


Compliance And Cloud — Responsible Or Accountable?

Oct 13, 2011 | 2 mins
Data and Information Security

It’s interesting how many threads there are on the Internet which still debate the difference between these two words, “Responsible” and “Accountable”. Oddly enough, today I stumbled across two definitions, from seemingly respectable sources, that hold diametrically opposite views! To me, the answer is simple: you can delegate responsibility, but accountability remains fixed.

This is a key point in the extended enterprises in which we now function. Firms are now made up of a myriad of off-shored and outsourced services, running on systems that are similarly fragmented and distributed across vendors. This complex tangle of people and data represents a huge challenge to the CISO, who remains accountable for the security, and often the compliance, of his employer, yet is no longer responsible for their provision.

With a methodical and comprehensive process, and a surfeit of resources (please stop laughing at the back!), the CISO does however have the ability to follow the data trails and manage the associated risk down. Unfortunately, with the advent of cloud, things are taking a turn for the worse. Cloud vendors are reluctant to be scrutinized, and the security and compliance demands of the CISO can often go unanswered. If cloud really is to be a mainstay of computing in the future, something has to give: we need to find a balance where compliance and security assurance requirements are met without fatally undermining the cloud model. This is a key topic for 2012 and something we’ll be following with interest.

As security professionals, we remain accountable for resolving these issues, no matter how much responsibility has been pushed to third parties and cloud vendors. So, how do you minimize the workload involved in managing the third parties who make up your extended enterprise, and how do you gain assurance around cloud vendors?

Join us at our upcoming Security Forum, November 9-10 in Miami, where we will delve into these issues further. 

Andrew Rose is a Principal Analyst at Forrester Research, where he serves Security & Risk Professionals.
