Transforming GRC Landscape with Generative AI
Streamlining GRC workflows and integrating various components of the
technology stack can significantly enhance efficiency. Apache Airflow is an
open-source workflow automation tool that orchestrates complex data pipelines
and automates GRC processes, leading to substantial efficiency gains. Apache
Camel facilitates integration between different system components, ensuring
smooth data flow across the technology stack. Additionally, robotic process
automation (RPA) can be implemented using open-source platforms like Robot
Framework. These platforms automate repetitive tasks within GRC processes,
further enhancing operational efficiency and allowing human resources to focus
on more strategic activities. By leveraging these open-source tools and
techniques, organizations can build a robust infrastructure to support
GenAI and RAG in their GRC processes, achieving enhanced efficiency, accuracy,
and strategic insights. ... Traditional approaches are labour-intensive and
prone to human error, leading to inefficiencies and increased compliance
risks. By contrast, GenAI and RAG can streamline processes, reduce the burden
on human resources, and provide timely and accurate information for strategic
planning.
Two AI Transparency Concerns that Governments Should Align On
AI raises two fundamental transparency concerns that have gained in salience
with the spread of generative AI. First, the interaction with AI systems
increasingly resembles human interaction. AI is gradually developing the
capability of mimicking human output, as evidenced by the flurry of
AI-generated content that bears similarities to human-generated content. The
“resemblance concern” is thus that humans are left guessing: Is an AI system
in use? Second, AI systems are inherently opaque. Humans who interact with AI
systems are often in the dark about the factors and processes underlying AI
outcomes. The “opacity concern” is thus that humans are left wondering: How
does the AI system work? ... Regulatory divergence presents a unique
opportunity for governments to learn from each other. Governments can draw
from the expertise accumulated by national regulators and other governments
that are experimenting to find effective AI rules. For example, governments
looking to establish information rights can learn from Brazil’s precise
elaboration of information to be disclosed, South Korea’s detailed procedure
for requesting information, and the EU’s unique exception mechanisms.
5 IT risks CIOs should be paranoid about
CIOs sitting on mounting technical debt must turn paranoia into action plans
that communicate today’s problems and tomorrow’s risks. One approach is to
define and seek agreement of non-negotiables with the board and executive
committee, outlining criteria of when upgrading legacy systems must be
prioritized above other business objectives. ... CIOs should be drivers of
change — which can create stress — while taking proactive and ongoing steps to
reduce stress in their organization and across the company. The risks of
burnout mount because of higher business expectations of delivering new
technology capabilities, leading change management activities, and ensuring
systems are operational. CIOs should promote ways to disconnect and reduce
stress, such as improving communications, simplifying operations, and setting
realistic objectives. ... “When considering the growing number of global third
parties organizations need to collaborate with, protecting the perimeter with
traditional security methods becomes ineffective the moment the data leaves
the enterprise,” says Vishal Gupta, CEO & co-founder of Seclore.
Understanding the difference between competing AI architectures
A common misconception is that AI infrastructure can just be built to the
NVIDIA DGX reference architecture. But that is the easy bit and is the minimum
viable baseline. How far organizations go beyond that is the differentiator.
AI cloud providers are building highly differentiated solutions through the
application of management and storage networks that can dramatically
accelerate the productivity of AI computing. ... Another important difference
to note with regards AI architecture versus traditional storage models is the
absence of a requirement to cache data. Everything is done by direct request.
The GPUs talk directly to the disks across the network, they don't go through
the CPUs or the TCP IP stack. The GPUs are directly connected to the network
fabric. They bypass most of the network layers and go directly to the storage.
It removes network lag. ... Ultimately, organisations should partner with a
provider they can rely on. A partner that can offer guidance, provide
engineering and support. Businesses using cloud infrastructure are doing so to
concentrate on their own core differentiators.
How Much Data Is Too Much for Organizations to Derive Value?
“If data is in multiple places, that is increasing your cost,” points out
Chris Pierson, founder and CEO of cybersecurity company BlackCloak.
Enterprises must also consider the cost of maintenance, which could include
engineering and program analyst time. Beyond storage and maintenance costs,
data also comes with the potential cost of risk. Threat actors constantly look
for ways to access and leverage the data safeguarded by enterprises. If they
are successful, and many are, enterprises face a cascade of potential costs.
... Once an enterprise is able to wrap its arms around data governance,
leaders can start to ask questions about what kind of data can be deleted and
when. The simple answer to the question of how much is too much boils down to
value versus risk. “Start with the fundamental question: What does the company
get from the data? Does it cost more to store and protect that data than the
data actually provides to the organization?” says Wall. When it comes to
retention, consider why data is being collected and how long it is needed. “If
you don't need the data, don't collect it. That should always be the first
fundamental rule,” says Pierson.
