As the cybersecurity industry works to address a shortage of skilled workers, an advertisement backed by the UK government may provide an example of what not to do.

The ad, which encouraged people working in the arts to retrain in cybersecurity, has been abandoned amid backlash online and even within the government, according to reports from The Guardian, The Washington Post and MarketWatch.

Although pulled from the official website, the ad was still easily viewable after going viral on social media with the hashtag “#SavetheArts.” The image displays a ballet dancer tying her shoes. The caption reads, “Fatima’s next job could be in cyber (she just doesn’t know it yet),” followed by the tagline “Rethink. Reskill. Reboot.”

Posted on the website of training firm QA, the ad was part of the UK cybersecurity agency’s Cyber First campaign, which promotes tech training for young people. Oliver Dowden, the British culture secretary, tweeted that the ad was “crass” and did not come from his agency. A spokesperson for the prime minister said, “This particular piece of content was not appropriate and has been removed from the campaign.”

The UK government’s volte-face followed widespread criticism that the ad showed disrespect toward the culture sector, which has been suffering catastrophic job losses. The author Caitlin Moran tweeted: “I don’t know if the government know they appear to have recently created a ‘Hopes & Dreams Crushing Department,’ but for a country already depressed and anxious, I would suggest it’s a bit of a ‘Not now, dudes’ moment?" The shadow health minister, Rosena Allin-Khan, chimed in: “Fatima, you be you. Don’t let anyone else tell you that you aren’t good enough because you don’t conform to their preconceived social norms.”

Meanwhile, a recent survey finds that most people say a career in cybersecurity isn’t for them, despite the sector’s demand for talent. Among 2,500 U.S. and UK workers surveyed by (ISC)2, 69% said that while cybersecurity seems like a good career path, it isn’t the right personal fit.

The world of analytics is changing.  Self-Service Analytical tools like Tableau, Qlik, and Power BI are enabling business users to perform reporting and analytics on their own with little to no support from the IT organization. This trend has evolved due to several factors including:

1)    Organizations are flooded with data and IT organizations are not able to keep up
2)    Easier to use Business Intelligence tools make it more efficient for business users to directly create their reports rather than go through IT for a project
3)    IT organizations analytical projects can take several months when a business needs this information in weeks

This trend has caused the efforts of IT Business Intelligence (BI) teams to spending most of their energy gathering, cleaning, and structuring data for the business to perform their own analytics through a self-service model. In special cases, they provide industrial strength reporting that can scale to thousands of users where trusted verified data is needed.  However, they are still being shown the door when it comes to some of the more interesting work.

What can IT BI teams do to stay relevant and valuable to the business? We have several suggestions that relate to embracing self-service analytics as the new reality and transitioning core competencies of the Business Intelligence team away from purely descriptive reporting and moving to diagnostic & predictive analytics.

Let’s explain that last concept before prescribing several solutions. The current state of most analytics is descriptive in nature and helps answer questions of, “what occurred?” Diagnostic and Predictive Analytics help answer the questions of, “Why did it occur?” and sets the stage to answer, “What can I do about it?”  Diagnostic Analytics helps organizations to not only understand what, but also why and what decisions and actions can be taken to solve for the issue. This type of analytics is more valuable to the business and requires competencies that IT BI teams are uniquely qualified to bring from their years of building analytical solutions.

To enable IT Business Intelligence teams to move up the value chain from providing commodity reports to business driving analytics, we recommend adding these four components:

