The Industrywide Consequences of Making Security Products Inaccessible
Restricting access to security products creates situations where people from
underrepresented groups are not able to easily catch up with their more
fortunate peers who are already employed by enterprises with access to the
latest tooling. In other words, companies publicly championing their efforts
to increase diversity and get more people from underrepresented groups in the
industry are actually making it harder for the same people to get into
cybersecurity. It's not uncommon to see motivated and driven people from
underrepresented backgrounds spend their free time studying and trying to
level up their skills so they can move up the career ladder. While
scholarships and grants are certainly helpful, what can be even more impactful
is giving them access to tools they need to learn to develop new skills, build
résumés, and get hired or promoted. ... It seems like most security vendors
today create thought leadership content about how bad the talent shortage is
for the industry, yet few are making it easy for people to become job ready by
learning how to use their tools.
Open-Source Leadership to the European Commission: CRA Rules Pose Tech and Economic Risks to EU
As currently written, the CRA would impose a number of new requirements on
hardware manufacturers, software developers, distributors, and importers who
place digital products or services on the EU market. The list of proposed
requirements includes an "appropriate" level of cybersecurity, a prohibition
on selling products with any known vulnerability, security by default
configuration, protection from unauthorized access, limitation of attack
surfaces, and minimization of incident impact. The list of proposed rules also
includes a requirement for self-certification by suppliers of software to
attest conformity with the requirements of the CRA, including security,
privacy, and the absence of Critical Vulnerability Events (CVEs). The problem
with these rules, explained Mike Milinkovich, executive director of the
Eclipse Foundation, in a blog post, is that they break the "fundamental social
contract" that underpins open-source, which is, simply stated, that its
producers of that software provide it freely, but accept no liability for its
use and provide no warranties.
White House addresses AI’s risks and rewards
While Schiappa agreed that AI can exploit vulnerabilities with malicious code,
he argued that the quality of the output generated by LLM is still hit and
miss. “There is a lot of hype around ChatGPT but the code it generates is
frankly not great,” he said. Generative AI models can, however,
accelerate processes significantly, Schiappa said, adding that the “invisible”
part of such tools — those aspects of the model not involved in natural
language interface with a user — are actually more risky from an adversarial
perspective and more powerful from a defense perspective. Meta’s report said
industry defensive efforts are forcing threat actors to find new ways to evade
detection, including spreading across as many platforms as they can to protect
against enforcement by any one service. “For example, we’ve seen malware
families leveraging services like ours and LinkedIn, browsers like Chrome,
Edge, Brave and Firefox, link shorteners, file-hosting services like Dropbox
and Mega, and more. When they get caught, they mix in more services including
smaller ones that help them disguise the ultimate destination of links,” the
report said.
Start Your Architecture Modernization with Domain-Driven Discovery
/filters:no_upscale()/articles/architecture-modernization-domain-driven-discovery/en/resources/1figure1-large-1683727412214.jpg)
Architecture modernization projects are complex, expensive, and full of risks.
Starting with a Domain-Driven Discovery (DDD) focuses your team and improves
your chances of success. ... There was a time when we started new Agile
projects with a two-week Sprint 0 then launched right into coding the
solution. Unfortunately, teams often found out later they wasted time and
money on "building the wrong thing righter." The influences of Design Thinking
and Dual-Track Agile and frameworks like Mobius have opened our collective
eyes to the importance of a brief discovery for product work. ... We suggest
using event storming workshops to clarify the business processes related to
the in-scope systems. Start by choosing a primary process or experience to
focus on, such as a new customer registration. Next, collaboratively identify
every event in this end-to-end process. It’s important to focus on how it
works today, not how it should work in the future. Then identify a subset of
the events that are essential to the process and labels these Pivotal
Events.
Career Reinvention: Considering a Switch to Cybersecurity
A significant skills gap in the cybersecurity industry has created a unique
opportunity for individuals from various backgrounds to enter the field.
Employers are seeking new people who weren’t necessarily trained to be cyber
defenders but who have fresh perspectives and the potential to learn. This
situation creates a tremendous opportunity for career reinvention. In response
to this talent gap, the industry has committed to providing the new hires the
resources and support they need to reach their fullest potential and succeed
in a new career space. ... Of course, candidates should work to understand all
they can about the types of cyber roles they would be most qualified for and
interested in taking on – the good and the bad. This will ensure no element of
surprise later down the line that catches them off guard, potentially making
their career switch regretfully. It is also essential that any decisions being
made are based on desire and genuine interest. If one enjoys the work they do
and has the opportunity to work with good people, the rest will follow. Making
a career change can be stressful, so taking it one step at a time is the best
way to approach a drastic reinvention.
