analyzer available for .NET, says Microsoft senior software engineer Xin Shi. However, Infer# brings unique capabilities to the .NET platform. What sets Infer# apart is its focus on cross-function analysis, which is not found in other analyzers, and incremental analysis. PreFast detects some instances of null derereference exceptions and memory leaks, but its analysis is purely intra-procedural. Meanwhile, JetBrains Resharper heavily relies on developer annotations for its memory safety validation. ... The advantages of working from a low-level representation of the source code are twofold: first, the CIL underlies all .NET languages, and therefore InferSharp supports all .NET languages this way


DevSecOps Can Address the Challenges of Governance, Risk, Compliance (GRC)

DevOps originated within IT to meet similar performance and innovation goals. While security and compliance have always been a part of DevOps, the term DevSecOps is often used to ensure security is explicitly emphasized. Seeing DevSecOps as part of a broader GRC framework makes clear how DevSecOps serves the needs of organizations to innovate faster, maintain complete visibility and control, and effectively manage risk. GRC and DevSecOps use different tools, require different skills, follow different processes, and are emphasized by different teams. But their goals are aligned, and it’s important for both teams to appreciate this so they can collaborate effectively. DevOps specialists are often narrowly focused on process automation or improving handoffs within IT. It’s important for IT teams to appreciate their work in the broader context of serving the company’s GRC initiatives. By contrast, GRC-focused consultants and leaders need to understand DevSecOps as a complementary approach that they should encourage, not inhibit. The IT industry evolves faster than most departments in the company, so compliance officers should defer to IT teams on the most efficient methods to meet requirements. Their main role should be to emphasize the goals and requirements of GRC, and to invite creative solutions from IT. 


Best Practices for Building Offline Apps

On the flip side, some features are non-negotiable: you simply have to be connected to the internet to use them, such as location services. That’s OK! Identify what features need an internet connection, then create messages or alerts informing those features’ needs to users. Users will appreciate it because you’ll take the guesswork out of understanding your app’s limits when offline. Conflicting information can be a big problem. It may not be enough to simply merge and override all changes except the last time a user was online. Users should have a clear understanding of what happens when conflict is unavoidable. Once they know their options, they can choose what works for them. There are several solutions for handling conflicting information. It is up to you if you want the user to pick and choose which version to keep or to institute a “last write wins” rule. No matter what you choose, the app should handle this gracefully. Update too frequently and you may miss out on the benefits of being offline first. Update too slowly and you may create more conflicts than necessary and frustrate users.Knowing what to update along with when to update is an important consideration as well.


Data anonymization best practices protect sensitive data

Before developing policies and procedures, buying products or implementing manual data anonymization processes, identify all potential PII data elements in your organization. The larger your environment, the more susceptible your organization will be to storing unidentified PII data. This isn't an easy task. Most data including PII doesn't sit idle. Once a data element is created, it quickly spreads to reports, dashboards and other data stores across an organization. Ensuring a person's continuous anonymity throughout an enterprise is inherently fluid by its nature. In other words: things change. Data audits and continuous feedback from IT and business personnel that interact with PII will help to identify potential issues. From products that specifically focus on data anonymization best practices to enterprise-wide offerings that provide a wide range of data security features, there is wealth of software solutions available. The larger an organization is, the more important these tools become. Based on the amount of data your organization stores, you may need to purchase a product or two to properly identify and safeguard sensitive PII data assets. There is a broad spectrum of data anonymization products that are available. In addition, some existing data storage platforms inherently provide anonymization features.


Quarterbacking Vulnerability Remediation

As the quarterback, security teams identify the nature of the vulnerability, the business assets most at risk, the potential impact on the enterprise, and the patch, configuration change, or workaround that will resolve the breach. Armed with this knowledge, they pull in the right players from other IT functions, align on the necessary fix, and coordinate the remediation campaign, efficiently and effectively. When security and IT teams align on a remediation strategy, the shared context and agreement on execution provides the foundation needed to remediate vulnerabilities at scale. Even if the fix goes wrong, problems get resolved faster when the lines of communication are open. Fixing complex vulnerabilities often requires multiple coordinated elements. The Boothole vulnerability is an excellent example of this: Boothole's sheer pervasiveness makes it incredibly difficult to patch in enterprise settings. It's a cross-platform vulnerability that requires both hardware and software fixes — including firmware and OS updates — that must be performed in precise order. Security, DevOps, and IT teams must work together to minimize its business impact and avoid compromise. As the quarterback, the security team needs to think and act like a team captain: What's the best approach?