1. Build out a Data Science capability– Data Scientists are starting to appear in analytical groups within companies. However, they are still not pervasive and the function is understaffed. In addition, most groups within a company cannot justify the cost of a full-time data scientist. By adding data scientists to the IT BI organization, you are creating a centralized team that can provide analytics to underserved parts of the organization.  This team is already focused on creating analytical data structures and reports and adding the ability to derive insights from the data is a natural extension.   
2. Make it about the Decision– In your requirements process, add Decision Architecture Methodology as a capability. Most methodologies for capturing analytical requirements focus on the questions asked of the data to surmise the Dimensions and Facts.  While this gives us great descriptive analytics, but it does not move the company along the analytical maturity curve.  A deeper focus on the decisions that the business makes and thereby centering analytical capabilities around helping to enable actionable insights will move the needle.
3. Add Decision Theory to your analytics– If Data Science helps you turn information into actionable insights, Decision Theory helps you structure the decision process to guide a person to the correct choice. Decision Theory, along with Behavioral Economics, is focused on understanding the components of the decision process to explain why we make the choices we do. It provides a systematic way to consider tradeoffs among attributes that helps us make better decisions. Tools such as thresholds, alerts, decision matrixes, and choice architecture should be considered important capabilities to add to your team’s tool chest.
4. Create a Report Certification process– As report proliferation occurs with self-service analytics, creating a standard for the health and validity of a report is going to be important if the analytics are to be consumed by a broader audience and are to be trusted.  For example, you may have one group create a report with key metrics sourced from uncertified data sources. By putting reports from individual departments through a certification process similar to UL labeling on electrical products, broader consumers will know the level of scrutiny that has been put on the report by Data Governance and IT teams and thereby trust the data and metrics contained within it.

As IT Business Intelligence teams look to move up the value chain in the capabilities they offer to their internal customers, adding addition skillsets, methods, and tools will be a necessity. The capabilities outlined are a great fit for a centralized team to own and this transformation in IT BI teams can speak to the value these enhanced capabilities provide to the business.

Andrew Roman Wells is the CEO of Aspirent, a management-consulting firm focused on analytics. Kathy Williams Chiang is VP, Business Insights, at Wunderman Data Management. They are the co-authors of Monetizing Your Data: A Guide to Turning Data into Profit-Driving Strategies and Solutions. For more information, please visit www.monetizingyourdata.com.

It’s no surprise that big data is on the rise in businesses around the world. Companies routinely use big data to analyze common trends in their practice; enabling them to make sophisticated decisions to ensure their businesses prosper. According to Statista, an online statistics, market research and business intelligence portal; companies routinely use data to drive process and cost efficiency; drive strategy; and to monitor and improve financial performance. When used in these ways, data has the ability to save the company a significant amount of money because they are able to spend their money efficiently.

While data does have the ability to improve a company’s performance; companies just aren’t catching up on the trends as fast as one would assume.  Big Data software company, Quoble along with Dimensional Research; recently published an e-book, “An In-Depth Look at Big Data Trends and Challenges”. As the name suggests, the data looks at global data trends in the workplace and the problems that businesses often face.

Among the issues that the research uncovered was, “the realization of value from big data in on-premises environments has lagged expectations, largely due to complexity, cost overruns, steep demands for specialized talent, and need for powerful computing platforms.” While companies may understand the value that big data brings their company; finding qualified candidates and obtaining funds to purchase the computing platforms needed to manage data sets are among the set backs employers are facing today. Nearly 75% of those surveyed sighted a gap between the necessary resources and tools that are available to them. And while 50% of businesses plan to moderately increase their data headcounts in the next year; 83% find it difficult to find the right candidate.  Not only does it take time to find the money to pay for data headcounts; finding the right candidate can often times be complex and time consuming.

The survey found that big data teams’ lack of experience creates a slow progress to get things done. 42% also sight that it is hard to keep up with big data trends and new data sources.  Big Data is constantly expanding. Five years ago machine learning and AI weren’t as mainstream as they are now. BI tools were available but not widely used and companies didn’t have big data teams. In fact their “team” often consisted of one or two data scientists. Big Data’s continuous growth has lead to expansion that many businesses can’t keep up with.

The intention of Quoble’s “An In-Depth Look at Bid Data Trends and Challenges” is  not to solve these problems, but to bring awareness to the issues that companies are facing when it comes to data.  As big data continues to surge, so will an influx of knowledgeable employees and efficient software that will guide the business to succeed in an age where big data is becoming the norm.

To view the full report, go to Quoble’s website and download the free e-book.

Colleagues think of data analysis much in the same way they think about marketing. Which is everyone thinks they are data analysts. With little to no practice they can put together graphs and visualize data at the drop of a hat. When interviewing Dave from accounting he made sure you knew that he has Tableau reader on his desktop which totally means he’s one step away from Tableau certification. Karen from Sales also discussed her extensive knowledge when it came to Excel. Yes, that same Karen who emailed you a month ago and asked how a pivot table worked.

