Beware the cost traps that can strain precious cybersecurity budgets
Overlapping services that duplicate functions are another common overspend that
can eat into security budgets. "Paying for these duplicate security functions
can be financially inefficient and strain the budget," says Nick Trueman, CISO
at cloud services provider Nasstar. It can also result in integration challenges
whereby coordinating and integrating multiple providers with similar functions
leads to complexities and interoperability issues, he adds. CISOs should conduct
a comprehensive review and identify all current security providers and the
services they offer. ... On the topic of redundancies, CISOs can often end up
paying for tools that do not deliver the expected benefits, significantly
impacting their security budgets and coverage plans. CISOs may encounter
scenarios where they invest in security tools or technologies that, despite
their initial promise, fail to provide the anticipated value or return on
investment (ROI), says Paul Baird, chief technical security officer at Qualys.
This could happen for several reasons, including inadequate integration with
existing systems, limited user adoption, or the tools not effectively addressing
the organization's specific security needs.
Essential cyber hygiene: Making cyber defense cost effective
When it comes to dollars and cents, the industry as a whole has made many
attempts to calculate the cost of a cyber attack. The same can’t be said about
estimating the costs of implementing cyber defenses. But there’s value in
knowing both of those metrics. Knowing what an enterprise can spend to prevent
an attack is helpful when you know what they’re willing to spend to recover from
an attack. For example, if the cost of recovering from a cyber attack is $1.25
million but an enterprise can spend only $1 million on implementing a set of
robust cyber defenses, which one should they choose? To estimate the cost of IG1
Safeguards, we looked at the tools that an enterprise needs to implement them.
Tools are priced in many ways, the most common being the following: by number of
employees, users, workstations/servers, and/or by usage (e.g., megabyte,
gigabyte, hours). CIS created IG1 Enterprise Profiles to help streamline the
process of calculating costs. Our estimate shows that obtaining and deploying
commercially-supported versions of the tools should be less than 20% of the
Information Technology (IT) budget for any size enterprise.
Why the human factor is critical to ITOps success
Communication between developer teams and “business types” can be fraught.
Developers typically work very hard for long hours to deliver what customers
want. Yet efforts frequently fall flat, due in no small part to a failure of one
or both sides to understand or explain what the other really wants or needs,
says Shafrir. “There will always be a wall between the two, but especially
during this time with tonnes of services on the internet and daily changes to
software. It’s a problem if only business people are in touch with customers,”
he says. Developers often have little idea how the customers are using the
product – not least because they write code and “throw it over the fence”. “Then
it’s frustrating when we’re [developers] told our quality is very low and it’s
not a good job and we don’t work hard enough and other things,” says Shafrir.
Shafrir recommends that IT leaders “take down that wall” between the two teams.
If developers are notified and know exactly – continuously – how the code is
performing in the customer environment, fixes can be rolled out faster.
Security Governance and Risk Management in Enterprise Architecture
Security governance isn't just a rulebook. It's a structured approach that
champions data protection, system reliability, and seamless business operations.
With this governance in place, the intricate realm of cybersecurity becomes a
navigable terrain. True security roots itself deep within organizational
culture. When every team member, from the top brass to the newest recruit,
values security, the organization stands united and fortified. A collective
commitment to security amplifies the organization's resilience. ... Frameworks,
especially ones like the NIST Risk Management Framework, offer more than
theoretical value: they shape practical decisions in technology, placing risk
considerations at the forefront. Adopting such guiding principles ensures that
architectural choices resonate with both innovation and security. Still, the
landscape of risk is dynamic, changing with every technological advancement and
emerging threat. Regular, thorough risk assessments become a beacon that
illuminates potential security gaps. Allocating resources to these evaluations
ensures a resilient and adaptive enterprise architecture, always prepared for
the challenges ahead.
Why A One-Size-Fits-All 'Compliance' Plan Can Be Dangerous
IT departments these days use many different architectures with various
hardware, software and network configurations. Because of these differences,
it's difficult to create a single cybersecurity formula that works for all
companies. Some of the pitfalls of trying to cut corners and save costs by
implementing a generic plan include: Lack Of Customization - A
one-size-fits-all approach doesn't consider the specific problems and needs of
each company. What works for one organization may not be enough to address the
weaknesses and particular requirements of the next. It's important to
customize security measures to fit the unique characteristics of each company
to effectively protect against cyber threats. Increased Risk Of Breaches -
When companies use a standardized compliance plan, it sets a basic level of
security. However, this plan might not take into account the specific risks
and security gaps that exist in each organization. Without customized security
measures, a greater chance exists of experiencing data breaches or
cyberattacks.
