7 Strategic Decisions for Cloud Security

Dec 2019

When the cloud era first promised cost reduction and speed to market, it worked well for startups that could build their IT in the cloud from scratch without heavy upfront investment. This was not necessarily the case for traditional enterprises, which had already invested in their IT estate, with staff trained and processes optimised to build and run IT on premises. Those days are long gone, since startups and innovators have disrupted the marketplace of traditional enterprises. Cloud technologies have evolved significantly, and the discussion is no longer about cost reduction or operational excellence but about new technologies, agility and innovation. Today, some form of cloud adoption is inevitable for any enterprise to thrive, or even survive, in the digital era.

What is different about Cloud Security?

Dec 2018

Develop a cloud security strategy? I am always puzzled when I am faced with open questions that involve the word strategy. Strategy, by definition, is the plan of actions to achieve long-term goals. In the case of an enterprise, these goals are naturally driven by the business context: vision, priorities, opportunities, risks, etc. Cloud is just another way of sourcing technology infrastructure and application services. Clearly, the choices are more versatile than ever and bring the enterprise opportunities for agility, resiliency and economy (if only you do it right). Business strategy should drive the choices for the cloud, not the other way around, and Cyber Security (as an IT function) just needs to follow the service model, i.e., protect the components you control and get warranties from the provider for the components outside your control. So, what is different about cloud security?

Cyber Security for Agile Organisations

July 2018

There is no doubt in today's digital world that agile methods for software development have been successful. Organisational agility refers to applying these methods to the whole organisation (a.k.a. the enterprise) to create an agile operating model across strategy, structure, people, process and technology. The essence of all this is the ability to adapt and respond to a quickly changing environment of disruptive business models and technology.

Numerous examples of startups have proved that being agile is imperative for a successful digital business. On the other hand, there is an ongoing debate about whether, and how, these methods can be scaled up in large organisations while maintaining their stability. Cyber security is one of the top concerns for many, and new models and practices are needed to adapt cyber security so that it supports agile ambitions while concurrently delivering assurances for security governance, risk and compliance activities.

Security Architecture is superior to Control Frameworks — here's why

January 2018

Adopting a security control framework is a common response for an organisation when cyber security is a concern. This may be driven by an operational security function, a risk & governance function or a regulatory directive. I presume the readers of this article are familiar with abbreviations such as ISO, NIST, PCI, SANS, CIS, ISF, etc. These are the well-known organisations that have published cyber security control frameworks (along with many other good things). They all provide a good reference for building and organising security controls in a structure, facilitate maturity and risk assessments, and support gap analysis and remediation work against a benchmark.

Some run these programmes with internal resources; others bring in external consultants to transfer the know-how from unbiased eyes. Regardless of the source of the workforce, the control framework is the handbook of the security professional, as the complex cyber security ecosystem can now be broken into simpler components with a clear taxonomy. This reductionist approach takes one piece of the problem (i.e. the control domain) at a time and isolates external factors so that it can be worked on within the domain and results obtained quickly. Such an exercise typically reveals gaps in security controls or their effectiveness, usually obtained from qualitative interviews with domain stakeholders and evidence hunted through information repositories. This is valuable work without doubt, as organisations are able to evaluate and plan changes accordingly for remediation and improvement.

Adapting Enterprise Architecture for Digital Transformations

July 2017

This is the digital era. It is about transforming behaviours and expectations with disruptive business models and technologies. These are challenging times for traditional enterprises, as disruption must start from inside the organisation, building a culture of agility and flexibility so that they can offend (or defend) in the marketplace.

Adopting Agile methods is imperative to provision services fast and respond to the continuous wants and needs of the business, and hence to the (r)evolving marketplace. While many argue the pros and cons of Agile (a debate that I am following with interest), I will discuss how Enterprise Architecture (EA) should be adapted for organisations embracing Agile development and delivery.

Architecting Cyber Security?

March 2017

Cyber Security is a controversial field. It is difficult to measure its performance or demonstrate its value. It is therefore considered late and relegated to a few add-on fixes once all the design decisions have been made. Typical arguments are:

  • Security hinders the business process rather than helping it, focusing on "security" rather than real business value.
  • Security tries to deliver controls in isolation, without a clear understanding of service context, priorities, risks or opportunities.
  • Security leads to increased complexity and cost of delivery and support.

Traditional approaches to security often contribute to these arguments when:

  • Security (process & technology) design is isolated into domains (or control sets) that cannot be integrated with one another (a tactical approach).
  • Security and business strategy are loosely coupled (i.e. weak traceability / justification of security investments in terms of business value).
  • A checklist / compliance approach is taken: checking that the links (security controls) in the chain exist, but not testing that the links actually fit together to form a secure chain.

An architectural approach to security resolves the above by bringing the disconnected pieces together within a structured framework that breaks the complexity down into modular blocks of simplified views. This is achieved through layering techniques and modular representations of security capabilities and reference solutions, all managed together in an organised repository.