If you’re interested in a career in big data it shouldn’t be daunting, but you should take the time to research and learn the tools and software needed to excel (pun intended) at the job. Data analysis is so much more than filtering data and pretty graphs. It takes someone who is curious and can think analytically to thrive in the job.

In his 2009 book, Now You See it: Simple Visualization Techniques for Quantitative Analysis; author and information technology innovator Stephen Few lists 13 key traits of a data analyst. Among those traits include, self-motivation; open-mindedness; and the ability to spot patterns. An average data analyst can access a data set; scrub the data; and visualize it using one of numerous data visualization platforms available. She then comes to conclusions based on those visualizations and calls it a day. An exceptional data analyst can use that same data set and visualization tools and come to the same conclusions. The difference is that he will ask different questions and hypothesize about why conclusions are what they are. An exceptional data analyst asks why 9 out of 10 dentists prefer Colgate or why Rugby is becoming a more popular youth sport in the United States while lacrosse youth teams are declining.  For them, it isn’t enough that the data shows an increase in Rugby youth teams. They have to know why. Which will ultimately bring them to more questions which will lead to more data sets and more visualizations. In essence, is a data analyst’s job ever really done?

Another factor that separates a mediocre from an excellent analyst is the ability to tell a story. Unless you are speaking to a fellow analyst, chances are spewing out data isn’t going to capture the attention or the comprehension of what the statistics show. In fact, if you go that route, you may be met with a lot of blank stares. It’s important to tailor a narrative to the audience you are speaking to. Crafting a story beforehand makes it easy for your audience to follow and will help you answer any follow up questions that you might receive.

While you may have the skills that make an excellent data analyst, without practice you’ll never truly be outstanding at your job. And with data analysts and scientists being critical to the success of a company, it’s important that you push past mediocrity and aim for excellent. So tomorrow when you go into work remember that not everyone can be an analyst but by methodically thinking, crafting a perfect story from your data sets and asking questions, you’ll be on the road to greatness.

Manufacturers would be required to adhere to cybersecurity standards for Internet-connected devices under new legislation that has been proposed by the European Union’s executive body. So reports Claims Journal.

The Cyber Resilience Act, as the law proposed by the European Commission is known, seeks to block products from the EU’s single market if they are not bolstered enough against cyber threats.

The 27-nation bloc said that Europe alone loses 180 billion to 290 billion euros (about $185 billion to $298 billion) annually to cyberattacks.

Read the full article from Claims Journal.

A recent settlement between the Federal Trade Commission and Drizly, a liquor delivery app owned by Uber, has upped the ante for executives who oversee lapses in cybersecurity.

The FTC’s enforcement action named CEO James Cory Rellas personally, as well as the company. Notably, the action applies to Rellas even if he leaves Drizly, where a breach allegedly exposed the data of 2.5 million customers. The FTC said that under the proposed consent order, “Rellas will be required to implement an information security program at future companies if he moves to a business collecting consumer information from more than 25,000 individuals, and where he is a majority owner, CEO or senior officer with information security responsibilities.”

As Law360 reports, industry lawyers say that FTC Chair Lina Khan and Democratic Commissioners Alvaro Bedoya and Rebecca Kelly Slaughter probably will keep leveraging their majority to tighten the screws on executives they see as shirking their cybersecurity obligations. Sean Griffin of law firmt Dykema Gossett told the news service, “​​If CEOs aren’t paying attention to data security, the FTC and other agencies will be more than happy to make them pay attention.”

As Security Boulevard notes, if the FTC can take aim at a CEO, then it could theoretically target chief information security officers who suffer data breaches, as well. There’s concern that regulators could effectively “blacklist” certain CISOs from their profession, given that companies would be unlikely to hire CISOs who are subject to FTC sanction for their past breaches. Another worry is that companies anxious to reach a settlement with regulators might feel pressure to throw their CISOs under the bus.

“Our proposed order against Drizly not only restricts what the company can retain and collect going forward but also ensures the CEO faces consequences for the company’s carelessness,” said Samuel Levine, director of the FTC's Bureau of Consumer Protection, in a statement. “CEOs who take shortcuts on security should take note.”

