July 19, 2024

Master IT Compliance: Key Standards and Risks Explained

IT security focuses on protecting an organization’s data and guarding against breaches and cyberattacks. While IT regulatory policies are generally designed to ensure security, making security and compliance closely intertwined, they are not identical. Regulatory policies frequently mandate specific security practices, thus aligning compliance efforts with security goals. For example, regulations might require an organization to have data encryption, access controls, and regulatory security audits. However, being compliant does not automatically guarantee an organization’s security. Compliance mandates often set minimum standards, and organizations may need to implement additional security measures beyond what is required to adequately protect their data. Conversely, some aspects of the compliance process may do nothing to enhance security. ... Creating an IT compliance checklist can greatly simplify the arduous task of maintaining compliance. The checklist ensures critical tasks are consistently performed, tailored to each organization’s industry, specific compliance requirements, and daily operations.


The Dynamic Transformation Of Enterprise Fraud Management Ecosystems

While collaboration and information sharing have become pivotal, financial institutions are also faced with the pressure to consolidate technology and reduce the number of vendors with whom they work. This is evidenced by the growing number of financial institutions investing in cyber fraud fusion centres to create a centralized environment that aligns the data, technology and operational capabilities of traditionally siloed teams. ... Given the complexity of cybercrime and the differences in financial institutions and their unique requirements, EFM strategy requires a layered approach and flexibility in the solutions that support it. A layered defence allows financial institutions to address different aspects and stages of fraud attempts across the digital lifecycle and cross-verify suspicious activities to increase confidence in risk decisions. The importance of behavioural biometrics intelligence within the EFM ecosystem can no longer be ignored given customer adoption and success. Many forward-thinking institutions have implemented the technology to bolster or complement existing EFM systems, detect emerging fraud types and elevate customer safety in digital banking.


Law Enforcement Eyes AI for Investigations and Analysis

For all of its potential benefits, AI is also vulnerable to misuse. Weak oversight, for instance, can lead to biases in predictive policing or errors in evidence analysis. "It's crucial to implement checks and balances to ensure that AI is used ethically and accurately," Rome says. Meanwhile, many law enforcement organizations are reluctant to embrace technology due to budget constraints, a lack of technical expertise, and an overall resistance to change. Concerns about privacy and civil liberties are also hindering adoption. In particular, there's the possibility of AI bias, which can lead to inaccurate conclusions when discriminatory data and algorithms are baked into AI models. ... Despite the challenges, the long-term outlook is promising, Rome says. "As technology advances and law enforcement agencies become more familiar with AI's potential, its adoption is likely to increase," he predicts. Claycomb agrees, but notes that adopters will need to implement workflows that take full advantage of other technology tools, including deploying powerful and connected mobile device fleets.


How Generative AI Has Forever Changed the Software Testing Process

Automation has been a game changer in the software testing process, but there is still one big problem: tests can eventually lose their relevance and accuracy. ... Generative AI, unlike your average automation process, is backed up by a pool of data. To top that up, it’s continuously learning with each command and addition to the database. This means that if the new test case has a slightly different aim, the AI system should pick up on that and make the necessary adjustments. This type of action can still be a hit-or-miss, depending on how well-trained the database is, but with the proper human intelligence assistance, it could take off a lot from the development process. ... When testing models are created manually, they are done with a standard background. The developer had an environment in mind (or several of them), creating a realistic area to test it against. This can bring various limitations, depending on how many data sets you use. However, Generative AI can create diverse models that the human brain could not have even thought about. Indeed, AI can tend to hallucinate when it does not have enough data, but even those scenarios can give you a couple of ideas


Amid Licensing Uncertainty, How Should IaC Management Adapt?

It’s a deliberation that organizations might have comfortably back-burnered, until last summer when Terraform’s continued viability as an IaC industry-standard suddenly came under intense scrutiny when HashiCorp changed its license scheme from a purely open source model to a less-than-open alternative. Since that time, the Linux Foundation-backed OpenTofu initiative appears to have changed the headers of code HashiCorp had previously released under its new Business Source License (BUSL), rereleasing it under the MPL 2.0 license. ... Organizations will want to impose restrictions on developers’ resource usage, Williams foresees. Those restrictions will be based not on capacity — which the IaC engineer understands more readily — but instead upon cost. Presently, enabling the restrictions necessary to maintain compliance and achieve security objectives requires, at the very least, expert guidance. Meanwhile, the influx of talent in platform engineering is weighted towards AI engineers who may not know what these infrastructure resources even are.


Implementing Threat Modeling in a DevOps Workflow

Integrating threat modeling into a DevOps workflow involves embedding security practices throughout the development and operations lifecycle. This approach ensures continuous security assessment and improvement, aligning with the DevOps principles of continuous integration and continuous deployment (CI/CD). ... Automated tools play a crucial role in facilitating continuous threat modeling and security assessments. Tools such as OWASP Threat Dragon, Microsoft Threat Modeling Tool and IriusRisk can automate various aspects of threat modeling, making it easier to integrate these practices into the CI/CD pipeline. Automation helps ensure that threat modeling is performed consistently and efficiently, reducing the burden on development and security teams. ... Effective threat modeling requires close collaboration between development, operations and security teams. This cross-functional approach ensures that security is considered from multiple perspectives and throughout the entire development lifecycle. Collaboration can be fostered through regular meetings, joint workshops and shared documentation.

