A CISO’s First 90 Days: The Ultimate Action Plan and Advice
It’s a CISOs responsibility to establish a solid security foundation as rapidly
as possible, and there are many mistakes that can be made along the way. This is
why the first 90 days are the most important for new CISOs. Without a clear
pathway to success in the early months, CISOs can lose confidence in their
ability as change agents and put their entire organization at risk of data theft
and financial loss. No pressure! Here’s our recommended roadmap for CISOs in the
first 90 days of a new role. ... This means they can reduce the feeling of
overwhelm and work strategically toward Business goals. For a new CISO, it can
be challenging trying to locate and classify all the sensitive data across an
organization, not to mention ensuring that it’s also safe from a variety of
threats. Data protection technology is often focused on perimeters and
endpoints, giving internal bad actors the perfect opportunity to slip through
any security gaps in files, folders, and devices. For large organizations, it’s
practically impossible to audit data activity at scale without a robust DSPM.
There’s No Value in Observability Bloat. Let’s Focus on the Essentials
Telemetry data gathered from the distributed components of modern cloud
architectures needs to be centralized and correlated for engineers to gain a
complete picture of their environments. Engineers need a solution with critical
capabilities such as dashboarding, querying and alerting, and AI-based analysis
and response, and they need the operation and management of the solution to be
streamlined. What’s important for them to know is that it’s not necessary to
spend more to ensure peak performance and visibility as their environmental
complexity grows. ... No doubt, more data is being generated, but most of
it is not relevant or valuable to an organization. Observability can be
optimized to bring greater value to customers, and that’s where the market is
headed. Call it “essential observability.” It’s a disruptive vision to propose a
re-architected approach to observability, but what engineers need is a new
approach making it easier to surface insights from their telemetry data while
deprioritizing low-value data. Costs can be reduced by consuming only the data
that enables teams to maintain performance and drive smart business
decisions.
Shedding Light on Dark Patterns in FinTech: Impact of DPDP Act
In practice, these patterns exploit human psychology and trick people into
making unwanted choices/ purchases. It has become a menace for the FinTech
industry. These patterns are used to encourage people to sign up for loans,
credit cards, and other financial products that they may not need or
understand. However, the new Digital Personal Data Protection Act, 2023 (“DPDP
Act”), can be used to bring such dark patterns under control. The DPDP Act
requires online platforms to seek consent of Data Principals through clear,
specific and unambiguous notice before processing any data. Further, the Act
empowers individuals to retract/ withdraw consent to any agreement at any
juncture. ... Companies will need to review their user interfaces and
remove any dark patterns that they are using and protect the personal data and
use the data for ‘legitimate purposes’ only and take consent from users,
through clear affirmative action, in unambiguous terms. They will also need to
develop new ways to promote their products and services without relying on
deception.
Can business trust ChatGPT?
It might seem premature to worry about trust when there is already so much
interest in the opportunities Gen AI can offer. However, it needs to be
recognized that there’s also an opportunity cost — inaccuracy and misuse could
be disastrous in ways organizations can’t easily anticipate. Up until now,
digital technology has been traditionally viewed as being trustworthy in the
sense that it is seen as being deterministic. Like an Excel formula, it will be
executed in the same manner 100% percent of the time, leading to a predictable,
consistent outcome. Even when the outcome yields an error — due to
implementation issues, changes in the context in which it has been deployed, or
even bugs and faults — there is nevertheless a sense that technology should work
in a certain way. In the case of Gen AI, however, things are different; even the
most optimistic hype acknowledges that it can be unpredictable, and its output
is often unexpected. Trust in consistency seems to be less important than
excitement at the sheer range of possibilities Gen AI can deliver, seemingly in
an instant.
A Few Best Practices for Design and Implementation of Microservices
The first step is to define the microservices architecture. It has to be
established how the services will interact with each other before a company
attempts to optimise their implementation. Once microservices architecture
gets going, we must be able to optimise the increase in speed. It is better to
start with a few coarse-grained but self-contained services. Fine graining can
happen as the implementation matures over time. The developers, operations
team, and testing fraternity may have extensive experience in monoliths, but a
microservices-based system is a new reality; hence, they need time to cope
with this new shift. Do not discard the monolithic Application immediately.
Instead, have it co-exist with the new microservices, and iteratively
deprecate similar functionalities in the monolithic application. This is not
easy and requires a significant investment in people and processes to get
started. As with any technology, it is always better to avoid the big bang
approach, and identify ways to get the toes wet before diving in head
first.
