Rainmaking From The Cloud - CIOs Struggle To Keep Pace With IT Demands

Rainmaking From The Cloud – CIOs Struggle To Keep Pace With IT Demands

Rainmaking from the Cloud In the digital era, where customers can select virtually anything with a click of a button, they are demanding more choice; not only in products, but in how and when they pay for them. They expect flawless service and require instant
Google Cloud Platform: Enabling APIs

Google Cloud Platform: Enabling APIs

Enabling Google APIs The Google Cloud Platform is a comprehensive tool that helps companies manage their IT resources. Completing software projects, built from scratch, is an incredibly time-consuming and wallet-ending endeavor. The cost of this development is due to the nature of the technology as

CONTRIBUTORS

Get Used To It – Artificial Intelligence For Real-time Gas Pricing

Get Used To It – Artificial Intelligence For Real-time Gas Pricing

Real-time Gas Pricing Get used to it – we will extract every dollar you can afford at your friendly … ...
Cloud Services Are Vulnerable Without End-To-End Encryption

Cloud Services Are Vulnerable Without End-To-End Encryption

End-To-End Encryption The growth of cloud services has been one of the most disruptive phenomena of the Internet era.  However, ...
How To Be Data Compliant When Using The Cloud

How To Be Data Compliant When Using The Cloud

Data compliant Companies using the cloud for data storage, applications hosting or anything else, have to carefully consider data compliance ...
When it Comes to the Communications Cloud, You Cannot Manage What You Cannot Measure 

When it Comes to the Communications Cloud, You Cannot Manage What You Cannot Measure 

The Communications Cloud As more and more real-time communications – whether voice, messaging, video or collaboration – move to distributed software ...
Imminent IoT Eye-Tracking Technologies To Transform The Connected World

Imminent IoT Eye-Tracking Technologies To Transform The Connected World

IoT Eye Tracking Smelling may be the first of the perceptible senses, but the eye is the fastest moving organ ...
Part 2 - Identity Assurance by Our Own Volition and Memory

Part 2 – Identity Assurance by Our Own Volition and Memory

Identity Assurance by Our Own Volition and Memory We believe that the reliable identity assurance (See part 1) must be ...
Mitigating the Downtime Risks of Virtualization

Mitigating the Downtime Risks of Virtualization

Mitigating the Downtime Risks Nearly every IT professional dreads unplanned downtime. Depending on which systems are hit, it can mean ...
The Lighter Side Of The Cloud - Connection
business-audit

Security Audits, Cyberattacks and other Potential Front Line Issues

Defending the Organization

When people talk about security audits in an organization, thoughts immediately go to malware, cyberattacks and other front line issues. These appear as the most obvious types of threats and are consequently given the greatest attention. As essential as these responses are, companies need additional layers of audit and defence further up the hierarchy if they are to build a culture of perpetual and successful self-governance. The problem is, internal compliance and control – the key elements of self-governance – are falling woefully behind the times thanks to traditions that have not yet received a full overhaul. This is bad news for business in the private and public sectors, since the enemies they face have already stepped up to the speed of “now.”

Traditionally, businesses have relied upon three lines of defence for standing up against risk. Called the “Combined Assurance Model,” it relies first on line managers to watch over the business processes. The second line belongs to internal risk managers and assurance providers, and then thirdly comes the internal and external auditors.

Security Audits

Such a structure has not always proven to be reliable. In 2013, Financial Times journalist Howard Davies quoted British lawmakers as suggesting the model “promoted a wholly misplaced sense of security.” He added, “Far from complementing each other as happy teammates, they think the second and third lines are in the chocolate teapot category of uselessness, with “the front line, remunerated for revenue generation, dominant over the compliance risk and audit apparatus.” 

These are the types of issues that worry Shrikant Deshpande, senior banking technology, risk and assurance professional and (ISC)2 Certified Cloud Security Professional. He suggests there seems to be a gap between Internal Audit, GRC (Governance, Risk management, and Compliance) and Cyber Security in terms of formalized methods of defining risks, monitoring and assurance. “There is certainly a meeting of minds and policy level agreement on objectives,” he states, “however a formal process of risk mapping and traceability of assurance outcomes to agreed high level risk needs to improve.

What this means in the most straightforward terms is that audit and GRC education must keep up with the times, and with the new technologies now impacting business globally, like cloud, big data and IoT. There needs to be greater investment in security monitoring technologies and in internal education, and this requires getting through to executive decision makers in a way that effectively conveys both urgency and importance.

Shrikant highlights the recommendations of a 2010 research paper published by the Institute of Chartered Accountants in Australia, outlining a process of continuous assurance for the digital world. Central to its thesis was the notion of “better matching internal and external auditing practices to the reality of the IT-enabled world, to provide stakeholders with more timely assurance.” The authors advocate “audit automation,” to move the audit process away from a “manual, periodic paradigm” to something more real-time.

Shrikant points out that a variety of cloud technology neutral assurance methods and processes already exist, such as COBIT, ISO 27k , ISO 30k, and NIST. The challenge is that audit and GRC professionals need to mature their skills and knowledge to apply these in specific technology environments like the cloud.

This is where a combination of techniques like assurance mapping, combined assurance and continuous auditing can coexist and assist.

He adds, “the gap between risk management stakeholders and those who are actually monitoring risk and creating assurance continues to exist. There is a legacy of division that must be overcome if businesses and organizations hope to thrive in the extremely fast-paced world of cyber-connected business.” His advice: formally engage. Organizations need formal programs, formal assurance mapping and an up-to-speed monitoring program. The luxury of waiting no longer exists.

For more on the CCSP certification from (ISC)2, please visit their website. Sponsored by (ISC)2.

By Steve Prentice

Steve Prentice

Steve Prentice is a project manager, writer, speaker and expert on productivity in the workplace, specifically the juncture where people and technology intersect. He is a senior writer for CloudTweaks.

View Website

Cloud Community Supporters

(ISC)²
Cisco
SAP
CA Technologies
Dropbox

Cloud community support comes from (paid) sponsorship or (no cost) collaborative network partnership initiatives.