February 14, 2023
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
CISOs shouldn’t be surprised to hear that even well-prepared teams can have moments of paralysis; it’s just human nature, McKeown says. She says sometimes responders may experience cognitive narrowing, where they’re so focused on the situation directly in front of them that they can’t consider the full circumstances—an experience that can stop responders from thinking as they normally would. Niel Harper, an enterprise cybersecurity leader who serves as a board director with the governance association ISACA, witnessed a team freeze in response to a ransomware attack on his first day working with a company as an advisor. “They literally did not know what to do, even though they had some experience with [incident response] walkthroughs,” he recalls. “They were in panic mode.” Harper says he has seen other situations where the response was stymied and thus delayed. In some cases, teams were afraid that they’d be seen as overreacting. In others, they were paralyzed with the fear of being blamed.
Consider an organization that is focusing on increasing revenue by expanding outbound sales in new territories in the European market. A compliance-focused organization might conduct an internal assessment of EU General Data Protection Regulation (GDPR) requirements, determine if there are current controls in place to meet them and report metrics indicating the organization is compliant. However, a risk-focused enterprise begins by assessing the unique threats within the region and determining the risk factors that could prevent the organization from conducting sales in Europe. Wearing risk-colored glasses empowers risk professionals to proactively monitor and communicate risk in a context their organization will understand. Viewing business outcomes from this perspective enables organizational leadership to prioritize investments and agree on a suitable level of protection.
The underinvestment was more stark among small companies, of which 69% had not invested enough in cyber security, according to the study conducted by Netskope, a supplier of secure access service edge (SASE) services. Major data breaches over the past year, however, have cast the spotlight on cyber security, with over three-quarters (77%) of 300 respondents who participated in the study noting that their leadership’s awareness of cyber threats had increased. Some 70% also noted an increase in their leadership’s willingness to bolster investments – the proportion of organisations that are planning bigger cyber security budgets between 2022 and 2023 jumped to 63%, compared with 45% that saw increases between 2020 and 2022. This increase is most pronounced among larger organisations with over 200 employees, where over 80% are increasing cyber security budgets. Among small firms with fewer than 20 employees, 41% planned to spend more on cyber security between 2022 and 2023, up from just 23% between 2020 and 2022.
领英推荐
Zero-knowledge encryption is not a specific encryption protocol, but a process that focuses on preserving a user’s data privacy and security to the maximum extent. In order for a service to be truly zero-knowledge, a user’s data must be encrypted before it leaves the device, while it’s being transferred, and when it is stored on an external server. This is because modern encryption in general is incredibly effective at barring unauthorized participants from decoding encrypted data. It’s functionally impossible to crack modern-day encryption using brute-force approaches. However, for ease of use and UX benefits, many service providers also hold a user’s encryption key—introducing an additional point of failure that’s attractive for malicious actors because service providers often hold many user keys. There are a variety of benefits (and also detriments) when service providers share knowledge of an encryption key, but it also means that someone other than the user can decrypt the data—which makes it not zero-knowledge.
Why Do ML over the Web? First off, he mentioned privacy. One common use case is for processing sensor data in ML workloads — such as data from a webcam or microphone. Using TensorFlow.js, Mayes said, “none of that data goes to the cloud […] it all happens on-device, in-browser, in JavaScript.” For this reason, TensorFlow.js is being used by companies doing remote healthcare, he said. Another privacy use case is human-computer interaction. “With some of our models, we can do body pose estimation, or body segmentation, face keypoint estimation, all that kind of stuff,” Mayes said. Lower latency is another reason to do ML in the browser, according to Mayes. “Some of these models can run over 120 frames per second in the browser, on an NVIDIA 1070 let’s say,” he said. “So that’s kind of [an] old generation graphics card and [yet it’s] still pushing some decent performance there.” Cost was his third reason, “because you’re not having to hire and run expensive GPUs and CPUs in the cloud and keep them running 24/7 to provide a service.”
Continuous monitoring entails understanding not only the risks you’re facing now and those visible on the horizon, but also the risks beyond the horizon. This requires recognizing risk velocity, acknowledging risk volatility, and developing and deploying a mechanism by which you can periodically check in on, and be alerted to, key risks. The key is to think differently, and to use your 360° view of your organization to develop strategies that help you simultaneously plan and execute in coordination and ongoing communication with first- and second-line roles. ... KRIs are crucial for continuous monitoring, helping companies be more proactive in identifying potential impacts. KRIs are selected and designed by analyzing risk-related events that may affect the organization’s ability to achieve its objectives. Typically, by looking at risk events that have impacted the organization (in the past or currently), it’s possible to work backward to pinpoint the root-cause or intermediate events that led to them.