Blog post

Add some IT GRC to your Catalyst! (or cloud, or crypto)

By Erik Heidt | July 18, 2013 | 0 Comments

Tags: Risk Management, Real World Information Security, IT GRC, Cloud Risk Management

Late breaking news:

Just this week the opportunity to present an IT GRC session at Catalyst came up! As a result I will be presenting a 45-minute session discussing the most common struggles IT GRC practices experience in organizing and executing their efforts. This is an outgrowth of the research conducted in authoring “Achieving IT GRC Success”. This content was very well received at the 2013 Security and Risk Summit and I am very excited to be able to bring this to Catalyst this year!

I have also included information on the other sessions I am involved with below. The IT Risk Cloud Manifesto workshop is full, but if you are a GTP seat holder please keep in mind that you can schedule a 1:1 at the conference or a post-conference Inquiry/Dialogue call with me to discuss the workshop results or any of these subjects.

The “To the Point: How to Assess Cloud Service Provider Security” session is an extension of the recently published “Determining Criteria for Cloud Security Assessment: It’s More Than a Checklist”, and is content I am also very excited to present and start a discussion about. This is a 25-minute session, so it will move FAST – and as a result it is action oriented.

Here is a summary of the sessions I am participating in:

Tell Me, What’s IT GRC again? (Solutions to Common Challenges)
31 July 2013 (04:45 PM to 05:30 PM)

IT GRC practices continue to be a catch-all for policy, risk, and compliance activities. No clear and complete vision of IT GRC has emerged, and GRC activities tend to be matrixed across the enterprise. In this session, we review a summary of current research on IT GRC practices, and provide recommendations for planning and executing IT GRC.

This session answers the following questions:

  • Is there a one-size-fits-all IT GRC practice structure you can adopt?
  • What are the key IT GRC processes common to mature practices?
  • What are the biggest pitfalls faced by new IT GRC efforts?

To the Point: How to Assess Cloud Service Provider Security
29 July, 2013 (5:00 PM – 5:30 PM)

Cloud security standards have emerged from the Cloud Security Alliance, the U.S. government FedRAMP program and other groups. However, assessing providers takes more than a checklist; it takes an architecture. This presentation covers assessment in the context of real use cases, including hybrid cloud and multiprovider scenarios.

This session answers the following questions:

  • How do we model cloud risks for the use cases I have?
  • How do we develop solution architecture patterns to drive down exposure to failures in the cloud service?
  • How do we prioritize assessment criteria and develop questionnaires?

Workshop: Cloud Risk Manifesto
31 July, 2013 (9:15 AM – 10:45 AM)

Adoption of cloud services has lagged expectations. In part, this is because cloud providers aren’t addressing the IT risks associated with hosting sensitive data, regulated or critical business processes. Furthermore, internal partners criticize IT for a “lack of adoption” without understanding availability, compliance, data disclosure and other risks. This workshop gives voice to the IT Risk Management issues that cloud providers, business partners and IT leadership need to understand and address in order to be able to tap into cloud value. Participants go away with requirements and policy statements that can be communicated to providers, business partners, sourcing and legal to level-set the expectations that must be addressed before these services can be more fully utilized, by the enterprise or in its supply chain.

The key questions answered in this workshop include:

  • What are the risks that I need my cloud supplier to address so I can go “all in”?
  • What are the risks I need my business partners to understand?
  • What cloud usage can I tolerate in the offerings from service providers?

When Encryption Won’t Work: Implementing Practical Information Protection
31 July, 2013 (2:55 PM – 3:40 PM)

Enterprise data breaches are occurring all too often. Many enterprises have overestimated or misunderstood the protection provided by current, or planned, encryption deployments. This presentation focuses on the attacks that are resulting in these expensive and embarrassing data disclosures, and provides prioritized actions for you to consider for addressing these threats. (Portable media and data outside the data center is not discussed.) We explore the limitations of database, bulk storage and application encryption approaches. Recommendations include a solid mix of controls — sometimes including encryption — that complement and strengthen each other.

This session answers the following questions:

  • Is my encryption strategy poised to address likely threats?
  • Have I invested properly in database, bulk storage, or application encryption?
  • How do I leverage other preventative controls to complement or replace encryption?

Public Clouds: Action Planning and Next Steps
01 August, 2013 (8:30 AM – 9:30 AM)

This is a panel discussion including Gartner analysts Drue Reeves, Sean Kenefick, Kyle Hilgendorf, Bill Pray, Jamie Popkin and myself – and will summarize the key cloud content from the event.

It’s time for organizations to move past partial commitment when it comes to employing public cloud services. However, it’s easier said than done, and this week was like drinking from a fire hose. In this panel discussion, Gartner analysts highlight the top action items from the week and take your questions about where to go from here.

This session covers the following:

  • Public cloud “a-ha” moments from the conference
  • Prioritizing the key actions of a cloud strategy and action plan
  • An open Q&A for all attendees


Look forward to seeing you there!

Thanks, Erik

