Stories by Puneet Kukreja

Establishing a Cloud Broker Model – Part 2

By Puneet Kukreja | 04 June, 2013 10:44

In 1973 Peter Drucker, in his book “Management Tasks and Responsibilities”, defined strategic planning as: “The continuous process of making present entrepreneurial (risk-taking) decisions systematically and with the greatest knowledge of their futurity...”

Establishing a Cloud Broker Model – Part 1

By Puneet Kukreja | 15 March, 2013 16:34 | 1 Comment

Information Security, IT Security, Technology Security, IT Risk and Security and IT Risk Services are all names that organisations use to define a functional unit within their enterprise that is responsible for the security, integrity and operational assurance of their information assets and operating environment.

Three Facts of Data Security Legislation for the Cloud

By Puneet Kukreja | 19 December, 2012 12:49

Over the last 2-3 years cloud computing has promised, and in many instances delivered, a lower total cost of ownership. This has helped organisations return the focus of operation to their core activities—reducing the effort spent on managing IT infrastructure and applications.

Think cloud, think Patriot Act

By Puneet Kukreja | 17 October, 2012 16:23 | 1 Comment

In theory at least, there is the promise of saving money and faster turnaround time: no lengthy requirements gathering, purchasing of equipment or following a project management life-cycle, no architects getting in the way debating good design, no lengthy hardware and software procurement cycles, just basic business requirements and a PO. In other words, Credit Card IT. Sounds familiar, sounds easy, excellent.

Think cloud – think strategy – think "Sun Tzu"

By Puneet Kukreja | 31 August, 2012 12:29 | 2 Comments

The steady rise of cloud over the last few years across the software, infrastructure and platform domains has forced most technology business leaders to stop and take note. The voracity with which the perceived value and adoption of cloud computing and cloud services has grown should be viewed and actioned as a strategic initiative and not a tactical undertaking with short-term goals and limited benefits. To move things along and provide context I turn to Sun Tzu's "The Art of War", which helps identify the strategy elements required by executives and senior management grappling with the challenge of cloud.

Cloud contracts – check your SLAs

By Puneet Kukreja | 30 July, 2012 09:48

As the world of cloud computing grows and becomes part of organisational growth strategies, procurement of cloud computing services has also reached front of mind.

Cloud contracts – the Devil is in the detail

By Puneet Kukreja | 30 May, 2012 17:03 | 1 Comment

Cloud computing today is no longer a buzzword associated with universities or advanced technology organisations at the bleeding edge of innovation. It is now a mainstream sourcing model that most organisations are looking to as part of their broader IT strategy.

Cloud governance – manage the cloud challenge

By Puneet Kukreja | 30 April, 2012 14:16

The word governance derives from the Greek verb κυβερνάω [kubernáo], which means to steer, and was used for the first time in a metaphorical sense by Plato (according to Wikipedia). Wikipedia further expands on the term, rightly calling it “the act of governing”. Governance relates to decisions that define expectations, grant power, or verify performance.

Embracing the Cloud – A Decision Framework

By Puneet Kukreja | 19 March, 2012 13:47

With major restrictions and inherent limitations in most IT environments, it’s become an attractive option for businesses. Concerns such as spending restrictions; immature capacity management; uncertain demand forecasting; duplication of capability; slow delivery of infrastructure and slow business application delivery all lead businesses to look wistfully at cloud computing.

To Cloud or Not To Cloud

By Puneet Kukreja | 14 February, 2012 09:36 | 2 Comments

In today’s uncertain times, cost-savings are a primary focus for executives. Cloud services do seem to offer a silver bullet solution when it comes to infrastructure and ancillary IT services.

5 principles of selling security initiatives to executives

By Puneet Kukreja | 11 January, 2012 09:18

In the world of data leaks and cybercrime, why is it that selling information security is considered a hard task? Is it because information security is pitched as a tool—buy software and it will fix everything—or is there a lack of understanding about what a healthy information security posture will achieve for an organisation?

Security Operations the Final Frontier – Part III

By Puneet Kukreja | 20 December, 2011 11:48

Security Operations, as a capability, was discussed in the first article of this series: Security Operations the Final Frontier. This was a response to media coverage of other operations in which information was compromised and data assets were stolen: Operation Shady RAT, Operation Aurora and Operation Night Dragon.

Auditing Cloud Services

By Puneet Kukreja | 25 October, 2011 11:54 | 1 Comment

Business agility and the demand for quick turnaround to infrastructure and application requirements to service organisational growth have fuelled the rise of cloud services. For organisations that have had their IT system requirements held back by traditional sourcing and project based delivery of information technology, cloud seems to be the answer.

Security Operations the Final Frontier – Part II

By Puneet Kukreja | 13 September, 2011 12:38 | 1 Comment

I have created my own interpretation of what a good pragmatic Security Operations Model (SOM) would look like. This has been adapted from a number of Security Frameworks and Industry Good Practices like ITIL, COBIT, NIST, OCTAVE, OWASP and the ever-present ISO 27001/2, all of which have an input into the structure and makeup of an effective security operations framework or security operations model.

Security Operations the Final Frontier

By Puneet Kukreja | 31 August, 2011 19:57

Operation Shady RAT, Operation Aurora, Operation Night Dragon: they sound like names out of a WikiLeaks memo or, even more, a Hollywood action blockbuster. Sadly not; these are the three names that have done the rounds in the last 2–3 years, where the information security defenses of organizations were not only breached but data assets were stolen for sure.


Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team.

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.


Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved poring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.