Erskine Payton says
Artificial intelligence, with AI becoming more and more prevalent in our lives, how do you feel about that? Are you for, against, or does it matter?
Kenneth Saltisky says
AI is already being utilized in not only our daily lives, but even in cybersecurity and IT auditing. For example, a tool I used called Wiz.IO utilizes some AI in determining the risk factors of cloud assets. AI will become one of the most powerful tools in the future, but it takes time for it to be used in great ways. As to how long it will take, I would imagine before the end of the decade we will see it constantly being a part of our daily lives.
Chidiebere Okafor says
AI has greatly impacted our lives in many ways in the past few years, but I believe that there have to be guidelines in place to avoid overdependence on it. There is inherent risk that comes with AI, and some of it was addressed in the NIST AI 100-1: Artificial Intelligence Risk Management Framework (AI RMF 1.0). If handled wisely, we can truly maximize AI for its benefits.
Hashem Alsharif says
AI, to me, is one of those things that we have no choice but to accept. So given that it’s unavoidable, we have three options: accept it, ignore it, or fight it. We also can choose when/how we apply each option, as we don’t have to just accept one part of it. For example, the actors guild decided to fight AI as it was a direct threat to their livelihood. However, those same people are fully accepting of AI for personal creative reasons. I don’t think AI in our lifetime will be a threat to anything outside of entertainment. I think if the time comes that AI does go after our livelihood, like the actors guild, we can fight it. But for now, I think it’s great to accept it. And if we find that it makes us too lazy, we can also choose to ignore it.
Michael Obiukwu says
Why is the N-tier architecture multi-layered?
Andrew Young says
How can we learn to better anticipate human needs, requirements and behavior in our IT structures? Is it possible to more thoroughly adapt our systems to human unpredictability and adaptability?
Kenneth Saltisky says
Hi Andrew,
I believe it is possible, to a certain extent, to anticipate human needs, requirements and behavior through something like AI. As I mentioned in Erskine’s question, AI is already being used in some parts of IT management and auditing, and really the best way to cover as much as possible for human behavior is by training AI to be as prepared as possible for the different scenarios that human error can lead to. Although it’s impossible to prepare for everything, as we are all complex, I would say that we can try to do as much as possible to adapt our systems to deal with this unpredictability.
Ikenna Alajemba says
A business-critical system has a highly critical vulnerability, but the Engineering team is not willing to patch it, saying the application will break down completely if they patch it. What would you do or suggest in this situation as a cybersecurity analyst?
Jeffrey Sullivan says
Why do the levels of impact vary in the life of a contract? For example, some start out as moderate confidentiality but end as a low impact level when contract is completed.
Andrew Young says
Because security needs and risks evolve over the course of a contract or work project, the risk and need for security may develop over the course of its installation and use. A good example would be setting up encryption, where an initially unencrypted drive or system would pose a high risk for confidentiality breaches but may receive a lower risk status once comprehensive encryption is added.
Nicholas Nirenberg says
Hi Jeffrey, I think that contract impact levels change due to evolving factors such as project progression, diminishing sensitivity, and alterations in scope or stakeholders. Furthermore, I think that this demonstrates that regular assessments are vital to adapt security measures to the contract’s shifting dynamics.
Samuel Omotosho says
What are the 17 security-related areas covered by the minimum security requirements related to protection?
Chidiebere Okafor says
The seventeen security-related areas covered by the minimum security requirements are as follows:
(i) Access control (AC)
(ii) Awareness and training (AT)
(iii) Audit and accountability (AU)
(iv) Certification, accreditation, and security assessments (CA)
(v) Configuration management (CM)
(vi) Contingency planning (CP)
(vii) Identification and authentication (IA)
(viii) Incident response (IR)
(ix) Maintenance (MA)
(x) Media protection (MP)
(xi) Physical and environmental protection (PE)
(xii) Planning (PL)
(xiii) Personnel security (PS)
(xiv) Risk assessment (RA)
(xv) Systems and services acquisition (SA)
(xvi) System and communications protection (SC)
(xvii) System and information integrity (SI)
Mariam Hazali says
Why is an SSP not required for minor applications?
Ikenna Alajemba says
For minor applications or systems with lower risk levels, organizations may choose to apply a risk-based approach to determine the level of security documentation required. In some cases, a full-fledged System Security Plan might be deemed unnecessary due to the relatively lower risk associated with the application. Instead, organizations may opt for more streamlined or simplified documentation based on the level of risk and the criticality of the system.
Kenneth Saltisky says
How important is thorough security planning and security controls compared to the importance of responding quickly to new threats?
Nicholas Nirenberg says
Hi Kenneth, I think thorough security planning and controls are fundamental for a robust cybersecurity foundation, offering proactive defense. However, the importance of responding swiftly to new threats is equally critical in the dynamic cybersecurity landscape. Balancing comprehensive planning with agile responses is a delicate process that is sometimes difficult to get right.
Nicholas Nirenberg says
In what ways do you think the security categorization process outlined in NIST SP 800-60 could be improved or adapted to better address the evolving challenges of information security in today’s digital landscape?
Chidiebere Okafor says
What factors can contribute to inaccurate security categorization and how can these factors be reduced?
Mariam Hazali says
I think one of the reasons for inaccurate security categorization may be a lack of understanding of the sensitivity and criticality of data or systems within an organization. This can be reduced by educating employees about the importance of security categorization and how to apply classification criteria effectively.
Alex Ruiz says
What strategies or tools do you think are most effective in identifying and prioritizing potential risks during the SDLC, and how can we ensure that risk management remains an integral part of an organization’s cybersecurity practices over time?
Hashem Alsharif says
In regards to protection of company media, what do you think is more difficult to protect? Paper or digital information? Why?
Mariam Hazali says
Hi Hashem, this is a good question. They both have their challenges, but I’m going to go with paper as more difficult to protect, and here are the reasons:
1. With paper it’s hard to have non-repudiation, while with digital we can implement that and know who accessed the resources, at what time, and what changes they made.
2. Paper can easily be destroyed, lost, or subjected to theft without a backup. With digital we can have offshore backups.
I know digital copies come with their challenges; however, we can implement proper security controls to protect the assets.
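As an added example (not code from this thread) of the point in Mariam’s first reason, the constructed audit log below records who accessed which resource, when, and what they did, and chains each entry to the previous one with an HMAC so that any edit, deletion, or reordering is detected on verification. The key, actor names, resource paths and timestamps are hypothetical sample data; a real deployment would keep the key in a KMS or HSM, and where non-repudiation must hold against the log operator itself, each entry would additionally carry a per-user digital signature rather than a shared MAC.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical log key for the example only; production keys belong in a KMS/HSM.
LOG_KEY = b"example-audit-log-key-not-for-production"


def _entry_mac(key: bytes, prev_mac: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC plus this entry's canonical JSON."""
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only access log; every record is chained to the one before it."""

    GENESIS = "0" * 64  # chain anchor for the first record

    def __init__(self, key: bytes):
        self.key = key
        self.records = []

    def record(self, actor: str, resource: str, action: str, timestamp: str = None) -> dict:
        """Append an access event (who, what, when, which action) to the chain."""
        entry = {
            "seq": len(self.records),
            "ts": timestamp or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "resource": resource,
            "action": action,
        }
        prev = self.records[-1]["mac"] if self.records else self.GENESIS
        self.records.append({"entry": entry, "mac": _entry_mac(self.key, prev, entry)})
        return entry

    def verify(self):
        """Return (ok, first_bad_seq). An edited, deleted or reordered record breaks the chain."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["entry"]["seq"] != i:          # a gap or reordering in the sequence
                return False, i
            expected = _entry_mac(self.key, prev, rec["entry"])
            if not hmac.compare_digest(expected, rec["mac"]):  # contents changed after the fact
                return False, i
            prev = rec["mac"]
        return True, None

    def who_accessed(self, resource: str):
        """List (actor, timestamp, action) for every recorded access to a resource."""
        return [(r["entry"]["actor"], r["entry"]["ts"], r["entry"]["action"])
                for r in self.records if r["entry"]["resource"] == resource]


def demo():
    """Build a small log from constructed events, then show that a silent edit is caught."""
    log = AuditLog(LOG_KEY)
    log.record("alice", "contracts/2023-q4.pdf", "read", "2023-11-01T09:00:00+00:00")
    log.record("bob", "contracts/2023-q4.pdf", "edit", "2023-11-01T09:05:00+00:00")
    log.record("alice", "hr/salaries.xlsx", "read", "2023-11-01T09:10:00+00:00")
    intact = log.verify()[0]
    # Someone with write access to the log file rewrites bob's edit to look like a read.
    log.records[1]["entry"]["action"] = "read"
    tampered, bad_seq = log.verify()
    return intact, tampered, bad_seq


if __name__ == "__main__":
    print(demo())  # (True, False, 1): clean log verifies, the altered record 1 does not
```

The chain gives the two properties the reply relies on: `who_accessed` answers "who touched this resource, when, and how", and `verify` shows that the answer has not been quietly rewritten, which is what a sheet of paper in a filing cabinet cannot offer.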