CIOs are facing a mental health epidemic

A degree of stress for a CIO is expected and unavoidable in any change project. However, businesses are currently failing to manage this pressure effectively. Recent independent research conducted on behalf of Firstsource found that 55% of business leaders wished they had managed the emotional marathon of change projects better. And CIOs identified the three biggest causes of stress as: 1. Not having the right mix of skills in the team; 2. Pushing too hard and harshly without taking time to celebrate wins; and 3. Resistance from key stakeholders in other divisions and countries. To support CIO’s digital transformation, the research spoke with 120 business leaders to understand how to turn challenges into catalysts for success. This resulted in the emergence of a framework with five areas that are key to managing stress and ensuring a transformation project’s success. Proactively addressing these five areas will help CIOs deliver projects that unlock the full potential of their businesses while managing the stress levels of teams. Managing the business case optimism: CIOs will always aim to keep transformation projects realistic and grounded. However, business cases are never static.


5 things CIOs want from app developers

It’s very easy for development teams to get excited chasing innovations or adding spikes around new technologies to the backlog. CIOs and IT leaders want innovation, but they are also concerned when development teams don’t address technical debt. A healthy agile backlog should show agile teams completing a balance of spikes, technical debt, new functionality, and operational improvements.  Prioritization on agile teams should fall to the product owner. But IT leaders can establish principles if product owners fail to prioritize technical debt or if they force feature priorities without considering the agile team’s recommended innovation spikes. CIO and IT leaders are also realistic and know that new implementations likely come with additional technical debt. They understand that sometimes developers must cut corners to meet deadlines or identify more efficient coding options during the implementation. It’s reasonable to expect that newly created technical debt is codified in the source code and the agile backlogs, and that teams seek to address them based on priorities. Development teams are under significant pressure to deliver features and capabilities to end-users quickly. That is certainly one reason teams create new technical debt, but it’s a poor excuse for developing code that is not maintainable or that bypasses security standards.



Quote for the day:

"Coaching isn't an addition to a leader's job, it's an integral part of it." -- George S. Odiorne

Daily Tech Digest - December 23, 2020

How we protect our users against the Sunburst backdoor

SolarWinds, a well-known IT managed services provider, has recently become a victim of a cyberattack. Their product Orion Platform, a solution for monitoring and managing their customers’ IT infrastructure, was compromised by threat actors. This resulted in the deployment of a custom Sunburst backdoor on the networks of more than 18,000 SolarWinds customers, with many large corporations and government entities among the victims. According to our Threat Intelligence data, the victims of this sophisticated supply-chain attack were located all around the globe: the Americas, Europe, Middle East, Africa and Asia. After the initial compromise, the attackers appear to have chosen the most valuable targets among their victims. The companies that appeared to be of special interest to the malicious actors may have been subjected to deployment of additional persistent malware. Overall, the evidence available to date suggests that the SolarWinds supply-chain attack was designed in a professional manner. The perpetrators behind the attack made it a priority to stay undetected for as long as possible: after the installation, the Sunburst malware lies dormant for an extended period of time, keeping a low profile and thwarting automated sandbox-type analysis and detection.


Why I've Been Merging Microservices Back Into The Monolith At InVision

One of the arguments in favor of creating independent services is the idea that those services can then "scale independently". Meaning, you can be more targeted in how you provision servers and databases to meet service demands. So, rather than creating massive services to scale only a portion of the functionality, you can leave some services small while independently scaling-up other services. Of all the reasons as to why independent services are a "Good Thing", this one gets used very often but is, in my (very limited) opinion, usually irrelevant. Unless a piece of functionality is CPU bound or IO bound or Memory bound, independent scalability is probably not the "ility" you have to worry about. ... If I could go back and redo our early microservice attempts, I would 100% start by focusing on all the "CPU bound" functionality first: image processing and resizing, thumbnail generation, PDF exporting, PDF importing, file versioning with rdiff, ZIP archive generation. I would have broken teams out along those boundaries, and have them create "pure" services that dealt with nothing but Inputs and Outputs (ie, no "integration databases", no "shared file systems") such that every other service could consume them while maintaining loose-coupling.


