What is compliance and why is it important? Part 2

Share this post:

If you missed out on part 1 of the interview then please click here. I touch upon what compliance is and the risks related to a lack thereof.

In conversation with Frank Oestergaard – Part 2 out of 2

Frank Oestergaard is a digital visionary and an experienced leader. He is the Director for Executive Customer Success at IBM Nordic. Frank has a wealth of experience with working with businesses across Nordic and Europe, enabling their business and digital journeys by recently working with Hybrid Cloud and AI. 

Frank is passionate about leveraging AI to improve business services, experiences and the outcome, with a great admiration for ethics, transparency and more. Frank is always willing to share his many years of experience and the following interview will cover the topic of compliance for businesses: the different types of assurances, how to move to cloud, and an insight of which vendor provides the most secure cloud. 

Would you say that the different types of assurance are related to different types of data as well? 

It depends on the sensitivity of the data and the systems that you are working with. It is a risk and control assessment – where you then evaluate, to what level or extent do I need to mitigate this risk? Do I need to put in place assurances? So sometimes, contractual assurance can be good enough. Sometimes you need to have this third-party certification, which makes sure that the good processes and best practices are constantly maintained. 

It all depends on the situation, but I would also recommend that you implement this in what I would call a programmatic approach around compliance and security. 

Here you start with identifying your risk.  So what information is being processed?  Where is it being processed? Is it in Europe?  Is it outside?  What is the purpose?  And by whom? Then you analyse that risk, evaluate your risk and you choose a strategy to handle the risk. 

My strong advice is to apply continuous compliance and automate because if you are not doing so, your compliance processes will lag behind those of the IT development.

How should one move to cloud and stay in control? 

That is a good question. I think what I just described is my strongest advice.  There are fundamentally two things you need to think about.  It comes back to the three levels of assurance and what is potentially good enough. Who am I partnering with and on which platform?  I would also think about the business model of the cloud provider. Are they here to provide clouds and deliver IT? Or are they here for the sake of the data? 

Anti-money laundering is an issue which we are experiencing a lot right now. You need to seek advice from providers of these type of systems. IBM can certainly help on this and can come up with a whole assessment, then you can decide to which level and which ambition you want to implement this. 

We discussed in a session once, that it is safer to be with a good cloud provider than not be with one.  Moving to cloud does not necessarily mean that you are putting the rest of the responsibility on somebody else.  Yes, there is probably somebody who will take care of the base infrastructure. However, when you move your application, when you move your data, when you move your middleware to cloud, it is affecting in many situations, because you are still responsible for the cloud within the company. Just because you move to cloud, you are not necessarily doing a transition of the responsibility.  The cloud vendor will provide the platform resources that you need, but you are still managing your data, you are still managing your systems and so on. 

At IBM, we believe that a hybrid cloud gives you a lot of flexibility and a lot of other great IT benefits. One thing it allows you to do is to have a very strong ability to deal with risk and also, reverse strategies, exit strategies and resiliency, building through your platform. One of the things we are hearing from some of our very big customers is “We like your platform, we will stay with you, but you need to work with us.” We can move from your platform in less than one month to another platform. This is about reversibility and exit strategies.  You are going to have an exit strategy and, for many reasons, you could say one of them is mitigating risk again. But it can also be that over time, the vendor that you are betting on sees a financial benefit of increasing prices; and if you could exit and move somewhere else, you are in a much better position, than if you were stuck with that platform.  I therefore strongly advise that you need to have reversibility strategies and you need to have exit strategies.  Then you need to have resiliency in your platforms i.e., where you are not putting all the eggs in one platform. You need the ability to play that risk and move around and make sure you have minimized risk on the individual platform as well.

In your opinion, which vendor provides the most secure cloud?

This is a very biased answer you are going to get. I think we need to look at what is out there and, in my book, it is definitely IBM right now.  But with the industry cloud, we are calling out for different industries, where we have designed the implementation to living up to the standards and compliance requirements in these specific industries.  

At IBM we have ‘keep-your-own-key’ and if I look across the industry, I do not see anybody else with that. When we look at the hybrid tech services, we have the highest level of industry standards. 

Hardware encryption is taken care of in the cloud by some of the biggest mainframes that we have that have been managing critical data for many, many years. These services are hosted in the cloud, on a mainframe, from a security point of view – and the fact that we can secure not just IBM technology, but we can apply this technology to any cloud. 

Do you have any final comments or remarks?

If I could emphasize anything at the end, it is what we mean with hybrid, and that is really to manage. You do not need to replicate all the work you do in one silo, and then redo all your governance and risk and control posters in another way in another silo, and so on. That would be costly, extremely costly – even if you are very careful today, a lot of that work would still be manual. 

But if I must repeat one thing it’s that it depends on all the different systems – this is going to grow exponentially, and it will not be efficient. You need to implement it as a security and compliance platform that is truly your own and which is truly hybrid and can deal with all these. You could say platforms and or silos or whatever you want to call the different systems. I think that is one very important thing I would like to emphasize.

Find out more:

Hybrid Cloud Solutions

IBM Hyper Protect Services – Overview