The European Union General Data Protection Regulation (GDPR), which took full effect in May this year, solidifies the protection of data subjects’ “personal data,” harmonizes the data privacy laws across Europe and protects and empowers EU citizens’ data privacy, in addition to changing the way data is managed and handled by organizations.
The GDPR regulation affects people across the globe. The scope of GDPR is quite wide-ranging, and can apply to many global institutions with operations in Europe. Certainly, GDPR has created more power for data regulators, due to the severe potential financial penalties for non-compliance (maximum of 4 percent of annual global turnover or €20 Million, whichever is higher).
The regulation governs how institutions collect, record, use, disclose, store, alter, disseminate, and process the personal data of individuals in the EU.
If a breach involves personal data, the Data Protection Authorities must be notified within 72 hours.
It governs the rights of data subjects, including rights to access, rectification, erasure, restricting processing, data portability, and rights in relation to automated decision-making and profiles.
How do I assess my GDPR compliance?
All these are essential reasons for institutions to ensure that the proper governance and tactical steps are taken to comply with the GDPR. The GDPR Audit Program Bundle developed by ISACA does just this by giving institutions a guide for assessing, validating and reinforcing the GDPR requirements by which they must abide. The audit program was developed to provide enterprises with a baseline that focuses on several key areas and their respective sub-processes and covers all key components of GDPR, including:
Data governance
Acquiring, identifying and classifying personal data
Managing personal data risk
Managing personal data security
Managing the personal data supply chain
Managing incidents and breaches, and creating and maintaining awareness
Properly organizing a data privacy organization within your institution
Also included are key testing steps, with control category types and testing frequency, to help facilitate effective discussion and analysis as they fit your institution. The important thing to remember is that there is no single right way to go about becoming GDPR-compliant. However, a robust and thorough review of your GDPR environment as it pertains to data processing in your institution is required to ensure that a proper baseline is used to assess compliance and successfully execute a GDPR compliance program.
Editor’s note: ISACA has addressed both general and particular audit perspectives for GDPR through its new GDPR Audit Program Bundle. Download the audit program bundle here. Access a complimentary white paper, “How To Audit GDPR,” here.
Mohammed J. Khan, CISA, CRISC, CIPM, Global Audit Head – IT, Privacy, Medical Device Cybersecurity
The recent ISACA-CMMI Institute cybersecurity culture research illustrates the accomplishments and gaps that are seen in organizations’ cybersecurity culture. The survey-driven research focuses on culture and continuous improvement, both essential components to a successful cyber risk management program.
In this blog post, I will highlight some of the survey’s findings and then discuss ways you can improve your organization’s cybersecurity culture.
Some positive steps I noticed:
75% of organizations are getting management more involved with cybersecurity culture
Most organizations can identify business benefits realized through better cybersecurity
87% think that better cybersecurity would improve profitability or viability
Some gaps:
60% of organizations do not have very successful employee buy-in
42% of firms do not have a cybersecurity culture plan
55% think the CISO owns cybersecurity culture
Achieving a strong cybersecurity culture requires action on many fronts: people, process, technology and outside partners. Culture is people and process. Technology and outside partners are supporting players. Details matter. It’s great that most organizations are getting management more involved. However, it is important that the C-level regularly communicates the importance of security to management and to employees. An annual communication to all employees will not work.
Continuous, incremental improvement is vital. In fact, the root of the word “culture” is “to grow.” Incremental improvement applies to both overall culture and specific elements, like risk management. An effective risk management program is the basis for a good cybersecurity culture.
What factors inhibit continuous improvement of risk management programs (and the associated cybersecurity culture)? Humans can grow but do not accept dire reports of impending disaster – think of Cassandra and the Trojan Horse. Humans may, however, accept incremental adjustments in risk awareness or mitigations. Another reason risk management programs fail to get support is that the CISO is not seen as a “business partner” by other top executives. A promising metric for me was that 87% of respondents believe that better security can lead to better business outcomes. CISOs need to speak in terms of business benefits in order to be a business partner with other CXOs. CISOs also need to build personal relationships with their C-level peers.
