CSA Community Spotlight: Establishing Cloud Security Standards with Dr. Ricci Ieong

CSA began establishing standards for cloud security assurance and compliance back in 2009, when the company was officially incorporated and we released the first version of our cloud security best practices. The following year, we developed the Cloud Controls Matrix (CCM), and in 2012, the CSA Security, Trust, Assurance and Risk (STAR) Registry. Finally, when it comes to cloud assurance, our most recent launch was the Certificate of Cloud Auditing Knowledge (CCAK) in partnership with ISACA.

These standards and certificates, along with CSA’s numerous other activities, would not be possible without our vast network of dedicated members, volunteers, subject matter experts, speakers, chapter leaders, and trainers. So in celebration of CSA’s 15th anniversary, all throughout 2024, we’ll be interviewing 15 longtime partners that have been integral to our success and growth.

Today’s interviewee is Dr. Ricci Ieong, Principal Consultant at Hatter Company and eWalker Consulting (HK) Ltd. Ricci has over 20 years of industry experience in information technology and security, where he specializes in security risk assessment, IT audit, penetration testing, and computer forensics investigation. Below, get Ricci’s perspective on CSA standards and the development of our CCAK program.

What are the various ways you’ve been involved with CSA over the years?

I'm currently the Vice Chairman for Professional Development of the CSA Hong Kong & Macau Chapter, as well as a CCSK and CCAK Trainer. I'm also one of the contributors to the Cloud Incident Response Working Group and the CCAK.

What’s your favorite memory of the CSA community?

Participating in the content development of the CCAK. I joined the CCAK development committee in 2020. During that time, I participated as a specialist to provide input regarding the cloud auditing practices and knowledge that should be included in the exam.

During discussions with the project team, I think everyone had chances to learn together. In fact, CCAK definitely contains some of the most interesting and advanced content on cloud auditing. With support from various team members at CSA Global, CSA APAC, and CSA HKM, we worked and learned together as we prepared the content for the CCAK.

Why do you continue to be a part of the CSA ecosystem?

I consider CSA to be an important organization that affects the cloud computing security arena. Because cloud computing is an ever-changing industry, CSA empowers us to learn and lead changes. As CSA is a worldwide-accepted expert organization, its cloud security standard, checklist, and practice guides are normally taken as standard to many companies in HK and APAC.

What do you see as one of CSA’s most significant contributions to the cybersecurity industry?

CSA defines a number of cybersecurity standards - CCM, CAIQ, CCSK, CCAK, and certification standards. As stated above, CSA standards are already considered as the norm for cloud service customers. We have actually assisted some companies in HK to adopt CCM and CAIQ as their standard checklist. And as a CSA Trainer, we are very aware that many companies send in their staff to learn and prepare for the upcoming waves in the ever changing Cloud Era.

What are your predictions for CSA in the next 15 years?

CSA standards will be included in all the default standards for all organizations.

Make sure to check out more insights from the CSA community here.