Streamline Your Financial Services with Cloud Contact Management Systems

How to create outlook signature

[Music] hi i'm colin schwartz i'm the general counsel and chief regulatory officer for truesight which is a third party vendor assessment company primarily servicing the financial services industry today we'll be talking about strategies for success in leveraging cloud platforms and how the risks and security threats may impact customers in third parties today i'm joined by ronnie erbass who is the global head of enterprise trust for google cloud as well as jim rivas co-founder and ceo of the cloud security alliance okay let's jump right in jim in the view of csa what is the future of cloud risk and security hold great question colin so i think what's really important for us to realize is that cloud really with its adoption become the default it system worldwide cloud first it's where things are at and so certainly when you think about cyber security its foundation is cloud security so the the threat actors the malicious people out there they're certainly engineering more specific cloud native attacks you might say and that's certainly an area that we have to be very vigilant about from understanding that and the threat intelligence that we're sharing but i think also what we should expect is that from a cloud user tenant side we expect a lot of the breaches and concerns to be related to what you might call the basic blocking and tackling and the overall cloud hygiene have an understanding of where all your workloads are all of the sorts of things to make sure that you are doing a a reasonably good job in all of the the basics of cloud security are very important while we look to actually engineer more resilient security defenses so i think from a government organizational policy maker perspective you can certainly see that there's so much more action here you could point to the activities in europe gdpr and so many other areas to assure privacy and to make sure that that we are protecting citizen data customer data the sec recently has issued some guidance on what they're proposing for new rules in terms of breach disclosure and how the board actually looks at cyber security there's a lot of cloud native very interesting security technologies like xero trust i think are going to be very important as we see cloud being this default area we've got to take that sort of least privilege model to be able to make sure that we are securing our assets appropriately great thanks jim ronnie my next question is for you how should risk and security professionals be thinking about managing their risks in the cloud either whether they've adopted cloud already or whether they're on that journey for transition to the cloud that's a great question particularly coming out of this pandemic digital transformation and cloud adoption is accelerating among our customers really across the board but we see it a lot you know in the financial services industry and the adoption of cloud is an increasing imperative for our customers to remain competitive and to fully realize the technology the data you know the benefits of using this type of technology to further their business objectives and as businesses speed up their digital transformation it's really putting pressure primarily in very constructive ways of course on our customers security risk compliance and audit functions risk management in the public cloud must match the technology fitness of the rest of your organization so but then to suggest however that your organizations adoption of cloud introduces just a new series of risks to manage would not really be an accurate statement the adoption of cloud technologies is a significant opportunities for organizations to re-imagine how whole classes of enterprise risks can be managed better adopting cloud technologies and adjusting business practices processes operating models to fully realize the advantages of the cloud really provides our customers with an opportunity to step change their management of operational risk now you know these risks can be addressed and mitigated using cloud in ways that were either technically organizationally or economically not viable with traditional on-premise and managed service systems so there are really three areas that i think about colin for this question one is the area of cyber security as jim has already talked about how important it is um you know i think that cloud providers really typically have global scale infrastructure that was designed from inception ground up to provide security through the entire stack in the entire information processing life cycle right the sheer scale of cloud service providers in terms of personnel volumes of data the extent and reach of global networks means that we're able to invest in approaches to security that are really beyond technical and commercial means for most private organizations or public organizations the scale of what we're doing allows us to drive down the unit cost to our customers the second area that i want to talk about is in the area of resilience and cloud providers operate data centers with advanced physical security in locations around the world now the scale of these data centers and the abstraction of physical technology from customer applications means that customers can benefit from the layers of built-in resilience our customers are shielded from the effects of component failure and to mitigate the concentration risk organizations can leverage open source technologies and control planes to build exit strategies and thereby also meeting the requirements of their regulators now in the area of technology risk it is apparent that many organizations are at an inflection point regarding their technology it's been at least 50 years since large organizations started using mainframes and many trillions of dollars have been invested largely on on-premise self-managed technology now historically