CIOs see cloud computing as the bedrock of digital transformation

The CIOs also shared their challenges and experiences during the pandemic. Responding to the big business focus area that tech and cloud will enable or drive in 2021, Chatterjee shared, “For us, it’s very clear the data and analytics piece, and all the modeling that we are doing around fraud, retention propensity, the entire claims experience, I think, across the value chain, anything that is data and insights. And I will be careful in using the term ‘analytics’, because in a lot of areas we use analysis and we incorrectly call it analytics, but the idea is, cloud will enable the entire data and insights as a capability within the organisation. This is something big for us and will be driven by the cloud.” For SonyLiv, the focus is on harnessing the use of data. “We as an organisation, are digital and are using data in each and every decision that we make, whether it is on the infrastructure side, content programming, content production, churn analysis, retention – everywhere. I think it is all about data and democratisation of the data. We are working big time on introducing some of the prediction models, machine learning models, which can help us to retain users. So, I think data is going to play a critical role. The other area which I feel we as a business, is on the OTT side.


Why Boring Tech is Best to Avoid a Microservices Mess

You need to go back to the fundamentals. One way to look at it is understanding that microservices are distributed systems, something many people will have experience with. They should also be familiar with what another panelist, Oswaldo Hernandez Perez, engineering manager at Improbable, called the first law of distribution: “If you don’t need to do it, don’t do it.” So that means focusing on why you are building what you are building. What are you trying to achieve? This is a fundamental question that’s applicable to businesses of all sizes. What problem are you trying to solve, and how will your solution remove friction from its users’ lives? That’s what people care about. Even if you’re developing a niche app for a highly technical audience, they are unlikely to care too much about how it got to them, only that it did and it is fixing a problem for them. If the only way to achieve that is with microservices, then yes, you should definitely use them. If there is an alternative, then consider using that. Do not simply start breaking everything up into microservices just because that is what everyone is currently talking about. Ultimately, microservices are an architectural pattern to reduce complexity. It does this, but it also adds complexity elsewhere. If used in isolation, then you’ll fix your complexity in one dimension and have it proliferate elsewhere.


The power of value 4.0 for industrial internet of things

Technological discussions are essential to provide a solution to a defined improvement area or challenge, but they are meaningful only after there has been a clearly defined use case with concrete and measurable value identified and captured within financial reporting systems. This means that each effort should start with an integrated value design, rather than technology. It needs to be integrated in the sense that the designed target value can be directly linked to an outcome —for example, process improvements enabled by the digital solution that generated a measurable value impact. Value and solution design need to be one integrated effort. In consequence, this also implies that use cases need to be defined bottom-up, by the operators and resources that operate production and thus realize value add, rather than top-down. Within industrial settings, implementing industry 4.0 technologies takes more time and effort, compared to applications in the consumer space, for a variety of reasons. Any industrial customer today depends on existing brownfield installations to run and operate their business—these are mostly highly complex and tailored to the targeted product. Managing this complexity manually would be a Sisyphean struggle. When industrial companies are integrating digital manufacturing and supply chain solutions with their customers, they need to continually adapt the solution stack to customer requirements.


5 Robotic Process Automation (RPA) trends to watch in 2021

Expect a sharper focus on understanding and optimizing processes as a direct result of the shift from RPA adoption to evaluation and optimization. Plenty of organizations will realize their initial efforts were stymied by processes that they didn’t fully understand or that simply weren’t good fits for RPA. Day predicts that process-focused technologies and practices – such as process mining – will gain a greater share of attention in the new year. Related terms and technologies such as process discovery, process intelligence, process optimization, and process orchestration will similarly become a bigger part of the RPA vocabulary and toolkit. And as we wrote about recently, we could see a closer relationship between business process management (BPM) and RPA going forward. “Most companies are jumping straight into RPA or trying to automate processes without first adopting process mining, which leads to more strategic deployment of RPA and a more efficient automation framework overall,” Day says. “By more closely associating RPA with process mining and process management, RPA will stand a better chance for success – and organizations will not adopt automation for automation’s sake, and instead focus on ROI and higher success rates.”


