CCSK Success Stories: From the Head of IT at a Financial Services Company
Written by Faisal Yahya, Head of IT - Cybersecurity and Insurance Enterprise Architect, PT IBS Insurance Broking Service
This is the fifth part in a blog series on cloud security education, in which we will be interviewing Faisal Yahya, Head of IT - Cybersecurity and Insurance Enterprise Architect at PT IBS Insurance Broking Service. In this blog he shares some of the challenges he faces in managing cloud computing in his current organization, common pitfalls and how to avoid them, and his experience earning the Certificate of Cloud Security Knowledge (CCSK).
In your current role at PT IBS Insurance Broking Service, as Head of IT – Cybersecurity and Insurance Enterprise Architect, you oversee the IT and security aspects in your organisation. Can you tell us about what your job involves?
I am responsible for all IT strategies and operations of the company. My position is not limited to internal activities but also covers how to connect the current architecture with multiple insurance companies, clients, and reinsurance companies in various countries. As changes in the insurance business are very dynamic, this requires planning an agile and effective IT strategy.
Can you share with us some complexities in managing cloud computing projects?
Working in the financial services industry is challenging because there are many government regulations, especially if we talk about privacy and cybersecurity. On the one hand, cloud technology makes it convenient to respond to this. On the other hand, it is not easy to transform on-premise architecture so it can be moved to the cloud. The CCSK provides comprehensive guidance on everything needed for IT professionals to build effective, efficient, and secure cloud architecture.
In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
The expenditures for any cloud service remain the most significant drawback, and storage is no different. Unforeseen costs include snapshot costs and unplanned automatic growth in storage. It is vital to ensure that you have the right resources to direct you and enforce strict deployment and budget guidelines.
- Cloud storage also does not require much time to prepare, build, and check properly. And still, companies can benefit from the cloud provider’s wide range of experience. Although, by having experience in software development, we can still leverage cloud storage usability and functionality better than on-premise, including the archiving process required by compliance.
- Data size is another challenge. Data has bulk, which means that when it has to transfer, there is no shortcut. Failure to take sufficient account of data volume poses significant business issues. Industry experts have expressed their concern about cloud backup data.
- In many situations, cloud storage can make sense, but this does not mean that all your infrastructure follows. It's not a trivial task to establish a secure and robust link with your cloud provider. Many features are taken for granted in the company that are not provided with cloud storage.
- The security of any IT project should be at the forefront, and cloud storage is no different. Any resident, his data, and supporting infrastructure can be seen or removed by a lost encryption key or leaked administration account. Too often, companies are stuck in the cloud, and it is the responsibility of the provider.
What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work, and why?
Compliance, governance, and architecture. These three are the most relevant to my working situation. Working together with many companies outside of Indonesia requires a broad understanding of these areas, especially compliance. CCSK helps us a lot to ease the learning processes. CCSK fits all the related information under one useful framework. This framework greatly supports anyone who wants to study cloud security without any previous background.
How does CCM help communicate with customers?
Cloud Security Alliance Cloud Controls Matrix (CCM) offers a precise security mechanism to guide cloud providers. The CCM has become a general practice among many financial services (my industry in general) firms for how they manage cloud use. It is especially helping with how we can communicate the standards among peers.
What’s the value in a vendor-neutral certificate versus getting certified by a vendor like AWS? In what scenario are the different certificates important?
Cloud is about orchestrating resources. I believe, in the future, this will broaden and expand into various cloud service providers (CSPs). Meaning that, when we talk about cloud, we will be primarily talking about designing architecture that enables the connection of several different CSPs. We cannot discuss this by just referring to one specific CSP since they are all connected. We need to have standard best practices that work for all CSPs, and hence the importance of having a vendor-neutral certification.
Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?
Yes, of course. Refer to my previous answer. Cloud is not only a technology but also a platform for which we can connect to various CSPs. To efficiently and effectively design the architecture, we cannot rely on one CSP only. We need to have a vendor-neutral source from which we can learn the best practices.
What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?
Technology is changing so fast. Broaden your expertise in one specific domain you are passionate about that will keep you in the spotlight. Do not take shortcuts, and certification is just one step to gain expertise. You need to practise and practise as much as possible. And lastly, network with professionals in the same domain area to advance your skill from other learning experiences.