AI in the Technical Industry

The rapid advancement of Artificial Intelligence (AI) is a topic that has been gaining significant attention in the pas year. As AI continues to evolve, it is increasingly impacting various sectors, particularly in technical career fields.

AI’s Impact on Job Security

The rise of AI has sparked concerns about job security in technical career fields. As AI systems become more sophisticated, they are capable of performing tasks that were once exclusively done by humans. This has led to fears that AI could replace human workers, leading to job losses.

However, it’s essential to understand that while AI can automate certain tasks, it cannot replace the creativity, critical thinking, and problem-solving skills that humans bring to the table. AI is a tool that can enhance productivity and efficiency, but it cannot replicate human intelligence. Therefore, rather than viewing AI as a threat, it should be seen as an opportunity for workers to upskill and adapt to the changing technological landscape.

The Need for AI Literacy

With AI becoming more prevalent in the technical career fields, there is a growing need for AI literacy. This means understanding the basics of AI, how it works, and its potential applications and implications. This knowledge is crucial for both workers and employers in the tech industry.

For workers, AI literacy can open up new career opportunities. As AI continues to evolve, there will be a growing demand for professionals who can develop, manage, and maintain AI systems. For employers, understanding AI can help them make informed decisions about integrating AI into their operations and investing in AI training for their employees.

Ethical Considerations

The advancement of AI also brings about various ethical considerations. These include concerns about privacy, bias, and transparency. As AI systems become more integrated into our lives, it’s crucial to ensure that they are designed and used in a way that respects individual privacy and avoids bias.

Moreover, there is a need for transparency in how AI systems make decisions. This is particularly important in fields like healthcare or finance, where AI decisions can have significant impacts on individuals. Ensuring ethical AI use requires ongoing dialogue and collaboration between tech professionals, policymakers, and society at large.

The advancement of AI is indeed a growing concern in the technical career fields. However, it’s important to approach this issue with a balanced perspective. While AI does pose challenges, it also offers opportunities for innovation, growth, and progress. By focusing on AI literacy and ethical AI use, we can navigate the AI revolution in a way that benefits everyone.

Risk Centered Security

Implementing security in Information Technology is not about locking down and protecting a system.  After all, the best way to secure a computer is to power it down, unplug it, remove all storage devices, and lock them in a vault.  The second you power that computer on, even in an air gapped faraday cage, you begin to assume some level of risk.  The trick to security is knowing your risk and mitigating any unwanted risk.

Risk Analysis

Risk is what we are trying to understand and mitigate against in a cyber security program.  If we are not calculating risk within the organization and using the same formula or even definitions within an organization, we will be approaching security from completely different understandings.

With risk analysis, we need to identify the threat and understand what vulnerability that threat would be compromising.  Then we need to understand the impact that would have to the overall business function and the likelihood of it occurring.  Once we have those variables understood, we can have a healthy conversation of what levels of security in which we should be investing.

Cost Effective Risk Mitigation

Risk. Loss. Impact. Likelihood of threat.  These are all important, and at times, overlooked in a security program.  We need to make sure we are applying the right level and budget into a security program to help the business while not hurting the business.

Imagine if you inherited a bag of gold doubloons valued at $500,000.  This would be an extremely valuable and a prized possession.  Naturally, you would want a secure place to protect your bag of gold.  In your search for a vault to store the gold in, you come across a extremely advanced, high tech vault with a small army standing by to react to any alarm.  This, this is the solution, and it is only $5 million.

We cannot be spending more in security than the value of the asset and this is what we need to do in Information Security.  Your local, family-owned pizzeria does not need to invest in a next-gen firewall and a robust security information event monitoring solution.

This is where we start looking into cost effective solutions to mitigate the risk.  Some of these solutions require some creativity, out-sourcing, and perhaps elbow grease to implement.

Risk Acceptance

As we start maturing our organization and analyze risk from the threats that are circling around us, we are going to come to a situation in which it does not make sense to mitigate.  In these cases, it is important to know that there is an option to assume or accept the risk.

When reviewing a security framework or a best practice, perhaps we will come across a security control that does not make sense to implement.  Perhaps you are a medium-sized organization with 200 employees, you likely do not need to hire 6 individuals to build out a 24/7/365 security operations center.

Risk acceptance is another important component to a security program.  There are elements that should be included when assuming risk.  First, make sure the right person is assuming the risk.  The junior systems engineer should not be making the assumption to continue to have the organization run on Windows XP desktops.  Ensure the acceptance is documented and reviewed on a routine basis or after an event that affects the risk that was assumed.  Also, when possible, implement any possible mitigating controls to limit the risk to the organization.

As your organization centers its security program around risk acceptance/risk mitigation, the program will go from holding the organization back to helping it thrive.

Importance of Security Frameworks

If I had to build an IT organization from scratch, I would absolutely make an applicable security framework the backbone. Why? A security framework (such as NIST Cybersecurity Framework or CIS20) is a methodology featuring security controls that ensure not just a well-balanced security program, but also a well-balanced IT program.  

Security is Woven into Every Functional Area of a Company

My understanding of the makeup of an IT department came atypically.  I was in the United States Air Force when Uncle Sam desired that I become a network engineer. At that time, I couldn’t tell you the difference between an IP address and a subnet mask. It took me a couple of months to understand how those in the help desk, desktop team, virtualization engineers, Linux administrators, Windows administrators, network engineers, security engineers, and project managers all contributed to a functioning Information Technology organization. I observed that while all the verticals work together, they only interact at the edges of each particular service. The lone exception was security.  Security is integrated into each and every other discipline, and for good reason. 