Enterprise IT Leaders Face Two Paths to AI

There will be two pathways for companies to get AI software," said Andrew Bartels, VP and principal analyst serving CIO professionals at Forrester Research. The first movers will continue to build their own for speed to market and differentiation. It's a more expensive path, but some organizations will find value in pursuing it. Meanwhile, other organizations in the future will take another pathway. "The second pathway will be to wait for existing vendors to add the relevant functionality into existing products," Bartels said. "We think over time that will be the more dominant pathway." ... Bartels offers a simple model for assessing the maturity of your vendor's AI and whether it is the right fit for the task you have. He uses the metaphor of K-12 grade school students. If a vendor says they are adding AI functionality to their roadmap, that is a pre-kindergarten level. If they are actually developing the technology, they are in kindergarten. If they have it in beta with clients, they are a third grader. If they are in production with multiple clients for a few years then they are an eighth grader. The scale continues along the same lines with more advanced work. Bartels said enterprise IT leaders need to ask themselves: "Is this a task that an eighth grader could do? Then trust an AI engine to do it. Or, is this a task we would not give to a human who did not have an equivalent of an 11th grade education?" 


Responsible Innovation Starts With Cybersecurity

Recent events heightened the need to instill the cybersecurity culture and mindset into businesses and local governments. When employees understand how to monitor, spot, and recover from threats, systems can become more resilient. Murphy says, "When I talk with folks about cybersecurity, I tell them the most important thing is to educate your employees or citizens on how they should behave and the things to watch out for. The second component is to know what's going on in your world and then be able to respond or recover your environment. Educating your employees while using AI is key." At this point, even if companies and local governments have limited resources, there are still strategies they can take to secure their environment. Murphy says, "If you don't have the money, at least do things like segment your network. There are certain design criteria that you can build for a safer environment. There are best practices that don't require capital investment. At a minimum, there's good change control and configuration management practices that must be implemented." Without a foundation of cybersecurity, innovation cannot progress.


What AI investments should businesses prioritise for Covid-19 recovery?

While there will be a whole host of systems that businesses and individuals will interact with in the future, they must be intelligent, they need to involve us, they need to sense and be able take decisions, some on their own. What this means for businesses is that while the digital presence of systems and processes will only increase, increasing their intelligence and continually enhancing them will be crucial. Therefore, we can expect the role of AI to be far more strategic than ever before, particularly as we think about emotional intelligence in the future. The beauty of this change will be greater demand for people and skills. While AI will start making systems intelligent and reduce demand on maintenance and smaller operations, the next innovations, the roadmap development, the enhancements, and emotional intelligence will require more man=power. Up to now AI investment in industry has been aimed at solving specific business challenges and driving cost reduction, now businesses really need to invest in creating an enterprise grade AI stack to responsibly scale AI across the enterprise. Ultimately, organisations need to focus on improving the end user and customer experience, using AI to drive hyper-personalisation such as conversational commerce tools.


Enterprise IoT Security Is a Supply Chain Problem

IoT devices and systems represent additional enterprise attack surface — the same as allowing users to "bring your own device" for mobile devices. These devices expose the organization to the same types of risk as other devices deployed on the corporate network. Security flaws in IoT devices can lead to device takeover and the exposure of sensitive data, and they provide attackers a foothold in the corporate network that can be used to launch additional attacks. Additionally, these IoT systems tend to traffic in a lot of sensitive data, including confidential and proprietary information, and information that has privacy implications. This data will leave the corporate firewall and be processed by services hosted by the IoT system provider and places the burden on the enterprise to understand how these IoT systems affect their risk posture. Third-party risk must be approached in a structured manner as part of an overall vendor risk management program. New IoT systems that are going to be deployed on enterprise networks and process sensitive enterprise information need to be run through a vetting process, so the organizations understand the change in risk exposure. This process can share many of the same characteristics of a standard vendor risk management program but may need to be augmented to address some of the specific concerns that IoT systems raise.



Quote for the day:

"Appreciation is a wonderful thing: It makes what is excellent in others belong to us as well." -- Voltaire

Daily Tech Digest - December 22, 2020

Up Your DevOps Game: It’s Time for NoOps

It’s time for the next approach: Limit the number of choices to create standard best-in-class operations that deliver economies of scale and easily evolve with minimal hassle. NoOps simplifies cloud operations—everyone can do things the same way. NoOps aims to “completely automate the deployment, monitoring and management of applications and the infrastructure on which they run,” according to Forrester, which coined the term. NoOps is about standardizing the approach to deployments and reducing the number of variables, bringing simplicity. At its core, NoOps is focused on automating deployments and executions that are predictable and repeatable. The development and increasing adoption of containers are critical to the entire NoOps philosophy. Containers provide the ability to independently deploy services and applications, automating and standardizing the process to deploy anything, anywhere. Using containers delivers the tremendous portability that hasn’t been seen since the development of generic hardware. With encapsulation within the container, whatever is running inside will behave the same no matter where it is deployed. The NoOps-containers movement will transform the entire DevOps industry.