that meant that organizations built their own data centers their global networks they manage hundreds and thousands of servers and pcs but by migrating to the cloud organizations can ensure that their technology teams are focused on delivering high quality services and experiences for their customers and not just operating and maintaining foundational technologies oh by the way that also reduces their technology risk profile and let me just share one very quick example with you by migrating to the cloud customers no longer have to dedicate resources to managing data centers physical service network equipment nor do they have to worry about patching applying security fixes and maintaining core operating systems all of that reduces technical debt some great insight for our security professionals thank you jim there's a lot of discussion around the requirements around cloud and how we've been borrowing from pre-existing requirements that aren't necessarily specific to cloud but so my question is how would adopting a standardized framework such as csa's cloud controls matrix help with you know the due diligence and risk assessment for our security professionals yeah happy to address that colin so the cloud controls matrix which has been around now for i think close to 12 years was something that we created with inspiration with all of the knowledge that's out there about risk management and controls frameworks previously but really understanding a few things like what areas of security and the mitigating controls get greater emphasis in a cloud environment and you can look at identity as being a critical area you could look at administrative access the stakes are much higher there and so we emphasize certain areas we also introduced in it that that shared responsibility model in there so organizations understand this complexity that which are the areas that the cloud provider really needs to take the first line of responsibility for like the physical security of the data center for example what are the things that might be another third party a sas application what are the areas that they need to be responsible for and what ultimately does the the end user enterprise need to be responsible for and so we help provide that and then we do something that is i think very beneficial which is mappings where we try to say hey here's existing frameworks out there that you may be using here's where they relate one-to-one or very closely here's where some of the gaps are and so ultimately what this does is it gives an organization that maybe has a an excellent information security management system a really a bridge towards what they need to be doing specifically in cloud so they can leverage what they've already done they can add some of the new things that they must emphasize and by using something that's standards standards-based it's something that likely the cloud providers are already well familiar with and so it just accelerates and simplifies the the cloud adoption the procurement and the risk assessment ronnie how has google's work with third parties such as csa or truesight enabled your customers to meet their due diligence requirements yeah it's an excellent question now at google we're really committed to find the safest and the most comprehensive security solution in the cloud core to our goal of delivering security innovation is the ability to offer powerful features as part of our cloud infrastructure and making it easy removing the complexity for our customers to implement and use those features and that really helps our customers manage better manage their risk management and regulatory compliance requirements now as part of working with our partners like csa and and truesight we really enable our joint customers to satisfy scale and really i want to focus on accelerating their due diligence requirement in a very sustainable way and that really directly translates to a more safe coordinated and consistent approach to their digital transformation across the different business units within the organization now you know we work a lot with tprm exchanges like like truesight and that's really helped our financial services customers you know streamline this effort and tprms perform rigorous assessments of google cloud not just google cloud platform but also other google services like google workspace and google common infrastructure services to really validate the design and the implementation of hundreds of controls the validation process includes detailed reviews of and inspections of our design documents policies procedures programs the validation of supporting evidences really results in a very comprehensive and independent due diligence assessment now we're also committed to supporting customers risk management programs and our partnership with organizations like csa exemplifies that commitment providing customers with a comprehensive framework in order to identify measure their risks to achieve their business objectives is what you know csa and standard bodies would like to do and so we really want to work hand in hand to make sure that any new standards and frameworks are robust they are cloud native and covers the risks that are most pressing and pertinent for our financial services customers so we really value our partnership with you know both truesight and csa and other tprms because they really provide our customers with very strong cross-functional and industry expertise on compliance and risk management and that all of that translates to enabling our customers to accelerate their digital transformation great so i'd like to open my last question to both of you given your unique perspectives either as a deliverer of frameworks or as a cloud service provider but what trends are we seeing in the cloud space that are specific to the financial services industry that will impact your customers great question and certainly with financial services often