CCSK Success Stories: From a Senior Executive
This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog we'll be interviewing Noorsila Nabasha, Senior Executive at MDEC.
1. In your current role as a Senior Executive at MDEC, you handle public sector cloud adoption. Can you tell us about what your job involves?
My role is basically to engage the public sector in using cloud for the day-to-day job and services; this is aligned with the Malaysia Cloud First policy, which was announced in 2017. We facilitate and provide support, i.e. advise and create awareness on matters such as cloud security, data protection, data sovereignty and data residency, to the public sector.
2. Can you share with us some complexities in managing cloud computing projects?
We do not directly manage cloud computing projects ourselves. Such projects are handled by the other government agencies such as MAMPU. We ensure that the overarching environments and frameworks are conducive for cloud adoption in Malaysia.
MDEC has worked with CSA to undertake the mapping of the Malaysian Personal Data Protection Act to CSA CCM v3 to identify the gaps between them. In this way, CSPs that are certified to CSA STAR also need to ensure that the mitigating security controls identified for the missing gaps are provisioned for. Such CSPs can then offer cloud services to Malaysian enterprises with the assurance that the cloud security and data protection concerns have been addressed.
MDEC and CSA also undertook a cloud adoption survey for the financial service sector in Malaysia to identify the challenges that the commercial banks face in their cloud adoption journey.
3. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
Last year, MDEC collaborated to equip IT professionals who completed CCSK via a learning management system (LMS), with access provided courtesy of CSA, so that they can continue with their learning during the COVID-19 pandemic lockdown (aka Movement Control Order in Malaysia). While on WFH, I made use of this opportunity to equip myself with the knowledge of cloud and cloud security technology in order to be better placed to convince the government users to adopt cloud services. I was successful in passing the CCSK examination.
I think the topics of shared responsibility, data governance and contract management are most relevant as we need to be transparent to the government agencies and include all clauses/information to protect the government users.
4. How does CCM help communicate with customers?
The Cloud Controls Matrix (CCM) provides a level of confidence to the public sector as it supports the security controls in many industry information security standards. Government users could also use the CCM as a checklist for their internal audit assessments.
5. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?
This is important as we are a government agency that cannot be seen as biased or showing favor to any particular CSP. However, a vendor certificate can be important when the CSP's cloud services are widely used.
6. Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?
Yes. CCSK covers the security aspects of cloud and it is a vendor-neutral certificate. Both elements are important as the topmost concern in public sector cloud adoption is about security (or the lack thereof).