Today’s Lens of Information Governance (IG)

With the increasing list of data privacy laws and regulations and because remote workforces have created greater disconnect and information silos among departments, it is even more important for organizations to not treat data privacy as a one-department task. Instead, they must work as an organization to break through organizational data silos to ensure compliance is part of the entire culture. Though no specific national privacy regulation currently exists, any nationwide rules would likely follow the standards set forth by the European Union’s General Data Protection Regulation and the California Consumer Privacy Act (CCPA). Complicating matters further, online privacy laws, which differ widely from state to state, could expose companies to potential fines, reputational risk and damages resulting from data incidents. The California attorney general, for example, can impose penalties up to $2,500 for non-willful violations and $7,500 for intentional violations of the CCPA. Other key data regulations include the Sarbanes–Oxley Act of 2002, which standardizes record management practices, and the Gramm–Leach–Bliley Act (1999), which entails financial institutions shielding the nonpublic personal information of customers.


Disaster Recovery for Multi-Region Kafka at Uber

When disaster strikes the primary region, the active-active service assigns another region to be the primary, and the surge pricing calculation fails over to another region. It’s important to note that the computation state of the Flink job is too large to be synchronously replicated between regions, and therefore its state must be computed independently from the input messages from the aggregate clusters. And a key insight from the practices is that offering reliable and multi-regional available infrastructure services like Kafka can greatly simplify the development of the business continuity plan for the applications. The application can store its state in the infrastructure layer and thus become stateless, leaving the complexity of state management, like synchronization and replication across regions, to the infrastructure services. Another multi-region consumption mode is active/passive: only one consumer (identified by a unique name) is allowed to consume from the aggregate clusters in one of the regions (i.e. the primary region) at a time. The multi-region Kafka tracks its consumption progress in the primary region, represented by the offset, and replicates the offset to other regions. So upon failure of the primary region, the active/passive mode allows the consumer to failover to another region and resume its consumption.


Here’s How IT Leaders Can Adapt to Stricter Data Privacy Laws

Data-reliant businesses like Apple and Facebook, which make billions of dollars annually off personal information, are keeping a close watch on the shifting privacy landscape. Google’s plans to eliminate third-party cookies from Chrome was a move towards ensuring consumer trust; and now many businesses and their IT teams are facing massive changes to their privacy and data collection practices. Google’s gesture is ironic seeing as the company is facing a $5B lawsuit after being accused of illegally invading the privacy of millions of users by continuously tracking internet usage through browsers set in “private” mode. Many CIOs and tech teams were initially afraid of the potential impact California’s initial CCPA would have on their businesses, especially considering the massive GDPR violations that have cost organizations upwards of $228M. Businesses and their tech teams should expect to see a continued federal push from the Biden administration to implement nationalized standards for data protection. The movement is starting to take shape with the passing of California’s new CPRA law, which gives the power of consent to consumers around how businesses manage their data. This is a big win for consumers, as nearly every major data company in the financial market has holding operations in California.


NSA Warns of Hacking Tactics That Target Cloud Resources

The warning comes after a week's worth of revelations over the SolarWinds breach that has affected government agencies as well as corporations, including Microsoft, FireEye, Intel and Nvida. Secretary of State Mike Pompeo, commenting on the breach, said in a Friday evening radio interview that "the Russians engaged in this activity." "I can't say much more as we're still unpacking precisely what it is, and I'm sure some of it will remain classified," Pompeo said, according to a transcript provided by the State Department. "But suffice it to say there was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems, and it now appears systems of private companies and companies and governments across the world as well. This was a very significant effort, and I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity." In a pair of tweets on Saturday, President Donald Trump appeared to question whether Russia was involved in the hacking operation and opened up the possibility that China may have played a role. "The Cyber Hack is far greater in the Fake News Media than in actuality," Trump tweeted.


Advice for incident responders on recovery from systemic identity compromises

Once your incident responders and key personnel have a secure place to collaborate, the next step is to investigate the suspected compromised environment. Successful investigation will be a balance between getting to the bottom of every anomalous behavior to fully scope the extent of attacker activity and persistence and taking action quickly to stop any further activity on objectives by the attacker. Successful remediation requires as complete an understanding of the initial method of entry and persistence mechanisms controlled by the attacker as possible. Any persistence mechanisms missed could result in continued access by the attacker and potential for re-compromise. ... There are many ways to detect activity associated with this campaign. Exactly how your organization will detect attacker behavior depends on which security tools you have available, or choose to deploy in response. Microsoft has provided examples publicly for some of the core security products and services that we offer and are continually updating those documents as new threat intelligence is identified related to this attacker. 


