CTOs Look to Regain Control of the IT Roadmap
Putting an emphasis on modular architecture and open standards can ensure easier integration or disengagement from specific solutions, thereby mitigating these concerns. ... instead of an expensive and time consuming “rip and replace” model, organizations are extending the life and value of their existing ERP investments and shifting their newly freed up resources to drive innovation “around the edges” of their current robust ERP core. “This approach applies to all industries and sizes, enabling organizations to minimize churn and focus on customer value, competitive advantage and growth,” he says. The survey also indicated IT leaders are exploring alternatives to subscription-based licensing models, focusing on optimizing operational costs and aligning investments with business strategies for growth and innovation. “Applications that enable competitive advantage and differentiate a company are a high priority for organizations, while for example, ERP administration functions like HR and finance offer very little differentiation and are frequently retained as a foundational core, optimized for cost and efficiency,” Rowe explains.
Measure Developer Joy, Not Productivity, Says Atlassian Lead
So, when senior leadership is under pressure to show the outcome of one of their most sizable operating expenses, what’s a tech company to do? First, Boyagi suggested, change your questions. Instead of “How do I increase developer productivity?” or “How can I measure developer productivity?” try “How can I make developers happier?” and “How can I help developers be more productive?” The questions can help steer the conversation in a more useful direction: “I think every company has to go on a journey and do what’s right for them in terms of productivity. But I don’t think I think measurement is the thing we should be talking about.” First, because productivity for knowledge workers has always been one of the hardest things to measure. And, he added, because we need to take inspiration from other companies, not replicate what they do. Boyagi doesn’t suggest you try to do what Atlassian does. But feel free to take inspiration from and leverage its DevEx strategy, as well as those from the likes of other high-performing organizations like Google, Netflix, LinkedIn and Spotify.
How much cybersecurity expertise does a board need?
For companies who have still not yet built up the cybersecurity expertise among
its directors and reporting committees, there’s work to do, says Lam, who
explains there are a number of ways to build up that "cyber-IQ". “One is you
should get the right board talent in terms of risk and cyber expertise that’s
appropriate to their risk profiles,” says Lam, who explains that companies leery
of using up a hotly contested director seat for a cyber specialist simply need
to broaden their recruitment parameters. ... As organizations slowly morph their
board composition, they also need to be careful to not get into a situation
where one director is solely responsible for cybersecurity oversight and no one
else minds that area of risk, warns Chenxi Wang ... “There’s been an explosive
offering of cyber governance training in recent years. While that is a great
step in the right direction, a lot of them vary as far as the quality of content
goes,” Shurtleff tells CSO. “You can’t substitute somebody’s cyber experience
and knowledge from a lifetime of professional experience into a two-week course.
...”
What is a business intelligence analyst? A key role for data-driven decisions
The role is becoming increasingly important as organizations move to capitalize
on the volumes of data they collect through business intelligence strategies. BI
analysts typically discover areas of revenue loss and identify where
improvements can be made to save the company money or increase profits. This is
done by mining complex data using BI software and tools, comparing data to
competitors and industry trends, and creating visualizations that communicate
findings to others in the organization. ... It’s a role that combines hard
skills such as programming, data modeling, and statistics with soft skills such
as communication, analytical thinking, and problem-solving. Candidates need a
well-rounded background to balance the line between IT and the business, and
usually a bachelor’s degree in computer science, business, mathematics,
economics, statistics, management, accounting, or a related field. If you have a
degree in an unrelated field but have completed courses in these subjects, that
can suffice for an entry-level role in some organizations. Other senior
positions may require an MBA, but there are plenty of BI jobs that require only
an undergraduate degree.
Infrastructure teams need multi-cloud networking and security guardrails
The key is to ensure that the technology implemented is actually providing a
guardrail and not imposing a speedbump or roadblock. Network and security teams
need to provide infrastructure and services that are programmatic and easy to
use. For instance, DevOps should be able to request IP addresses, spin up secure
DNS services, request changes to firewall policies, or adjust transit routing
with a couple clicks. If approvals are required from network and security teams,
those approvals should be automated as much as possible. This drive toward
programmatic services is apparent in my research at Enterprise Management
Associates (EMA). For instance, I recently surveyed 351 IT professionals about
their multi-cloud networking strategies for the report “Multi-Cloud Networking:
Connecting and Securing the Future.” (Check out EMA’s free webinar to learn more
about what we found in that research). In that report, 82% of respondents told
us that it was at least somewhat important for their multi-cloud networking
solutions to have open APIs.
Demystifying the top five OT security myths
“A common belief is that the OT protocols are proprietary, and the attacker
doesn’t have access to OT devices or specific proprietary protocols,” he said.
