Public sector IT projects need ethical data practices from start
“When you openly communicate your purpose – when you’re open about how you’re
doing things, how data has been used – you instil the most valuable thing when
doing data projects, which is trust,” he says. “We are probably in a place where
people don’t trust organisations or the government with their data, and that’s a
bad place to be… so the transparency, openness, communicating purpose, engaging
with people is fairly key.” Ahmed adds that, even in situations where it is not
possible to consult the public – for example, when systems are being built for
law enforcement or intelligence purposes, or just internally for use by civil
servants – openness among the internal stakeholders is still very important. All
of this should also be documented: “To make [ethical] framework that’s suitable,
to what you’re doing as an organisation, keep referring to it, refresh it,
measure your outcomes, learn from it… the potential loss of revenue or
reputation for an organisation or government departments are huge if it goes
wrong. With ethics, the win is not getting things wrong, the win is having less
negative impact or more positive impact.”
Securing APIs and Microservices in the Cloud
No matter what your role is within the software development and API process,
you need to be thinking about the implications of your work. Are you being as
secure as possible? Because we end up with delays, fails, or worse. What I
mean by this is, obviously, you have delays or fails. That can just be
annoying when you end up with everything behind schedule, over budget.
Everyone a little bit stressed. It's more than just that. If we look at
security over the last five years, it used to be a case where you would get
your personal details stolen. It might be credit cards. It might be address,
or in America, social security number. What you're starting to see now,
especially in the last year or two, is a lot more ransomware. While before, it
would be like, we're going to take your data, and that's obviously bad. People
can replace credit cards. It's a bit harder to replace your social security,
there has been large rises of fraud. It's bad. Ransomware is worse, because
then you are totally locked out of your system. Then you are, as the name
suggests, at ransom.
The Fiction of Sentient AI
Artificial intelligence has a unique possibility that tickles this part of the
imagination: it seems familiar. We can recognize a part of ourselves in it:
the systematic thinking part. It is rationality without irrationality. Pure
reason in action where the results are always clean and binary. There is a
non-human purity of thought in the elegance of its solutions. We have always
yearned futilely for this purity — in our food, our philosophical quests, our
relationships, even in our gods. But this purity, the simple and bold ease
with which we solve at a rapid pace our most bothersome tasks creates both
complacency and trepidation. The complacency is apparent. We have always, as a
species, had an infinite capacity for self congratulation. The trepidation
part is more intriguing. It exposes how poorly we have actually sized
ourselves up, and reveals at once, both the fallacy of thought, its ambitions
and its limitations. The fever-dream of sentient AI and the climax of our race
is a trite template for thousands of sci-fi stories across several medium.
Ways to spot if your organisation has a false sense of security – and what to do about it
We tend to think of the security team as solely responsible for all aspects of
systems security implementation and management, with the IT team more focused
on enabling the workstreams of the organisation through data protection, and
ensuring backup and recovery systems are properly implemented. Given the
complementary nature of security threats, and needing to easily backup and
recover if / when an attack occurs, it seems logical that these two groups
would collaborate closely. But, that’s often not the case. In fact, we found
this split between the two roles to be worryingly prevalent in our research.
19% of UK SecOps decision-makers responding to our survey believe
collaboration with IT is not strong, and 5% went as far as to call it “weak.”
Flipping the coin, among IT decision-makers, 16% believe collaboration is not
strong. Across the two roles, in total, 20% of IT and SecOps respondents
believe the collaboration between the two is not strong.
How ‘synthetic media’ will transform business forever
The world is on the brink of a revolution in various “realities” — virtual,
augmented, and mixed (VR, AR and MR). Mark Zuckerberg’s Meta is planning a
grand pivot from old-school social networking to next-generation virtual or
mixed reality, which Zuckerberg famously branded “the Metaverse.” By
definition, AR, VR, and MR involve digital content, either existing in a
digital world (VR) or superimposed on the real world (AR). Very close to all
of this content will come in the form of synthetic media. In fact, Meta has
already introduced a new AI-powered synthetic media engine, called
Make-A-Video. As with the new generation of AI-art engines, Make-A-Video uses
text prompts to create videos. Meta is currently promoting this engine as a
very fast way for creators to create video content or virtual environments.
Normally, a company making, say, marketing content would need to hire a
production crew, pay for post-production work, hire actors, find a location —
all that. But products like Make-A-Video suggest that, in the near future, a
single creative could make video productions alone in a few hours.