Empowering Developers in Code Security
When your team is ready to add security earlier in the development process, we
suggest introducing 'guardrails' into their workflow. Guardrails, unlike
wholly new processes, can slide into place unobtrusively, providing warnings
about potential security issues only when they are actionable and true
positives. Ideally, you want to minimize friction and enable developers to
deliver safer, better code that will pass tests down the line. One tool that
is almost universal across development and DevOps teams is Git. With over 97%
of developers using Git daily, it is a familiar platform that can be leveraged
to enhance security. Built directly into Git is an automation platform called
Git Hooks, which can trigger just-in-time scanning at specific stages of the
Git workflow, such as right before a commit is made. By catching issues before
making a commit and providing direct feedback on how to fix them, developers
can address security concerns with minimal disruption. This approach is much
less expensive and time-consuming than addressing issues later in the
development process. This can actually increase the time spent on new code by
reducing the amount of maintenance that eventually needs to be done.
Retrieval-augmented generation refined and reinforced
RAG strengthens the application of generative AI across business segments and
use cases throughout the enterprise, for example code generation, customer
service, product documentation, engineering support, and internal knowledge
management. ... The journey to industrializing RAG solutions presents several
significant challenges along the RAG pipeline. These need to be tackled for
them to be effectively deployed in real-world scenarios. Basically, a RAG
pipeline consists of four standard stages — pre-retrieval, retrieval,
augmentation and generation, and evaluation. Each of these stages presents
certain challenges that require specific design decisions, components, and
configurations. At the outset, determining the optimal chunking size and
strategy proves to be a nontrivial task, particularly when faced with the
cold-start problem, where no initial evaluation data set is available to guide
these decisions. A foundational requirement for RAG to function effectively is
the quality of document embeddings. Guaranteeing the robustness of these
embeddings from inception is critical, yet it poses a substantial obstacle,
just like the detection and mitigation of noise and inconsistencies within the
source documents.
Confidential AI: Enabling secure processing of sensitive data
Confidential AI is the application of confidential computing technology to AI
use cases. It is designed to help protect the security and privacy of the AI
model and associated data. Confidential AI utilizes confidential computing
principles and technologies to help protect data used to train LLMs, the
output generated by these models and the proprietary models themselves while
in use. Through vigorous isolation, encryption and attestation, confidential
AI prevents malicious actors from accessing and exposing data, both inside and
outside the chain of execution. ... Confidential AI can also enable new or
better services across a range of use cases, even those that require
activation of sensitive or regulated data that may give developers pause
because of the risk of a breach or compliance violation. This could be
personally identifiable user information (PII), business proprietary data,
confidential third-party data or a multi-company collaborative analysis. This
enables organizations to more confidently put sensitive data to work, as well
as strengthen protection of their AI models from tampering or theft.
Women in IT Security Lack Opportunities, Not Talent
.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale)
Female leaders are also instrumental in advocating for policies and practices
that promote diversity and inclusion, such as equitable hiring practices,
sponsorship programs, and family-friendly policies. "By actively working to
create a more inclusive environment, female cyber leaders can help pave the
way for future generations of women in cybersecurity," Dohm said. ... Guenther
noted that women often encounter unconscious biases that affect decisions
regarding leadership potential and technical capabilities, particularly as it
relates to perception bias. "Women in cybersecurity, as in many other fields,
often face double standards in how their actions and words are perceived
compared to their male counterparts," she said. For example, assertiveness,
decisiveness, and direct communication – qualities praised in male leaders –
can be unfairly labeled as aggressive or overly emotional when exhibited by
women. This disparity in perception can hinder women from being seen as
potential leaders or being evaluated fairly. "Addressing these biases is
crucial for creating a truly equitable workplace where everyone is judged by
the same standards and behaviors are interpreted consistently, regardless of
gender," Guenther said.
Early IT takeaways from the CrowdStrike outage
Recovering from CrowdStrike has been an all-hands-on-deck event. In some
instances, companies have needed humans to be able to touch and reboot
impacted machines in order to recover — an arduous process, especially at
scale. If you have outsourced IT operations to managed service providers,
consider that those MSPs may not have enough staff on hand to mitigate your
issues along with those of their other clients, especially when a singular
event has widespread fallout. ... Ensure you review recovery steps and
processes on a regular basis to guarantee that your team knows exactly where
those recovery keys are and what processes are necessary to obtain them. While
Bitlocker is often mandated for compliance reasons, it also adds a layer of
complications you may not be prepared for. ... It was also quickly identified
what the underlying culprit was, a CrowdStrike update that went faulty. In
other incident situations, you may not be so quickly informed. It may not be
clear what has happened and what assets have been impacted. Often, you’ll need
to reach out to staff who are closely working with impacted assets to
determine what is going on and what actions to take.
Quote for the day:
"Effective questioning brings insight,
which fuels curiosity, which cultivates wisdom." -- Chip Bell
.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale)
.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale)
/dq/media/media_files/5cF1SILWQRaPHFVmYj1U.jpg)
/pcq/media/media_files/5XXHuthlNeHT5EL5tDGP.png)
