January 09, 2021

How to be cyber-resilient to head off cybersecurity disasters

Responsible parties in organizations should bite the bullet and choose security over convenience. For example, zero trust in digital communications means people wanting to communicate with someone within the organization must be verified before any communications will be allowed. This also can apply to remote employees. "All users who request access to company resources, even those within the network, should be cleared based on variables such as the device used, project type, geographical location, and role," the authors note. "If anything is amiss, advanced verification has to be done." In addition, even with verification, user access should be limited using the least-privilege principle, in which users or processes are only given privileges essential to perform the intended task. For example, there is no need to give a receptionist the privilege of installing software. In zero trust, those responsible for cybersecurity also need to worry about malicious domains. The authors explain, "To fully implement a zero-trust framework, security teams must perform domain-reputation assessments to prevent access to unreputable domains." 


2021 IT priorities require security considerations

AI's challenges include training the numerous deep learning algorithms that implement AI, the lack of labeled data for training and testing and, most importantly, issues with explainability of what AI does and why. Organizations must have experts on hand who understand internal processes and data before they can use AI effectively. Furthermore, AI can observe phenomena in data that humans have difficulty comprehending. Therefore, humans cannot place 100% trust in the results and recommendations, especially for life-critical applications. The potential for cyber attacks to cause physical harm to people and damage to equipment is one of the greatest concerns. Examples include disrupting the power grid or supply chains or internal attacks on the plethora of IoT devices used within companies. ... When executed mindfully, the cloud can provide a secure environment for organizations. Public cloud providers do an excellent job with the securing "of" the cloud, but it is up to organizations to manage security "in" the cloud. That is where a mindful security architecture and strategy comes in, including ensuring core cloud architecture adheres to best practices. All major public cloud providers have established framework models to use.


The 2021 Crystal Ball for Emerging Tech

Asad Hussain, PitchBook’s lead mobility analyst, says battery electric growth won’t stop anytime soon—but he believes that 2021 will be “the year of the self-driving SPAC.” SPACs are an attractive option for the AV sector for the same reasons as the EV sector: Capital-intensive startups without much (if any) revenue typically need cash quickly, and SPACs provide that. ... Uber officially acquired Postmates earlier this month, DoorDash went public last week, and Instacart’s IPO could come as soon as Q1 2021. Virtually all of the space’s leaders have moved beyond solely food delivery and into areas like convenience and retail. That's led to an even hotter market for last-mile delivery tech: This year, electric vehicle startups Rivian and Arrival partnered with Amazon and UPS, respectively, on future fleets of electric delivery vans. Amazon and Walmart’s delivery drone battle entered a new phase. And shipping giants like FedEx are rolling out autonomous same-day delivery bots. ... In 2021, experts told us, we can expect demand for data engineers and others who can help integrate AI and ML tools into a business’s existing infrastructure. “Small- and medium-sized businesses alike need to bring on the right skilled professionals to help integrate the right tools and systems [for AI],” says Paylor.


Explain How Your Model Works Using Explainable AI

In the industry, you will often hear that business stakeholders tend to prefer models that are more interpretable like linear models (linear/logistic regression) and trees which are intuitive, easy to validate, and explain to a non-expert in data science. In contrast, when we look at the complex structure of real-life data, in the model building & selection phase, the interest is mostly shifted towards more advanced models. That way, we are more likely to obtain improved predictions. Models like these are called black-box models. As the model gets more advanced, it becomes harder to explain how it works. Inputs magically go into a box and voila! We get amazing results. ... What if our data is biased? It will also make our model biased and therefore untrustworthy. It is important to understand & be able to explain our models so that we can also trust their predictions and maybe even detect issues and fix them before presenting them to others. To improve the interpretability of our models, there are various techniques, some of which we already know and implement. Traditional techniques are exploratory data analysis, visualizations, and model evaluation metrics. With the help of them, we can get an idea of the model’s strategy. However, they have some limitations.


How to Stay GDPR Compliant with Access Logs

Deleting user data from the database is easy. You have SQL for that. Deleting user PII from the log file is the tricky part. You might have different servers generating logs and you might feed logs to different cloud services. This might complicate how you perform record deletion. ... You have one month to respond to a user forget-me request. This actually means that you have one month to filter your log files from all user-related records – for example, filter out user IP addresses. Or you can limit the log retention period just to one month. All older log entries will get removed. This way you do not need to do anything besides a one-time configuration of the log retention period. ... PII found in the log events will be grouped together and encrypted. The initial setup will include one-time generation of the log-entry password for each user. This password, for example, can be saved in the user profile stored in Databunker. As we need to know who the record owner is (to decrypt the record), we need to save the user id together with encrypted PII. So, another level of encryption will be used with a generic password. For user-identified log events, PII will be encrypted twice. The first time the data will be encrypted using the user's log-entry password.
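
The two log-handling options described above (filtering a user's records after a forget-me request, and a one-month retention period), as an added example that is not code from the quoted article or from Databunker. The Common Log Format layout, the reading of "one month" as 30 days, the sample lines and all names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed layout: Common Log Format -> ip ident user [timestamp] "request" ...
LINE_RE = re.compile(r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
RETENTION = timedelta(days=30)  # assumption: "one month" read as 30 days

def scrub_log(lines, now, forget_ips=(), forget_users=()):
    """Apply retention and forget-me filtering; return (kept_lines, stats)."""
    ip_re = None
    if forget_ips:
        alternation = "|".join(re.escape(ip) for ip in forget_ips)
        # Match whole addresses only, anywhere in the line (client field,
        # query string, referer), so 203.0.113.7 does not hit 203.0.113.70.
        ip_re = re.compile(r"(?<![\d.])(?:" + alternation + r")(?![\d.])")
    users = set(forget_users)
    kept, stats = [], {"expired": 0, "erased": 0, "unparsed": 0}
    for line in lines:
        m = LINE_RE.match(line)
        try:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT) if m else None
        except ValueError:
            ts = None
        if ts is None:
            stats["unparsed"] += 1  # cannot be checked for PII, so not retained
        elif now - ts > RETENTION:
            stats["expired"] += 1   # past the retention period
        elif m.group("user") in users or (ip_re and ip_re.search(line)):
            stats["erased"] += 1    # record belongs to the forget-me user
        else:
            kept.append(line)
    return kept, stats

# Constructed sample input (documentation IP ranges, invented users).
SAMPLE_LOG = [
    '203.0.113.7 - alice [05/Jan/2021:10:15:32 +0000] "GET /account HTTP/1.1" 200 512',
    '198.51.100.20 - - [06/Jan/2021:11:00:00 +0000] "GET /?fwd=203.0.113.7 HTTP/1.1" 200 90',
    '203.0.113.70 - bob [07/Jan/2021:09:30:00 +0000] "GET / HTTP/1.1" 200 1024',
    '192.0.2.5 - carol [01/Dec/2020:08:00:00 +0000] "GET /old HTTP/1.1" 200 10',
    'corrupted line without timestamp',
]
NOW = datetime(2021, 1, 9, tzinfo=timezone.utc)

def run_sample():
    return scrub_log(SAMPLE_LOG, NOW, forget_ips={"203.0.113.7"}, forget_users={"alice"})

if __name__ == "__main__":
    print(run_sample())
```

The second sample line shows why matching only the client-address field is not enough: the erased user's IP also appears inside another client's request.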


ThoughtSpot CEO - ‘I want to kill BI and I want all dashboards to die’

Nair argues that BI tools effectively decide what you want to see, which is counter to the idea of hyper-personalisation. ThoughtSpot is approaching this from a use case point of view. For example, Nair said that customer churn is an area that he believes the company can seriously ‘move the needle' for its customers. He gave the example of a large bank, which is unlikely to win lots of new customers in a saturated market, and as such, pleasing and keeping its existing customers is key. In this use case, Nair said, take a bank that has a customer that has a car loan, but is also now looking for a new home loan. But that same customer is annoyed with the bank, because they got charged interest for the car loan for making one payment a day late. This experience may put them off getting a home loan with the same bank and if the bank is just using aggregate, historical data on all customers with car loans, then they will not know the details of this unique customer. The problem is that just throwing more stuff at customers is creating more noise, not signal. So you need to distil the personalised data that you have. If the bank could go back to that customer and say ‘we messed up, we're sorry, here's the interest back, and by the way would you like a home loan?' - that's the bespoke experience and where data matters.