“To some extent, the proprietary nature of the OT device does pose a challenge
to hacking, but threat actors behind targeted attacks are usually knowledgeable,
persistent and resourceful.” Goh said such threat actors, particularly those
backed by nation-states, have the resources to replicate an OT system, and
create and rigorously test their malware in a lab before launching an attack.
“This possibility is highly speculated in the Triton malware attack, which
happened in 2017 in a malicious attempt to destroy and damage a petrochemical
plant in Saudi Arabia by targeting the safety system,” he added. ... In the
concept of defence-in-depth, firewalls are used to separate the different layers
of an OT network. Goh said while it is mandatory to use firewalls to protect an
OT network from unauthorised access, this protection is only as good as the
policy and the security of the firewall. “We all know that misconfigurations of
firewall rules happen and are not uncommon,” he said, citing a study that found
one in five firewalls have one or two configuration issues.
JPMorgan Chase CISO explains why he's an 'AI optimist'
We've started to look at it. That's the short answer. The longer answer is, I
was a bit of an AI pessimist before November of last year. Seeing ChatGPT in
action for the first time and what it could do opened my mind -- perhaps many
others' as well. It felt like we tipped over the precipice of an AI era. I'm
an optimist about its capabilities. Most of the last nine or 10 months or so
have been us trying to enable AI to use inside of the firm. We have been users
of traditional AI for some time. Generative AI is newer for us in the
business. We've spent the last six or seven months designing the right
isolated mechanisms that are safe for us to use to produce our data. That's
something we'll start doing internally as a business more broadly and think
through how we use it as a cybersecurity use case. It's probably not going to
be done in a generic sense in the short-term. Cybersecurity practitioners and
maybe some industry consortiums need to get together to build and train the
right models to support cybersecurity. It's clear to me that one, everybody's
thinking about how they use AI in their tech.
CISOs struggling to understand value of security controls data
Understanding where security controls are failing is a critical first step to
mitigating cyber risk and making the right decisions. Unfortunately, only 36%
of security leaders are totally confident in their security data and use it
for all strategic decision making. This is a concerning finding, as without
trusted data CISOs might struggle to influence senior business stakeholders
and ensure the right people are held accountable for fixing security issues.
... The benefits of improving data quality and trust are clear, with 84% of
security leaders believing that increasing trust in their data would help them
secure more resources to protect their organization. But first there needs to
be a mindset change in security leaders and the board—away from using controls
data for reporting, and instead embracing it to proactively drive business
decisions and stop problems before they occur. “The industry needs to change
if we are to solve the CISO security controls conundrum, and Continuous
Controls Monitoring (CCM) can be the catalyst. It isn’t a better reporting
tool, it’s a way of knowing what to do next – making day-to-day cybersecurity
firefighting easier and getting ahead of the game on strategic risk,” argues
Panaseer Security Evangelist, Marie Wilcox.
How to Become a Data Governance Specialist
Generally, a DG specialist will have a bachelor’s degree in a field related to
computers (information technology, computer science) and one to four years of
experience. However, a combination of computer and communication skills is
needed for this position. Lots of technical experience can stand in for a
bachelor’s degree, but the lack of a degree will limit chances for
advancements and promotions. Some employment advertisements will require a
Data Governance and Stewardship certification. The certification process
typically requires a degree, attending a workshop, a test, and a fair amount
of experience. Certification can be difficult to get, in part because there
are very few organizations offering it. This requirement may be an unrealistic
expectation on the part of the employer, particularly for non-management
positions. ... Much of Data Governance is actually about changing habitual
behavior. When changes are made, it is common for a team to be assembled to
execute the project. A Data Governance program must be presented as a practice
and not a project. Projects have start and end dates.
Has Your Architectural Decision Record Lost Its Purpose?
Sometimes the expected longevity of a decision causes a team to believe that a
decision is architectural. Most decisions become long-term decisions because
the funding model for most systems only considers the initial cost of
development, not the long-term evolution of the system. When this is the case,
every decision becomes a long-term decision. This does not make these
decisions architectural, however; they need to have high cost and complexity
to undo/redo in order for them to be architecturally significant. To
illustrate, a decision to select a database management system is usually
regarded as architectural because many systems will use it for their lifetime,
but if this decision is easily reversed without having to change code
throughout the system, it’s generally not architecturally significant. Modern
RDBMS technology is quite stable and relatively interchangeable between vendor
products, so replacing a commercial product with an open-source product, and
vice versa, is relatively easy so long as the interfaces with the database
have been isolated.
Quote for the day:
"The task of leadership is not to put
greatness into humanity but to elicit it, for the greatness is already
there." -- John Buchan