In other words, security is the critical common thread. So, while not a conventional thought, but maybe not too surprising either, all teams across the IT department can benefit from a security-oriented tool. Specifically, I’m referring to security frameworks. Typically used to identify gaps, a security framework usually contains more than 100 controls that strengthen across the various areas of an IT organization. Implementation is typically driven by compliance, but, sadly, most organizations look for the minimum effort to save on time and investment. However, it’s those organizations that look to increase their security posture, and review a security framework to exceed the controls, that separate themselves from the vulnerable.  

Not Just Any Security Framework: The Right Framework

It should be noted, not all frameworks are created equal. Some more closely resemble a speed bump than a high jump event. HIPAA/HITRUST is one of these low-bar frameworks. To illustrate, the password requirements for HIPAA is that an organization must have a password policy. That’s it. No details on what that password policy should consist of with regards to complexity, rotation, etc. Other frameworks have a narrow focus, like NIST 800-171 or PCI-DSS. PCI-DSS, well known for protecting credit card data, only pertains to Cardholder Data Environments (CDE) and many organizations ignore security practices in other areas of their network. NIST 800-171 likewise focuses on Controlled Unclassified Information (CUI) and does not apply to the entirety of the network. Choosing the right framework would positively impact the outcomes.  

One of my favorite frameworks, because of how it is organized, is CIS20. CIS20 comes from the Center for Internet Security, also known for publishing the CIS benchmarks used as system hardening standards for various devices and operating systems. CIS20 is broken out into 20 high-level controls supported by a total of 171 sub controls. This framework further breaks the 20 controls down into three different sections: Basic, Foundational, and Organizational which illustrates the impact of those controls. Additionally, version 7.1 introduced implementation groups to assist with prioritization of roll out. The net result is that CIS20 presents a pretty self-evident roadmap to ensuring your IT organization is secure. 

Security Frameworks Lead to a Better IT Department

What’s not so apparent, is this approach also helps help focus on and develop different areas of IT support that your organization could be expecting from you. Asset Inventory, Administrative Privileges, Monitoring, Email and Web Browsers, Data Recovery, Data Protection, and Incident Response are all addressed by the CIS20 framework. While it also covers more obvious security functions like Firewall, Security Awareness Training, and Vulnerability Management; focusing on that previous list will help address the needed services and structure and IT organization should leverage to offer a quality service to your organization. 

Why would a security framework hit on some of these elements of IT delivery?  It has a lot to do with a basic security concept called the CIA triad. CIA stands for Confidentiality, Integrity, and Availability. All three of these elements are considered critical to security. Losing one of these elements causes the three-legged chair to fall. Importantly, these goals should sync with the goals of an IT department as a whole. Making sure that services are available and reliable should be equally weighed with protecting information and ensuring the integrity is not lost.  

While opportunities don’t come around often to build an IT organization in a greenfield scenario, leveraging a security framework can help provide a quick report card on gaps in your IT services. Based on the relationship between security and IT as a whole, closing these gaps will not only elevate your security posture, but also the level of service your IT department offers your organization.

IT is no longer a Utility

I walked into a meeting with a senior executive who brought us in to solve issues their IT department were trying to overcome.  The simplified request was, “I want to walk into the office in the morning and for it to work, like turning on the light switch and the light turns on.”  This is a very understandable ask but the response has been changing over the past couple decades.

ball bright close up clouds

When Information Technology came to the business table in the 90s, it was very straightforward requests, we want our computer to turn on, print, and if we were lucky, connect to the internet through a dial up modem.  As the internet grew in size and businesses became dependent on it’s access, the ask of the IT department grew as well.

Most IT departments are expected to not only ensure the computers function, print, and connect to the internet but store important files, keep hackers out, backup key systems, manage email systems, provide video conferencing, hosting web services, orchestrate systems managing production devices, and anything else that falls under the umbrella of technology.

So, why can’t the IT department just make it work?  They can.  First you could have very different definitions of ‘make it work’ from varying teams within the IT department and secondly, you are allowing a great resource to go untapped in your organization.

Over the past decade, the technologies under IT have gone from ‘working’ to having different flavors of ‘working.’  They are no longer a utility that offers a one dimensional level of support.  From how your organization collaborates to prioritizing systems and services, the IT department can really be an influential voice at the business table.

The engineers within your IT department often know of many emerging technologies and shifts in products that can help the operations of the business get to the next level. Bringing business problems to their awareness allows them to provide feedback on not only decisions on how much RAM to have in a new server upgrade but which software solutions can not only solve the problem but ease and speed up the workflow.

An example would be surrounding a place to back up important documents to include policies and emergency procedures. If the decision was made at an executive level and told to be carried out by the IT department to simply create a server to store data where the files are manually copied by the user to this server, it could be done. If the IT department was brought in on the issue, likely a document repository solution like Microsoft Sharepoint would be recommended (perhaps in the cloud). This would not only allow for these documents to be ‘backed up’ to Sharepoint, they could live in Sharepoint and allow for multiple users to be making changes to the same document, keep version histories, be checked in and out for offline modifications and then even become embedded in an internal policy website for all employees to access.

Creating an environment in which a representative from IT is at the decision making table allows them to better set up the systems to support your business initiatives and allows them to offer solutions to problems that arise. It should no longer be categorized as the decaying term of utility but as the business enabler they are.