Information Week

How Conflict with China Might Play Out in the Cyber Realm

Earlier this year, China-linked threat group Salt Typhoon allegedly breached major telecommunications companies, potentially gaining access to US wiretap systems. The full scope of the breach remains unknown, and the hackers are potentially still lurking in telecommunications networks.

This breach is hardly the first time a group associated with China targeted critical infrastructure in the US. Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), and Christopher Wray, director of the FBI, have both been vocal about the threat China poses to US critical infrastructure. In a 2024 opening statement before the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party, Easterly said, “Specifically, Chinese cyber actors, including a group known as ‘Volt Typhoon,’ are burrowing deep into our critical infrastructure to be ready to launch destructive cyber-attacks in the event of a major crisis or conflict with the United States.”

In April, Wray brought up this concern at the Vanderbilt Summit on Modern Conflict and Emerging Threats. “The fact is, the PRC’s targeting of our critical infrastructure is both broad and unrelenting.”

At the Cyberwarcon conference, Morgan Adamski, executive director of US Cyber Command, chimed in with a warning about how China’s position in critical infrastructure could cause disruptive cyberattacks if the two countries enter into a major conflict, Reuters reports.

If conflict does erupt between China and the US, what could disruptive cyberattacks on critical infrastructure look like? What can the government and critical infrastructure leaders do to prepare?

The Possibility of Disruptive Cyberattacks

The US has 16 critical infrastructure sectors.
“All of them are called critical because they would impact society to some degree were they to be taken offline,” says Eric Knapp, CTO of OT for OPSWAT, a company focused on critical infrastructure cybersecurity. “And they’re all susceptible to cyberattack to some degree.”

Telecommunications and power could be prime targets for China in a conflict. “Back from the dawn of time when people would go to war, you would try to eliminate your opponent’s ability to communicate and their ability to power their systems,” says Knapp.

But other sectors, such as water, health care, food, and financial services, could be targeted as well.

“The intent of these kind of operations may be to provide a distraction in order to … slow down a US response, if there was to be one, in any sort of conflict involving Taiwan,” says Rafe Pilling, director of threat intelligence for the counter threat unit at cybersecurity company Secureworks.

While it is uncertain exactly how these attacks would play out, there are real-world examples of how adversaries can attack critical infrastructure to their advantage. “Unfortunately, there’s a roadmap that we can look at that’s happening in the real world right now in the Russia-Ukraine conflict,” says Knapp. Leading up to and following Russia’s invasion of Ukraine, Russia executed many cyberattacks on Ukrainian critical infrastructure, including its power grid.

If China were to use its positioning in US critical infrastructure to carry out similarly disruptive attacks, it would be dealing with very distributed systems. It would be very unlikely to see something like a nationwide power outage, Knapp tells InformationWeek.

“What you’d likely see is a cascade of smaller localized disruptions,” says Pilling.

Those disruptions could still be very impactful, potentially causing chaos, physical harm, death, and financial loss. But they would not last forever.
“Many of these sectors, for reasons completely unrelated to cyberattacks, are used to being able to resolve issues, work around problems, and get services up and running quickly,” says Pilling. “Resiliency and quick restoration of services, particularly in the energy sector, [are] an important part of their day-to-day planning.”

Threat Actors

Salt Typhoon and Volt Typhoon are two widely recognized Chinese cyber threat groups that target US critical infrastructure.

“All [of] these different Chinese threat actor groups, they have different motivations, different goals, different countries that they’re attacking,” says Jonathan Braley, director of threat intelligence at nonprofit Information Technology-Information Sharing and Analysis Center (IT-ISAC).

In addition to pre-positioning for disruptive cyberattacks, motivations could also include intellectual property theft and espionage.

While Salt Typhoon is the suspected culprit behind the major breach in the US telecommunications sector, it actively targets victims in other sectors as well. For example, the group reportedly targeted hotels and government, according to FortiGuard Labs.

“Targeting hotels and targeting telcos is often to get information about people’s movements and what they’ve been saying to each other and who they’ve been communicating with. So, it’s part of a collection for a wider intelligence picture,” says Pilling.

Volt Typhoon has targeted systems in several critical infrastructure sectors, including communications, energy, transportation, and water, according to CISA.

“They combine a number of tactics that make them quite stealthy,” says Pilling. For example, Volt Typhoon makes use of living-off-the-land techniques and will move laterally through networks. It often gains initial access via known or zero-day vulnerabilities.
“In some cases, they would use malware but for the vast majority of cases … they were using built-in tools and things that were already deployed on the network to achieve their aims of maintained persistence in those networks,” Pilling shares.

Salt Typhoon and Volt Typhoon are just two groups out of many China-backed threat actors. IT-ISAC has adversary playbooks for threat actors across many different countries of origin.

“We have about 50 different playbooks for different Chinese nation state actors, which is a lot,” Braley tells InformationWeek. “I think if we look at other countries there might be a dozen or so.”

While China-linked threat groups pose a risk to critical infrastructure, they are not alone.

“As we approach various global conflicts, we need to be prepared that not only we’re going to have these nation states coming out, [but] we also [have] to watch some of these hacktivist groups that


FTC to Ban Firms From Selling Sensitive Location Data

The Federal Trade Commission (FTC) on Tuesday announced action against Gravy Analytics and Venntel Inc. and a separate action against Mobilewalla that would ban the companies from selling sensitive location data.

The FTC’s complaint against the companies alleges Virginia-based Gravy Analytics and its subsidiary Venntel violated the FTC Act by unfairly selling sensitive consumer location data, and by collecting and using consumers’ location data without consent for commercial and government uses. Gravy Analytics, the complaint says, also sold health and medical decisions, political activities, and religious views collected from location data.

In the case of Georgia-based Mobilewalla, the FTC alleges the company collected more than 500 million unique consumer advertising identifiers paired with precise location data between January 2018 and June 2020. The company sold the raw data to third parties, including advertisers, data brokers, and analytics firms, the FTC says.

In a statement, FTC Chair Lina Khan said, “Persistent tracking by data brokers can put millions of Americans at risk, exposing the precise locations where service members are stationed or which medical treatments someone is seeking. Mobilewalla exploited vulnerabilities in digital ad markets to harvest this data at a stunning scale.”

In a message to InformationWeek, Mobilewalla CEO Anindya Datta pushed back on the FTC’s case, but accepted the results. “Mobilewalla respects consumer privacy and has been evolving our privacy protections throughout our history as a company,” he says. “While we disagree with many of the FTC’s allegations and implications that Mobilewalla tracks and targets individuals based on sensitive categories, we are satisfied that the resolution will allow us to continue providing valuable insights to businesses in a manner that respects and protects consumer privacy.”

The FTC had strong words for the companies’ practices.
“Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “This is the FTC’s fourth action taken this year challenging the sale of sensitive location data, and it’s past time for the industry to get serious about protecting Americans’ privacy.”

The FTC also alleged Gravy Analytics and Venntel obtained consumer location information from other data suppliers and claimed to collect, process, and curate more than 17 billion signals from a billion mobile devices daily. The complaint also alleges Gravy Analytics used geofencing to create a virtual geographical boundary to identify and sell lists of consumers who attended certain events related to medical conditions and places of worship. The unauthorized data brokering put consumers at risk of stigma, discrimination, violence, and other harms, according to the complaint.

“You may not know a lot about Gravy Analytics, but Gravy Analytics may know a lot about you,” reads a joint statement by FTC commissioners Alvaro M. Bedoya, Rebecca Kelly Slaughter, Melissa Holyoak, and Khan.

Gravy Analytics merged with Unacast last year. The company’s website says it offers “location intelligence for every business.” Mobilewalla’s website says its products “make your AI smarter with high-quality, privacy compliant consumer data and predictive feature …”

InformationWeek has reached out to Gravy Analytics and Mobilewalla for comment and will update with any response.


How to Prep for AI Regulation and AI Risk in 2025

Regulators across the world are in a helter-skelter scramble to get a hold on AI — but what, and whom exactly, are they trying to regulate? A patchwork of laws and guidelines is emerging. While some aim at the LLM developers, others target AI users. Some focus on data governance, others on issues related to safety, labor, or property rights. Some are focused on IT automation, while others look ahead to artificial general intelligence. How should CIOs and CISOs plan for this new landscape?

Forrester principal analyst Enza Iannopollo will discuss this in greater detail at the 2024 Forrester Security and Risk Summit Dec. 9 – 11 in Baltimore and online in a session called “A Fun (Yes Really) Crash Course in AI Regs and Frameworks.” She gave InformationWeek a preview.


How to Channel a ‘World’s Fair’ Culture to Engage IT Talent

I’ve led organizations at every stage of growth, encountering unique challenges and opportunities at each step. The backbone of any successful venture has always been a cohesive team pursuing a mission that matters, and a perpetual dissatisfaction with the status quo.

As I connect with tech business peers and IT leaders, they frequently remark on how difficult it is to foster a healthy and resilient team culture. Burnout is at an all-time high, industry competition demands constant innovation, and it can be hard to build team connections that fuel fulfillment and a shared purpose.

I’m happy to share my lessons learned — which have culminated in a “World’s Fair” mentality at my current company, GrowthLoop — to help them attract and nurture the best talent.

The Challenges of Hiring Tech and IT Talent

The job market for top tech talent is extraordinarily competitive. Hiring teams cannot give every applicant the attention they deserve, and hiring managers face tough tradeoffs between selecting seasoned professionals or highly skilled newcomers.

When we hire, we focus on finding candidates who are eager to work on the cutting edge of technology. We look for team members who believe in our mission and want to push boundaries. In return, we invest in ongoing learning opportunities instead of “perks” like cold brew on tap and catered lunches.

It’s easy to get lost in the shiny offerings at some companies, but these freebies rarely lead to lasting happiness and fulfillment. That’s why it’s crucial to ensure every job description and interaction with a new candidate promotes the long-term professional development and career growth opportunities you provide.

Attracting a Diverse Talent Pool

Selecting the ideal candidates requires focused attention at each step in the recruitment and hiring processes, including your job location, listing language, and interview strategy.
Avoid being confined to only in-person office work. Remote and hybrid setups open the door for a wide range of individuals who deserve consideration regardless of their location.
Use inclusive language in job descriptions. Our recruiting team has gone through bias training to put this into practice, which has helped increase our candidate pool diversity by over 30%.
Conduct a detailed technical skills audit and soft skills evaluation with cross-functional team members during the interview process.

Fostering a “World’s Fair” Culture

Hiring the right talent is one thing. You then need to build a culture that allows them to thrive. We want every member of our team to:

Know – Be educated on what’s happening and how they can shape the company.
Feel – Be invigorated by celebratory actions and constant collaboration.
Do – Be empowered to help achieve our goals.

We accomplish this by championing a “World’s Fair” mentality, a concept inspired by Chicago — the hometown of our co-founder (and perhaps Chicago’s biggest fan), Chris Sell. If you’re unfamiliar, Chicago was home to the 1893 World’s Fair, which showcased 50,000 architectural exhibits from around the world. It celebrated groundbreaking ideas and iconic designs, drawing international acclaim.

We’ve channeled the fair’s principles to guide our culture of collaboration and innovation. There are several ways we do this:

AMAs: Every member of our senior leadership participates in Ask Me Anything (AMA) sessions to allow employees across the company to ask questions directly and learn more about each leader’s passions, skills, and vision for the future.
Cross-team sharing: We dedicate time weekly for every team to celebrate their wins, discuss challenges, and brainstorm how they can move forward with everyone behind them.
Monthly town halls: We host a monthly town hall meeting where anyone can ask tough or “spicy” questions that move us forward.
Peer recognition: Team members express gratitude and give their colleagues shout-outs. These are real, personal acknowledgments of hard work and collaboration. They drive our success and are something I look forward to every week.
Quarterly hackathons: Every quarter, we take a week to work in cohorts and focus on new and innovative ideas. These have been so valuable to the company — in fact, many of our best product features have come out of these hackathons.

Each of these activities helps people feel heard and empowered to do the best work of their lives.

The Rewards of a Diverse and Collaborative Culture

A successful business relies on diverse viewpoints. Diversity and the broad perspectives that come with it will reduce groupthink and fuel creativity that ultimately drives better business outcomes.

When people are motivated and feel safe to lend different perspectives and problem-solving approaches, they find solutions faster and unlock innovation. Encourage collaboration and idea-sharing at every level to nurture this culture. Executives should work alongside the team, guide them through challenges, and take their feedback to heart.

And last but not least, daily efforts and consistency are vital for helping this culture flourish. By doing so, you can continue to attract the best talent who will help you grow and stay resilient no matter what challenges you face.


Are You Ready for the Attack of the Copper Thieves?

Just when IT managers thought they had accounted for and addressed all possible threats to the health and well-being of their network sites, an unforeseen challenge has emerged: the rise in copper thieves who turn copper lines into gold.

The cash-for-copper phenomenon is not new, but it has evolved into a nationwide problem, resulting in knocked-out lights, interrupted traffic, countless downed websites, and transportation nightmares. In some cases, crimes are committed by drug addicts looking to get some quick cash. In other cases, crimes are committed by organized groups or opportunistic thieves, such as employees of businesses that work with metal.

Ohio ranks first among the top five states with the most insurance claims for metal thefts, followed by Texas, Georgia, California, and North Carolina. Utilities will pass increased insurance costs to businesses and consumers. The U.S. Department of Energy has estimated that metal theft costs U.S. businesses around $1 billion a year.

From January 1, 2010, through December 31, 2012, National Insurance Crime Bureau (NICB) analysts identified 33,775 insurance claims for the theft of copper, bronze, brass, or aluminum—32,568 of them (96 percent) for copper alone. This shows a 36 percent increase in claims when compared with the 25,083 claims reported between January 1, 2009, and December 31, 2011.

Cash-for-copper thieves have expanded their mainstay powerline targets to include harvesting the metal from ground and roof-mounted HVAC units and systems, raising concerns among telecom service providers that disrupting cooling could cause challenges to switching systems, data centers, and POPs without adequate backup systems. Most communications service providers offer service-level agreements (SLAs) under which businesses are promised a certain amount of uptime and a mean time to repair problems, which, if unmet, can result in financial compensation or cancellation of the contract.
How Copper Thieves Disrupt Critical Infrastructure

The FBI reports that electrical substations, cell towers, telephone landlines, railroads, construction sites, and vacant homes are all targets. This can disrupt electricity, telecommunications, transportation, water supply, heating, security, and emergency systems. Network service resiliency is at risk. Examples of the scope of the disruptions abound, including:

Washington State: Copper thefts near Seattle-Tacoma International Airport disabled the approach lighting for one of the airport’s runways. Thieves are also stealing copper-based EV charging cords. Lumen, a global communications service provider, has already shelled out $500,000 due to copper thefts in 2024 in Washington alone.
California: In late August, 82 suspects were arrested after tens of thousands of pounds of copper were recovered as part of a crackdown by Los Angeles police and staff on thieves.
Mississippi: Five tornado warning sirens didn’t alert residents of impending storms because their copper wires had been stolen, according to a blog by Ooma.
Texas: Metal thieves stole over $10,000 of copper from the Garland, Texas, area before being pursued and arrested by police.
Virginia: After a spike of copper thefts from copper-carrying trucks traveling along Virginia highways, state authorities in Virginia, working with National Insurance Crime Bureau (NICB) special agents, arrested a man at the center of the thefts.

A spike in copper cable thefts in recent months has left AT&T customers in South Dallas, Texas, without phone and internet service on more than a few occasions.

Telcos React to Copper Thieves

AT&T is collaborating with local officials and the police in the Dallas area. The company offered residents a $10,000 reward for information leading to an arrest and conviction in connection with copper cable thefts. Smaller carriers in less densely populated areas, such as Kinetic, have also offered a $10,000 reward.
Although notifying law enforcement and your service provider(s) when hit by a loss of power to parts of your business seems like a normal reaction, IT managers may want to consider problem prevention. Beset by copper-for-cash attacks, an industry coalition put together a list of tips to thwart these metal thieves. It is summed up below.

To prevent copper thieves from carrying out their mischief, consider taking the following steps:

Develop a security plan for your business that identifies vulnerabilities. Ask your local law enforcement professionals to assist you with this process.
Deny access by adding fences and gates to contain this private property. Ask your local law enforcement for help in enforcing the law on private property.
Add security lighting to areas where thieves and other criminals may hide.
Deny access to your roof-mounted HVAC units by removing fixed ladders (do not remove fire escapes) and other step-ups, including tree branches.
Consider the use of steel cages to enclose your AC units. The heavier the gauge of steel, the longer it will take to cut. For example, 10–12-gauge steel can take one to two hours to cut. Avoid standard chain link fencing as it can be cut quickly.
Use security cameras, but they must be properly protected, installed, and monitored.
Use alarms mounted to your HVAC units. If the unit is tampered with, including cutting of refrigerant and power lines, an alarm will sound.

A Final Word on Copper Thieves and Net Resiliency

Although law enforcement entities are cracking down on copper thefts, it remains a growing problem across the nation. Hopefully, with enhanced awareness and preventative measures, organizations can sidestep business interruption.


What You Can Do About Software Supply Chain Security

Truly secure software supply chains require the IT industry to do much more than stitch together a patchwork of SBOMs — as speakers at this week’s Forrester Security and Risk Summit will discuss. Yet, what role do software bills of materials play today, and what else must CISOs, software developers, regulators, and others do to avoid widespread security incidents?

Janet Worthington, Forrester principal analyst, gave InformationWeek a preview of her keynote panel session, “From Fragile to Agile: Reimagining Software Supply Chain Security,” taking place both live in Baltimore and online Wednesday, Dec. 11. Worthington will be joined by Rosa Underwood, acting Senior Cybersecurity Advisor for the U.S. General Services Administration; Cassie Crossley, Vice President, Supply Chain Security in the Global Cybersecurity & Product Security Office, of Schneider Electric; and Dr. Allan Friedman, Senior Advisor and Strategist of the Cybersecurity and Infrastructure Security Agency (CISA).


Why SOC Roles Need to Evolve to Attract a New Generation

COMMENTARY

When I began my career, the security operations center (SOC) analyst role seemed like an exciting entry point into a promising career. And for me, it was. However, the job is increasingly perceived as thankless and high-stress, filled with repetitive tasks, high stakes, and limited opportunities for professional growth.

High turnover and talent shortages are common, so if businesses want to retain skilled analysts and appeal to the next generation of talent, the SOC role needs a serious rebrand.

Why SOC Roles Are Losing Their Appeal

I won’t sugarcoat it: The SOC Tier I analyst role is incredibly challenging. In a typical day, analysts receive thousands of alerts, many of which are false positives.

This constant flood of data leaves analysts struggling to sift through the noise and focus on real threats, a task that demands both accuracy and a clear rationale for every action taken. Dismissing an alert too quickly risks missing a critical event, while escalating a low-risk alert could divert resources away from more urgent priorities. This pressure, coupled with the fear of making mistakes that could affect the team or your own credibility, often leads to burnout. The pressure, the sheer volume of alerts, and the feeling of always being under scrutiny make this role uniquely taxing.

Another significant issue I’ve encountered is the lack of growth opportunities. With so much time dedicated to the constant alerts, analysts rarely have time to develop new skills. Despite the extensive training and certifications many analysts bring, they’re often stuck with monotonous tasks like reviewing phishing emails, limiting exposure to broader infrastructure or skills required for senior roles.

This lack of growth and evolution leads to disengagement and, eventually, many talented analysts leave the role entirely.
Leveraging AI and Career Development to Transform SOC Jobs

The key to transforming the status quo for SOC analysts lies in reimagining these positions to make them more dynamic, rewarding, and sustainable.

One solution is thoughtfully integrating AI to enhance — not replace — human expertise. By doing so, organizations can:

Automatically resolve false positives, allowing SOC analysts to focus on more critical, actionable alerts.
Automate repetitive, time-consuming tasks, like threat intelligence enrichment, false positive filtering, and alert triage prioritization.
Provide 24/7 monitoring to alleviate the strain of on-call shifts and cover gaps by allowing AI to investigate and escalate alerts.
Triage the flood of alerts to surface only the most critical and relevant issues, empowering SOC analysts to proactively threat hunt rather than only react to alerts.

These applications of AI not only reduce the workload but help prevent human error, which is more likely when analysts are overwhelmed by large volumes of data.

But AI alone doesn’t fix everything. While AI can free up analysts’ time by automating many entry-level tasks, businesses must then provide the appropriate structure and growth opportunities to align with these changes.

To help SOC analysts grow and avoid stagnation, while also providing the necessary support, businesses should do the following:

Provide mentorship opportunities after taking steps to ensure senior analysts aren’t bogged down with the same repetitive tasks as junior analysts. In many cases I found that no one on the team had bandwidth for anything beyond alert response.
Invest in training and upskilling so analysts can perform more sophisticated tasks and advance in their careers rather than becoming pigeonholed in low-level tasks.
Implement regular evaluations to assess the well-being and development needs of SOC analysts.
These evaluations are commonplace in the public sector, but I’ve rarely encountered them in the corporate world.
Foster a culture of continuous improvement throughout the organization, empowering all team members to seek out new skills and opportunities.
Secure a permanent seat for security in strategic decision-making. SOC teams are often seen as blockers and are typically the last to learn about key business changes. By integrating security early, security teams can influence strategies, ensuring that protocols are built in from the start and reducing future risks.

Investing in Tools, Training, and the Future of SOC Roles

Budget constraints and organizational inertia often prevent companies from investing in the tools and training needed to make analyst roles more meaningful and sustainable.

However, the cost of not investing is far greater — high turnover leads to gaps in security coverage, increased vulnerability to cyberattacks, lost institutional knowledge, and longer incident response times. Plus, finding, hiring, and training replacements only consumes more time and resources.

The solution lies in rethinking the SOC analyst role — embracing AI to reduce stress and improve efficiency while providing better support and growth opportunities. Forward-thinking businesses that face these challenges head-on will be better equipped with the highly skilled, motivated analysts ready to tackle the threats of the future.

I want to see SOC analysts succeed. These days, I love that I’m able to help SOC analysts as a solutions engineer, working with them to implement and adopt tools to alleviate the stress and alert fatigue that can come from working in a SOC.

Companies that fail to address these issues risk losing not only their analysts but also their security edge against attackers.


Let's Revisit Quality Assurance

Today’s IT departments have an amalgamation of DevOps, Waterfall, artificial intelligence, and OS/new release software, so quality assurance must be able to test and to verify the “goodness” of all these variegated systems. Yet, those of us who have led IT departments know that the QA function is habitually under-appreciated.

Understanding that QA must broaden its reach to test such a broad spectrum of different systems, vendors have rolled out QA tools like the automated execution of test scripts that QA designs.

This has generated a steady market in QA testing software, which Global Market Insights pinpointed at $51.8 billion in 2023, with a projected CAGR (compound annual growth rate) of 7% between 2024 and 2032.

What IT departments should do now is strategize how a limited QA staff can best use these tools, while also developing the knowledge base and reach allowing them to cover the broad array of new applications and systems that QA is being asked to test.

Performing QA With No ‘Single Pane of Glass’

If you are in system programming or network support, you know that there are over-arching software solutions that boast “single pane of glass” visibility. These systems provide an overall architecture that enables you to unify visibility of all of the different tools and functions that you have on a single screen. Not all IT departments invest in these expensive software architectures, but at least they do exist.

That isn’t the case for quality assurance.

In QA, the “test bench” is a hodgepodge of different tools and techniques spread out on a general tool bench. When a staffer performs QA, they pick whatever tools they choose to use from this tool bench based upon the type of application they are being called upon to test.
If the application area to be tested is DevOps, QA is an iterative “never done” function that might use some test automation for workflow execution, but that also requires a high amount of collaboration between QA, development and end users until everyone arrives at a consensus that the application is production ready.

In the AI environment, testing is also iterative and never finished. You work with development and user area subject matter experts to achieve the gold standard of 95% accuracy with what subject matter experts would conclude. Then you must periodically reaffirm accuracy because business conditions constantly change, and accuracy levels could fall.

If the application is waterfall, it routes through the traditional path of development, unit test, integration test, regression test, deploy.

If the system is a new database or operating or infrastructure system release from a vendor, the new release is first simulated in a test environment, where it is tested and debugged. The new release gets installed into production when all testing issues in the simulated environment are resolved.

Each of these test scenarios requires a different mental approach to QA and a different set of tools.

Make QA a Strategic Function and Elevate Its Standing?

Test tool provider Hatica has stated, “In the past, QA engineers were primarily focused on testing — finding bugs and ensuring that the product worked as intended before it was released to users. However, this reactive approach to quality is no longer enough in today’s environment. Before long, QA engineers will shift from being testers at the end of the process to quality strategists who are involved from the very beginning.”

In Agile and DevOps development, there already is an emerging trend for QA that confirms this.
QA is engaged immediately in Agile and DevOps work teams, and the QA team provides as much input into the end-to-end DevOps/Agile process as development and end users do. As IT departments move more work to Agile and DevOps, QA’s role as a front-end strategist will expand.

However, in waterfall and new infrastructure release deployments, QA’s role is more back-end and traditional. It performs “end of the line” checkouts and is often not engaged in the initial stages of development. AI also presents a QA challenge, because a separate data science or subject matter expert group might do most of the system development and checkout, so QA’s role is minimized.

The Best Approach to QA

Thanks to the Agile/DevOps movement, QA now sees a more forward-thinking and strategic role. Yet at the same time, applications in the AI, waterfall and infrastructure areas engage QA as more of a back-end function.

QA is also hamstrung by the lack of a single architecture for its tools, and by the brutal fact that most of the staff in QA departments are new hires or junior personnel. These individuals quickly apply for transfers into application development, database or systems work, because they see those as the only viable options for advancing their IT careers.

Understanding these realities, CIOs can do three things:

1. Move QA into a more strategic position in all forms of application development. Like the IT help desk, QA has a long institutional memory of the common flaws in IT applications. If QA is engaged early in application development processes, it can raise awareness of these common flaws so they can be addressed up front in design.

Accept as well that most QA staff members will want to move on to become developers or IT technical specialists and will use QA as a grooming ground. To this end, the more QA is engaged early in application planning and development, the more IT software knowledge QA staff will gain.
This can prepare them for development or systems careers, if they choose to take those routes later.

2. Ensure that QA staff are properly trained on QA tools. There is no “uber architecture” for the broad assortment of tools QA uses, so personalized training is key.

3. Foster collaboration. In the Agile/DevOps environment, there is active collaboration between QA, development and end users. In AI development, CIOs can foster greater QA collaboration
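The AI testing loop the article describes (certify the system against what subject matter experts would conclude, then periodically reaffirm that accuracy) can be turned into a repeatable QA step. The following is an added example, not code from the article or from any vendor it mentions. The 95% bar is the article’s figure; the gold set of SME-labelled triage decisions, the two model runs and the 3-point drift tolerance are constructed and assumed here so the script runs offline.

```python
"""Acceptance gate plus periodic re-check for an AI classifier, as a QA test step.

Added example, not code from the InformationWeek article. The 95% bar is the
article's "gold standard"; the gold set (SME-labelled triage decisions), the two
model runs and the 3-point drift tolerance are constructed/assumed here so the
script runs offline.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Sequence, Tuple

# Exact rationals, so 19/20 is compared against 95/100 without float rounding.
ACCURACY_THRESHOLD = Fraction(95, 100)
DRIFT_TOLERANCE = Fraction(3, 100)       # assumed: slide allowed before a re-test is forced


@dataclass(frozen=True)
class GateResult:
    accuracy: Fraction
    passed: bool
    # (index, expected, predicted) for every disagreement, so a reviewer can
    # hand the misses back to the subject matter experts.
    disagreements: Tuple[Tuple[int, str, str], ...]


def accuracy_gate(expected: Sequence[str], predicted: Sequence[str],
                  threshold: Fraction = ACCURACY_THRESHOLD) -> GateResult:
    """Score model output against SME gold labels and decide pass/fail."""
    if len(expected) != len(predicted):
        raise ValueError("gold labels and predictions must line up one-to-one")
    if not expected:
        raise ValueError("an empty gold set certifies nothing")
    misses = tuple((i, e, p) for i, (e, p) in enumerate(zip(expected, predicted)) if e != p)
    acc = Fraction(len(expected) - len(misses), len(expected))
    return GateResult(accuracy=acc, passed=acc >= threshold, disagreements=misses)


def needs_revalidation(baseline: GateResult, current: GateResult,
                       tolerance: Fraction = DRIFT_TOLERANCE) -> bool:
    """True when a later run has slid far enough from the certified baseline,
    or under the bar outright, that the model must go back through the gate."""
    return (baseline.accuracy - current.accuracy) > tolerance or not current.passed


# Constructed sample data: 20 SME-labelled transaction triage decisions.
GOLD = ["fraud", "benign", "benign", "review", "fraud", "benign", "benign", "benign", "review", "fraud",
        "benign", "benign", "fraud", "review", "benign", "benign", "fraud", "benign", "review", "benign"]
# Certification run: one disagreement (index 3), 19/20 = 95%, passes.
FIRST_RUN = list(GOLD)
FIRST_RUN[3] = "benign"
# A later run after business conditions changed: three fraud cases now slip through, 17/20 = 85%.
LATER_RUN = list(GOLD)
for i in (0, 9, 16):
    LATER_RUN[i] = "benign"


def run_demo() -> dict:
    """Certify on the first run, then re-check the later one; returns plain values."""
    first = accuracy_gate(GOLD, FIRST_RUN)
    later = accuracy_gate(GOLD, LATER_RUN)
    return {
        "certified": first.passed,
        "certified_accuracy": float(first.accuracy),
        "later_accuracy": float(later.accuracy),
        "later_passed": later.passed,
        "revalidate": needs_revalidation(first, later),
        "misses_for_smes": [f"#{i}: expected {e}, got {p}" for i, e, p in later.disagreements],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The gate returns the disagreements rather than only a score, because the article’s point is that AI QA is collaborative: the misses are what QA takes back to the subject matter experts, and the drift check is what turns “periodically reaffirm accuracy” into a scheduled job rather than a good intention.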

Let's Revisit Quality Assurance Read More »

CFPB Presses Forward with Rule to Wrangle Data Brokers

The Consumer Financial Protection Bureau (CFPB) on Tuesday signaled it would move ahead with a plan to expand the Fair Credit Reporting Act (FCRA) to cover data brokers, which would limit companies’ ability to sell sensitive personal information. The rule would use FCRA to police the sale of financial data and credit scores, Social Security numbers, addresses, and phone numbers. CFPB says the protections are especially important with the rise of artificial intelligence.

“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” Rohit Chopra, CFPB’s director, said in a statement. “The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”

But the plan could hinge on President-elect Donald Trump’s cost-cutting measures. Trump tapped Elon Musk and entrepreneur Vivek Ramaswamy to lead the Department of Government Efficiency with the goal of cutting “waste and fraud.” Musk directly attacked the CFPB last week on X (formerly Twitter), calling for action to “Delete CFPB,” adding, “There are too many duplicative regulatory agencies.”

The data broker industry is a big business with a massive lobbying spend, doling out $143 million on lobbying from 2020 to 2022, according to research from data privacy firm Incogni. The CFPB’s budget reached $729 million in 2024 with a total of 1,758 employees. The agency, which was the brainchild of US Sen. Elizabeth Warren (D-MA), boasts $19.6 billion in consumer relief since its inception in 2011.

Adopted in 1970, FCRA was a landmark piece of legislation aimed at protecting consumer privacy, initially focused on financial institutions. The proposed rule would broaden the law to include data brokers, holding them to the same standards that already apply to consumer reporting agencies like Equifax, Experian, and TransUnion.
The new rule would apply to data brokers obtaining personal data relating to credit and financial assessment, requiring them to demonstrate a “permissible purpose” for sharing that information, and limiting its use without consent.

What the Incoming Administration Could Mean for CFPB

Adam Rust, director of financial services for the Consumer Federation of America, tells InformationWeek in a phone interview that the proposed rule would be a major win for consumers. “People shouldn’t have to worry about their data being sold everywhere just because they want to apply for a loan,” Rust says. “[CFPB’s proposed rule] actually addresses a real-world problem that affects all kinds of people … We have all kinds of problems with data brokers relating to how they store information, and that’s led to widespread breaches.”

Rust thinks the issue should be nonpartisan, but CFPB has detractors who believe the government’s role should be limited. “There are enemies of the CFPB because the CFPB is so successful at doing what it is designed to do. Billionaires don’t like the CFPB because they have to return billions of dollars to consumers. The financial institutions that are held accountable because of the CFPB are doing their best to find friends in Washington D.C. who can rally to their cause.”

While Musk’s comments toward CFPB put the agency in cost-cutting crosshairs, finding enough support to kill its consumer protection efforts could be a difficult task. Data privacy efforts, especially concerning sensitive information, have gained broad support. Last year, Sen. Marco Rubio (R-FL) fought for a bill to protect the data of military members, preventing its sale by data brokers to adversarial nations. The bill didn’t reach a vote, but data privacy remains a hot-button topic. Rubio is Trump’s choice for Secretary of State.

A Bipartisan Cause?
While members of the new administration may be gunning to trim operations like CFPB, they may have a hard time getting the 60 Senate votes needed to overcome a filibuster and eliminate the agency. Republicans won a majority of Senate seats in November, but they hold 53 seats and could still be stymied by a filibuster.

Emily Peterson-Cassin, director of Demand Progress Education Fund, said protections that keep data out of the hands of threat actors should be bipartisan. “The CFPB should be applauded for standing up to data brokers and working to rein in the sale of sensitive information about us,” she said in a statement. “All this data ends up in the hands of advertisers, scammers, stalkers and even foreign governments. This groundbreaking rule offers a needed solution for Americans who are sick and tired of being inundated by scam texts, calls and emails …” She added that the proposed rule “would be a major win for the privacy rights of Americans and is the kind of bipartisan, commonsense action that should be protected and encouraged by politicians in both parties.”


Soft Skills, Hard Code: The New Formula for Coding in the AI Era

The emergence of generative AI over the past two years has fundamentally transformed how developers approach their craft, triggering both excitement and anxiety within the coding community. Coders, especially those in management, see the potential to offload routine tasks, but they also harbor anxiety about the technology’s implications for the future of the profession.

As development teams integrate GenAI into their workflows, coding expertise remains crucial, but the technology is also elevating the importance of interpersonal skills. The successful coder of today and tomorrow needs technical mastery and the ability to collaborate effectively with both human and AI partners.

The Soft Skills Revolution

Perhaps the most significant shift is the growing importance of soft skills, also known as foundational skills or innate traits. As GenAI handles more routine coding tasks, developers will increasingly need strong collaboration, clear communication, and interpersonal skills to thrive. Being a strong technical coder won’t be enough because, as we’ll show below, many of the routine tasks of day-to-day coding will eventually be handled primarily by AI. Instead, coders should embrace adaptability, staying agile and responsive to rapidly evolving AI-powered tools and features.

As the AI-powered shift occurs, the work of future developers will revolve around three primary tasks: translating business goals and demands into a plan of action for creating code that delivers on those priorities, reviewing code created by GenAI, and working closely with other coders on complex solutions and new technologies. All of these tasks require collaboration and effective communication not just with other coders but also with non-technical leaders on the business side.

Ironically, as GenAI takes over more routine coding tasks, the technical bar for developers is also rising.
While the technology can handle many entry-level coding tasks, the oversight and high-level development work that remains requires deeper technical expertise. Tomorrow’s developers must be even more skilled than today’s to effectively leverage and supervise AI-generated code.

The AI-Powered Development Toolkit

Developers are discovering multiple ways to leverage GenAI to enhance their productivity. For routine tasks like creating data connectors or simple scripts, GenAI serves as an efficient first-draft generator. Code completion capabilities, similar to sophisticated autocomplete functions, are streamlining the coding process itself. In fact, the ability to write clear, precise prompts for GenAI tools has itself become a valuable skill, requiring both technical knowledge and clear communication.

Perhaps more significantly, GenAI is proving valuable in code review. Just as it can proofread written documents, GenAI can analyze code for errors and inconsistencies, helping catch bugs before they make their way into production. This capability doesn’t eliminate the need for human review, but it does add an additional layer of quality control.

Documentation, traditionally the bane of many developers’ existence, has become less burdensome with GenAI assistance. While the technology may struggle with highly complex systems, it excels at generating initial documentation drafts for straightforward code bases, which developers can then refine.

GenAI is also emerging as a powerful learning tool. In today’s rapid-fire development environment, new programming languages and frameworks appear with dizzying frequency. GenAI can help developers bridge knowledge gaps by explaining concepts and providing contextual examples. A Python expert needing to work in TypeScript, for instance, can use GenAI to understand how familiar concepts translate to the new environment.
Test creation, another time-consuming aspect of development, can also be streamlined through GenAI. Developers can use well-crafted prompts to generate initial test code, then iterate quickly with additional context-specific prompts. While the generated tests require human verification and refinement, the time savings can be substantial.

Despite these powerful capabilities, GenAI won’t replace human developers anytime soon. The technology, while impressive, still requires careful oversight. Developers should treat AI-generated code the same way they’d treat code snippets taken from Internet sources such as Stack Overflow: all of it needs review from skilled professionals who understand both the technical requirements and the broader business context.

The New Development Paradigm

As GenAI continues to evolve, the profile of the successful developer is changing with it. Organizations now expect higher levels of technical expertise combined with strong interpersonal skills. Far from making developers irrelevant, AI is reshaping the role into one that requires a broader skill set.

The most successful developers in this new era will be those who can combine deep technical knowledge with strong communication and collaboration skills. They’ll need to be adept at working with both human and AI partners, understanding the strengths and limitations of each. The future belongs not to those who fear being replaced by AI, but to those who embrace it as a powerful tool in their development arsenal.

The coding profession isn’t disappearing; it’s evolving. And in this evolution, the combination of technical expertise and soft skills is becoming the new success formula for developers in the AI era.
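The review the article calls for, treating generated code like a pasted Stack Overflow snippet, can be given an automated first pass so the human reviewer starts from a short list rather than a blank page. The following is an added example, not code from the article or from any tool it mentions: it parses a generated Python snippet and flags the patterns a security reviewer checks before reading further (dynamic code execution, commands built through a shell, unsafe deserialization, credentials as string literals, swallowed exceptions). GENERATED_SNIPPET is constructed here to resemble a typical generated helper, and the rule set is this example’s own.

```python
"""First-pass automated review of an AI-generated (or pasted) Python snippet.

Added example, not code from the InformationWeek article or any tool it
mentions. It flags the patterns a security reviewer checks before reading
further, so the human review the article insists on starts from a short list
rather than a blank page. GENERATED_SNIPPET is constructed to resemble a
typical generated helper; the rule set is this example's own.
"""
import ast
import re
from dataclasses import dataclass
from typing import List

SECRET_NAME = re.compile(r"password|passwd|secret|token|api_?key", re.IGNORECASE)
DYNAMIC_EXEC = {"eval", "exec", "compile"}
PICKLE_LOADS = {"pickle.load", "pickle.loads"}


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def _callee(node: ast.Call) -> str:
    """Dotted callee name: 'eval', 'subprocess.run', 'yaml.load'."""
    parts: List[str] = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def _keyword(node: ast.Call, name: str):
    """Return the AST value bound to keyword `name`, or None if absent."""
    for kw in node.keywords:
        if kw.arg == name:
            return kw.value
    return None


def review_snippet(source: str) -> List[Finding]:
    """Parse `source` and return findings in line order (empty list = nothing flagged)."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _callee(node)
            if name in DYNAMIC_EXEC:
                findings.append(Finding(node.lineno, "dynamic-exec", f"{name}() on runtime data"))
            shell = _keyword(node, "shell")
            if name == "os.system" or (name.startswith("subprocess.")
                                       and isinstance(shell, ast.Constant) and shell.value is True):
                findings.append(Finding(node.lineno, "shell-injection", f"{name} goes through a shell"))
            if name in PICKLE_LOADS or (name == "yaml.load" and _keyword(node, "Loader") is None):
                findings.append(Finding(node.lineno, "unsafe-deserialization", f"{name} on untrusted input"))
        elif isinstance(node, ast.Assign):
            value = node.value
            literal = isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value
            for target in node.targets:
                if literal and isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append(Finding(node.lineno, "hardcoded-secret", f"{target.id} is a string literal"))
        elif isinstance(node, ast.ExceptHandler):
            # `except:` whose body is only `pass` hides every failure from the caller.
            if node.type is None and all(isinstance(s, ast.Pass) for s in node.body):
                findings.append(Finding(node.lineno, "swallowed-exception", "bare except with pass"))
    return sorted(findings, key=lambda f: f.line)


def review_passes(source: str) -> bool:
    """Gate: True only when the first pass found nothing for a human to look at."""
    return not review_snippet(source)


# Constructed sample: what a "write me a helper" prompt often comes back with.
GENERATED_SNIPPET = '''\
import subprocess, yaml

API_KEY = "sk-live-0123456789abcdef"

def fetch_report(host, fmt):
    cmd = "curl -s https://%s/report?fmt=%s&key=%s" % (host, fmt, API_KEY)
    out = subprocess.run(cmd, shell=True, capture_output=True).stdout
    return yaml.load(out)

def apply_rule(rule_text):
    try:
        return eval(rule_text)
    except:
        pass
'''

if __name__ == "__main__":
    for f in review_snippet(GENERATED_SNIPPET):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

The rules are deliberately coarse. A clean result does not mean the snippet is safe; it means the reviewer can spend their time on the business logic instead of rediscovering `shell=True` on the third read. The same gate runs just as well over a pasted snippet, which is the article’s point: the provenance of the code does not change the review it needs.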
