Can you share any best practices for managing compliance risks in a hybrid-cloud environment?

Regulatory ComplianceGovernance, Risk & Compliance
747 viewscircle icon3 Comments
Sort by:
Director of Information Security5 months ago

Implementing a CNAPP and using a shift-left strategy are both necessary and, from a compliance standpoint, adopting a zero-trust model is also critical. This ensures that every user is properly authenticated and authorized, allowing for effective compliance monitoring. Robust identity and access management (IAM) tools are vital for managing access to cloud environments and conducting regular reviews. Automation in policy management is also key, enabling automatic management of cloud policies, data encryption, and protection. Collaboration among security, compliance, and IT teams is essential to maintain secure environments and address compliance needs, including third-party risk management.

Information Security Manager5 months ago

I would emphasize the importance of a secure-by-design approach. This involves examining the architectural schematics and blueprint of cloud solutions, whether they are vendor-hosted or self-managed. In many enterprises, there's often a challenge with managing already deployed cloud workloads. It's crucial to maintain visibility and ensure that new solutions or additions to the environment undergo thorough architectural reviews. This ensures the right baselines are established, which then supports continuous monitoring after deployment.

Field CISO in IT Services5 months ago

Implementing a cloud native application protection platform (CNAPP) is a fundamental step to manage compliance risks. This is comparable to having a firewall in your on-premise environment. In a cloud environment, a CNAPP is essential not only for compliance but also for general security. It helps prevent misconfigurations and provides compliance benchmarks, which are excellent for continuous monitoring of your settings to ensure they remain compliant and avoid configuration drift.

Content you might like

What are the biggest risks of poor Public Key Infrastructure (PKI) execution?

Downtime and Outages35%

Fail to issue/renew/revoke certifications55%

Failed Audits28%

All of the Above33%

None of the Above3%

View Results

We are currently evaluating a new Infosec awareness platform to replace or augment our existing solution with the goal of aligning with our strategic shift toward Human Risk Management. 
This initiative is driven by the need to: 
1. Deliver tailored, real-time awareness based on user behavior and risk profile 
2. Improve training relevance through role-specific content and interactive formats 
3. Ensure compliance through automated consequence management & lifecycle integration 
4. Consolidate LMS platforms and reduce duplication 
5. Host all training modules on our training content hosting platform which requires SCORM compatibility 
The platform must integrate with our existing identity and access management tools (Entra, SailPoint etc), support phishing simulations with Outlook integration, and provide access glass screening capabilities. We are also looking for customizable content aligned with Organisation look and feel, and automated reinstatement of access upon compliance.
Does any one have any experience or recommendation for such as tool?

I’m in the process of developing and formalizing the Risk Appetite Statement (RAS) for my organization, a public transport operator. Before we bring the draft to the Board, I’d appreciate your views on the best approach for engaging the Senior Leadership Team (SLT): Is 1:1 engagement more effective to gather candid input? Or would a group workshop be better to align perspectives and drive collective ownership? If anyone has experience developing a RAS specifically for a public transport or infrastructure-focused entity, I’d love to hear your lessons learned or key considerations. Appreciate any tips or tools!

Read More Comments

The CEOs of Amazon, Apple, and Microsoft are set to meet with Biden at the White House to discuss cybersecurity today. What do you hope to see prioritized by the federal government coming out of the meeting?

Hiring/Cyber Talent32%

Data Breach Reporting68%

Ransomware Prevention64%

Infrastructure Security35%

Other (please comment below!)1%

View Results

CISO here at a large enterprise—between NIS2, DORA, the Cyber Resilience Act, and growing internal pressure around shadow AI and ransomware response, it feels like we’re constantly balancing compliance overhead with real operational risk. What’s the one thing you’re losing the most sleep over in 2025?