Security Certification Helps Cloud Service Providers
If you are a cloud service provider (CSP), you know your customers have a choice as to who to work with, but do you know what will help tip the scales in your favor? It’s not just robust security or scalability. Much of your credibility will come from a heightened level of transparency that will resonate with the internal IT department and the C-suite.
It is a given that the concept of cloud technology has become more normalized over the past few years. Most companies now have a plan in place for migration and operation, and much of the discussion centers around which types of cloud to focus on: private, public or hybrid, and who to use as the provider. But this still requires a commitment on the part of a company to let go of its data and its processes, and hand it all over to an outside party.
Consequently, this places a requirement on the CSP to not only make good on the physical end of the deal – having a robust and secure platform to host the data – but also to remain transparent and provide solid evidence of its trustworthiness. A key point here is that robust security is not enough. There must be clear proof of this security, delivered in a fashion and frequency that will satisfy. It is not negotiable.
Part of the reasoning may stem from high-profile leaks and breaches that occur with disturbing frequency, but a major part of the concern will come from the fact that CSPs are external companies with their own rules and governance. Clients will constantly worry about a cloud provider’s ability to remain secure and reliable in all areas of its operations, and they will compare it to what they know best – their own in-house rules, regulations, and security. A CSP that fails to prove that it is equal to or better than its clients’ own systems will not succeed.
The Problem with Being Focused on Security
Often a company that specializes in one area will inevitably fall short somewhere else. It is expected that a CSP will focus intently on robust security, scalability, and accessibility, but this makes it easy for it to overlook the bedside manner that clients expect. Also branded as “customer experience” (CX), bedside manner is the art of communicating with the client and managing their customers’ expectations and worries. CSPs must be able to deliver on this.
Rich Campagna is the CEO of cloud security provider Bitglass. “If you compare cloud security to premises security,” he says, “often the two types of services are solving similar issues with similar technology, like encryption and data. But the big challenge and difference with cloud is that in the premises world you can stack or layer many security technologies together, which you cannot do in the cloud.” This is just one example of the types of security concerns a customer will experience, and which need to be clearly communicated by a CSP to prove they have a better, more secure method.
With security being such a multi-layered and ever-evolving challenge, it only makes sense that a cloud service provider should reach out and work with cloud security specialists whose sole purpose is to be the go-to expert and problem solver. This is precisely what a Certified Cloud Security Professional (CCSP) does.
In addition to a wealth of up-to-date technical knowledge around security issues and threats, a CCSP can also deliver strategic awareness and communications skills to the CSP’s management team. This in turn can help the CSP to communicate, strategize, and deliver to their own customers the necessary evidence of superior security and permanent transparency.
The CCSP designation was co-created by (ISC)² and Cloud Security Alliance, and is a globally recognized credential representing the highest standard of cloud security expertise. The certification attests to deep, up-to-date knowledge and hands-on experience with cloud security architecture, design, operations, and service orchestration.
To qualify, candidates must already possess a minimum of five years cumulative, paid, full-time work experience in information technology, of which three years must be in information security and one year in one or more of the six domains of the CCSP Common Body of Knowledge (CBK).
The need for such actions might seem self-evident, but as is often the case in busy, high-tech companies, the human touch goes missing due to the sheer busyness of the operation. What cannot be overlooked, however, is that this type of “human touch” is not superficial feel-good verbiage. It is the tangible proof that a company’s most valuable asset – its data – is safe.
A recent report released by the Enterprise Management Association (EMA) points out that “annoyance with lack of vendor support” is a key source of disappointment among customers. It continues, “executives were not aware that the monthly or annual subscription they purchased did not include full support…[and even] customers purchasing higher-end support may still have difficulty getting access to adequate levels of hands-on expertise.” This is another example of where CSPs can “drop the ball.” The consequent disappointment felt by a nervous customer will radiate out into its sense of trust, and this has the capacity to completely destroy whatever reputation the CSP has already worked hard to build.
It may be unfair to suggest that a CSP drops a few points down the scale even when its security is already top-notch. But this is the truth of the matter. Customers must feel confident, and if the evidence of rock-solid security is not there, they won’t. Negative experiences tend to turn customers’ eyes either toward the horizon, looking for a new supplier to take care of the next stage of their cloud journey, or inwards, to bring everything back in-house.
A CCSP provides a CSP with some of the transparency and credibility skills to mitigate this risk, and ensure the relationship between CSP and customer remains as secure on the trust front as it does on the technical one.
By Steve Prentice