
Moving GRC to the cloud

By Jacqui E’Silva
Johannesburg, 19 Feb 2018
Brian Pinnock, regional manager of sales engineering, Mimecast.

Cloud adoption continues to grow in organisations across industries within South Africa. Organisations have realised that a 'cloud-ready' security and compliance programme is a necessity in order to manage risk and compliance effectively.

The ITWeb Events team spoke with Brian Pinnock, regional manager of sales engineering at Mimecast, about what organisations should consider before moving their governance, risk and compliance to the cloud. Pinnock will be presenting at ITWeb Governance, Risk and Compliance 2018 on 20 February.

ITWeb: What key things should organisations consider before moving their governance, risk and compliance to the cloud?

Pinnock: The move to cloud is inevitable for most organisations, so it's merely a question of how much and by when. Key considerations include understanding and quantifying the new types of risks before attempting to mitigate them. In order to do this, it is a good idea to adopt a governance framework that accommodates both the cloud architecture and the roadmap.

ITWeb: What would the potential benefits be to these organisations?

ITWeb Governance, Risk & Compliance 2018

Register now to attend the seventh ITWeb Governance, Risk and Compliance event at Summer Place, Hyde Park on 20 February. Brian Pinnock will join other industry leaders in discussing their experiences and views on governance, risk and compliance in South Africa.

To find out more and register for ITWeb Governance, Risk and Compliance 2018, go to: http://v2.itweb.co.za/event/itweb/governance-risk-and-compliance-2018/

Pinnock: The main benefits of cloud are the lower long-term costs and greater business agility. This is because organisations are able to leverage a cloud platform's ability to elastically expand and contract services as business cycles dictate. Business functions (including GRC) can also focus higher up the technology stack on the application and the business process rather than managing technology and technology cycles.

ITWeb: How does managing the governance, risk and compliance in the cloud differ from traditional management of governance, risk and compliance?

Pinnock: Obviously, all the same GRC principles apply. However, certain considerations become much more prominent in the cloud. Data sovereignty becomes a key consideration, as you could be dealing with multiple legal jurisdictions if cloud providers spread data across different geographical locations. On-premises-based GRC has a bounded and, to a large degree, controllable relationship with third-party providers. In the cloud, the role of third-party providers of various aspects of the technology ecosystem can be almost unbounded, and GRC has limited influence and control.

ITWeb: What key points do you hope to leave delegates with after the conference in February?

Pinnock: I would like to leave the delegates with the following facts: GRC in the cloud is not about adopting a cloud-based GRC platform (although that could be part of the process); GRC in the cloud is about managing an organisation's journey to the cloud in a way that gains an understanding and accommodation of new risks. Every organisation and industry vertical is different, and the generic cloud benefits touted by salespeople don't always apply. Additionally, the risks are often hidden. Sometimes, the promised business benefits of cloud are achieved only at the expense of a much greater risk exposure. Finally, to limit the risk exposure, it is necessary to add extra layers of services, such as security layers, to mitigate the risks.