Low-code and no-code automation accelerates user experience for financial institutions
Low-code and no-code automations help the business users, non-engineers and
non-developers solve the end-to-end customer experience problems easily and
quickly by creating the use cases themselves. The modern technology stack of
low-code automation tools enable the citizen developers to solve their
problems and replicate to scale across other businesses without having to rely
on their overburdened IT staff. One example of low-code automation is how many
traditional systems are focused on identity verification or KYC, whereas, most
of the frauds for a loan financing may be happening through a fraud paystub of
the consumer. As pay stubs are the correlators for whether a consumer will pay
back their loans successfully on time, it is important to apply AI/ML
automation to understand the validity of this important correlator to avoid
defaults. Understanding a fraudulent transaction versus a clean transaction
quickly and correctly is also very beneficial for the merchants as well as end
customers for better user experience and revenue generation.
One of the challenges of developer platforms is that they shouldn’t be viewed
as things that can just be built, launched, and then forgotten about; they
require constant evolution and maintenance. The feedback loops initiated by a
considered communication strategy will help here, but it’s also important to
consider the ways the platform evolves alongside the organization and emerging
technologies. A technique included for the first time in Volume 27 of our
Technology Radar—incremental developer platforms—can be particularly useful as
a way of responding to these multifaceted demands. Such an approach not only
ensures alignment with the specific needs of users, but also prevents the
platform from being derailed by over-ambition—something that typically stems
from a preconceived vision of what the platform should look like. The virtues
of an incremental approach to software are widely accepted by the industry, so
why don’t we bring this thinking to the way we think about platforms and
internal tooling?
Question your successes as much as your failures
What did you do to pull it off? Can it be replicated? What did you learn? It’s
an exercise that many leaders I’ve interviewed talked up even before the
pandemic. “I’ve learned to question success a lot more than failure,” said Kat
Cole, who is the president and chief operating officer of Athletic Greens, a
nutrition company. As she told me in an interview years ago, “I’ll ask more
questions when sales are up than I do when they’re down. I ask more questions
when things seem to be moving smoothly, because I’m thinking: ‘There’s got to
be something I don’t know. There’s always something.’ This approach means that
people don’t feel beat up for failing, but they should feel very concerned if
they don’t understand why they’re successful.” Successes can feel like moments
for celebration, rather than furrowed-brow scrutiny. But it is precisely those
moments of interrogation that can lead to insights and longer-term competitive
advantages. Today’s shorter economic cycles create more momentum, both good
and bad, and you want to be riding a wave rather than trying to paddle against
it.
What is confidential computing?
There are as many ways confidential computing can work as there are companies
coding them, but recall the definition noted above. Google Cloud uses
confidential virtual machines with secure encrypted virtualization extension
supported by 3rd Gen AMD EPYC CPUs and cloud computing cloud processes. Data
remains encrypted in memory with node-specific, dedicated keys that are
generated and managed by the processor, which security keys generated within
the hardware during node creation. From there, they never leave that hardware.
Today, IBM claims to be on the fourth generation of their confidential
computing products, starting with IBM Cloud’s Hyper Protect Services and Data
Shield in 2018. In pride of place with Hyper Protect services comes a FIPS
140-2 Level 4 certified cloud hardware security module. Both products are
rated for regulations such as HIPAA, GDPR, ISO 27K and more. IBM also offers
HPC Cluster, a portion of IBM cloud where customers’ clusters are made
confidential using “bring your own encrypted operating system” and “keep your
own key” capabilities.
The security dilemma of data sprawl
Security teams can look at specific verticals to understand what’s working (and
what’s not) when it comes to limiting data sprawl in the workplace. The finance
sector, for instance, is a prime example of an industry that has more stringent
security controls and regulations, therefore limiting apps in the workplace. The
Netskope Threat Labs team recently found that fewer than 1 in 10 employees in
finance use personal applications at work. Instead, they use managed apps that
are closely monitored by security teams. Other sectors are having a more
difficult time limiting data sprawl, given the remote nature of the business and
less stringent industry regulations. Retail employees, for example, are using a
slew of cloud apps in the workplace regularly. In fact, 40% of users in the
retail industry are uploading data to personal apps. It is crucial for IT
security teams, not just in this sector but across all industries, to take
proactive measures to help minimize the risk of data sprawl.
Quote for the day:
"The quality of leadership, more than
any other single factor, determines the success or failure of an
organization." -- Fred Fiedler and Martin Chemers
