The Knowledge Gap, Risk of the Unknown & the Certificate of Cloud Auditing Knowledge
Blog Article Published: 02/24/2020
By Daniele Catteddu, Chief Technology Officer, CSA
I have a business admin academic background, and so I have always approached cybersecurity risk management through those lenses. The more I have looked at the issues in cybersecurity, the more I am convinced that if you want to manage your risk, you need to be able to make informed decisions, which requires access to data and information as well as the skills and expertise to analyze them and make good sense of them.
Cloud has never been only a change in technology; it has also introduced a new business model around how to produce and consume information and communication technology (ICT) services. This new business model is heavily permeated with business relationships involving untrusted parties (CSPs) that play a vital role for companies, often being the backbone and nervous system of the organization.
This creates challenges in:
- Coordinating and integrating internal processes and tools with the third parties’ services and products
- Understanding the interdependencies within the supply chain
- Measuring trust and risk
Dangers of Interdependence
Referring to the wisdom of Dan Geer, one of my favorite security experts, interdependencies create complexity and complexity is an enemy of security. Complexity hides interdependencies and creates unacknowledged correlated risks, which are almost impossible to manage since they are, like a black swan, unexpected and unpredictable.
The real issue isn’t reliable data, it’s our ability to analyze the data.
When it comes to making informed risk-based decisions, we seem to have enough reliable information to base our decisions on (of course we can always increase the quality of the data). Where we are lagging behind is in our analysis and evaluation capabilities; not because our current workforce is not intelligent enough, but rather because there are knowledge and mindset gaps.
The fact that after almost 15 years of cloud computing, we are still struggling with the shared responsibility model is symptomatic of the nature and magnitude of the problem we are facing.
Complex supply chains and the shared responsibility model are at the core of the educational gap we are talking about. Cloud imposed a new governance approach based on indirect control. But as we all know, doing something yourself is not the same as managing someone who will do it for you.
It’s about being a good manager, not just being a technical expert.
In-house IT teams are often technologists, but not necessarily managers. Because of this, they often lack an accountability mindset. They need not only to understand the technical aspects of their cloud architecture, but also to be able to select and manage their vendors by asking them to provide the right evidence to prove they are indeed doing what they claim they will.
In other terms, what the market requires is IT and security professionals who are also practitioners, managers and auditors. They need to be able to identify the right questions to ask third parties, both during the vetting process and during the continuous monitoring of the service execution. They need to know how to read the contract and technical documentation made available by the CSPs, understand how to build and manage SLAs, be able to manage compliance, etc. In short, they need to put themselves in the shoes of a security auditor, assessor or evaluator and develop an auditor mindset.
The knowledge gap is also a reflection of an educational offering gap.
The lack of educational offerings in this area has been one of the main reasons that pushed CSA to work on a professional credential for cloud auditing. We want to fill the gap by building a certificate and training that equip the ICT workforce to lead and manage the cloud journey of the company they work for.
The Certificate of Cloud Auditing Knowledge (CCAK)
In the CCAK program we’ll focus on cloud governance, risk management and compliance. It will ensure participants know CSA’s best practices for audit and assessment and understand how to build a cloud auditing program. Our security control framework, the Cloud Controls Matrix (CCM), will also be an important component of the body of knowledge.
The education program is meant to:
- Extend existing IS auditor certifications such as ISACA CISA, and security auditor certifications such as ISO 27001 Lead Auditor, by providing additional expertise on how to assess the cloud and how to build and execute a cloud auditing program.
- Extend existing cloud security certificates such as the CCSK by expanding their curriculum with additional resources on how to govern, assess and evaluate the cloud.
If you are a cloud security expert and/or a security auditor and are interested in getting involved in the CCAK development, please reach out to CSA.
About the Author
Daniele Catteddu, Chief Technology Officer, CSA
Daniele Catteddu is an information security and risk management practitioner, technology expert and privacy evangelist with over 15 years of experience. He has worked in several senior roles in both the private and public sectors. He is a member of various national and international security expert groups and committees on cybersecurity and privacy, a keynote speaker at several conferences, and the author of numerous studies and papers on risk management, cybersecurity and privacy.
Currently he is the Chief Technology Officer at Cloud Security Alliance, where he is responsible for driving, on a global scale, the adoption of the technology strategy roadmap within key CSA lines of business: Research, Membership Services, Standards, Education and Products. He identifies technology trends, global policies and evolving social behavior, and their impact on information security and on CSA’s activities.