Process is the next critical piece of the cultural puzzle. I’m not talking about cybersecurity processes like “patch management” or “privileged identity management.” I am referring to the processes to build a cybersecurity culture. One thing I noticed in the survey is that 55% of respondents think the CISO is responsible for corporate cybersecurity culture and only 6% assign this to HR. I believe that any cultural change must be supported by a partnership involving HR or other “people-focused” centers of influence. Cybersecurity culture is really not different than any other type of culture and established cultural transformation processes can be harnessed for cybersecurity. Businesses have been changing or reviving cultures for years; there is no need to reinvent the wheel.
One resource for cultural transformation is John Kotter’s eight-step model for transformation. Cultural change is the last step in the transformation process. It is preceded by defining a sense of urgency, forming a powerful coalition and five additional enabling steps. Another model for organizational change is Jay Galbraith’s Star model. He highlights the five functions needed in designing an organization: strategy, structure, processes, rewards and people.
These functions can be utilized to create or transform the security organization and culture that you want in your business.
Frederick Scholl, Ph.D., Cyber Security Program Director, Quinnipiac University
The cloud computing market is growing ever so rapidly. Affordable, efficient, and scalable, cloud computing remains the best solution for most businesses, and it is heartening to see the number of customers deploying cloud services continue to grow.
From the beginning of cloud’s existence, cloud service security has been among the top concerns of deployment. In order to deal with this, various organizations have invested huge efforts in cloud service security standards and in the development and enforcement of best practices. Thanks to the efforts of cloud service providers (CSPs), cloud service security has reached an acceptable level. But from the cloud customers’ perspective, best practices on how to secure their cloud services are still somewhat lacking. The availability of such guidelines can be especially helpful for small and medium enterprises (SMEs) that constantly face shortages of professional security manpower. With this in mind, the Cloud Security Services Management (CSSM) Working Group developed the “Guideline on Effectively Managing Security Service in the Cloud,” which applies to various cloud deployment models, from private, public and hybrid to community cloud.
The shared security responsibility model is no stranger to the cloud security community. Every leading CSP has published whitepapers or statements on shared security responsibility, explaining their roles and responsibilities in cloud provisioning. In other words, there are certain security responsibilities that are left to the cloud customers and are written down in cloud service agreements. The complexity is that in reality, given the same concept of shared responsibility, there are different interpretations and implementations among different CSPs. In many cases, it is challenging for cloud customers to clearly understand and bear their responsibilities in practice.
Cloud service security: A how-to
The Guideline provides easy-to-understand guidance to cloud customers on how to design, deploy and operate a secure cloud service with respect to the different cloud service models, namely IaaS, PaaS and SaaS, helping them ensure the secure running of their service systems. With a distinct separation of responsibilities, cloud customers can clearly understand their own security responsibilities and those of CSPs, what security assurance features should be provided to bear these responsibilities, the existing gaps, and how to develop the related capabilities to address such gaps.
Additionally, the Guideline provides guidance for CSPs in building cloud platform security assurance systems which can also be used by cloud service security integrators.
Third-party security service providers also play important roles in securing cloud services. Although, under the shared security responsibility model, they bear no responsibilities in the cloud, these providers can leverage the Guideline to better fit their services to CSPs and/or cloud customers.
The CSSM WG hopes that this effort allows for a better understanding of cloud security responsibilities by both customers and CSPs, and through this fosters a more robust cloud security ecosystem.
Even as more organizations migrate to the cloud, there’s still a concern as to how well those cloud services are being secured. According to an article by Forbes, “66% of IT professionals say security is their greatest concern in adopting a cloud computing strategy.”
As you embark on your quest to fill this skills gap, you may benefit from learning how other professionals have used certificates to expand and validate their cloud knowledge. In this blog we are going to explore how the Certificate of Cloud Security Knowledge (CCSK) is being used in the wild. As the first step in this exploration we surveyed current holders to ask them how their certificate impacted their job, career and overall professional development. A summary of findings from the survey, job board postings and testimonials is shared below.