Bridging Silos and Overcoming Collaboration Antipatterns in Multidisciplinary Organisations
Collaboration is at the heart of teamwork. Many modern organisations set up
teams to be cross-functional or multidisciplinary. Multidisciplinary teams are
made up of specialists from different disciples collaborating together daily
towards a shared outcome. They have the roles needed to design, plan, deliver,
deploy and iterate a product or service. Modern approaches and frameworks
often focus on increasing flow and reducing blockers, and one way to do this
is to remove the barrier between functions. However, as organisations
grow in size and complexity, they look for different ways of working together,
and some of these create collaboration anti-patterns. Three of the most common
antipatterns I see and have named here are: One person split across multiple
teams; Product vs. engineering wars; and X-led organisations,
The Rise of the Malicious App
Threat actors have changed the playing field with the introduction of
malicious apps. These applications add nothing of value to the hub app. They
are designed to connect to a SaaS application and perform unauthorized
activities with the data contained within. When these apps connect to the core
SaaS stack, they request certain scopes and permissions. These permissions
then allow the app the ability to read, update, create, and delete content.
Malicious applications may be new to the SaaS world, but it's something we've
already seen in mobile. Threat actors would create a simple flashlight app,
for example, that could be downloaded through the app store. Once downloaded,
these minimalistic apps would ask for absurd permission sets and then
data-mine the phone. ... Threat actors are using sophisticated phishing
attacks to connect malicious applications to core SaaS applications. In some
instances, employees are led to a legitimate-looking site, where they have the
opportunity to connect an app to their SaaS. In other instances, a typo or
slightly misspelled brand name could land an employee on a malicious
application's site.
What Is GreenOps? Putting a Sustainable Focus on FinOps
If the future of cloud sustainability appears bleak, Arora advises looking to
examples of other tech advancements and the curve of their development, where
early adopters led the way and then the main curve eventually followed. “The
same thing happened with electric cars,” Arora points out. “They didn’t enter
the mainstream because they were better for the environment; they entered the
mainstream because the cost came down.” And this is what he predicts will
happen with cloud sustainability. Right now, the early adopters are stepping
forward and championing GreenOps as a part of the FinOps equation. In a few
years, others will be able to measure their data, analyze how they reduced
their carbon impact and what effect it had on cloud spending and savings, and
then follow their lead. It’s naive to think that most companies will go out of
their way (and perhaps even increase their cloud spending) to reduce their
carbon footprint.
The Growing Importance of AI Governance
As AI systems become more powerful and complex, businesses and regulatory
agencies face two formidable obstacles:The complexity of the systems requires
rule-making by technologists rather than politicians, bureaucrats, and judges.
The thorniest issues in AI governance involve value-based decisions rather
than purely technical ones. An approach based on regulatory markets has been
proposed that attempts to bridge the divide between government regulators who
lack the required technical acumen and technologists in the private sector
whose actions may be undemocratic. The technique adopts an outcome-based
approach to regulation in place of the traditional reliance on prescriptive
command-and-control rules. AI governance under this model would rely on
licensed private regulators charged with ensuring AI systems comply with
outcomes specified by governments, such as preventing fraudulent transactions
and blocking illegal content. The private regulators would also be responsible
for the safe use of autonomous vehicles, use of unbiased hiring practices, and
identification of organizations that fail to comply with the outcome-based
regulations.
Legal Issues for Data Professionals
Lawyers identify risks data professionals may not know they have. Moreover,
because data is a new field of law, lawyers need to be innovative in creating
legal structures in contracts to allow two or more parties to achieve their
goals. For example, there are significant challenges attempting to apply the
legal techniques traditionally used with other classes of business assets
(such as intellectual property, real property, and corporate physical assets)
to data as a business asset class. Because the old legal techniques do not fit
well, lawyers and their clients need to develop new ways of handling the
business and legal issues that arise, and in so doing, invent new legal
structures that meet the specific attributes of data that differentiate data
from other business assets. To take one example, using software agreements as
a template for data transactions will not always work because the IP rights
for software do not align with data, the concept of software deliverables and
acceptance testing is not a good fit, and the representations and warranties
are both over and underinclusive.
Quote for the day:
"Rarely have I seen a situation where
doing less than the other guy is a good strategy." --
Jimmy Spithill
