
Security, Compliance and Governance in the Cloud—How Do They Relate?


Last Updated on January 4, 2023

Cloud-native applications and DevOps practices promise a plethora of benefits. But with this modern approach comes a whole new set of security and operational issues that must be solved at cloud-native speed.

What are the most critical cloud security challenges that enterprises seek to address? And what are the forward-looking approaches to solving those challenges?

To talk about reducing security and compliance risk associated with cloud-native, a recent episode of The Virtual CISO Podcast features Fausto Lendeborg, co-founder and Chief Customer Officer at Secberus. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.

Going beyond cloud security posture management

The Secberus solution is part of the cloud security posture management (CSPM) market space. But in Fausto’s view their technology goes beyond conventional approaches to automating cloud risk remediation.

“[CSPM] is a component of our platform,” Fausto explains. “But I think we like to look at it a little bit different. There are bigger problems to solve, which enterprises are now starting to understand they need to solve.”

Connecting security, compliance, and governance

Managing cloud requirements involves three interconnected disciplines: security, compliance and governance.

“We look at governance as the umbrella domain and right under that security and compliance,” shares Fausto. “Governance for us is a top-down approach. It’s a business approach to solving the security and compliance problems. We like to say that governance is how the enterprise aligns their requirements, their risk, and their intent into security and compliance.”

“It’s really about combining and flipping the problem upside-down,” continues Fausto. “Before, we used to rely on security to provide governance—and that was a bottom-up approach. Put a tool in the engineering box, and eventually we’re going to get compliance out of it.”

But transitioning to cloud-native comes with an imperative to maintain a focus on business goals.

“We’re starting with governance as a business language to security and compliance, and then security and compliance come in as an enabler to that governance,” says Fausto. “So, it’s all working together at the same time.”

Tone at the top

John brings up the concept of “tone at the top,” which is ultimately what governance is (or should be).

“Governance is indeed a business function because these applications exist for one reason, to serve the needs of the business or to drive the business forward,” John relates. “If the business isn’t governing, if we’re not governing [the cloud] from a business perspective, then we’re not going to achieve the business objective.”


What’s next?

The full episode of The Virtual CISO Podcast with Fausto Lendeborg from Secberus is available on the podcast's site.

How does moving to the cloud affect database security? This post gives an overview of the issues: How Moving to the Cloud Impacts Your Database Security

