The CIO at a crossroads: Evolve or become a dead-end job
While the CIO role is undoubtedly changing, no business can afford to let their
staff go out and buy whatever technology they want. The potential risks of
leaving professionals to their own devices range from burgeoning costs in terms
of cloud provision to the fear of sensitive enterprise data being pushed into
public AI systems without due care and attention. Businesses need someone to
ensure advanced digital technologies are exploited in a safe, secure, and
cost-effective manner. And the person within the enterprise who holds that
experience is still the CIO, says Richardson. “While things are now much more
advanced, that core role — ensuring reliable, efficient, and secure business
operations — is still crucially important,” he says. “There is certainly a very
wide scope of functional and technical disciplines for modern CIOs to
understand, such as cybersecurity, cloud infrastructure, AI and machine
learning, end-user experience design, enterprise architecture, and more.” That’s
a belief that chimes with Lily Haake, head of technology and digital executive
search at recruiter Harvey Nash.
Victory by Surveillance Isn’t Possible—To Win, Engage the Adversary
Despite the profound intelligence exhibited by tools and methodologies
originating from academia or the minds of Silicon Valley innovators, they
inherently maintain a passive stance. More intelligent surveillance simply will
not get the job done. Moreover, our faith in AI-based solutions may well be
(dramatically) overstated. Like in any arms race, the enemy gains access to the
same tools and techniques used in defense for the benefit of their offense. This
fact does not make for any “we are pulling ahead” kind of thinking. As
AI-designed offensive techniques come online, we might in fact be further
behind, which is a terrible thing to say after laying out US$200 billion for
security tools last year. ... When each new tool we innovate adds to
our burden as defenders, but doesn’t, realistically, alter the awful trends, we
need a rethink. Basic zero-sum game theory—my opponent’s gain is at my expense,
and vice versa—ensures we will stay on the receiving end unless there is a cost
associated with the attacker’s behavior.
Why are OpenAI, Microsoft and others looking to make their own chips?
“The obvious point is that they have some requirement nobody is serving, and I
reckon it might be an inference part that’s cheaper to buy and cheaper to run
than a big GPU, or even the top Sapphire Rapids CPUs, without making them
beholden to either AWS or Google,” according to Omdia principal analyst
Alexander Harrowell. He added that he was basing his opinion on CEO Sam Altman’s
comments that GPT-4 is unlikely to scale further, and would rather need
enhancing. Scaling an LLM requires more compute power when compared to
inferencing a model. Inferencing is the process of using a trained LLM to
generate more accurate predictions or results. Further, analysts said that
acquiring a large chip designer might not be a sound decision for OpenAI as it
would approximately cost around $100 million to design and get the chips ready
for production. “While OpenAI can try and raise money from the market for the
effort, the deal with Microsoft earlier this year essentially led to selling an
option over half the company for $10 billion, of which some unspecified
proportion is in non-cash Azure credits — not the move of a company that’s
rolling in cash,” Harrowell said.
It’s Time to End the Battle Between Waterfall and Agile
Hybrid methodologies, such as the one implemented by Philips for their digital
transformation initiatives, offer a mix of Agile’s flexibility and Waterfall’s
structure. Philips adopted a hybrid approach for its HealthSuite digital
platform, delivering rapid, iterative releases for software development while
still adhering to strict documentation and safety guidelines. By combining
these two approaches, Philips was able to create a hybrid approach that was
both flexible and structured. This resulted in better product quality, reduced
time to market, predictable costs and savings. ... A hybrid approach allows
for risk mitigation by blending Agile’s adaptability with Waterfall’s
structured planning, as demonstrated by Tesla’s hybrid approach to the
development of their Model 3. To build the Gigafactory, where the vehicle’s
batteries are produced, Tesla utilized rigorous planning and risk assessment
methods. At the same time, Tesla’s capability to update vehicle software over
the air allows for rapid issue resolution and feature addition
post-production. This dual strategy enables Tesla to mitigate risks
effectively while maintaining flexibility in a high-stakes manufacturing
landscape.
5 Focus Areas for Better Cloud Security Programs in Financial Services
Finserv organizations need a strategy for discovering employees’ usage of
cloud apps or services that haven’t been authorized by the IT department –
also known as Shadow IT – that may lead to unsecured data. One popular method
to monitor Shadow IT usage is a Cloud Access Security Broker (CASB): an
intermediary between cloud consumers and providers that enforces security
policies as cloud resources are accessed. Secure web gateways (SWG) and
next-generation firewalls are other helpful tools used to inspect network
traffic and provide advanced protection. But it’s not enough to just take
stock of Shadow IT – organizations also need a plan for how to secure any
unauthorized apps or services they discover. ... Finserv firms store an
average of 61% of sensitive data in the public cloud – equal to other sectors.