The breach occurred, according to the FTC, after Drizly gave an executive access to the company’s Github repositories so he could participate in a one-day hackathon. Drizly didn’t shut down the executive’s access after the event, and hackers guessed the executive’s password, which was used on other sites. The breach allegedly gave hackers access to 2.5 million personal records. Boston-based Drizly was acquired by Uber in 2021 for $1.1 billion.

The settlement won’t be final until after a 30-day public review period.

The state of New York has fined Zoetop $1.9 million due to a data breach. Zoetop is the parent of fast fashion brands Shein and Romwe. So reports The Verge.

The state’s Office of the Attorney General claimed that Zoetop failed to secure customers’ data or properly inform them of the breach.

A 2018 hack resulted in the theft of credit card and personal information affecting 39 million Shein and 7 million Romwe accounts, according to the OAG.

Read the full article from The Verge .

Federal regulators have announced that Twitter will pay a $150 million fine to settle allegations that it illegally used people’s phone numbers and email addresses to sell targeted advertising. So reports NPR.

In a complaint filed in federal court, the Federal Trade Commission and the Department of Justice claimed that Twitter broke a 2011 deal with regulators.

The latest settlement still requires a judge’s approval.

Read the full article from NPR. 

Cybersecurity experts are ringing alarm bells about potential concerns for Twitter after the social media company’s $44 billion takeover by Elon Musk, the world’s richest person.

As USA Today reports, one source of concern relates to the Musk’s stated plans to transform Twitter into an “everything app.” While prior Twitter breaches compromised email addresses and phone numbers, selling products or services would involve collecting users’ payment information—and cyber pros said the company needs to gain trust that such data will be safe.

Peter Singer, a strategist at left-leaning think tank New America, wrote for Defense One that some of the cybersecurity risks of Musk’s Twitter takeover stem from the mercurial tech honcho himself. Singer notes that Tesla—another company Musk serves as CEO—depends heavily on staying in the good graces of authoritarian China. Singer points out that Saudi Arabia’s rulers are also Twitter’s second-biggest shareholders.

What’s more, Singer contends, Musk’s track record on cybersecurity is particularly abysmal—“worse than Tesla’s autopilot.” Breaching a Tesla has been commonplace at hacker events for a decade, and the company allegedly has failed to stay ahead of bad actors.

As The Washington Post reports, Twitter has plenty of pre-existing cybersecurity issues. Prominent cybersecurity player and Twitter whistleblower Peiter “Mudge” Zatko said the company failed to safeguard user data and even deceived the Federal Trade Commission, although Twitter has denied the claims and attacked Zatko’s job performance.

Musk’s publicly stated views are shifting and unpredictable, but recently announced job cuts at Twitter represent another security concern, experts say. And it remains to be seen how Musk’s plan to charge a subscription fee for Twitter’s blue “verified” check marks will affect security. As The Hill reports, Christopher Krebs, first director of the Cybersecurity and Infrastructure Security Agency, said that the plan would “create a very chaotic environment” empowering threat actors.

Cybersecurity pros do seem to have formed a near-consensus in favor of one aspect of Musk’s apparent goals for Twitter. He has called for encrypting the service’s direct messages, a move that cybersecurity wonks have long supported.

The Cybersecurity and Infrastructure Security Agency will focus on hospital, school, and water cybersecurity in the year ahead, CISA Director Jen Easterly said at Mandiant’s recent mWISE 2022 conference in Washington, D.C.

Easterly’s insights on the federal cybersecurity agency’s priorities for 2023 were among the key developments from the industry confab previously known as the Cyber Defense Summit, according to multiple reports.

As The Record reports, Easterly said water, hospitals and K-12 schools are “target-rich, resource-poor entities.” She pointed to a late-September cyberattack on the Los Angeles Unified School District, lauding the school system’s requests for help from CISA and the FBI. “We were working with them very early on and they were very transparent,” Easterly said.

Health IT Security notes that Easterly also said CISA was on track to release cybersecurity goals for critical infrastructure soon.

