By Fouad Khalil, Senior Director, Compliance
Security must be part of everything that we do: moving into a new facility, bringing on new talent, designing new solutions, deploying software and hardware, publishing to the cloud, managing customer installations, and so on.
Security is simply part of it all.
Organizations (across all levels and industries) continue to struggle with ensuring security as part of business-as-usual activities. Whether we deploy on-premises, off-premises, offshore or in the cloud, we face varying risks that require compliance mitigation and the implementation of security controls.
The everyday question is “how do I keep up?” or better yet, “how do I sleep better at night?”
As a security and compliance practitioner for many years with a background as a change agent, I strongly believe that we can only manage the risks we face with continuous monitoring, continuous compliance, continuous security and continuous assurance.
Of late, organizations across the globe are moving to a cloud IT strategy on top of on-premises deployments. Many factors come into play as we evaluate the potential impacts of:
- The BYOD strategy (even pre-pandemic days)
- Rapid expansion and use of IoT devices
- Emerging AI
- The security of my cloud infrastructure
- Regulatory impacts, and last but not least,
- Privacy laws and legislations that are now business as usual.
Risk identification, ownership, remediation and prevention are everyone’s responsibility. Establishing an essential and complete foundation for your security, compliance and privacy program is the path to establishing continuous oversight.
Controls are implemented within a company's perimeter and enforced with vendors, partners and 3rd (4th, ...Nth) party service providers. Controls implemented based on the risk to “protected data” have the potential for success. This is only possible when a workflow-based, complete and up-to-date inventory of all data is made available (and refreshed at least annually).
The establishment of effective controls over protected data across its entire lifecycle is the basis for achieving continuous compliance. Merging that with the ability to continuously monitor and continuously audit these controls establishes the foundation for continuous assurance. You then have what is referred to as “out-of-the-box” compliance, independent of where your production environment is housed.
Rest assured that when all is said and done and you can proudly attest that you have a mature security and compliance program that is continuous and part of everything you do, that good night’s sleep might happen after all!
Allow me to wrap up my thoughts here by sharing my recent article titled “The landscape from above: Continuous cloud monitoring for continuous assurance”, which was published in the 2020-2021 Henry Stewart Publications Cyber Security: A Peer-Reviewed Journal, Rev 4. The article goes into great detail on how to establish true continuous assurance in the cloud.