Event Recording

CCAK - Aim for the Clouds

The knowledge and skills gap in the cybersecurity industry is a problem that has been identified and discussed for the past 20 years. However, with the rapid acceleration of technology development, the skills gap seems to worsen as time goes by and may soon become a systemic deficiency. In this presentation, I will talk about the first-ever, technical, vendor-neutral credential for cloud auditing. It fills a gap in the industry for vendor neutral, technical education for competent professionals to help their organizations reap the full benefits of cloud environments.

2004. When I started my professional career as an auditor, I started educating myself, you know, getting a couple of certifications under my belt, like CSA system. When I moved from the auditing and advisory role into the banking sector, to the association group, I also started being interested in the cloud in 2011. This is really when the cloud kind of started gaining traction. I looked at the Cloud Security Alliance, their Certificate of Cloud Security Knowledge. And I did a lot of volunteering, both for ISACA and CSA. So basically in 2014, my day job became Cloud Security Alliance. So I was a program manager and a researcher there for the next period, like over six years. I did a couple more educations because we always need to update our knowledge and skillset. And since 2020 I joined Willis Towers Watson. So what really is important here is we should never forget about the training.
So I was lucky enough to be part of the audit expert group, as you can see from the certificate I'm sharing on the screen. You remember, you know, when there are those t-shirts, "all I got is this lousy t-shirt", you know, when you do some cool stuff. I never even got the lousy t-shirt, right. So for me, I got this lovely certificate, which I can use as CPEs; 15 hours can be accredited to my certifications. So that's something, you know, I didn't get paid for it, but really for the pleasure of helping the community, the global security community and audit community. As you know, I'm an auditor by DNA. That's how I started my career. So I really want to talk about some things today, but just for the background, we are talking clouds. We've had some very nice presentations throughout the day.
So just to sum up the day with some numbers, really, you know, when we are talking about the cloud, we are really talking about a large market. By some studies, they are assessing that by 2024, over 660 billion US dollars will be the market of cloud services. And then when we are talking about hosting data and workloads in the cloud, we are talking about 70% of organizations having witnessed a security incident in the last year, which is quite scary. Basically seven out of 10 organizations had an incident in a public cloud. So what should we do about it? Are we ready to tackle those problems? And then another interesting statistic: 59% of enterprises are expecting cloud usage to exceed their plans because of COVID-19. So this pandemic has actually made our cloud efforts speed up.
And the digital transformation just got the boost because of it. And then the last figure that I wanted to share, we were talking about over 100% increase in cloud computing jobs in the US, in the period from 2016 to 2019. So, which really means that our profession is very sought after. So we should uplift our skills. We should be up to date on the cloud because the community at large needs us. They really are counting on us to tackle all of the challenges that we are dealing with. And then as I mentioned challenges, so what are some of the challenges posed by the cloud migration? So I'll start with the technical challenges. You know, obviously cloud is, you know, another step in the evolution of computing. You know, we have some of the challenges related to technology stacks. We have things such as microservices, serverless computing, software-defined perimeter.
Some of those things that we wouldn't be discussing 10 or 15 years ago. When we talk about deployment frameworks, you know, we have hybrid clouds, multi-cloud; we talk about DevOps. You know, let's say, when I started my auditing days, if someone would tell me dev and ops are the same person, you know, I would write them a recommendation letter. No, no, no. You know, dev is one part, ops is the other part, but with the evolution, things are changing. And also when we talk about continuous integration, continuous development, we cannot just apply the waterfall model to the DevOps approach because we just lose all of the benefits of the cloud. And then obviously one of the benefits is also automation. So are we ready for that? Are we updating our skillset to be able to address those challenges? And then we have things such as encryption, collocation, you know, all the scalability of the clouds and things like that.
And then obviously while technical is always fun and, you know, engineers and security professionals always love the technical bits and the technical challenges, here we come, you know, the boring compliance guys, and we start talking about, you know, the challenges with governance and compliance. You know, one of the biggest challenges that we have as an industry, you know, we are used to the on-prem environment where we have direct control over our systems, but really in the cloud, we need to adopt the new governance mindset where we actually shift from direct to indirect control. And you know, how do we deal with that? And then we need to educate the audit committee effectively, and all of the compliance challenges that have come along when we have multiple applicable laws and regulations, you know, just to name a few like HIPAA, GDPR, CCPA, PCI DSS and so on and so on.
So it really is something that we have not been dealing with when we were in the on-prem environment to such an extent. And then obviously last but not least, I would even say, you know, we always start with the business and the business challenges that they might be having. We need to understand that we might be increasing some of the risks and we need to address the organizational silos mindset that we have had traditionally within the organizations, how we deal with that and how we make sure that we uplift the knowledge within the organization, how we educate our stakeholders about the new cloud computing terminology, how do we work? You know, like what does DevOps mean now? What do different delivery models mean? And yeah, basically a lot of the time, it's also a lack of internal knowledge for effective cloud evaluation before we step into the cloud.
