October 19, 2023
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
Ultimately, though, there should be clear mandates to push the industry toward clear outcomes, Rivas said. Such requirements, for example, could include a proper patch management strategy and robust monitoring system, Sondhi said. These should be accompanied by roadmaps for rollout, so market players would be given the necessary timelines to ensure compliance, he added. Acknowledging there will inevitably be pushback over concerns such mandates have on cost and time-to-market, he said regulations need not be overly complex. They also can point to accompanying standards bodies tasked to provide more details and update the adoption of best practices when necessary. This will free up governments from having to keep up with market changes and to instead focus on mandating high-level requirements, he noted. Enforcement also is a good starting point when the road toward cyber resilience may be long and fraught with complexities. Organizations in operational technology (OT) sectors, in particular, have ecosystems that have to be managed differently from IT infrastructures, Sondhi said.
Match team responsibilities with the load they can handle. You can do with additional training, a good choice of underlying technologies, pair programming, reshuffling responsibilities among teams and strategic hiring for the critical skills still missing. For new team members, focus on tasks doable first within a four-hour time slot and then in two to three days, so they can experience repeatable success right away. With time, you can extend the average task timeline to two weeks. Make sure there's a variety of tasks of similar complexity. For example, you don't want to corner a software developer into only fixing bugs. Mix things up to challenge team members with creative tasks like minor new functionalities. Eliminate excessive bureaucracy and low-value business processes. Boring or superfluous administrative tasks are a real motivation drain, so reviewing them and removing those with low value have a visible impact. Map team competencies to task complexity. This can be done formally or informally and usually narrows down the list of competencies for each team.
In response to the limitations of hours-based estimation, Scrum Teams are turning to alternative methods such as relative estimation (using points). Alternatively, teams are increasingly using flow metrics as a simpler and often more accurate way to forecast value delivery. Relative estimation is a technique used to estimate the size, complexity, and effort required for each Product Backlog item. To use relative estimation, the Scrum Team first selects a point system. Common point systems include Fibonacci or a simple scale from 1 to five. (See our recent article How to create a point system for estimating in Scrum. Once the team has selected a point system, they create an agreement which describes which type of items to classify as a 1, 2, and so on. It is possible for the team just to use its judgment, documenting that information in their team agreements. Then, when the team needs to estimate new work, they simply compare the new work to similar work done in the past, and assign the appropriate number.?
领英推荐
Receiving the most valuable information from ChatGPT requires asking the correct questions and expanding on the initial inquiry to obtain desired results and a deeper understanding. Hackers are learning that they cannot ask ChatGPT a directly malicious question, or they will receive a response such as, “I do not create malware.” Instead, they ask it to pretend that ChatGPT is an AI model that can execute a particular script. Bad actors continue to exploit and socially engineer the process of installing malware or getting people to relinquish credentials for unauthorized data system access. AI tools are making it easier for cybercriminals to harm people. ... One noteworthy point is that the ability to use AI to manipulate humans through social engineering is becoming increasingly controllable. However, ChatGPT is not a Rosetta Stone-like translator for hackers. Although both AI-generated scripts and social media platform scripts are made by machines, their complexity, reliability and security can differ significantly.
Organizations that are most vulnerable to disruption tend to be those that rely on legacy systems that have a single point of communications failure. The additional risk exposure that accompanies these older networks may well justify shifting to a cloud-based network (such as SD-WAN, a software-defined wide area network) that provides the flexibility to bounce between broadband and ethernet in real time to preserve bandwidth and connectivity. Similarly, it may be worth considering moving to a unified communications platform, which is designed to maintain multichannel communications for customers and employees. ... Based on the risk assessment, create a formal, highly detailed plan specifying how your organization will manage various crisis scenarios, the tools it will use to keep the business running, and how, and by whom, information will be communicated internally and externally. The plan also should identify critical on-premises hardware and brick-and-mortar IT infrastructure (such as data centers) that must be protected, and how they will be protected. Organizations with a continuity plan already in place should revisit it at least annually and update it as needed.
Because most ransomware is delivered through phishing, employee education is essential to protecting your organization from these threats. That said, there’s no single “one size fits all” education program--these training efforts should be tailored to your enterprise's unique needs. Below are several types of services and/or programs that are designed to help users understand and detect phishing and other cyber threats, all of which can serve as a great starting point for building a comprehensive employee security awareness program. ... Delivering simulated phishing emails to your organization’s employees allows them to practice identifying malicious communications so that they know what to do when a threat actor strikes. The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train users on what steps to take when they suspect they might be a target of a phishing attack. ... As with the introduction of any new technology, cybercriminals will continually find ways to use these tools for nefarious purposes.?