Can Enterprise DevOps Ever Measure Up?
At the elitist of organizations, by Forney’s math, developers are spending up to
70% of their time writing and testing code, while the rest of their time is
filled with meetings and context switching. But when you examine that
exceptionally high 70%, she explained, you then have to consider how much time
they are just “keeping the lights on” or dealing with customer support or are on
call, versus “how much time they’re spending on the creation of new value.” She
said it becomes a “diminishing bucket of space.” Especially at older
organizations that haven’t quite migrated to the cloud and haven’t quite moved
completely from Waterfall to agile, she finds developers are often focusing on
the wrong work. Or they are building workarounds on top of their technical debt
as a quick win, instead of fixing with a long-term vision in mind. “We look at
organizations spending a huge amount of time doing planning and thinking these
are our top priorities in the organization, but in reality, what’s going on? Are
devs spending actually what you would expect to be the bulk of their time [on
this]?” Forney said that “more often than not, what you see is they’re spending
like 5% of their time across the entire organization level of effort on these
most important things.”
IT Security Hiring Must Adapt to Skills Shortages
.jpg?width=850&auto=webp&quality=95&format=jpg&disable=upscale)
Omri Weinberg, co-founder and CRO at DoControl, says promoting cybersecurity
education, offering mentorship and internships, increasing diversity, and
providing ongoing professional development opportunities are all ways to help
companies close the cybersecurity skills gap. “Collaboration among stakeholders
is essential to address this challenge effectively,” he says. “It all starts at
the top.” When it becomes a top priority to the board of directors, CEO and
other executives, they will invest more time, money, and effort to educate the
next generation alongside educational institutions to create more awareness and
opportunities for the future of the cyber workforce. “Cybersecurity is one of
the fastest evolving industries,” Sunil Muralidhar, vice president of growth and
strategic initiatives at ColorTokens, explains via email. “Regardless of the
specific specialization an individual might choose to focus on, creative
thinking and problem-solving skills are the best skills an employee can have.”
Also critical is the ability to collaborate with teams across the company, who
may have varying degree of technical or security skills.
Help for generative AI is on the way
Retrieval-augmented generation, or RAG, is a common method for adding context to
an interaction with an LLM. Under the bonnet, RAG retrieves supplementary
content from a database system to contextualize a response from an LLM. The
contextual data can include metadata, such as timestamp, geolocation, reference,
and product ID, but could in theory be the results of arbitrarily sophisticated
database queries. This contextual information serves to help the overall system
generate relevant and accurate responses. The essence of this approach lies in
obtaining the most accurate and up-to-date information available on a given
topic in a database, thereby refining the model’s responses. A useful by-product
of this approach is that, unlike the opaque inner workings of GPT-4, if RAG
forms the foundation for the business LLM, the business user gains more
transparent insight into how the system arrived at the presented answer. If the
underlying database has vector capabilities, then the response from the LLM,
which includes embedded vectors, can be used to find pertinent data from the
database to improve the accuracy of the response
Meta to label AI-generated images from Google, OpenAI and Adobe
“We’re building this capability now, and in the coming months we’ll start
applying labels in all languages supported by each app,” Clegg added. The move
to label AI-generated images from companies, such as Google, OpenAI, Adobe,
Shutterstock, and Midjourney, assumes significance as 2024 will see several
elections taking place in several countries including the US, the EU, India, and
South Africa. This year will also see Meta learning more about how users are
creating, and sharing AI-generated content and what kind of transparency
netizens are finding valuable, the Clegg said. Clegg’s statement about elections
rings in a reminder of the Cambridge Analytica scandal, unearthed by the New
York Times and The Observer back in 2018, that saw Facebook data of at least 50
million users being compromised. Last month, ChatGPT-maker OpenAI suspended two
developers who created a bot mimicking Democratic presidential hopeful
Congressman Dean Phillips, marking the company’s first action against the misuse
of AI. Meta, according to Clegg, already marks images created by its own AI
feature, which includes attaching visible markers and invisible
watermarks.
AI is supercharging collaboration between developers and business users
AI enables team members "to create and share content more easily, automate, and
optimize business processes more efficiently," he continues. "It enhances team
communications by bringing clarity and utilizing transcripts to leverage exact
words to remove ambiguity. All of this helps learning and development, and
fosters team culture and engagement." The company also employs "AI-powered
chatbots that can translate messages, summarize conversations, and provide
relevant information," Naeger states. "AI can also help teams share data and
insights more easily, by creating visualizations, dashboards, and reports. AI
can help teams coordinate their tasks and workflows more efficiently, by
automating or optimizing some of the processes." While AI-enhanced collaboration
in IT sites is already happening, the emerging technology is still very much a
work in progress. The move to AI-fueled collaboration means "organizations need
to adapt and be prepared for shifts in how these teams work, integrating
AI-driven metrics and managing AI tools," says Ammanath.