They also store similar types of vital data, but even more so in the way of
competitor data, confidential internal documents, personal staff information,
intellectual property, government identification, payment card information and
network passwords.
F5 Warns Australian IT of Social Engineering Risk Escalation Due to Generative AI
Australian IT teams can expect to be on the receiving end of social
engineering attack growth. F5 said the main counter to changing bad actor
techniques and capabilities will be education to ensure employees are made
aware of increasing attack sophistication due to AI. “Scams that trick
employees into doing something — like downloading a new version of a corporate
VPN client or tricking accounts payable to pay some nonexistent merchant —
will continue to happen,” Woods said. “They will be more persuasive and
increase in volume.” Woods added that organizations will need to ensure
protocols are put in place, similar to existing financial controls in an
enterprise, to guard against criminals’ growing persuasive power. This could
include measures such as payments over a certain amount requiring multiple
people to approve. ... There have been warnings that armies of bots,
supercharged by new AI tools, could be utilized by criminal organizations to
launch more sophisticated automated attacks against enterprise cybersecurity
defences, expanding a new front in organisations’ war against cyber
criminals.
Translating Failures into Service-Level Objectives
We can be proactive about failure and creating SLOs from chaos engineering and
game days. Chaos engineering is the discipline of experimenting on a system to
build confidence in the system’s capability to withstand turbulent conditions
in production. We want to inject failure into our systems to see how it would
react if this failure were to happen on its own. This allows us to learn from
failure, document it and prepare for failures like it. We can start practicing
these types of experiments with game days. A game day is a time when your team
or organization comes together to do chaos engineering. This can look
different for each organization, depending on the organization’s maturity and
architecture. These can be in the form of tabletop exercises, open
source/internal tooling such as Chaos Monkey or LitmusChaos, or vendors like
Harness Chaos Engineering or Gremlin. No matter how you go about starting this
practice, you can get comfortable with failure and continue to build a culture
of embracing failure at your organization. This also allows you to continue
checking on those SLOs we just set up.
Turning military veterans into cybersecurity experts
Cyber threat intelligence (CTI) is a specialism within cybersecurity that has
been built upon traditional military intelligence processes and theories and
because of this, any who have served in a traditional intelligence role in the
military will have a solid coverage of some of the hard skills needed for
these roles. With support upskilling, they build their knowledge of IT
networks and some CTI tooling and platforms, so this career path can be very
accessible. Information security management careers also require people to
know how to manage and lead, which is to manage people more often than tech.
While a grounding in the technical aspects of cybersecurity is very important,
ex-Forces commonly possess management and leadership skills and experience,
often developed over years during their military careers, which is evidently
useful the moment they step into a cyber team. To enhance this further, most
have worked with sensitive data, stored and processed on sensitive systems,
shaping or at least adhering to policy, and sometimes even managing large IT
accounts.
6 Pain Points for CISOs and CIOs and What to Do About Them
“Everybody is struggling with the sprawling technology stack,” says Carl
Froggett, CIO of cybersecurity company Deep Instinct. Many companies are
working with a mix of legacy technology, like on-premises servers, and new
cloud and SaaS systems. CIOs and CISOs are faced with the operational and
security challenges that come with this disparate tech stack and the migration
to new systems. With that sprawl comes the challenge of data governance. What
data does a company have? Where does it reside? How can it be safeguarded? If
CIOs and CISOs can’t answer the first two questions, they can’t even begin to
collaborate on an effective strategy for protecting their organizations’ data.
... While talent is a scarce commodity, CIOs and CISOs can leverage third
parties to get the skills they do not have internally and have yet to hire.
They can also find ways to automate lower-level tasks, freeing staff to spend
more time on other more important, less repetitive tasks. IT leadership can
also retrain and upskill existing team members.
Using Visual Studio Code for C# development
The C# Dev Kit adds more in the way of code navigation tooling, using the
Solution Explorer to work with test frameworks and the Roslyn tools to quickly
jump to specific parts of your application, peeking at definitions and
references to understand how classes and methods are used. The Solution
Explorer helps manage complex projects, using virtual solution folders to
group files without affecting your underlying file system. Solution folders
let you separate code from tests, as well as managing different UIs for
different device targets. The IntelliCode extension adds AI-supported code
completion to your editor, with the ability to predict entire lines of code,
based on what you’ve already written. This works alongside the normal
IntelliSense features to guide code predictions, reducing the risk of errors.
It will even highlight possible completions in IntelliSense and rank the
members in a class based on your code to speed up selections. It’s important
to understand that this is a local AI model. Unlike GitHub Copilot,
IntelliCode operates disconnected from the internet, helping keep code secret
and enabling you to work from anywhere.
Quote for the day:
“Identify your problems but give your
power and energy to solutions.” -- Tony Robbins
