CIO OPINION the cloud and subscribing to Software- as-a-Service ( SaaS ) offerings . Many of these apps make use of microservices , which breaks the code into small chunks that can be delivered to customers securely and efficiently across a variety of platforms and use continuous integration and delivery ( CI / CD ) methods to automate the never-ending flow of tiny changes .
The result of these changes is that many long-standing regulations are now hopelessly mismatched for today ’ s dynamic , highly automated modern software operations . Many security and compliance regulations , for example , require documentation of which person approved a particular software update – a practical impossibility for companies that do hundreds of updates a day .
The Australian Cybersecurity Center ’ s Essential Eight Maturity Model endorses adoption of technologies that can help , particularly regarding security . But even the ACSC acknowledge the limitations of the existing model , explaining that : ‘ While the principles behind the Essential Eight may be applied to cloud services and enterprise mobility , or other operating systems , it was not primarily designed for such purposes and alternative mitigation strategies may be more appropriate to mitigate unique cyberthreats to these environments .’
To truly keep up with the changes wrought in the cloud , we need a new regulatory philosophy , one that focuses on technology agnostic principles and workflows , helping rather than hindering companies ’ efforts to adopt Zero Trust and other leading-edge security approaches .
There are five core principles that should be considered in order for Australia to truly lift their resilience for the cloud-first digital age .
1 . Require adoption of modern security methods , not obsolete ones . Cyber-regulations should drive companies to adopt development methods and security practices , like Zero Trust , that ensure security is built into products and systems from the get-go , not as an afterthought . Many companies in Australia and New Zealand are already planning to implement some form of Zero Trust , according to Okta . Regulators should consider mandating more aspects of the Essential Eight model or the NIST Cybersecurity Framework , which lays out voluntary best practices .
2 . Free companies from a broken compliance model . While current regs usually don ’ t specify exactly how companies should prove their systems are secure , many of the auditing firms they hire have fallen into the habit of requiring particular security implementations that were designed to protect against on-premises threats and do not require controls that are appropriate for the public cloud . Organizations frequently want to adopt cutting edge approaches to security but struggle to get approval from their auditors . Government could encourage the auditing industry to modernize its approach . Whether through education campaigns , mandatory training requirements , or other
www . intelligentcio . com INTELLIGENTCIO APAC 45