Cybersecurity teams hesitate to use automation in TDIR workflows
When organizations were asked about the TDIR management areas where they require
the most help, 36% of organizations expressed the need for third-party
assistance in managing their threat detection and response, citing the challenge
of handling it entirely on their own. This highlights a growing opportunity for
the integration of automation and AI-driven security tools. The second most
identified need, at 35%, was a desire for improved understanding of normal user
and entity and peer group behaviour within their organization, demonstrating a
demand for TDIR solutions equipped with user and entity behaviour analytics
(UEBA) capabilities. These solutions should ideally minimise the need for
extensive customisation while offering automated timelines and threat
prioritisation. “As organizations continue to improve their TDIR processes,
their security program metrics will likely look worse before they get better.
But the tools exist to put them back on the front foot,” continued Moore.
“Because AI-driven automation can aid in improving metrics and team morale,
we’re already seeing increased demand to build even more AI-powered features.
...”
6 best practices for third-party risk management
CISOs can’t adequately manage third-party security threats when they do not have
a complete picture of the third parties within their organization, says Murray,
who is also president and CAO at Murray Security Services. This may seem like an
obvious point, but Murray and others say this is a particularly challenging task
as an increasing amount of technology is now deployed by business units instead
of a centralized IT function committed to inventorying all tech assets. So,
CISOs need to implement strategies for identifying and maintaining an accurate,
comprehensive, and up-to-date inventory of the third parties whose security
risks must be assessed and managed, Murray says. There are certainly software
solutions that help here, but Valente advises CISOs to build in other steps to
help ferret out problems at third parties. For example, she says CISOs can work
with the finance department to review recurring payments (including those on
corporate credit cards) to identify new software subscriptions that were bought
without involving the organization’s procurement department and, thus, haven’t
yet been added to the inventory list.
Unstructured Data Management: Plan Your Security and Governance
Although it may sound obvious, you need holistic understanding of all data in
storage. Gaps in visibility, hidden applications, obscure data silos in branch
offices -- this all contributes to higher risk if the data is not managed
properly. Consider that protected data is going to end up in places where it
shouldn’t, such as on forgotten or underutilized file servers and shadow IT
cloud services. Employees unwittingly copy sensitive data to incompliant
locations more often than you’d think. You’ll need a way to see all your data in
storage and search across it to find the files to segment for security and
compliance needs. You can use the data management capabilities in your
NAS/SAN/cloud storage products to search for file types such as HR and IP data,
but you’ll need to integrate visibility across all storage vendors and clouds if
you use more than one vendor’s solution. ... IT infrastructure teams must
collaborate with security and network teams to procure, install, and manage new
storage and data management technology, but a more formal process centered
around the data itself is required. This may involve stakeholders from legal,
compliance, risk management, finance, and IT directors in key business
units.
Crucial Airline Flight Planning App Open to Interception Risks
Researchers from Pen Test Partners found that an App Transport Security (ATS)
feature in Flysmart+ Manager that would have forced the app to use HTTPS had not
been enabled. The app did not have any form of certificate validation either,
leaving it exposed to interception on open and untrusted networks. "An attacker
could use this weakness to intercept and decrypt potentially sensitive
information in transit," PTP said in its report this week. Ken Munro, a partner
at the pen testing firm, says the biggest concern had to do with the potential
for attacks on the app that could cause so called runway excursions — or
veer-offs and overruns — and potential tail strikes on takeoff. "The EFB is used
to calculate the required power from the engines for departure, also the
required braking on landing," Munro says. "We showed that, as a result of the
missing ATS setting, one could potentially tamper with the data that is then
given to pilots. That data is used during these 'performance' calculations, so
pilots could apply insufficient power or not enough braking action," he says.
The ATS issue in Flysmart+ Manager is just one of several vulnerabilities that
PTP has uncovered in EFBs in recent years.
Why CIOs back API governance to avoid tech sprawl
APIs are ubiquitous within modern software architectures, working behind the
scenes to facilitate myriad connected capabilities. “As enablers for the
integration of data and business services across platforms, APIs are very
aligned with current tech trends,” says Antonio Vázquez, CIO of software
company Bizagi. “Reusability, composability, accessibility, and scalability
are some of the core elements that a good API strategy can provide to support
tech trends like hybrid cloud, hyper-automation, or AI.” For these reasons,
API-first has gathered steam, a practice that privileges the development of
the developer-facing interface above other concerns. “API-first strategy
becomes critical to navigate contemporary tech trends, foster innovation, and
ensure adaptability in a rapidly evolving technological landscape,” says
Krithika Bhat, CIO of enterprise flash storage provider Pure Storage. She
considers the increasing adoption of cloud computing and microservice
architectures to be top drivers of formalized API-first approaches. Digital
transformation and growing reliance on third-party services are key
contributors as well, she adds.
Quote for the day:
“You are never too old to set another
goal or to dream a new dream.” -- C.S. Lewis
.jpg?width=850&auto=webp&quality=95&format=jpg&disable=upscale)
