Category Archives: digital transformation

Traditional approach to data security hindering digital transformation initiatives

Security professionals who adopted a more traditional or reactive approach to their data protection and security program did not believe they would reach their digital transformation goals, according to a TITUS report. The report, “The Vital Role of Security in Digital Transformation,” is based on a survey conducted by Market Strategies International of more than 600 IT decision makers at leading brands across a diverse set of industries in the United States, Canada and the … More

The post Traditional approach to data security hindering digital transformation initiatives appeared first on Help Net Security.

The six biggest cybersecurity risks facing the utilities industry

The utilities industry is rapidly modernizing its infrastructure, adding more digitized equipment and connectivity across devices, plants, and systems. This evolution to “smart infrastructure” represents a positive, paradigm shift for the industry. Unfortunately, the security policies of many utilities have not evolved along with it, leaving them incredibly vulnerable. Utilities are investing heavily to modernize infrastructure. In fact, ABI Research projects that the industry will spend US$14 billion a year between 2018 and 2023 — … More

The post The six biggest cybersecurity risks facing the utilities industry appeared first on Help Net Security.

Cybersecurity, privacy and technologies still top challenges for IT audit teams and leaders

Cybersecurity, privacy and technologies—from mission-critical to digitally transformative—top the list of challenges IT audit teams and leaders grapple with every day, according to a study conducted by ISACA and Protiviti. An executive summary of the study notes the growing role and responsibilities of IT audit in digital transformation, partnerships between the IT organization and IT audit function, and differences in how IT audit leaders operate compared to other IT audit professionals. The 2019 IT Audit … More

The post Cybersecurity, privacy and technologies still top challenges for IT audit teams and leaders appeared first on Help Net Security.

e-Crime & Cybersecurity Congress: Cloud Security Fundamentals

I was a panellist at the e-Crime & Cybersecurity Congress last week, the discussion was titled 'What's happening to your business? Cloud security, new business metrics and future risks and priorities for 2019 and beyond", a recap of the points I made.
Cloud is the 'Default Model' for Business
Cloud is now the default model for IT services in the UK; cloud ticks all the efficiency boxes successful business continually craves. Indeed, the 'scales of economy' benefits are not just most cost-effective and more agile IT services, but also include better cybersecurity (by the major cloud service providers), even for the largest of enterprises. It is not the CISO's role to challenge the business' cloud service mitigation, which is typically part of a wider digital transformation strategy, but to ensure cloud services are delivered and managed to legal, regulatory and client security requirements, and in satisfaction of the board's risk appetite, given they ultimately own the cybersecurity risk, which is an operational business risk.

There are security pitfalls with cloud services, the marketing gloss of 'the cloud' should not distract security professionals into assuming IT security will be delivered as per the shiny sales brochure, as after all, cloud service providers should be considered and assessed in the same way as any other traditional third-party IT supplier to the business.

Cloud Security should not be an afterthought

It is essential for security to be baked into a new cloud services design, requirements determination, and in the procurement process. In particular, defining and documenting the areas of security responsibility with the intended cloud service provider.

Cloud does not absolve the business of their security responsibilities

All cloud service models, whether the standard models of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), always involve three areas of security responsibilities to define and document:
  • Cloud Service Provider Owned
  • Business Owned
  • Shared (Cloud Service Provider & Business)
For example with a PaaS model, the business is fully responsible for application deployment onto the cloud platform, and therefore the security of applications. The cloud service provider is responsible for the security of the physical infrastructure, network and operating system layers. The example of the 'shared' responsibility with this model, are the processes in providing and managing privileged operating system accounts within the cloud environment.

Regardless of the cloud model, data is always the responsibility of the business.


A "Trust but Verify" approach should be taken with cloud service providers when assuring the security controls they are responsible for. Where those security responsibilities are owned by or shared with the cloud service provider, ensure the specific controls and processes are detailed within a contract or in a supporting agreement as service deliverables, then oversight the controls and processes through regular assessments.