Monday morning.

9.04am.

Rain is hammering against your office window.

You take a sip of coffee as you scan through your emails.

That’s spam. *delete*

That’s spam. *delete*

That’s sp-… wait a second… what’s this?

An upcoming AUDIT?!?

FML!

Could this day get any worse?

Does this scene seem familiar at all?

Although I don’t work in GRC exactly, I have worked alongside it for many years now; certainly close enough to regularly get sucked into its gravitational pull. When I meet new people and tell them what I do for a living, they will sometimes ask “do you like audits?”, as if it’s a vocation or a calling. And the answer is… No. Of course not. Not even auditors “like” audits. They just like things to be done right, and I do too.

But why do we feel this way about audits, even when we know that they’re important? I think there’s a couple of reasons.

One is just the natural defensiveness that most people feel when their way of doing things is being evaluated and challenged by somebody else. Nobody likes to be judged and we can all fall into the trap of taking things personally. That’s a trap that can be avoided as long as you’re aware of it, and the more experience you get, the easier it becomes to detach yourself from that mindset.

The second reason why I think audits annoy us (and what I think is the main reason) is that they take up SO. MUCH. TIME.

You start out by reading the scope of the audit. Then you start to prepare, and it’s a scramble to gather the relevant documentation and evidence, constantly chasing people who’ve become suspiciously hard to track down since the audit was announced.

When you finally get hold of them, maybe you find out the documentation isn’t good enough, or worse still, that it doesn’t exist at all. You have to chase people some more, pressuring them, even encouraging them with cake where necessary (that last one sure works for me).

You think you’ve done all you can and then you meet with the auditors and show them all that you’ve prepared… only for them to tell you that it’s still not good enough. You’re thrust back into that cycle of scrambling, and all the while you’re thinking that this is just a distraction from your “real job”.

And finally, in the end, what do the audit results show? It’s nearly always just a case of telling you to do something you already knew you should have done, but you were too busy doing your “real job” to get to it. So, yeah… nobody “likes” audits.

But what if you didn’t need to scramble? What if all the information you needed was ready-to-go, up-to-date and accessible at the click of a button? That’s where Akeero can help — whether your organisation is big, small, or somewhere in-between.

Our platform identifies security and compliance requirements for complex architectures in minutes, and can effortlessly produce all the documentation you need to show an auditor that your team is doing things the right way.

Our intuitive user interface, combined with native integrations, allows your organisation to do this, with minimum impact to existing security and development toolsets and processes. We believe that Akeero delivers:

• Secure and compliant architecture designs
• Increased team and resource efficiency
• Reduced security spend and effort
• Increased speed to market for secure products and services

We can’t promise you’ll grow to like audits, but we can definitely take a lot of the pain away, leaving you with more time to concentrate on your “real job”.

Akeero automates product security design and compliance for cloud-native environments, enabling teams to deliver secure apps and networks better, faster.

In my last blog I wrote about FOGO — or the Fear Of Getting Owned, and it got me thinking about fear in general. Fear is one of the most primitive human emotions, and despite the largely negative connotations, it can be a healthy thing.

Imagine a cliff-face of sheer rock, stretching hundreds of feet towards the sky. You look to the top and you see that it’s so high that it’s actually in the clouds.

Now imagine that you’re suddenly halfway up the cliff, clinging to the rock with your fingers and your toes. You probably feel very afraid of falling. This is a natural reaction, and one designed to keep you safe.

What precautions could you have taken before you started climbing? Would you feel better if you had some safety ropes attached? Certainly. What if you were kitted out in some proper climbing gear? That would help too. And what if your route to the top had been marked out in advance by an expert climber, who was on hand to guide you along the way? Yes, please!

Even with these precautions in place, you’re probably still afraid, but maybe now the climb to the clouds seems like a risk worth taking. Sure, it’s going to be tough and scary, but the view from the top will be magnificent.

For many companies, they know that they could benefit from moving their infrastructure to the cloud, and yet they find themselves paralysed by fear. Will we be in control of our data? What if there’s a breach? How do I know my infrastructure is secure? All valid concerns… although if you stop to think, these risks already exist with on-premise solutions too. It’s just that we’re more used to managing them; what we’re really talking about here is the fear of the unknown.

