December 24, 2024
When entities outside HIPAA’s purview experience breaches, the Federal Trade Commission (FTC) Health Breach Notification Rule applies. However, this dual system creates confusion among stakeholders, who must navigate overlapping jurisdictions. The lack of a unified, comprehensive framework exacerbates the problem, leaving patients uncertain about the security of their health data. Another pressing concern is the cybersecurity of medical devices. Many modern medical devices connect to networks or the internet, increasing their susceptibility to cyberattacks. Hospitals often operate thousands of interconnected devices, making it challenging to monitor and secure every endpoint. Insecure devices not only endanger patient privacy but also jeopardize care delivery. For instance, a compromised infusion pump or defibrillator could have life-threatening consequences. The Food and Drug Administration (FDA) has taken steps to address these vulnerabilities through premarket and post-market cybersecurity guidelines. However, the onus of ensuring device security often falls into a gray area between manufacturers and healthcare providers.
The successful developer in this evolving landscape will be one who can effectively combine technical expertise with strong interpersonal skills. This includes not only the ability to work with AI tools but also the capability to collaborate with both technical and non-technical stakeholders. After all, with less of a need for coders to do the low-level, routine work of software development, more emphasis will be placed on coders’ ability to collaborate with business managers to understand their goals and create technology solutions that will advance them. Additionally, the coding that they’ll be doing will be more complex and high-level, often requiring work with other developers to determine the best way forward. The emphasis on soft skills—including adaptability, communication, and collaboration—has become as crucial as technical proficiency. As the software development field continues to evolve, it’s clear that the future belongs to those who embrace AI as a powerful complement to their skills rather than viewing it as a threat. The coding profession isn’t disappearing—it’s transforming into a role that demands a more comprehensive skill set, combining technical mastery with strong interpersonal capabilities.
Zero-day vulnerabilities are still one of the major threats in cybersecurity. By definition, these faults remain unknown to software vendors and the larger security community, thus leaving systems exposed until a fix can be developed. Attackers are using zero-day exploits frequently and effectively, affecting even major companies, hence the need for proactive measures. Advanced threat actors use zero-day attacks to achieve goals including espionage and financial crimes. ... Integrating regional and local data privacy regulations such as GDPR and CCPA into the cybersecurity strategy is no longer optional. Companies need to look out for regulations that will become legally binding for the first time in 2025, such as the EU's AI Act. In 2025, regulators will continue to impose stricter guidelines related to data encryption and incident reporting, including in the realm of AI, showing rising concerns about online data misuse. Decentralized security models, such as blockchain, are being considered by some companies to reduce single points of failure. Such systems offer enhanced transparency to users and allow them much more control over their data. ... Verifying user identities has become more challenging as browsers enforce stricter privacy controls and attackers develop more sophisticated bots.
The Roadmap for Artificial Intelligence Safety Assurance, recently published by the FAA, recognizes the potential of AI in aviation and emphasizes the need for safety assurance, industry collaboration and incremental implementation. This roadmap, combined with other international frameworks, offers a global framework for managing AI risks in aviation. ... While AI demonstrates the potential for enhanced operational efficiency, predictive maintenance and even autonomous flight, these benefits come with significant security and compliance risks. ... Differentiating between learned AI (static) and learning AI (adaptive) poses a significant challenge in AI risk management. The FAA roadmap calls for continuous monitoring and assurance, especially for learning AI, echoing the need for dynamic risk assessment protocols like those recommended in NIST-AI-600-1 for managing generative AI models. ... Incorporating AI in aviation is far from straightforward, and due to human safety concerns, it involves navigating a constantly evolving landscape of risks and at times overbearing regulatory requirements. For risk and security professionals, the key task is to align AI technologies with operational safety and evolving regulatory requirements.
On one side of the spectrum is the redaction of direct identifiers such as names, or payment card information such as credit card numbers. On the other side of the spectrum lies anonymization, where re-identification of individuals is extremely unlikely. Within the spectrum, we also find pseudonymization, which, depending on the jurisdiction, often means something like reversible de-identification. Many organizations are keen to anonymize their data because, if anonymization is achieved, the data falls outside of the scope of data protection laws as it is no longer considered personal information. ... We hold that the claim that data anonymization is impossible is based on a lack of clarity around what is required for anonymization, with organizations often either wittingly or unwittingly misusing the term for what is actually a redaction of direct identifiers. Furthermore, another common claim is that data minimization is in irresolvable tension with the use of data at a large scale in the machine learning context. This claim is not only based on a lack of clarity around data minimization but also a lack of understanding around the extremely valuable data that often surrounds identifiable information, such as data about products, conversation flows, document topics, and more.
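The difference between the three points on that spectrum, as an added example that is not part of the original excerpt: it applies redaction, keyed pseudonymization and generalization to the same records and measures how many records share each quasi-identifier combination. The records, field names and the use of smallest group size (k-anonymity) as a stand-in for re-identification risk are assumptions of this example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real data); "topic" is the non-identifying
# payload an ML pipeline would actually want to keep.
RECORDS = [
    {"name": "Alice Moreau", "card": "4111111111111111", "zip": "94110", "birth_year": 1984, "topic": "refund"},
    {"name": "Bob Tanaka", "card": "5500005555555559", "zip": "94117", "birth_year": 1988, "topic": "billing"},
    {"name": "Chen Wu", "card": "340000000000009", "zip": "94103", "birth_year": 1981, "topic": "refund"},
]
DIRECT = ("name", "card")       # direct identifiers
QUASI = ("zip", "birth_year")   # quasi-identifiers (assumed for this example)
KEY = b"constructed-demo-key"   # placeholder; a real key lives in a secrets store


def redact(rec):
    """Redaction: blank direct identifiers, leave everything else untouched."""
    return {k: ("[REDACTED]" if k in DIRECT else v) for k, v in rec.items()}


def pseudonymize(rec, key=KEY):
    """Pseudonymization: swap direct identifiers for keyed tokens.
    The key holder can re-link a known identifier by recomputing its token."""
    out = dict(rec)
    for field in DIRECT:
        out[field] = hmac.new(key, rec[field].encode(), hashlib.sha256).hexdigest()[:16]
    return out


def generalize(rec):
    """Redact direct identifiers and coarsen quasi-identifiers as well."""
    out = redact(rec)
    out["zip"] = rec["zip"][:3] + "**"
    out["birth_year"] = rec["birth_year"] // 10 * 10  # decade
    return out


def min_group_size(rows):
    """Smallest number of rows sharing one quasi-identifier combination (k)."""
    groups = Counter(tuple(r[q] for q in QUASI) for r in rows)
    return min(groups.values())


if __name__ == "__main__":
    print("redacted     k =", min_group_size([redact(r) for r in RECORDS]))
    print("pseudonymous k =", min_group_size([pseudonymize(r) for r in RECORDS]))
    print("generalized  k =", min_group_size([generalize(r) for r in RECORDS]))
```

Redaction and pseudonymization both leave every record unique on ZIP code and birth year, while the generalized set keeps the `topic` field intact with no record standing alone.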
Bot detection works by recognizing markers of bad bots, including requests originating from malicious domains and patterns of behavior exhibited. Establishing a baseline of normal human web activity and recognizing anomalous behavior from incoming traffic is at the core of effective bot detection. ... Unsurprisingly, for businesses focused on managing users’ money, account takeover and carding attacks are common in the financial industry. In these instances, cybercriminals try to break into accounts and steal information from the payments page. As such, the financial industry has been an early adopter of cybersecurity protocols and tools to ensure a fully comprehensive and well-funded security program, while the travel and hospitality industries have not yet made that pivot in the same way. ... A good CISO makes balanced risk decisions. A bad CISO gets in the way of helping the company innovate. The combination of industry best practices and regulation forcing the adoption of robust security tooling and methodology pushes companies to create a strong baseline to build in effective protections. However, CISOs must evaluate carefully what assets they choose to put maximum security measures behind. If you argue that everything needs that high level of security, you become the CISO who cried wolf.