CISA plans to be more cooperative and detailed by sector and region in how it communicates threats, Easterly noted, as Cybersecurity Dive reports. “We have enormous power if we can work together collaboratively, and if we each take accountability and responsibility for our ability to defend cyberspace,” she said.

Elsewhere at mWISE, National Cyber Director Chris Inglis said that the Biden administration’s national cybersecurity strategy may still be some months off, as The Record reports separately. ​​“It’ll probably come out in the next month or two or three, given the processes that exist in Washington,” Inglis said. The strategy was reportedly expected from Inglis’s office in September but delayed by government and private-sector input.

As Security Brief Asia reports, supply chain risk and fighting cybersecurity-industry burnout were also hot topics at mWISE 2022. Mandiant’s chief marketing officer Vikram Ramesh said, “The bad guys don't take time off.”

A jury’s recent guilty verdict in the trial of Uber’s former chief security officer has renewed discussions about personal legal risks in the industry.

ACAs Ars Technica reports, ex-Uber security head Joe Sullivan’s conviction on charges related to concealing a massive data breach from regulators is seemingly the first hack-related criminal prosecution of an executive. When the Federal Trade Commission was investigating a different data breach in 2016, Sullivan discovered the second breach, which he kept hidden by paying the hackers through Uber’s bug bounty program.

Stephanie M. Hinds, the U.S. attorney for the Northern District of California, indicated that Sullivan’s case demonstrated what not to do in the event of a cyberattack. “We will not tolerate concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users,” Hinds told The New York Times in a statement. “Where such conduct violates the federal law, it will be prosecuted.”

As Wired reports, CSOs are already referred to as “chief sacrificial officers” or “chief scapegoat officers,” and many worry that Sullivan’s guilty verdict will make recruiting qualified executives more difficult. Anthony Vance, a professor and researcher at Virginia Tech who specializes in cybersecurity issues, told the magazine that the conviction will have “a chilling effect.” One concern is that the case will leave a false impression that security executives should never pay hackers to keep data safe.

The role of chief information security officer has changed as a result of the conviction, according to CSO. A big lesson for security executives, the website notes, is that they should document even their tiniest decisions and be ready to defend them to regulators if necessary. Such documentation could keep them out of court.

The conviction has also drawn attention to a lack of corporate transparency around hacking, as Bloomberg reports.

Sullivan’s case might not be the last. Ilia Kolochenko, founder of IT security firm ImmuniWeb, told eSecurity Planet, “In the future, we will likely see more CISOs, DPOs and board members civilly liable or even face criminal prosecution for security or privacy incidents.”

A new report by executive search firm Heidrick & Struggles shows the growing rewards, but also occupational hazards, for chief information security officers.

As Help Net Security explains, the report shows median CISO cash compensation (base and bonus) of $584,000. That’s up from $509,000 last year and $473,000 in 2020. Median total compensation, taking into account annual stock grants or long-term incentives, was $971,000, compared with $936,000 last year, according to Heidrick.

Pay particularly spiked for new CISOs, likely due to a friendly market for job seekers as companies compete to find qualified applicants for this crucial role. However, as CNBC notes, Heidrick also found some troubles in the world of CISOs. Asked the most significant personal risks CISOs face relating to their position, 59% of respondents cited stress, while 48% pointed to burnout.

Heidrick’s cyber practice leader Matt Aiello told CNBC that some security pros are quitting CISO positions at a phase in their careers when it’s obvious that they can take on a different operational job. Aiello is quoted as saying, “What we’re hearing in off-line conversations is that it’s a great role, but it’s very hard and the regulatory pressures are increasing, and that makes being a CISO even more challenging.”

CISO pay in Heidrick’s survey varies widely by industry, as Becker’s Hospital Review observes. Financial services or fintech led the way, with cash compensation of $847,000, followed by $656,000 for consumer, retail and media, $551,000 for technology and telecoms and 546,00 for healthcare, biotech and life sciences.

As Cybersecurity Dive notes, CISOs at the 95th percentile saw much higher remuneration. These outlier CISOs reported median cash compensation of $1.6 million and total compensation of $4.4 million.

The global survey was based on responses from 327 CISOs or people in CISO-equivalent roles.