What the antitrust lawsuits against big tech companies could mean for tech leaders

With the Microsoft antirust action more than 20 years in the past, perhaps the first obvious lesson that's applicable to today's tech giants is that whatever happens, it will happen slowly. Microsoft was sued in May 1998, and the settlement reached during the appeals process was approved in 2004. Much can happen in technology in six years; in fact, Google went from a university project to preparing for IPO during the full course of the Microsoft lawsuit. These companies are probably some of the few entities with the breadth and depth of legal resources to match the US government, so any action as dramatic as a forced breakup or significant restructuring of these giants that would significantly impact customers is likely years away at the earliest. In the nearer term, however, expect the tech giants to launch significant marketing efforts to polish up their public appearances and present themselves as champions of consumers and unwitting victims of government overreach. This campaign to generate goodwill may manifest itself in more transparent contractual terms, lower pricing, or more transparency for customers, benefits that will likely come available for little more than mentioning that you're concerned about the potential outcome of these lawsuits.


Data’s Gender Gap: How to Address Data’s Gender Gap

It is not enough to simply leave positions open to those of different genders (and races, sexual orientations, abilities, etc.), we must intentionally seek out those with different backgrounds to fill them. If the majority of those working on a team are men, a woman may feel unwelcome in that space. She might question what kind of workplace culture led to an all-male team, and if her contributions might be second-guessed by others due to her gender. When only one or a handful of women are present in a workplace, they may feel tokenized. By deliberately recruiting a representative population of women, an organization is showing a base level of commitment to welcoming and including people with different viewpoints and genders. According to LinkedIn’s 2018 Gender Insights Report, women apply to 20% fewer postings than men while on a job hunt. It is not certain whether this is simply due to women being more selective and particular than men in their job hunt, or if they are less likely to apply to a listing they do not precisely fit the requirements for than men. Either way, recruiters can make an effort to seek out women with backgrounds that sound intriguing for the positions they are hiring, and ask those they know to refer non-male candidates they believe would be up for the job.


The stakeholder–shareholder debate is over

CEOs are now becoming more like politicians, who have to be prepared to answer questions on just about any aspect of society. That’s a sharp departure for chief executives, whose compasses were previously pointed in a fixed direction toward shareholders. “The role is evolving, and it’s going to require a different kind of intelligence and greater situational awareness,” said George Barrett, former chairman and chief executive of Cardinal Health. “The job requires managing multiple levers. It used to be that most of these levers were behind the scenes. They were operational. There were a couple of stakeholders who had big, loud voices, and leaders tended to focus on managing them. Today, everything is louder, and leaders must be attentive to more engaged stakeholders. That requires a pretty skillful hand.” Chip Bergh, CEO of Levi Strauss, echoed Barrett’s insights: “You have to navigate all the different stakeholders and do the right thing. You also have to decide where you draw the line. Where do you weigh in? Because if you stand for everything, you stand for nothing. So we pick our spots about when we comment, and sometimes those are tough calls.”


Do You Think Like a Lawyer, a Scientist, or an Engineer?

Scientific thinking is an entirely different form of logical analysis. The challenge in science is not to follow the rules or define the rules; the challenge is to discover them. In any truly scientific investigation, we do not know the rules in advance. To discover the rules, we use observation and inference. This contrasts strongly with the IRAC method of logical analysis. The scientific method emphasizes intellectual humility, treating knowledge as layers of hypotheses. Accumulating new knowledge requires designing and running experiments to test new hypotheses. A hypothesis is an idea about what rules may govern a certain situation. Designing an experiment means imagining how a system would behave if a certain rule holds true. Running an experiment means carrying out a scenario to see if the results matched your expectations. In the scientific method, you validate your mental model against observed results. If results match your expectations, it gives confidence that the hidden rules match your hypothesis. The defining characteristic of the scientific method is building systems that enable us to learn. Learning underlying rules (while holding our knowledge of them as tentative) is the product of this exercise.



Quote for the day:

"Preconceived notions are the locks on the door to wisdom." -- Mary Browne