being an early adopter or leader in cyber security from a an end user enterprise perspective it's something that we we do take a look at so i think as as you adopt more cloud and you get more central into cloud and we recently had a survey that showed that there's a lot more of the crown jewels going into cloud in terms of workloads and we actually just released a study that was jointly done with google that showed that a lot of cloud adoption can actually reduce some of the risks if you do it very thoughtfully and there were a fair amount of financial services organizations that were part of that but what we hear again and again right now are the ideas of systemic risk and what do we need to be doing about that so even some of the largest financial institutions may have some dependencies on sas organizations or other technology providers that can be smaller and and you can look at the fintech industry as being an example of it can vary quite a bit in the security maturity so the the ideas of third party and fourth party risk are very important right now for financial services and and there is a real focus on that that you can't make your organization resilient by ignoring the partnerships that's really important and so i think another trend we're seeing is is more of this harmonization with cyber security and best practices on a horizontal level and understanding that a lot of the risks that we have do actually happen in other industries as well and so something csa's done recently to that end is a partnership with cyber risk institute which is a spin-off out of bits for people who are familiar with them to really look at financial services specific protection profile that they provide and having that inclusive of our cloud controls matrix so that financial services industry can actually benefit from some of those best practices and control objectives that come from the broader industry as well right yeah so future trends you know it's a really good question as the saying goes the future depends on what we do in the present so even as we talk about future trends um that will impact us you know down the road this discussion is i believe a more immediate call to action so as as jim said and i want to really emphasize and amplify what jim just said about cyber security it is top of mind for every one of our customers at c-level board agenda and given the increasing prominence of software supply chain exploits and data breaches ransomware you know and other attacks this is unprecedented security challenges for really all organizations in every industry and so earlier this year we formed the google cyber security action team which is the security cornerstone of google cloud's commitment to be the best partner to our customer and in addition google has dedicated another 10 billion dollars over the next five years to strengthen cyber security including expanding zero trust that jim had mentioned zero trust programs securing software supply chain frameworks really enhancing our open source security and strengthening the the digital skills of the american workforce we're we're committed to that and also with this increased focus on cyber security coupled with the pandemic has forced really all of us to work very differently including you know closing of trading floors and sending scores of employees to work from remote locations it's not surprising that financial services regulators are requiring a higher level of scrutiny into the cloud environments and the supporting technology stack um you know that includes threat detection encryption protocols you know and a lot more and as a result we see more of our financial services customers adopting a zero trust approach network where all access requests require verification of user identity device identity device location and really effectively enabling location independent secure access that jim had also touched on the other trend that we see is around supply chain scrutiny we saw that financial services regulators are really focused and globally they are focused on more accountability for third-party supplies and subcontractors and sub-processes we saw an increased scrutiny on third-party risk management encapsulating really everything from the vendor due diligence to customer-led audits and um and third-party on third-party and secondary relationships another trend that we've noticed with our fsi customers was greater partnerships that they are that we're seeing in the industry with third-party it vendor management companies like tprms like truesight working more with csa and adopting you know global standards now these relationships provide uh really very concrete ways for our customers to to really march on the modernization path of their of their data and their business systems and also accelerate their risk assessment best practices to keep up with the business units within their organization so privacy risk compliance landscape we all know this being in the industry has been very fluid will continue to be very fluid changes constantly and rapidly and at google cloud we have successfully demonstrated our commitment to financial services customers over the years and we continue to invest and innovate to better support our customers not just with their security requirements but really with their cloud digital transformation requirements too you know we've seen i think in the past the trend has been for financial services to take a more deferential approach to their regulators in how they should manage their risks how they should manage security threats and what we're seeing today i think is more an internal push from the industry itself to address these issues because they are so critical well that concludes our discussion today on managing risks and security threats in the cloud i'd like to thank ronnie and jim for providing their insight on the topic and you for joining us and listening in today thank you [Music] [Music]