Virtualization and Cloud executives share their predictions for 2013. Read them in this VMblog.com series exclusive.
Contributed article by Brady Justice – Director of Systems Engineering at TraceSecurity
2013 is the Year GRC Takes Hold in the Cloud
Security is a funny thing. There are always new threats poised to take down civilization, and not far behind is a myriad of companies ready to sell you their products to help you sleep at night. That is, until the next big threat hits. Countless vendors are ready to prey on fear and offer a quick fix to a particular problem, especially for cloud and virtual environments. A real information security strategy, one that analyzes and quantifies the actual risk to your organization, can be these vendors' worst nightmare. Those who truly understand risk and the effectiveness of their organization's existing risk management techniques are much less likely to succumb to fear tactics and the unknown.
Due to the inherent difficulty of formalizing an information security program, small to medium-sized enterprises (SMEs) tend to be even more susceptible to this fear-based approach to IT risk management. While large enterprises have invested hundreds of thousands, if not millions, in IT governance, risk, and compliance (IT GRC) solutions and security experts, SMEs have been left to fend for themselves without access to comparable resources.
During the process of adopting IT GRC, many organizations are forced to take a step back before they can take one forward. They have to be disciplined enough to stop bailing water out of the ship and concentrate on finding the leak. The traditional on-premises approach requires IT overhead - including database setup, application deployment, backup logistics, business impact analysis, DR/BCP planning, and all of the other cycle-heavy dependencies of deploying a new application. This is all before they even get to the GRC part of IT GRC, or consider GRC in the cloud. With some solutions taking a year or more to configure before they start delivering value, the concept is a tough sell to the average SME.
In 2013, IT GRC is next in line to make the successful jump to the cloud, driven by SMEs' desire for more sophisticated, manageable and affordable information security and risk management programs. SMEs have many of the same compliance requirements (PCI, SOX, state privacy requirements, etc.) as their Fortune 1000 siblings, the same data security issues, and, in most cases, a smaller budget. After decades of spending money on band-aids and quick fixes, in 2013 SMEs will take a more organized and strategic approach to risk management. As long as proper vendor due diligence is performed, there is nothing in an IT GRC program that is hindered by the cloud or made less convenient or valuable because of it.
2013 will also bring about more formal and standardized due diligence processes for cloud providers and for vendors providing security in the cloud. As is true with existing cloud technology, many of the controls that are supposed to secure this information are completely outside of the customer's direct management. Cloud security functions reside with the cloud providers and individual vendors. Cloud providers and vendors will have to prove that their security controls meet customer expectations and are agile enough to keep pace with future requirements.
While forward progress continues, with bodies such as ISO and NIST putting forth cloud security standards, organizations that look to make the jump to the cloud still have to create their own due diligence processes. They are ultimately responsible for their own cloud security. With this being an arduous task for both the customer and the vendor, companies in 2013 will capitalize on this in the form of cloud certifications, canned due diligence questionnaires that are specifically tailored to cloud applications, and vendor-specific risk assessments.
Next year is the year we will see SMEs really formalize their information security programs and ensure they maximize their security spend, especially as they expand to the cloud. With increasing IT complexity and the ever-growing threat landscape, organizations of any size cannot afford to blindly tackle threats in a reactive manner. While the benefit of IT GRC is certainly nothing new, many SMEs are exploring its possibilities for the first time. Existing IT GRC providers will need to learn how to take advantage of cloud deployment and design their solutions to work better within the resources of the SME world - or be forced to stay in the Fortune 1000 stratosphere. 2013 is the year we will see this start happening.
About the Author
As Director of Systems Engineering, Brady Justice is a key member of TraceSecurity's management and strategic teams. He supports the sales department through pre-sales technical consultations, prospect and customer software presentations and demonstrations, and provides technology training to internal staff. As a member of the TraceSecurity strategic team, Mr. Justice provides innovative vision for product roadmaps, strategy, design, and management, as well as marketing and sales strategy.
Mr. Justice is fast becoming a thought leader in the industry through webinars, speaking engagements, analyst briefings and press briefings. He understands where the market is moving and helps keep TraceSecurity and its customers one step ahead.
Mr. Justice currently holds a CISM certification and has more than 11 years' experience in the information technology field. Prior to TraceSecurity, Mr. Justice was a senior security engineer for Garrison Technologies.