Data Waste Is Putting Retail Loyalty at Risk — Here’s Why
According to Wenthe, data wastage — the efficient or ineffective use of data —
has become a common blight among brands in all industries, and especially
those in the retail, automotive, CPG, and entertainment spaces. “Data wastage
comes in a variety of forms from data sources such as customer service, sales,
or operations departments,” Wenthe says. “[It] is usually the result of a
collection of unnecessary data, withholding relevant data from the right team,
or failure to analyze or action on the data that has been collected.” While
it’s not always easy to identify data wastage, Wenthe says time spent managing
customer data collections is often the main culprit. According to Gartner,
data inefficiencies can end up costing organizations an average of $12.9
million per year — a huge chunk of change for just about any company to lose.
“This issue is important for any brand where their data remains disjointed and
unable to interact with one another,” Wenthe says. Given the influx of data
coming through new channels and departments, including customer service,
sales, and operations, it’s no surprise to hear that retail brands right now
are struggling.
Israeli threat group uses fake company acquisitions in CEO fraud schemes
The targeted organizations had headquarters in 15 countries, but since they
are multinational corporations, employees of these companies from offices in
61 different countries were targeted. The reason why the group is focused on
large enterprises is in the lure they chose to justify the very large
transfers they're after: company acquisitions. It's not unusual for such
multinational companies to acquire smaller companies in various local markets.
... "First, members of the executive team are likely to send and receive
legitimate communications with the CEO on a regular basis, which means an
email from the head of the organization may not seem abnormal," the
researchers said. "Second, based on the stated importance of the supposed
acquisition project, it’s reasonable for a senior leader at the company to be
entrusted to help. And finally, because of their seniority within the
organization, there is presumably less red tape that would need to be cut
through in order for them to authorize a large financial transaction."
Poison Control: Report Says Tech Workplace Toxicity Rising
Joel Davies, senior people scientist at Culture Amp, says senior leadership
hold the keys to creating a better work culture. “There is a common belief
that ‘people leave managers, not companies,’ but we have found perceptions of
senior leadership tend to be more important for employee engagement and
commitment than perceptions of one’s direct manager. Senior leaders are role
models, whether they like it or not. The way they behave at work creates
powerful social norms that can impact how the rest of the organizations
behaves.” In a tough economic environment, Tsingos says transparency goes a
long way to building a positive workplace perception. “We’re living in an era
of uncertainty in the financial markets,” he says. “This pressure creates
toxicity. How do you deal with that. You deal with that with transparency. You
deal with openness, and you deal with it by investing in your people. You
might have a big company laying off thousands of people -- but there are some
people who may come back and who are thankful for the transparency. Because
that employer was investing in them and treating them nicely.”
The art of leading in the AI age
In the digital era, the leader as a subject matter expert is typically a
senior programmer who takes on the role and responsibilities of someone who
helps everyone else understand the opportunities and risks of developing
something that makes life easier in the short term, but more complex and
difficult in the longer term. ... we look for leaders who mediate between
different reasons to use (or not to use) technology, because the best
facilitator is the one who is most likely to make room for different needs and
thus help her fellow human beings design their own lives. This means that
leaders primarily act as organizational midwives who use their own experience
and expertise to help others trust themselves—and one another—to do a job none
of them could do alone. In the digital era, the leader as an organizational
midwife is typically a chief experience officer or a people leader who takes
on the role and responsibilities of someone who nurtures a culture in which
decisions on how something should and should not be used are made deliberately
and intentionally by everyone.
The Building Blocks of Success: Is Data Mesh Right for My Organization?
In many ways, data mesh is a lot like Legos. It’s possible to make over 915
million different combinations from just six different Lego bricks. A data
mesh can similarly be built in any way that works best for your organization:
choose each component carefully and build the solution that most fits your
needs. ... The traditional operating model of centralized data engineering
requires fewer skilled technical resources as the business teams all share
those resources. Decentralization can lead to each business team hiring and
supporting their own technical teams, which requires more resources. On the
one hand, this is one reason agility and speed-to-delivery is improved: there
are more people delivering, perhaps with fewer competing demands on their
time. ... The strongest candidate for a data mesh includes a compelling
business case, strong buy-in and sufficient resources, and an organizational
culture that supports it. If you have an approach that’s working for you —
say, your organization is not domain-oriented and has centralized IT with
fungible resources that are implemented alongside various projects — then data
mesh likely isn’t the right investment at this time.
Quote for the day:
"Uncertainty is a permanent part of
the leadership landscape. It never goes away." -- Andy Stanley
