CIO

A CISO game plan for cloud security

As businesses increasingly migrate to the cloud, chief information security officers (CISOs) face numerous critical challenges in ensuring robust cloud security. Don’t believe me? Experts highlighted this at the recent Gartner Security & Risk Management Summit. Gartner projects a significant 24% increase in spending on cloud security, positioning it as the fastest-growing segment within the global security and risk management market.

Adapt, adjust, execute

The bottom line is that shifting to cloud computing necessitates fundamentally rethinking security. Organizations strive to integrate the cloud into standard business operations; however, this transition has more pitfalls than most CISOs understand. I’ve seen this in my research and my experience as a consultant for 20 years, cloud and prior.

Issues that have been present in traditional IT environments persist in the cloud, such as governance, misconfiguration, insecure supply chains and pipelines, data loss or exfiltration, and failures in secrets and key management. The cloud introduces unique risks, including limited visibility, dynamic attack surfaces, identity proliferation, and misunderstandings around shared responsibility, compliance, regulation, and sovereignty. And this is just the tip of the iceberg.

Most CISOs tell me they have yet to understand exactly what should change. Many feel misled by the cloud provider regarding the work required to secure their cloud deployments. I’ve written plenty of advice to the contrary, but it’s never a good idea to say “I told you so” to someone struggling, so we need to figure out how to do better.

The shared responsibility model

Many CISOs and security teams need clarification about the shared responsibility model used by major public cloud providers such as Amazon Web Services (AWS) and Microsoft Azure. This model delineates the security responsibilities of the cloud provider and the customer and is normally on the first slide of any cloud security presentation since 2008. Challenges often arise from assumptions related to technology and the extent of the cloud providers’ security obligations. Compliance, visibility of sensitive data, business continuity, and confusing service-level agreements (SLAs) become problems CISOs did not see coming.

As one CISO friend of mine said after 12 years of dealing with cloud security: “It was never about ‘shared responsibility,’ it was always all my responsibility, period.”

CISOs often encounter several key pitfalls in managing cloud security:

- Business lines have inadequately addressed security needs.
- The cloud is more complex than initially understood.
- Cloud strategy, architecture, or transformation initiatives often proceed without input from the CISO, who is then expected to make it all secure.
- Failure to collaborate with CIOs to integrate security into platform engineering and devops bottlenecks development pipelines with outdated security processes.
- Old security patterns are applied to new technologies.

No substitute for hard (boring) work

I recommend several strategies for navigating these challenges. Utilizing automated tools to manage cloud environment security is crucial. Automation is your friend. Moreover, establishing robust cloud security governance can help prioritize alerts and secure service edges. Running around in circles for every anomaly doesn’t scale, and the risk of being “the boy who cried wolf” will likely cause a breach.

Consolidating security efforts and working towards immutability are also essential best practices. Additionally, reskilling and upskilling the security workforce is critical to adapting to the evolving landscape of cloud security. Most breaches are caused by a lack of training and not a lack of technology. CISOs understand they can have the best cloud security technology available, but they can’t fix stupid. Misconfigurations are the primary cause of cloud breaches.

Of course, specific issues have to be addressed for your unique needs. CISOs often adopt good ideas from analysts and consulting firms that are the wrong fit for them. Cloud security is never a “one size fits all” solution, and it needs to be systemic to all systems, not installed during the last step of deployment. Enterprises often get into trouble because security is loosely coupled and thus ineffective.

I wish I had a magic formula to give CISOs looking for better cloud security, but it’s about doing things smartly and purposefully to win the game. People hate to hear that—it means more boring planning and research. But there is no substitute.

From static to adaptive: Scaling AI reasoning without the waste

Most systems that employ reasoning today rely on static reasoning: every input gets the same model, the same prompt and the same depth of reasoning, leading to inefficiency and wasted time and money. A trivial query might get over-processed, driving up cost and latency. A complex, high-stakes task might be underserved, leading to risky errors.

In my view, the next frontier in production-ready reasoning is adaptive reasoning: AI systems that allocate just the right amount of reasoning per input, balancing accuracy, cost and latency in real time. For CIOs, adaptive reasoning may be a new operating model for how enterprise AI systems should be designed, deployed and scaled.

What are reasoning language models (RLMs)?

Reasoning language models are language models that can generate a thinking process. They start with a question, produce reasoning steps and arrive at an answer. RLMs can move beyond simply mapping an input to an output; they can actively engage in a multi-step decision-making process.