Generative AI is everything, everywhere, all at once
Unlike generative AI, which exploded within the past year thanks in part to
OpenAI's consumer-facing ChatGPT, AI is nothing new. And it's a fairly
ambiguous term, Toubia explained. "There's a wide range of things you could
label as AI or machine learning," he said. "There's some very simple
statistical methods that have been around for over 100 years that technically
could be as clever as AI." Given the enigmatic nature of generative AI, it's
also a complicated product to patent, audit, or regulate, which further
exacerbates AI washing. "Companies don't really have to publish or explain
their AI because it's a trade secret. There's no pattern that you could read,
and we don't really know what's under the hood, so to speak," Toubia said.
Regulatory institutions like the FTC are certainly trying to control the
unwieldy industry with industry-wide warnings and reports. While he
appreciates the ideas behind the warnings, Thurai is doubtful that the FTC's
stern warnings and oversights will be enforced due to how difficult it will be
to prove in court.
The Whats and Hows of DevOps Talent Retention
Given that a lack of opportunities for growth accounts for close to half of
DevOps employees’ turnover rates, it once again highlights the importance of a
well-planned approach to support ongoing learning. By understanding employee
employees’ performance, preferences and environment, a wider range of support
offers can be implemented. Providing tailored assignments that allow employees
to focus on their skills or passion not only helps build commitment to the job
but it also acts as a motivator. This can stem from a simple 15-minute project
or a year-long program. But advocating personal development courses and
upskilling techniques are not enough. Employers must also harness peer
recognition. A sales organization within the United States Postal Service
(USPS) recently made an attempt to boost peer recognition by enabling their
employees to identify behavior associated with new skills learned by setting
up a simple online platform. The group oversaw an overall employee engagement
rise by 8% in the initial pilot group. Such strategies were then used to
improve work across the organization.
How to Partner with Law Enforcement Following a Cyberattack
Law enforcement will come with the intention of acting as partner to the
victim organization, alongside other stakeholders like remediation firms and
insurance companies. “We would really expect to be seen as true partners in
every sense of the word,” says Alway. A law enforcement team could include
investigative agents with cybersecurity backgrounds, as well as technical
experts, such as computer scientists and data analysts. That partnership will
be based on information sharing. Organizations will tell law enforcement about
the nature of the incident, provide logs, and any other evidence of the
intrusion and answer questions. Law enforcement will share their knowledge of
IOCs and any information they have that can help enterprises during the
remediation process. “There’s no such thing as over communication in cyber
incidents,” says Alway. It is important to keep in mind that law enforcement’s
job takes time. “A lot of times the investigation piece could drag on for
multiple years, whereas the company [or] organization is on a shorter
timeline,” says Cabrera.
Cyber security professionals say industry is “booming”
Cyber security professionals are still positive about the industry and their
opportunities despite the economic climate, according to The Chartered
Institute of Information Security's (CIISec) 2022/2023 State of the Profession
report – the eighth annual survey of the cyber security industry. In the
survey of 302 security professionals, almost 80% say they have ‘good’ or
‘excellent’ career prospects, and more than 84% say the industry is ‘growing’
or ‘booming’. Despite being protected from economic challenges, the report
highlights that the industry is still plagued by issues including stress and
overwork. 22% of respondents work more than the 48 hours per week mandated by
the UK Government, and 8% work more than 55 hours which, according to the
World Health Organisation, marks the boundary between safe and unsafe working
hours. The reports also found: Worries over workload loom over cyber security
professionals - When asked what keeps them awake at night, the two main
sources of stress for cyber professionals are day-to-day stress/workload
(identified by 50%) and suffering a cyber-attack (32%).
Are enterprise architects the new platform team leaders?
Today there is a need for platform teams to architect the connections between
business processes, outcomes, and the technology. Many teams today still
operate in silos which can manifest within their specific functional pieces of
technology or just individual teams. However, today, there are several key
factors reshaping the way teams approach their work. The easy access to
technology outside of corporate IT has fundamentally changed the dynamic. In
addition, the idea of IT owning a very small piece of the technology is no
longer acceptable. For example, if you are a database team, you can’t just be
responsible for the database itself – you must also own the delivery of that
database as a service, including the additional technology around it like the
OS, compute, memory, and all elements of cost, security, access, and
performance. Enterprise architects in this new role as platform leaders must
adopt a cross-functional mindset. They must look left and right x-functionally
at the technology, how it should fit together, the services the company should
offer – and for what use cases.
Quote for the day:
"A leader is always first in line
during times of criticism and last in line during times of recognition." --
Orrin Woodward
