What is different about Cloud Security?

Dec 2018

Develop a cloud security strategy? I am always puzzled when I am faced with open questions that involve the word strategy. Strategy, by definition, is the plan of actions to achieve long-term goals. In the case of an enterprise, these goals are naturally driven by the business context: vision, priorities, opportunities, risks, etc. Cloud is just another way of sourcing technology infrastructure and application services. Clearly, choices are more versatile than ever and bring opportunities to the enterprise for agility, resiliency and economy (if only you do it right). Business strategy should drive the choices for the cloud, not the other way around, and Cyber Security (as an IT function) just needs to follow the service model, i.e., protect the components you control, and get warranties from the provider for the components outside your control. So, what is different about cloud security?

Cyber Security for Agile Organisations

July 2018

There is no doubt in today's digital world that agile methods for software development have been successful. Organisational agility refers to applying these methods to the whole organisation (a.k.a. the enterprise) to create an agile operating model across strategy, structure, people, process, and technology. The essence of all this is to be able to adapt and respond to the quickly changing environment of disruptive business models and technology.

Numerous examples of startups have proved that being agile is imperative for a successful digital business. On the other hand, there is an ongoing debate over whether, and how, these methods can be scaled up in large organisations while maintaining their stability. Cyber security is one of the top concerns for many, and new models and practices are needed to adapt cyber security so that it supports agile ambitions while concurrently delivering assurances for security governance, risk, and compliance activities.

Security Architecture is superior to Control Frameworks — here's why

January 2018

Adopting a security control framework is a common response for an organisation when cyber security is a concern. This may be driven by an operational security function, a risk & governance function or a regulatory directive. I presume the readers of this article are familiar with abbreviations such as ISO, NIST, PCI, SANS, CIS, ISF, etc. These are the well-known organisations that have published cyber security control frameworks (along with many other good things). They all provide a good reference for building and organising security controls in a structure, facilitating maturity and risk assessments, and supporting gap analysis and remediation work against a benchmark.

Some run these programs with internal resources, some bring in external consultants to transfer the know-how from unbiased eyes. Regardless of the source of the workforce, the control framework is the handbook of the security professional, as the complex cyber security ecosystem can now be broken into simpler components with a clear taxonomy. This reductionist approach takes one piece of the problem (i.e. the control domain) at a time and isolates external factors, so that the piece can be worked on within the domain and results obtained quickly. Such an exercise typically reveals gaps in security controls or in their effectiveness, usually identified through qualitative interviews with domain stakeholders and evidence gathered from information repositories. This is valuable work without doubt, as organisations are then able to evaluate and plan changes for remediation and improvement.