Adobe makes Agent Orchestrator and AI agents generally available

Adobe today announced the general availability of Adobe Experience Platform (AEP) Agent Orchestrator and six AI agents for building, delivering, and optimizing customer experience and marketing campaigns. The company also announced the coming release of Experience Platform Agent Composer for customizing and configuring AI agents based on brand guidelines and organizational policy controls. “These agents allow customer experience teams to significantly up-level, by orders of magnitude, what they’re doing,” says Daniel Sheinberg, senior director of product and strategy for Adobe Experience Cloud. “Maybe you’re managing tens of customer journeys right now. You ought to be able to manage hundreds of journeys going forward.” Adobe previewed Agent Orchestrator and a number of agents at Adobe Summit in March. Agent Orchestrator leverages semantic understanding of enterprise data, content, and customer journeys to orchestrate AI agents purpose-built to deliver targeted, immersive experiences with built-in data governance and regulatory compliance. It’s intended to help customers manage agents from Adobe and across third-party ecosystems.

Salesforce Winter ’26 Release adds new features to Agentforce

One of the new AI features is Agentforce Grid, which Salesforce describes as a spreadsheet-like interface for chaining together CRM data, AI prompts, actions, and agents. It can be used to run bulk updates, generate insights, and test multi-turn AI conversations, enabling low-code experiments to accelerate development, the company said. There’s also an update to Agentforce for Service: IT Service, which offers Slack integration and an employee portal along with incident detection and root-cause analysis to accelerate IT operations. “This puts Salesforce head-on against ServiceNow in IT service management,” said Everest Group Practice Director AS Yamohiadeen. Forrester principal analyst Charlie Dai echoed that, saying, “Agentforce’s expansion into ITSM and centralized agent management directly challenges the core domain of ServiceNow.”

How AI will change the CIO role

“What you signed up for five years ago is not what the business expects of you today,” Jonathan Rickard told the NZ CIO Summit in Auckland. Rickard, chief technology officer Microsoft CX at Fusion5, says AI has pushed CIOs from back-office tech management into front-line strategic leadership. Their job is no longer about implementation alone but about steering digital transformation across the business. Today’s CIOs are now more involved in business areas such as innovation and revenue-generating initiatives. He says: “It’s no longer a matter of just keeping the lights on.”

CIO is an evolving role

More change is on the way with the CIO role becoming a people-focused, innovation-driven position. There is a strong emphasis on culture and measurable business outcomes. Rickard quoted research to support this view. Following this year’s Sydney CIO Summit, attendees were asked about their roles. Nearly half, 47 percent, say they focus on innovation and strategy. That’s double the number (23 percent) who said the same five years ago. The survey shows a majority of CIOs (85 percent) are involved in new revenue opportunities and a similar number (84 percent) say they have greater influence on business decisions.

For Rickard, AI is a general-purpose technology that changes everything. He says some skepticism is understandable; only recently CIOs were told they would be leading their businesses into the metaverse by now. Instead, he compares AI with the steam engine, the internet, and smartphones. Each of these began with hype, which led to a negative reaction before the technologies were accepted and broadly adopted.

Real gains from intensity of use

What made the difference in each case was the intensity of use. Companies that merely swapped out old tools for new ones saw modest gains. Those that embedded the technology deeply into their processes and business models reaped outsized rewards. Rickard says the same will apply to AI: the real benefits will go to organisations that use it imaginatively and pervasively, not just at the margins.

Troy Gerber, CTO conversational AI and Copilot at Fusion5, says: “In the next two years, 30 percent of our workforce will be digital agents. They’re not going to be replacing people. They’ll be working alongside people.” Gerber says CIOs will be responsible for integrating these digital agents into the workforce and ensuring they work alongside human employees.

Pressure as expectations increase

This will bring pressure as businesses will expect their AI investments to increase productivity. “The target is to gain two hours per employee every week. It will fall on CIOs to ensure the AI tools are not just implemented, but that they realise the expected gains.” In addition to dealing with digital employees, he says CIOs will also be asked to help build the talented culture within organisations that is ready and able to leverage the AI technologies as they are rolled out. The responsibility that once resided in an HR department will shift to the CIO.

CIOs are widely expected to take ownership of innovation within a business. Gerber says the way this works will change. In the past, CIOs rolled out tools and applied guardrails in an orderly process. Now, innovation bubbles up from staff. In many cases, they might adopt consumer-style AI tools (such as ChatGPT) first before looking for support.

Responsive to employee demands

Gerber says the CIO role here will be to respond to demand from employees and shape secure, scalable platforms around it. This happened in the past with mobile phones. At first, they were telco or phone manufacturer-controlled. Then the smartphone arrived, and we shifted to the app-store-driven model. AI is going through the same change.

These changes are not abstract. Gerber says Fusion5 is going through the process in its own business. “We think of ourselves as a frontier firm: We live that every day, and we take it to our customers.

