April 30, 2023

AI for security is here. Now we need security for AI

As the mass adoption and application of AI are still fairly new, the security of AI is not yet well understood. In March 2023, the European Union Agency for Cybersecurity (ENISA) published a document titled Cybersecurity of AI and Standardisation with the intent to “provide an overview of standards (existing, being drafted, under consideration and planned) related to the cybersecurity of AI, assess their coverage and identify gaps” in standardization. Because the EU likes compliance, the focus of this document is on standards and regulations, not on practical recommendations for security leaders and practitioners. There is a lot about the problem of AI security online, although it looks significantly less compared to the topic of using AI for cyber defense and offense. Many might argue that AI security can be tackled by getting people and tools from several disciplines including data, software and cloud security to work together, but there is a strong case to be made for a distinct specialization. When it comes to the vendor landscape, I would categorize AI/ML security as an emerging field. The summary that follows provides a brief overview of vendors in this space.

Enterprises Die for Domain Expertise Over New Technologies

Domain expertise is important to build a complete ecosystem that can scale. This can help businesses leverage relevant knowledge and datasets to develop custom solutions. This is why enterprises look for enablers that can bring in the domain expertise for particular use cases. ... One of the challenges that companies encounter today is how to utilise data effectively as per their business needs. According to a global survey conducted by Oracle and Seth Stephens-Davidowitz, 91% of respondents in India reported a ten-fold increase in the number of decisions they make every day over the past three years. As individuals attempt to navigate this increased decision-making, 90% reported being inundated with more data from various sources than ever before. “Some interesting findings we came across was that respondents who wanted technological assistance also said that the technology should know its workflow and what it is trying to accomplish,” Joey Fitts, vice president, Analytics Product Strategy, Oracle told ET.

Amazon’s quiet open source revolution

Let’s remember that the open source spadework is not done. For example, AWS makes a lot of money from its Kubernetes service but still barely scrapes into the top 10 contributors for the past year. The same is true for other banner open source projects that AWS has managed services for, such as OpenTelemetry, or projects its customers depend on, such as Knative (AWS comes in at #12). What about Apache Hadoop, the foundation for AWS Elastic MapReduce? AWS has just one committer. For Apache Airflow, the numbers are better. This is glass-half-empty thinking, anyway. The fact that AWS has any committers to these projects is an important indicator that the company is changing. A few years back, there would have been zero committers to these projects. Now there are one or many. All of this signals a different destination for AWS. The company has always been great at running open source projects as services for its customers. As I found while working there, most customers just want something that works. But getting it to “just work” in the way customers want requires that AWS get its hands dirty in the development of the project.

Response and resilience in operational-risk events

The findings have several urgent implications for leaders as they think about the overall resilience of their institutions, how to minimize the risk of such events occurring, and how to respond when crises do hit. The findings strongly suggest that broad market forces and industry dynamics can magnify adverse effects. Effective crisis and mitigation planning has to take account of these factors. Experience supports this view. In the not-so-distant past, especially before the financial crisis of 2008–09, many companies approached operational-risk measures from a regulatory perspective, with an economy of effort, if not formalistically. Incurring costs and paying fines for unforeseen breaches and events were accordingly counted as the cost of doing business. Amid crises, furthermore, communications were sometimes aimed at minimizing true losses—an approach that risked a damaging cycle of upward revisions. The present environment, however, is unforgiving of such approaches. An accelerated pace of change, especially in digitization and social media, magnifies the negative effects of missteps in the aftermath of crisis events.?

Developers Need a Community of Practice — and Wikis Still Work

This subject has flattened out a bit since the pandemic, after which fewer developers worked next to each other and keeping remote members connected is more the norm. A good Community of Practice should just look like a private Stack Overflow, with discussions on topics of concern to devs across the organization. This applies to most organizations that have siloed teams. If you are part of a one-team company, then a CoP should not be something you need right now — just be ready to be proactive when you are part of a bigger setup. The first seeds are usually sown when “best practice” is discussed, and managers realize that there is no point in having just one team getting things right. This is the time to establish a developer CoP, before something awkward gets imposed from above. The topics are often the complications that an organization stubbornly brings to existing tech; like understanding arcane branching policies, or working with an old version of software because it is the only sanctioned version, etc.?

Five Leadership Mindsets For Navigating Organizational Complexity: Rethinking Chaos And Opportunity

The world is unlikely to suddenly settle down. With that in mind, the context around chaotic moments changes. It’s no longer about just dealing with what’s in front of you; it’s about writing the script for the team to respond to future disruptions. So don’t just deal with it as a leader. Start viewing disruptions as valuable learning experiences that build resilience and adaptability within your organization. And once you have navigated through, take a moment to create a playbook for the future. Use retrospection with your team to find out the specific things that worked and the things that didn’t. ... “I don’t deal well with change” is a bad personal strategy, and I recommend that you drop any ideas that adaptability is an innate trait possessed only by a select few. With that said, I've found that learning requires experience. Social and business safety nets are key, so employees can learn with less fear. Encourage your employees to challenge their comfort zones, experiment with new approaches and learn from setbacks to develop the skills and strategies necessary for navigating change effectively.

Read more here ...