Topics we’ll discuss in this blog:
Survey Findings
CCSK in Job Postings
Overview of Testimonials
Survey Findings
Of the individuals who had successfully passed the exam, over 40 percent reported that the CCSK helped directly progress their career, either via a salary increase, promotion, or new job/role.
In some cases CCSK holders were given new responsibilities and moved from a more generic security role into a cloud-focused position. Specialization is key, whether it be through a certification or other learning program. Mike Rosa, Sr. Director Public Sector Security at Salesforce, affirmed this, saying, “The CCSK sets me apart as an expert in Cloud Security, not a security generalist. The world is moving to cloud, and my resume should reflect this change.”
Another common way the certificate helped was building credibility with clients, and helping individuals work within more specialized roles. Since it offered proof of knowledge and established trust, respondents reported being able to better serve their clients’ needs.
One of the more tangible benefits of a certificate is the possibility of a salary increase. Taking a look at those who reported a salary increase, we saw that 15.61 percent saw an increase of between 8 and 10 percent. Below you can see the distribution of individuals who received an increase in salary of some kind.
Types of Jobs
What types of jobs do CCSK holders have? We found that 22 percent of the people who received a promotion were promoted into a managerial, VP/Director, or Executive role. Titles varied, but the graphic below lists the top keywords found in respondents’ job titles.
Complementary Certifications
What types of complementary certificates did they hold or pursue? Of the people who took our survey, 52.46 percent also have their CISSP. Certificates and certifications focus on a select area of knowledge, and earning complementary certificates can be valuable. Below are some of the other certifications commonly held.
The flipside of this question also yielded interesting results. When asked which other certifications people intend to pursue, we received mixed results. The percentage interested in earning their CCSP was over 30 percent, compared to the 15 percent who already held their CCSP when they took the exam.
As you may already be aware, one year of experience for the CCSP is covered by earning your CCSK, since the two certificates complement each other. Whereas the CCSK is more tactical, the CCSP has more of a strategic focus. You’re free to draw your own conclusions, but if you’re interested in learning more about the differences between the two, you can read CCSK vs CCSP: An Unbiased Comparison.
Job Board Searches
A question we often get is whether or not employers are looking for the CCSK and how frequently it shows up on job boards. For job postings, HPE recently conducted a search of posts listing cloud certifications as a credential. They conducted the search for the CCSS, CCSP, PCSM and several other cloud certifications on the market. Below is a summary of the results they gleaned for the CCSK.
February 2018 Job Search
Certificate   SimplyHired   Indeed   LinkedIn   LinkUp   Total
CCSK          180           224      145        132      681
These results vary depending on location and time of year; however, they give a good estimate of what to expect. In an informal search during October, we discovered the following results for the United States.
October 2018 Job Search
Certificate   SimplyHired   Indeed   LinkedIn   LinkUp   Total
CCSK          89            321      231        258      899
The number of postings went up, but the actual number of listings varies throughout the year. As with all things, it is best to do your own research before determining if the CCSK is right for you. Job titles listed included: Network Security Engineer, Security Consultant, Information Security Cloud Governance Engineer, Cloud Security Architect and Sr. Security Engineer, to name a few.
Overview of Testimonials
Last but not least, we collected written feedback on how earning the cloud certificate specifically helped in people’s jobs or careers. To make it easier, we grouped the responses into the following categories.
Survey Testimonials Revealed
How their career progressed
How CCSK helped build credibility with clients
What makes the CCSK unique from other certificates
How it helped them on the job
Benefits of a vendor-neutral certificate
In upcoming blog posts we will be exploring some of these topics more in depth. For now we’ve listed snippets from the testimonials we received that give you an idea of what people said.
How has the CCSK helped progress your career?
Whether or not you opt for a cloud certification there are plenty of ways to learn more about cloud security. A couple of free resources that CSA has available for you to use include: CloudBytes webinars, research artifacts and the CCSK Prep-Kit.
Interested in going deeper? Learn how to earn your Certificate of Cloud Security Knowledge by visiting our website.