Today, I had the opportunity to talk to a group of partners about Cloud and security. The goal was to make them ready for the Cloud and ready to answer their customers' questions. One block – obviously – was about security, and as I see it (and as I said), security starts with the customer's processes. In addition, you need a clear and implemented data classification scheme. I am convinced that a Cloud provider which offers the needed transparency and a secure environment (and does not only tell you that they are as secure as, e.g., a bank) will often reduce your risk exposure, provided your overall IT organization is mature enough.
Now, I read this study: New Study Says Senior Leaders are Increasingly Distant from Security, Privacy – a study by Carnegie Mellon, and therefore not from a consulting company that wants to sell services. To look at some data and quote the article:
Westby says a comparison of the level of board participation in key areas for IT security governance shows the facts:
And these are the customers who want to move to the Cloud? In my opinion the board is key when it comes to risk management: they have to get involved and take part in it.
Is this the board's fault? That would be too easy, from my point of view. It is simply the way a lot of security professionals handle this problem: they complain that the board is not interested in such themes. What did we as a community do to change this? In the best case we implement a risk management process and include the board in it – and then speak techie language, not the board's language. We rarely show how a risk might affect the business process; we show how it affects the technology. Last but not least, we never show the board how security could help the business to grow.
Let's stick with the Cloud for a second. The standard security person tells his/her board that we cannot go to the Cloud because of security (I have heard that very, very often). Why do we not approach it the other way round: we should actually move our "company internal" data to the Cloud to reduce cost and increase security. In a lot of cases this is actually true.
All of a sudden security becomes an asset instead of a blocker – we have to change our attitude! It starts with us!
Very nice post, I agree with your comments. This is one of the challenges I see quite often, where professionals always find it hard to translate their technical terms into management language and therefore are not able to highlight the appropriate risks in front of management.
I hear this all the time from the business. Users used to complain and say "Bloody Security, we can't do this now", but now this is changing. My approach is that we need to be a business enabler, with security in mind.