CCSK Success Stories: From an IT Security Auditor

This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog, we'll be interviewing Ade Triangga, IT Security Auditor, Bank Mandiri.

1. In your current role as an IT Security Auditor, you provide independent assurance to your organization. Can you tell us about what your job involves?

My team and I have the responsibility to perform independent and objective assurance and advisory services on bank-wide IT/IS controls, particularly information security controls. We also adopt a risk-based approach in every assignment while ensuring compliance to the local banking regulation, relevant laws, and best practices.

2. Can you share with us some complexities in managing cloud computing projects?

I work in a state-owned company that provides financial services. This makes the adoption of cloud computing very challenging in terms of law and regulation. Many stakeholders have doubts about cloud computing adoption in terms of security, privacy, and integration with existing/legacy systems. In addition, challenges also come from the complexity and rapid development of cloud computing technology and security itself.

3. In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?

Identify and fully understand shared responsibility models. Identify, document, and mutually agree on each responsibility between the client and the CSP. This is the starting point in determining the appropriate control and who is responsible for it. Always apply a risk-based approach when defining and implementing controls. Consider periodically assessing and maintaining compliance with relevant laws and regulations. Ask an independent party to conduct an audit/assessment if necessary.

4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?

For me, cloud and cloud security is one of the emerging technologies that everyone should learn. CCSK was my choice because it is the vendor-neutral cloud security certificate made by the world's leading cloud security organization. CSA not only provides certificates, but also provides many great resources about cloud security subjects that demonstrate their applicability, usability, and relevance in real-world cloud projects.

I frequently use the CSA Security Guidance and the Cloud Controls Matrix (CCM) as criteria and guidelines in my audit and consulting activities.

I found all of the cloud security domains in the CSA Security Guidance are relevant to my current role. However, I think compliance and audit management, infrastructure security, application security, data security, and incident response are the most relevant.

5. How does the CCM help communicate with clients?

The CCM provides comprehensive guidance in terms of security controls in the cloud. It also provides references to other standards, regulations, and best practices which will be very useful for any organization across industries when assessing controls and ensuring compliance.

This is very helpful in communicating with clients who may already have an implementation of a certain standard or best practices in their organization.

6. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by a vendor? In what scenario are the different certificates important?

Vendor-neutral certificates are great as they can provide foundational knowledge to cloud security in an unbiased manner. Vendor-neutral certificates will help us when we need to learn the security aspects of specific CSP(s), including comparing security aspects between them.

7. Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?

Yes I would. CCSK definitely could help me and my colleagues to speak the same language when it comes to addressing cloud security best practices and issues. Also, CSA provides many great resources and communities when it comes to cloud security.

8. What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?

Don’t stop learning and focus on building a professional network, especially when it comes to emerging technologies like cloud and its security controls. Do join professional communities and networks as they could enrich your perspective. Obtain professional certificates to challenge yourself in terms of self-development.