Welcome!

Cloud Security Authors: Elizabeth White, Liz McMillan, Pat Romanski, Zakia Bouachraoui, Yeshim Deniz

Related Topics: @CloudExpo, Java IoT, Cloud Security

@CloudExpo: Blog Post

Staying Compliant in the Cloud Without a Cybersecurity Attorney By @BThies | @CloudExpo #Cloud

Compliance can be achieved without them

Cybersecurity is a complex field, and with laws varying across states and countries, keeping cloud usage compliant can become a real headache for enterprise security decision-makers.

As regulations continue to lag behind the rapid pace of technological advancements, many IT security professionals turn to the expertise of cybersecurity lawyers, who not only understand the ambiguities of the law, but are also able to secure and protect their employers' interests in the case of a breach.

When Is a Cybersecurity Attorney Needed?
There are times when cybersecurity lawyers are essential. Given recent developments such as Edward Snowden's National Security Agency leaks, the exponential growth of the Internet of Things, and the throwing out of Safe Harbor Rules, privacy is an ever-evolving concern for businesses. Every company must ensure the safety of its users' data, and a qualified cybersecurity attorney should review privacy policies and programs to ensure proper compliance.

The use of such legal experts should be incorporated into the incident response plan in addition to having the experts review procedures. When a breach does occur, the public relations team cannot be left to draft communications on its own.

Each state has its own laws on what is required when making a breach public. The laws set thresholds for dollars and numbers of affected records, and even criteria relating to the level of data encryption, to help determine whether a breach must be reported. This means companies have to be careful when disclosing breaches, as poor communication can risk litigation.

Staying Compliant Without One
Cybersecurity attorneys are not necessary, however, for everyday operations. While they play an important role in dealing with specific crises, it is possible for a company's security officials to cope with most situations on their own. Many companies would be better served by hiring someone to manage their information security teams and train up their general counsel to address typical security risks than by spending top dollar on an attorney specializing in cybersecurity.

The creation of an information security plan, for instance, is a task far better suited to IT security professionals and chief security officers than to lawyers, as are decisions regarding cloud strategy. When it comes to ongoing monitoring of the environment and cloud services, unbelievable technologies are available to support information security management and to serve as the eyes and ears preventing a serious compromise of data.

A cybersecurity attorney is not equipped with the experience of running governance programs or of managing risk and compliance activities for all aspects of cloud computing. The CSO must instead take the lead on those.

Performing a Risk Assessment
Before proper compliance can be built into the system, all business risks and technical controls must be reviewed. How mature are the security management practices? Organizations generally fall into three maturity levels:

  1. Basic protocol is the blocking and tackling of security. It is understaffed and lacks reporting metrics, controls, policies, and processes. It may even lack executive support for security budgeting.
  2. Compliance-driven cloud security goes beyond the basic and looks toward compliance frameworks, such as ISO 27001/2, to drive security. This is better but still lacks the focus of a proper and authoritative security system.
  3. Risk-based security is multilayered. It can correlate events, such as security incidents, across multiple disciplines and business environments to rank and respond to them. It uses dynamic information security and IT audit controls to ensure that data are safe, secure, and routinely inspected.

Once the security environment has been assessed and its maturity defined, companies must look to implement a framework that improves security in the following elemental areas:

Source: KPMG LLP's Security Maturity Continuum

Several IT governance, risk and compliance tools can be used when building the best security management programs. These help the system to run smoothly and also aid adaptation to changes in personnel, ensuring that employee turnover doesn't lead to a breach.

Cybersecurity attorneys are still important in times of crisis, but for day-to-day security they are an expensive luxury. Compliance can be achieved without them.

More Stories By Brad Thies

Brad Thies is the founder and president of BARR Advisory, P.A., an assurance and advisory firm specializing in cybersecurity, risk management, and compliance. Brad speaks regularly at industry events such as ISACA conferences, and he is a member of AICPA's Trust Information Integrity Task Force. Brad's advice has been featured in Entrepreneur, Cloud Computing Journal, Small Business CEO, and Information Security Buzz. Prior to founding BARR, Brad managed KPMG's risk consulting division. He is a CPA and CISA.

IoT & Smart Cities Stories
Tapping into blockchain revolution early enough translates into a substantial business competitiveness advantage. Codete comprehensively develops custom, blockchain-based business solutions, founded on the most advanced cryptographic innovations, and striking a balance point between complexity of the technologies used in quickly-changing stack building, business impact, and cost-effectiveness. Codete researches and provides business consultancy in the field of single most thrilling innovative te...
Atmosera delivers modern cloud services that maximize the advantages of cloud-based infrastructures. Offering private, hybrid, and public cloud solutions, Atmosera works closely with customers to engineer, deploy, and operate cloud architectures with advanced services that deliver strategic business outcomes. Atmosera's expertise simplifies the process of cloud transformation and our 20+ years of experience managing complex IT environments provides our customers with the confidence and trust tha...
With the introduction of IoT and Smart Living in every aspect of our lives, one question has become relevant: What are the security implications? To answer this, first we have to look and explore the security models of the technologies that IoT is founded upon. In his session at @ThingsExpo, Nevi Kaja, a Research Engineer at Ford Motor Company, discussed some of the security challenges of the IoT infrastructure and related how these aspects impact Smart Living. The material was delivered interac...
Intel is an American multinational corporation and technology company headquartered in Santa Clara, California, in the Silicon Valley. It is the world's second largest and second highest valued semiconductor chip maker based on revenue after being overtaken by Samsung, and is the inventor of the x86 series of microprocessors, the processors found in most personal computers (PCs). Intel supplies processors for computer system manufacturers such as Apple, Lenovo, HP, and Dell. Intel also manufactu...
Darktrace is the world's leading AI company for cyber security. Created by mathematicians from the University of Cambridge, Darktrace's Enterprise Immune System is the first non-consumer application of machine learning to work at scale, across all network types, from physical, virtualized, and cloud, through to IoT and industrial control systems. Installed as a self-configuring cyber defense platform, Darktrace continuously learns what is ‘normal' for all devices and users, updating its understa...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
OpsRamp is an enterprise IT operation platform provided by US-based OpsRamp, Inc. It provides SaaS services through support for increasingly complex cloud and hybrid computing environments from system operation to service management. The OpsRamp platform is a SaaS-based, multi-tenant solution that enables enterprise IT organizations and cloud service providers like JBS the flexibility and control they need to manage and monitor today's hybrid, multi-cloud infrastructure, applications, and wor...
The Master of Science in Artificial Intelligence (MSAI) provides a comprehensive framework of theory and practice in the emerging field of AI. The program delivers the foundational knowledge needed to explore both key contextual areas and complex technical applications of AI systems. Curriculum incorporates elements of data science, robotics, and machine learning-enabling you to pursue a holistic and interdisciplinary course of study while preparing for a position in AI research, operations, ...
CloudEXPO has been the M&A capital for Cloud companies for more than a decade with memorable acquisition news stories which came out of CloudEXPO expo floor. DevOpsSUMMIT New York faculty member Greg Bledsoe shared his views on IBM's Red Hat acquisition live from NASDAQ floor. Acquisition news was announced during CloudEXPO New York which took place November 12-13, 2019 in New York City.
Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the mod...