Finding the Business Value of Cybersecurity with DevOps Value Streams

November 2020

Cybersecurity is always a controversial topic. No one wants to mess with cybersecurity! But what is the business value of security investments? How do you measure success? Let me provoke the debate: what does cybersecurity mean to you? What do you expect from your security initiatives? Do other stakeholders agree with you?

7 Strategic Decisions for Cloud Security

Dec 2019

When the cloud era promised cost reduction and speed to market in the early days, it worked well for startups to build IT in the cloud from scratch without heavy upfront investment. It was not necessarily the case for traditional enterprises, as they had already invested in their IT estate, with staff educated and processes optimised to build and run IT on premises. Those days are long gone, since startups and innovators have disrupted the marketplace of traditional enterprises. Cloud technologies have evolved significantly, and it is no longer a discussion of cost reduction or operational excellence, but of new technologies, agility and innovation. Today, some form of cloud adoption is inevitable for any enterprise to thrive, or even survive, in the digital era.

What is different about Cloud Security?

Dec 2018

Develop a cloud security strategy? I am always puzzled when I am faced with open questions that involve the word strategy. Strategy, by definition, is the plan of actions to achieve long-term goals. In the case of an enterprise, these goals are naturally driven by the business context: vision, priorities, opportunities, risks, etc. Cloud is just another way of sourcing technology infrastructure and application services. Clearly, the choices are more versatile than ever and bring the enterprise opportunities for agility, resiliency and economy (if only you do it right). Business strategy should drive the choices for the cloud, not the other way around, and cyber security (as an IT function) just needs to follow the service model, i.e., protect the components you control, and obtain assurances (contractual warranties) from the provider for the components outside your control. So, what is different about cloud security?

Cyber Security for Agile Organisations

July 2018

There is no doubt in today's digital world that agile methods for software development have been successful. Organisational agility refers to applying these methods to the whole organisation (a.k.a. the enterprise) to create an agile operating model across strategy, structure, people, process, and technology. The essence of all this is to be able to adapt and respond to the quickly changing environment of disruptive business models and technology.

Numerous examples of startups have proved that being agile is imperative for a successful digital business. On the other hand, there is an ongoing debate about whether and how these methods can be scaled up in large organisations while maintaining their stability. Cyber security is one of the top concerns for many, and new models and practices are needed to adapt cyber security to support agile ambitions while concurrently delivering assurances for security governance, risk, and compliance activities.

Security Architecture is superior to Control Frameworks — here's why

January 2018

Adopting a security control framework is a common response for an organisation when cyber security is a concern. This may be driven by an operational security function, a risk and governance function or a regulatory directive. I presume the readers of this article are familiar with abbreviations such as ISO, NIST, PCI, SANS, CIS, ISF, etc. These are the well-known organisations that have published cyber security control frameworks (along with many other good things). They all provide a good reference for building and organising security controls in a structure, facilitate maturity and risk assessments, and support gap analysis and remediation work against a benchmark.

Some run these programmes with internal resources; some bring in external consultants to transfer know-how and provide an unbiased view. Regardless of the source of the workforce, the control framework is the handbook of the security professional, as the complex cyber security ecosystem can now be broken into simpler components with a clear taxonomy. This reductionist approach takes one piece of the problem (i.e. a control domain) at a time and isolates external factors, so that it can be worked within the domain and results obtained quickly. Such an exercise typically reveals gaps in security controls or their effectiveness, usually identified through qualitative interviews with domain stakeholders and evidence hunted through information repositories. This is valuable work without doubt, as organisations are able to evaluate their position and plan changes accordingly for remediation and improvement.

Adapting Enterprise Architecture for Digital Transformations

July 2017

This is the digital era. It is about transforming behaviours and expectations with disruptive business models and technologies. These are challenging times for traditional enterprises, as disruption starts from inside the organisation, building the culture of agility and flexibility that lets them attack (or defend) the marketplace.

Adopting Agile methods is imperative to provision services fast and respond to the continuous wants and needs of the business, and hence to the (r)evolving marketplace. While many argue the pros and cons of Agile (a debate I am following with interest), I will discuss how Enterprise Architecture (EA) should be adapted for organisations embracing Agile development and delivery.