CCSK Success Stories: From an IS Control and Audit Partner
This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog we'll be interviewing Budi Hermawan, IS Advisory, Control, and Audit Partner at PT Adikarya Tata Informasi.
1. In your current role at PT Adikarya Tata Informasi, as an IS Advisory, Control, and Audit Partner, you provide independent and objective assurance to your customers. Can you tell us about what your job involves?
In the context of an information system audit, I am responsible for providing independent and objective assurance to our customers regarding the adequacy of information system control, information system performance in supporting the achievement of business objectives, and information technology governance and management compliance with laws and regulations, frameworks, best practices, and standards they must adhere to.
In the context of information technology consulting, I am responsible for providing and/or assisting customers in designing, implementing and/or carrying out various information technology architectures and/or controls. This ensures that the use of information technology is aligned and supports the achievement of business goals effectively and efficiently and in accordance with regulations that must be obeyed.
2. Can you share with us some complexities in managing cloud computing projects?
The complexity of cloud computing projects occurs because cloud computing is relatively new and has not been comprehensively understood by many companies in Indonesia. The main thing that often causes the complexity is the issue of data security for data that is stored and processed in the cloud, outside the company's data center which involves another party, that is, the cloud service provider (CSP).
3. In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
I have managed cloud computing projects using:
a) References to laws and regulations, frameworks, best practices, and/or standards on cloud computing that are relevant to the company; for example CSA Security Guidance and CSA Cloud Controls Matrix.
b) Assistance from certified cloud computing experts, for example CCSK and CCAK, as a consultant.
4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
CCSK is conceptual and vendor-neutral. All the CCSK materials are relevant and support the completion of all consulting and audit engagements regarding cloud computing from customers. This gives me the flexibility to be able to provide cloud computing consulting and auditing services to more customers without having to be limited by the CSPs used by each customer.
5. How does CCM help communicate with customers?
The characteristics of CCM, as a result of research and best practice global cloud computing controls, are vendor-neutrality and structured and easy-to-understand formatting, allowing me to easily give customers assurance that the scope of cloud computing control that I recommend and evaluate is comprehensive and standardized.
6. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?
The vendor-neutral certificate gives added value to me, especially in 2 ways; it:
a) provides flexibility for me to be able to provide consulting services to more customers without having to be limited by the CSP they use;
b) supports me in applying the principles of independence and objectivity that an auditor must have.
7. Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?
Yes, for sure. CCSK and CCAK will improve the competence and work quality of my staff and colleagues in providing consulting and auditing services for our customers, especially those who have adopted cloud computing. In addition, customer trust in PT Adikarya Tata Information Services’ quality will also increase because the assigned experts have obtained CCSK and/or CCAK.