“Everyone in our organisation has to be AI literate. It’s mandatory. Staff have to go to our monthly AI training. We had a staff meeting last week where we showed a slide featuring our new joiners, and then we had a slide showing the new AI agents that had joined our organisation.”

He says there were eight of them, and they were featured because they are integral to the business. “We don’t bolt AI onto our solutions; it is part of our strategy.” By showing staff the newcomers, they are able to see where they can be used in the company’s workflow.

Leading teams that mix humans and AI agents requires new leadership styles. That means listening, asking questions, and encouraging participation, not traditional command-and-control. Gerber likes to quote Nvidia CEO Jensen Huang, who says success comes from strategic vision with executional discipline. “Success in the AI era belongs to those who can match strategic vision with executional discipline.”

Swiss launch open source AI model as “ethical” alternative to big US LLMs

Need for speed

Despite the ethical appeal of Apertus, it will still need to compete with rivals in terms of AI inference. The notion that organizations needed to go to large closed-source LLM makers to get this was mistaken, according to Antoine Bosselut, assistant professor at École Polytechnique Fédérale de Lausanne (EPFL), which also collaborated on the Swiss LLM.

“Over the last few years, we heard this narrative that commercial LLM providers were light years ahead of anything that anybody else could create. What I hope we’ve shown here today is that that’s not necessarily the case and that this gap is far less wide than we had imagined,” he said in a promotional video.

“Apertus demonstrates that generative AI can be both powerful and open,” said Bosselut. “The release of Apertus is not a final step, rather it’s the beginning of a journey, a long-term commitment to open, trustworthy, and sovereign AI foundations, for the public good worldwide.”

Fixing the broken AI governance playbook

That’s where risk-informed governance comes in. Think of it as your GPS for responsible AI implementation. Responsible AI isn’t just another buzzword to throw around in board meetings. It represents a systematic approach to identifying, measuring and managing AI risks before they explode into crises. Implementation Maturity measures how well your organization executes these principles in practice, not just on paper.

This framework rests on four pillars: risk assessment, governance structures, implementation methods and global harmonization. Each builds on the previous one, creating a system that actually works.

Risk taxonomy and assessment architecture

Risk assessment starts with brutal honesty about what can go wrong. Technical risks hit first. Your model drifts from its original parameters. What worked last month fails today. Data quality degrades, introducing biases you never anticipated. Adversaries probe your system’s weaknesses, identifying vulnerabilities that your team may have missed. Track these through concrete metrics, such as model drift rates, bias detection scores and incident frequency of security breaches. Numbers don’t lie, even when stakeholders want them to.

The rise of the agentic economy: How autonomous AI is reshaping the future of work

The future of work is not just about automation; it’s about autonomy. We’re on the cusp of a revolutionary shift, moving beyond simple tools and algorithms to an era where intelligent, self-directed AI agents will play an increasingly prominent role in our economy. This is the agentic economy, and it’s poised to redefine everything from job roles to business models.

At its core, the agentic economy describes a system where AI agents are not just executing pre-programmed commands but are capable of:

- Understanding complex goals: They can interpret high-level objectives rather than just specific instructions.
- Planning and executing multi-step tasks: Breaking down a goal into sub-tasks and carrying them out independently.
- Learning and adapting: Improving their performance over time based on feedback and new information.
- Interacting with other agents and humans: Collaborating and communicating to achieve shared objectives.
- Initiating work: Proactively identifying opportunities or needs and taking action without direct human prompting.

Think of it this way: instead of using a spell-checker (a tool), a marketer might soon deploy a “content agent” that researches a topic, drafts a blog post, optimizes it for SEO, and even schedules its publication, all with minimal human oversight.

9 cloud strategy questions every IT leader must answer

Should our cloud-first strategy be cloud-only?

In short, no, says Mohan of TCS. Today’s organizations may find that hybrid or distributed cloud designs may make sense in situations with complex business, security, regulatory, or operational spending requirements. It’s about the right workload placement.

AI is also having an impact on these decisions. “Traditionally, enterprises pulled data to a centralized location for orchestration, production, and deriving value,” says Mohan. “With AI now being applied to wherever the data resides across the IT estate, organizations can drive more impactful edge use cases and outcomes.”

As such, CIOs’ cloud strategies should consider hybrid and edge solutions. “With AI and cloud working together, CIOs can balance out their return on investment, since edge cloud reduces latency, improves reliability, lowers data transfer, and enables real-time decision-making, directly improving customer experience and ROI,” Mohan says.

What happens if we need to move to a different service or provider?

“In a time of rapid change and massive uncertainty it is critical for technology leaders to avoid technology dead ends. Sadly, it is hard to predict the form of those dead ends,” says Nickolaisen. “Anything in our world may be a barrier to agility — that includes cloud architecture and decisions.”
