Virtualization Technology News and Information
TraceSecurity Predictions: 2013 is the Year GRC Takes Hold in the Cloud

VMblog Predictions

Virtualization and Cloud executives share their predictions for 2013.  Read them in this series exclusive.

Contributed article by Brady Justice – Director of Systems Engineering at TraceSecurity

2013 is the Year GRC Takes Hold in the Cloud

Security is a funny thing. There are always new threats poised to take down civilization, and not far behind are a myriad of companies ready to sell their product to help you sleep at night. That is, until the next big threat hits. Countless vendors are ready to prey on fear and offer a quick fix to a particular problem, especially for cloud and virtual environments. A real information security strategy, one that analyzes and quantifies real risk to your organization, can be these vendors' worst nightmare. Those who truly understand risk and the effectiveness of an organization's existing risk management techniques are much less likely to succumb to fear tactics and the unknown.

Due to the inherent difficulty in formalizing an information security program, small to medium-sized enterprises (SMEs) tend to be even more susceptible to this behavior of fear-based IT risk management. While large enterprises have invested hundreds of thousands, if not millions, into IT governance, risk, and compliance solutions (IT GRC) and security experts, SMEs have been left to fend for themselves without access to unlimited resources.

During the process of adopting IT GRC, many organizations are forced to take a step back before they can take one forward. They have to be disciplined enough to stop bailing water out of the ship and concentrate on finding the leak. The traditional on-premise approach requires IT overhead - including database setup, application deployment, backup logistics, business impact analysis, DR/BCP planning, and all of the other cycle-heavy dependencies of deploying a new application. This is all before they even get to the IT GRC acronym, or consider GRC in the cloud. With some solutions taking up to a year or more to configure and to start realizing value, the concept is a tough sell to the average SME.

In 2013, IT GRC is next in line to make the successful jump to the cloud, and will be driven by SMEs' desire for more sophisticated, manageable and affordable information security and risk management programs. SMEs have many of the same compliance requirements (PCI, SOX, state privacy requirements, etc.) as their Fortune 1000 siblings, the same data security issues, and, most times, relatively less budget. After decades of spending money on band-aids and quick fixes, in 2013 SMEs will take a more organized and strategic approach to risk management. As long as proper vendor due diligence is performed, there is nothing in an IT GRC program that is hindered by the cloud or made less convenient or valuable because of it.

2013 will also bring about more formal and standardized due diligence processes for cloud providers and vendors providing security in the cloud. As is true with existing cloud technology, many controls that are supposed to secure this information are completely outside of the customer's direct management capabilities. Cloud security functions reside with the cloud providers and individual vendors. Cloud providers and vendors will have to prove that their security controls meet customer expectations and are agile enough to keep pace with future requirements.

While forward progress continues, with standards bodies such as ISO and NIST putting forth cloud security standards, organizations that look to make the jump to the cloud still have to create their own due diligence processes. They are ultimately responsible for their own cloud security. With this being an arduous task for both the customer and the vendor, companies in 2013 will capitalize on this in the form of cloud certifications, canned due diligence questionnaires that are specifically tailored to cloud applications, and vendor-specific risk assessments.

Next year is the year we will see SMEs really formalize their information security programs and ensure they maximize their security spend, especially as they expand to the cloud. With increased IT complexities and the ever-growing threat landscape, organizations of any size cannot afford to blindly tackle threats in a reactionary manner. While the benefit of IT GRC is certainly nothing new, many SMEs are exploring its possibility for the first time. Existing IT GRC providers will need to learn how to take advantage of cloud deployment and design their solutions to work better within the resources of the SME world - or be forced to stay in the Fortune 1000 stratosphere. 2013 is the year we will see this start happening.


About the Author

As Director of System Engineering, Brady Justice is a key member of TraceSecurity's management and strategic teams, and supports the sales department through pre-sales technical consultations, prospect and customer software presentations and demonstrations, and provides technology training to internal staff. As a member of the TraceSecurity strategic team, Mr. Justice provides innovative vision for product roadmaps, strategy, design, and management, as well as marketing and sales strategy.

Mr. Justice is fast becoming a thought leader in the industry through webinars, speaking engagements, analyst briefings and press briefings. He understands where the market is moving and helps keep TraceSecurity and its customers one step ahead. 

Mr. Justice currently holds a CISM certification and has more than 11 years of experience in the information technology field. Prior to TraceSecurity, Mr. Justice was a senior security engineer for Garrison Technologies.

Published Thursday, November 29, 2012 6:56 AM by David Marshall