So how do we make sure we don't, you know, get into the minefield. And then obviously an additional business challenge is that with the cloud, we also get the increasing cost of audit management and non-compliance with cloud migration as well. So these are all the things that we are dealing with. So how do we address them? I would say, you know, let's start with developing an auditing mindset. So, okay, easy. Right. Maybe we can do this approach. Sure. You know, someone told us, you know, to monitor the cloud. So we don't really have an idea. So we will do as good workers. We will do the best efforts, whatever that is; might be good, might not be that good. So what I wanted to talk a bit about today is CCAK, which stands for Certificate of Cloud Auditing Knowledge, and what this really is, is a unique vendor-neutral solution.
So I participated in this effort as a volunteer, as one of the experts. I'm a member of ISACA for more than 15 years, I've been at CSA for over 10 years. And with very good world-renowned experts, I was humbled and honored to be part of the expert group where we built a first-ever credential of its kind. And really the idea is to bring together cloud security experts, auditing, and risk and compliance experts to work together and build a base of knowledge and develop a certificate that fills the need for vendor-neutral technical training. So really this certificate prepares IT professionals to be able to basically get their skill set and knowledge in order to support their organizations on their cloud journeys. So talking about who this certificate is for, it really is for a broad community of people. We are talking about IT auditors.
We are talking about the internal IT and security practitioners, internal auditors, the risk management personnel, internal control practitioners, third-party service providers, CSPs, auditors, security consultants, and so on and so forth. It really is a certificate with a broad set of knowledge included. It has very big industry support. Just a couple of testimonials here from people that I had the honor of working with. For instance, you know, you can read it for yourself, but Craig is a dear friend of mine. He has been head of cyber risk for a global bank where the security head count was over 1200 people, and so on. So different people really acknowledging how CCAK and the body of knowledge that we have built is really something that is valuable. And as ISACA and CSA have been working on this, I am proud to also say that the Information Systems Security Association (ISSA), also one of the non-profit organizations for cyber professionals, has agreed to collaborate on basically supporting and strengthening the cybersecurity profession by promoting CCAK as such.
So I guess you are all curious what I'm really talking about as I'm mentioning the Certificate of Cloud Auditing Knowledge. Sorry. So just to give you a quick peek into the curriculum and the structure, what we really wanted to put together. So what we really want everyone to learn while, you know, studying for the CCAK: we've obviously built a body of knowledge, and we want you to learn how to understand the difference in assessing and auditing cloud environments compared to the traditional IT infrastructure, how to basically do proper evaluations, how to discover how these cloud security assessment methods and techniques can be used. And then obviously when we are talking about governance, how existing governance policies and frameworks are affected by the introduction of cloud into our ecosystem. As such, then compliance; we always love to talk about compliance. It's really about understanding the unique requirements of compliance in the cloud due to this shared responsibility model that was mentioned a couple of times today, because it really is about the shared responsibility between cloud providers and customers, and this is really important to understand very well.
And then when we are talking about security, it really is important to learn how to use a cloud-specific security controls framework to ensure security within the organization. Because in many cases we can actually learn from examples that cloud can uplift our security posture. And then one of the things that I've had a great interest in over the last five or so years is continuous monitoring. Continuous monitoring is like, how can we architect in a way that allows us to measure controls effectiveness through metrics? And then basically, I personally believe that the future really is in continuous monitoring. So we don't do the audits, let's say, once per year, and then we need to wait for another period to understand if we are compliant or not. So really the continuous monitoring aspect of it. And then last but not least, Cloud Security Alliance as a global not-for-profit organization has developed many tools, such as the Cloud Controls Matrix, the Consensus Assessments Initiative Questionnaire, and the whole STAR program.
Those are all freely available tools that you can get on the website of Cloud Security Alliance. And it's very, very useful for everyone to have a look at if you are not familiar with those already. So talking about the content, the curriculum, the training and the preparation. So what we really worked on is to put together a body of knowledge study guide, and it's an ebook that you can get on ISACA's website, almost 400 pages of very good content. And once you feel confident about it, obviously you can do the self-paced study course; you get 16-plus CPEs for that. You can have virtual instructor-led courses as well. Even, let's say, the sample questions are available. But then at the end, if you're interested in how do I get the certificate, simple: it's a two-hour exam, 75 multiple choice questions, and in order to pass the exam, you need 70% correct answers.
So just for you to understand the timing of the CCAK, it's a very fresh thing that I'm talking about here. The study guide was really introduced just in the beginning of this year, and the trainings and the question bank with the sample questions have been introduced just earlier this summer. So yeah, this is really something that I feel very proud to be part of the story. That was what I wanted to deliver to all of you, to take something away, and I'm available. If there are any questions or comments, I'm more than happy to hear them, but I would instruct you to go further to the websites of either ISACA or Cloud Security Alliance if you want to learn more about the specific certificate.