All fears can be overcome, so if your organisation is ready to make the move to the cloud, it’s vital that you do so with a full understanding of what’s involved. Gartner predicts that through 2025, 90% of organisations that fail to control public cloud use will inappropriately share sensitive data. A scary thought. They also predict that 99% of those cloud security failures will be the customer’s own fault. That’s as unsettling as it is scary.

The good news is: you are in control. Provided you prepare in the right way, you can make sure that you realise all of the benefits the cloud has to offer — all that wonderfully scalable and cost-effective flexibility — without taking on any additional risks. In fact, I believe that if you do things the right way, your cloud infrastructure can be even more secure than any on-premise solution.

Akeero was designed with a clear goal of allowing teams to identify security and compliance requirements for complex cloud-native architectures in minutes. Our intuitive user interface, combined with native integrations, allows your organisation to do this, with minimum impact to existing security and development toolsets and processes.

We believe that Akeero delivers:

• Secure and compliant architecture designs
• Increased team and resource efficiency
• Reduced security spend and effort
• Increased speed to market for secure products and services

Reach out to me if you want more info on how Akeero can help you to do things the right way from the start, and ensure your organisation has the footholds it needs to take those first steps toward the cloud.

And yeah, it’s still a little scary… but the most worthwhile journeys are often the ones that take you out of your comfort zone!

Akeero automates product security design and compliance for cloud-native environments, enabling teams to deliver secure apps and networks better, faster.

You’ve probably heard of FOMO: the “Fear Of Missing Out”. It’s a well-established and oft-referenced social phenomenon, the kind which can commonly arise from seeing an Instagram post of someone you barely know drinking a cocktail on a sunny beach somewhere. Your heart sinks as you consider that everyone else in the world (EVERYONE!!!) is having more fun than you.

The past year has seen all of us miss out on various fun times, and as a result FOMO has receded, at least temporarily. You could argue that it’s one of the few upsides to the pandemic, but I think I’d take FOMO over lockdowns any day of the week.

What hasn’t receded — and in fact may be getting more severe — is a less well-known anxiety, but one that most organisations can relate to: FOGO, or the “Fear Of Getting Owned”.

As more and more companies adopt a “Cloud First” approach for hosting mission-critical products and services, their architectures are becoming increasingly complex and difficult to manage. Add in some lovely Agile development practices and a dash of Infrastructure-as-Code and it can quickly become overwhelming trying to securely design and deploy cloud native infrastructure.

No organisation wants to be headline news for all the wrong reasons, because it turns out there IS such a thing as bad publicity — just ask Volkswagen about “Dieselgate”. Managing and securing cloud-native infrastructure is challenging, especially at scale, so it’s almost a certainty that people in your organisation are suffering from FOGO. And if you’re lucky enough to have a dedicated security team, it’s likely that FOGO sometimes keeps them awake at night.

A quick Google search of a term such as “cloud data breach” will highlight how many organisations, large and small, are continuing to suffer critical data breaches as a result of insecure configurations for their cloud-native infrastructure. Even something as avoidable as “S3 public access” continues to rear its ugly head, again and again! The question is: with all we’ve learned, why does this continue to happen?

In my experience, there are a few reasons why organisations continue to experience challenges in cloud-native secure design:

• Lack of time and/or resources leading to inadequate or non-existent security or compliance design
• Agile engineering teams require too much time to identify security requirements at scale
• An over-reliance on security testing immediately prior to product or feature release, at which stage it’s often too late to fix all but the most critical issues (and sometimes it’s too late to even fix those!)
• Too great a focus on detection of security issues and too little focus on prevention
• Lack of organisation-wide visibility of deployed infrastructure

Of course, none of these problems are insurmountable, and that’s where we believe Akeero can help — whether your organisation is big, small, or somewhere in between. Our platform was designed with a clear goal of addressing these challenges by identifying security and compliance requirements for complex architectures in minutes.

Our intuitive user interface, combined with native integrations, allows your organisation to do this, with minimum impact to existing security and development toolsets and processes. We believe that Akeero delivers:

• Secure and compliant architecture designs
• Increased team and resource efficiency
• Reduced security spend and effort
• Increased speed to market for secure products and services

Come tell us why you have FOGO and find out for yourself how Akeero can help!

Akeero automates product security design and compliance for cloud-native environments, enabling teams to deliver secure apps and networks better, faster.