CCSK Success Stories: From a Regional Information Security Officer

This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog, we'll be interviewing Giridhar Rao, Regional Information Security Officer, APAC at ZEISS.

1. Can you tell us about what your current role involves?

I am the head of the regional ZEISS Information Security Organization and am the initial point of contact and escalation for all security related matters in the region. My responsibilities include designing and driving policies, standards, and processes to maintain and improve the overall security posture; information security assessments; approval authority with veto rights; involvement in projects from the design stage; assessing security concepts of various business solutions; and evaluating technical risks.

2. Can you share with us some complexities in managing cloud computing projects?

Various business solutions in APAC with multiple office locations add more complexity and come with their own challenges. Implementing solutions and providing security in the cloud needs a different mindset. As the saying goes, there is no lift and shift. Doing all that and still “managing” risk and ensuring governance and compliance is worth the effort.

3. In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?

Understand the shared responsibility model clearly (I cannot stress this point enough). Identifying data and information ownership helps with data classification, which then leads to the mechanism of protection. Over time, I have come to understand that as the security controls remain the same, the implementations vary. Lastly, never ever compromise security controls in favor of cost. Regional difference is something that needs attention due to compliance reasons.

4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?

As the CCSK is a vendor-neutral approach to cloud security, I personally see this as a good starting point. As cloud security is an integral part of most of our solutions, it’s better late than never to be able to speak the right language. There are 14 domains in the CCSK and every domain is an integral part that allows me to analyze security concepts. However, domains 6, 7, 9, and 12 are major attractions for me.

5. How does the CCM help communicate with customers?

The Cloud Controls Matrix (CCM) helps with our due diligence process; we have a cloud security questionnaire in place along the lines of the CCM. This helps organizations or customers to assess the risk associated with CSPs through a comprehensive cloud security standard. It helps lend clarity on what is expected of both sides. Mapping the CCM controls to various standards like ISO 27001 improves the tasks at hand.

6. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?

The CCSK or CCSP provide the right mindset to address security related issues. In total, how I see things would be for a professional to have clarity on the relevant security controls first, and then look towards the necessary solutions operationally that would follow them.

7. Would you encourage your staff and/or colleagues to obtain the CCSK or other CSA qualifications? Why?

For sure, without a doubt. With a multi-cloud strategy, it has become important to adapt a vendor-neutral approach. This enables us to look into the details of demands and security concepts and what are the necessary controls that should be designed.

8. What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?

With rapid technology changes, it is necessary to be on our toes and adapt the concept of continuous improvement/education. I strongly believe that our roles are to support the business to run securely.