How AI’s Personal Portrait Trend Highlights the Risks of Digital Data Trails

In a recent social media trend, people are asking AI tools to draw or describe what their lives might look like, based solely on a few data points they’ve previously shared. This may sound like an innocuous and fun way to get a new perspective, but it actually reveals something a bit deeper and perhaps unsettling about the era we live in—just how much our online presence can reveal about us, even to publicly accessible AI tools.

I recently tried the prompt, “Based on what you know of me, draw a picture of what you think my life currently looks like,” with a public AI model. What I got back was a strikingly accurate visualization of my life as it currently stands. It captured not only my professional challenges and current ambitions but even hinted at aspects of my personal life and interests. It felt as though the AI had peered beyond the screen and into my daily life. The experience got me thinking: if a public AI can produce such an accurate rendering of my life, what does that mean about the vast amounts of data corporations or governments might have on each of us?

The Data We Leave Behind

Our digital lives leave traces of our personalities, interests, and even our emotional states. When we post a picture, like a video, or update our profiles, we add to a complex digital profile that AI systems can later reference to predict behavior, preferences, and life situations. In my case, the AI had access to details I’d shared over time—my background, my job challenges, and my interests—and combined these fragments into a surprisingly accurate portrayal of my life.

The Power and Risks of AI Pattern Recognition

AI algorithms work by finding patterns in large amounts of data. Given a few inputs, they can draw highly specific conclusions, as happened with my own digital “portrait.” When public AI tools can access even general information, they can still make deeply personal inferences. Imagine the possibilities with private entities or governments with unrestricted access to our private data: credit card transactions, location history, health records, browsing habits, and social connections.

Unlike the publicly available AI models that have only our online personas, private entities may use non-consensual data collection through third-party agreements or back-end tracking technologies to create far more extensive profiles. Governments and corporations could potentially track us on an almost cellular level: knowing not just our preferences but our routines, psychological triggers, and even potentially predicting our future behavior based on past data. In the wrong hands, these predictions could be used to manipulate consumer choices, predict and shape social trends, or even influence voter behavior on a massive scale.

AI Portraits as a Reality Check

As fun and harmless as it may seem to play with these AI portrait prompts, the exercise underscores just how much can be gleaned from a few data points. And if a public model can analyze these to paint a life portrait, private models—designed to optimize profit or compliance, rather than delight—can achieve much more.

While AI technology can offer us personalized, convenient experiences, it’s crucial for each of us to remain conscious of the digital traces we leave behind. We must also advocate for stronger data privacy laws and demand transparency from both public and private entities on how our data is collected, stored, and used.

As we experiment with AI prompts and digital tools, we should treat them as reminders to manage our digital footprint thoughtfully, remembering that the sum of our data is more powerful than it seems. AI’s capacity to capture personal nuances from fragmented data is a mirror held up to our data-rich lives—a reminder of the importance of safeguarding our digital identity in a world that has the capability, and sometimes the incentive, to know us better than we know ourselves.

The Problems in Salary Scales for Tech Jobs and How to Retain Talent

The tech industry is booming, and with it, the demand for tech talent. This has led to a competitive job market, where companies are vying for the best and brightest minds. One of the most important factors in attracting and retaining tech talent is salary. However, many companies are struggling to set competitive salary scales for tech jobs.


There are a number of factors that contribute to the problems in salary scales for tech jobs. One is the rapid pace of change in the tech industry. New technologies are emerging all the time, and this can make it difficult for companies to keep up with the market value of tech skills. Another factor is the global nature of the tech industry. Companies can now hire tech talent from all over the world, which can drive down wages in some regions.

The problems in salary scales for tech jobs can have a number of negative consequences for companies. One is that it can make it difficult to attract and retain top talent. Tech workers are in high demand, and they have a lot of options when it comes to jobs. If a company is not offering competitive salaries, it will likely lose out to other companies that are.


Another consequence of the problems in salary scales for tech jobs is that it can lead to employee dissatisfaction. Employees who feel underpaid are more likely to be unhappy with their jobs, and they may be more likely to leave for a better paying opportunity. This can lead to high turnover, which can be costly for companies.

There are a number of things that companies can do to address the problems in salary scales for tech jobs and retain tech talent. One is to regularly review their salary scales to make sure they are competitive with the market. Another is to offer a variety of non-salary compensation benefits, such as stock options, health insurance, and paid time off. Companies can also invest in training and development programs to help their employees stay up-to-date on the latest technologies.


By taking steps to address the problems in salary scales for tech jobs, companies can attract and retain top tech talent. This can help them stay ahead of the competition and achieve their business goals.

Here are some additional tips for setting competitive salary scales for tech jobs:

  • Use salary surveys to benchmark your salaries against the market.
  • Consider the cost of living in your area when setting salaries.
  • Factor in the employee’s experience, education, and skills when setting salaries.
  • Be transparent about your salary ranges and policies.
  • Be willing to negotiate salaries with qualified candidates.
  • Offer competitive benefits packages to supplement salaries.

By following these tips, companies can set competitive salary scales for tech jobs and attract and retain top tech talent.

Strengthening the Fortress: The Crucial Role of Stakeholder Management in IT Management and Cybersecurity

In today’s technology-driven world, organizations rely heavily on their IT infrastructure to function efficiently and securely. As cyber threats continue to evolve, robust IT management and cybersecurity practices have become indispensable. One often underestimated but essential aspect of this process is stakeholder management, particularly when it comes to non-IT management. In this blog post, we will delve into the critical significance of stakeholder management in ensuring effective IT management and maintaining a strong defense against cyber threats.


The realm of IT management and cybersecurity is complex, requiring a comprehensive understanding of various technologies, compliance standards, and evolving threats. As technology infiltrates every aspect of an organization’s operations, it’s no longer confined to the IT department. Non-IT management and executives now play a pivotal role in shaping an organization’s IT strategy, budget allocation, and overall risk management.


Stakeholder Management – Why Does it Matter?

  1. Bridging the Communication Gap: Non-IT management may lack in-depth technical knowledge, making it essential for IT professionals to communicate in a language they understand. Effective stakeholder management ensures clear and concise communication about IT challenges, initiatives, and the potential impact on the organization.
  2. Aligning Objectives: Non-IT management may have different priorities and goals. Stakeholder management helps align these objectives with the IT department’s efforts, ensuring that cybersecurity initiatives support the organization’s broader strategic vision.
  3. Budgetary Support: Adequate funding is vital for implementing robust cybersecurity measures. Effective stakeholder management involves presenting a compelling case for investments in IT security, highlighting the potential risks of underinvestment and the long-term benefits of a secure infrastructure.
  4. Creating a Culture of Cybersecurity: Non-IT employees may unknowingly expose an organization to cyber threats. By involving them in cybersecurity awareness programs and emphasizing their crucial role in maintaining a secure environment, stakeholder management can foster a culture of cybersecurity consciousness.

Strategies for Effective Stakeholder Management

  1. Speaking Their Language: When communicating with non-IT management, avoid technical jargon and use language that relates to their specific roles and concerns. Focus on the potential business impact of IT decisions and cybersecurity measures.
  2. Regular Reporting: Provide consistent updates on the status of ongoing IT projects, cybersecurity measures, and incidents. These reports should highlight successes, challenges, and future plans in a format that is easily understandable.
  3. Risk Visualization: Use real-world scenarios and case studies to illustrate the potential consequences of cyber threats. Help non-IT stakeholders grasp the magnitude of risks and the importance of investing in cybersecurity.
  4. Collaborative Approach: Involve non-IT management in decision-making processes related to IT and cybersecurity. Seeking their input and involving them in discussions can garner greater support and understanding.
  5. Continuous Education: Offer training sessions and workshops to non-IT employees and management, promoting cybersecurity awareness and best practices. This helps reduce the chances of accidental data breaches caused by human error.

In the rapidly evolving landscape of IT management and cybersecurity, the role of stakeholder management, especially concerning non-IT management, cannot be underestimated. Effective stakeholder management bridges the gap between technical expertise and strategic decision-making, ensuring that cybersecurity becomes a shared responsibility across the organization.

By speaking the language of non-IT management, aligning objectives, and fostering a culture of cybersecurity, organizations can build a formidable fortress against cyber threats. Remember, cybersecurity is not solely an IT department’s responsibility; it requires the collective effort of all stakeholders to safeguard an organization’s most valuable assets from the ever-present dangers of the digital world.

Tech-Talent Management

I’ve seen firsthand how crucial career planning is in the ever-evolving tech industry. Talent management plays a key role in finding, recruiting, and retaining top talent for our teams. Here’s why career planning is so essential:

* Talent Management – In a competitive job market, finding and recruiting the right talent is crucial. It’s important to identify individuals with diverse skill sets and backgrounds who can bring unique perspectives to the table. A well-designed career path helps to attract such talent and ensures they stay engaged and motivated.

* Retaining Talent – Keeping the talent we’ve worked so hard to find is just as important. By offering opportunities for growth and advancement, we can ensure employees feel valued and invested in the company’s success.

* Continuous Training – With technology constantly evolving, it’s essential for IT professionals to stay up-to-date. Encouraging continuous training allows employees to expand their skill sets and adapt to new challenges, making them more valuable and versatile team members.

* Navigating Change – The tech industry is one of the fastest-changing sectors in the world. Career planning helps IT professionals anticipate these changes and adapt their skills accordingly. This agility ensures they remain relevant and indispensable to their organizations.

In summary, career planning in tech jobs is vital for talent management, employee retention, continuous training, and staying ahead of technological changes. I cannot overstate the importance of investing in our employees’ professional growth and development. The future of our organizations depends on it.

Managing Operational Technology and Its Security Risks

The first thing we need to look at as a starting point is the OT inventory:

How many of us know our OT inventory 100%?

Who is physically responsible for the devices?

Who holds ownership and the other responsibilities for the equipment?

Depending on the organizational structure, the answer may be maintenance, automation, or even the operational users, that is, departments such as production.

But not IT…

So roles and responsibilities need to be separated correctly.


In my view, if we are talking about cybersecurity in OT, responsibility for it should sit with IT: both because the IT and OT domains are converging and so that the cybersecurity experience already present in IT can be put to use, it makes sense for IT to take on this task.

But if there is no change management process with correctly assigned roles and responsibilities, managing this is very hard.

Here IT processes come into play again. Change management, from ITIL’s service transition processes, is tailor-made for this.

When this process is designed correctly, there is no need for a separate OT department in the organizational structure. An OT change manager, stakeholders defined according to the principle of segregation of duties, and a well-run process are enough to succeed.

Only the existing staff must be structured accordingly, equipped with the required technical competencies, and expanded where necessary.


OT Security Risks

Because neither security nor IT-OT convergence was considered when legacy OT systems were purchased, when we analyze them from today’s security perspective we can say that an uncontrolled and unmanageable structure has formed.

As a result, security risks have arisen in every sector where automation is used.

The most important cause of this unmanageable structure, as I mentioned above, is the lack of an OT inventory. Consequently, the OT infrastructure is:

  1. Not visible
  2. Not measurable
  3. And as a result of these, a structure that cannot be managed or improved.

I want you to ask yourselves the following questions:

  1. How many OT domains do you have?
  2. How many OT devices do you have under these domains?
  3. How many of these devices are running current firmware?
  4. What does the data traffic between OT devices look like?
  5. Which OT devices can communicate with the outside?
  6. Which OT devices can be physically connected to?
  7. Which OT devices have protective software against malicious code?
  8. What kind of network structure are your OT devices connected in?
  9. Do you use an OT firewall?
  10. Is your OT inventory up to date?
  11. What are the current security vulnerabilities for the devices in your inventory?

As long as you cannot answer these questions, you do not have a manageable and sustainable infrastructure, and only after reaching that level of maturity can you move on to cybersecurity hardening on the OT side.


Of course, a simple risk management process applied while doing this will make things both more visible and easier to prioritize for improvement. As long as you cannot put a numerical value on the likelihood of your vulnerabilities being exploited and on how much the impact would affect your operation, you will inevitably have trouble deciding where to head.

The point to keep in mind when doing OT risk management is that, in addition to the security risks known from IT, OT is far more exposed to physical damage. In many cases this physical damage is also linked to human life. So when determining your risks, never ignore the fact that the maximum possible damage is not limited to equipment; human life is also at stake.

Wishing you secure days!
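The inventory questions above and the likelihood-times-impact scoring this post describes can be turned into a small, repeatable exercise. The following is an added example, not code from the original post: it models a few OT devices, treats every question the inventory cannot answer as a visibility gap (and as the worst case when scoring), forces impact to the maximum whenever people could be harmed, and ranks devices for remediation. The device records, field names and the 1 to 5 scales are constructed for illustration and are not a real tool’s schema.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class OtDevice:
    name: str
    domain: str                           # OT domain / network zone the device sits in
    firmware_current: Optional[bool]      # None means "we don't know": an inventory gap
    externally_reachable: Optional[bool]  # can it talk to anything outside the OT zone?
    physical_access_possible: Optional[bool]
    malware_protection: Optional[bool]
    behind_ot_firewall: Optional[bool]
    open_vulnerabilities: Optional[int]   # known, unremediated advisories for this device
    equipment_impact: int                 # 1..5: damage to equipment/production only
    safety_relevant: bool                 # True if a compromise could endanger people


# Exposure conditions that raise likelihood. An unknown (None) answer is treated as
# the worst case, so inventory gaps automatically push a device up the list.
EXPOSURE_CHECKS = {
    "firmware not current":      lambda d: d.firmware_current is not True,
    "reachable from outside":    lambda d: d.externally_reachable is not False,
    "physical access possible":  lambda d: d.physical_access_possible is not False,
    "no malware protection":     lambda d: d.malware_protection is not True,
    "not behind an OT firewall": lambda d: d.behind_ot_firewall is not True,
    "open vulnerabilities":      lambda d: d.open_vulnerabilities is None
                                           or d.open_vulnerabilities > 0,
}

# Fields the inventory is allowed to leave unanswered (and thereby reveal a gap).
UNKNOWABLE = ("firmware_current", "externally_reachable", "physical_access_possible",
              "malware_protection", "behind_ot_firewall", "open_vulnerabilities")


def inventory_gaps(d):
    """Questions the inventory cannot answer: the 'not visible, not measurable' problem."""
    return [f for f in UNKNOWABLE if getattr(d, f) is None]


def exposure_factors(d):
    return [label for label, check in EXPOSURE_CHECKS.items() if check(d)]


def likelihood(d):
    """1..5 scale: one point per exposure condition, capped at 5."""
    return min(5, 1 + len(exposure_factors(d)))


def impact(d):
    """1..5 scale. If people can be harmed, impact is always the maximum,
    no matter how cheap the equipment itself is."""
    if d.safety_relevant:
        return 5
    return max(1, min(5, d.equipment_impact))


def risk(d):
    return likelihood(d) * impact(d)


def prioritize(devices):
    """Highest risk first; safety-relevant devices win ties."""
    return sorted(devices, key=lambda d: (risk(d), d.safety_relevant), reverse=True)


def maturity_report(devices):
    """Answers to the inventory questions that the records can actually answer."""
    return {
        "domains": len({d.domain for d in devices}),
        "devices": len(devices),
        "firmware_current": sum(d.firmware_current is True for d in devices),
        "externally_reachable": sum(d.externally_reachable is True for d in devices),
        "with_malware_protection": sum(d.malware_protection is True for d in devices),
        "behind_ot_firewall": sum(d.behind_ot_firewall is True for d in devices),
        "devices_with_gaps": sum(bool(inventory_gaps(d)) for d in devices),
    }


# Constructed sample inventory (not real devices, not real findings).
INVENTORY = [
    OtDevice("plc-paint-line1", "paint-shop", False, True, True, False, False, 3, 3, True),
    OtDevice("hmi-paint-line2", "paint-shop", True, False, True, True, True, 0, 2, False),
    OtDevice("historian-01", "utilities", None, False, False, None, True, None, 4, False),
]

if __name__ == "__main__":
    for d in prioritize(INVENTORY):
        print(f"{d.name:18} L={likelihood(d)} I={impact(d)} risk={risk(d):2} "
              f"factors={exposure_factors(d)} gaps={inventory_gaps(d)}")
    print(maturity_report(INVENTORY))
```

Two design choices carry the post’s argument: unknown answers score as exposed, so a device nobody has inventoried properly (the historian here) outranks a fully documented but mildly exposed HMI, and the safety flag overrides the equipment-only impact, so the low-value PLC on a line where people work lands at the top of the list.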

CDPSE: Certify Your Data Protection Competencies

ISACA has opened a new dimension, with its new certification, on the protection of data, a topic that is gaining importance day by day in our country too with the KVKK.

When we consider that 80 countries have currently enacted data protection laws and that by 2023, 65% of the world’s population will be subject to data protection laws, we can better understand the seriousness of the topic.

The CDPSE certification lets you document your competence and experience under 3 main headings:

If you work on information security, and especially on the protection of personal data or of data in general, the route to certifying your competencies with a globally recognized certificate runs through CDPSE.

Security in the time of Corona

As the world struggles with the coronavirus (COVID-19) pandemic, security folks are struggling with something else: securing remote business. We have been so busy securing our systems against viruses that we could not see that a biological virus could cause more problems than the digital ones.

Working remotely was not an option for many companies, or not for every position, so most companies were caught off guard. Many of us were simply not ready to transform the business this fast, but it’s happening, folks, and here are some of the concerns you should take into consideration:

1. Security Issues on Mobile Devices

It’s easy to secure your employees’ devices when they are inside your network, behind your firewalls, but is it the same when they connect from home?

A VPN is not the solution for every connection: what if the employee connects to some insecure site? You never know. Things get more complicated when employees use their own devices for work.

All you can do is increase employee awareness and put strict rules in place for what you can control, such as strong password policies and access management.

2. Issues with Backup and Recovery

Data loss can be a huge problem for remote business and the problem is bigger if the employees are using their own devices for business.

There are quite good backup and recovery solutions on the market; you can use them to secure the data in a centralized backup and recovery system, or you can simply make employees take their own local backups, but being in the cloud seems to be the best solution for this issue.

3. Issues related to Shadow IT

End users tend to use whatever is practical, and they will use anything available once they are out of your control.

Shadow IT has been a pain in the neck for many years: users want to use free applications whose security implications they know nothing about.

It used to be easy when the only way to use an application was to install it on your computer and only IT could install software on corporate PCs, but it is a dilemma when you can use cloud services from home.

Security awareness becomes even more important in relation to shadow IT. End users must think like security analysts when deciding whether to use an application other than the corporate assets, and decide not to use it where possible.

There are many more security issues for remote business, and it usually comes down to the point where end users must be aware of the security risks and act accordingly.

Security awareness training programs must be updated with the use cases we are facing in this coronavirus transformation, and companies should invest more in training employees so that they can protect themselves.

Stay home, stay secure!

GRCAC Day Bursa 2020

The GRCAC Day Bursa seminar on governance, risk, compliance, audit and cybersecurity, which we organized as the ISACA Ankara Chapter, hosted by Tofaş with the contributions of EY, took place on 7 February 2020 at Tofaş Akademi Doğu Kampüsü.