What I didn't know about IRAP Assessors
To all those in my network who took time to drop me little notes of cheer, and all the shoutouts of congratulations for my new role in Cyber Security, I would like to say a big thank you. My heart has been so moved by everyone's kindness. Especially since everyone did this out of goodwill. Kindness is something not to be taken for granted especially in this day and age when time is moving so quickly and it is so easy for the busyness of life to just take over.
Day 2 of being entrenched in the cyber world.
Yes, I have had many curious people asking me what it is like to fully transition into this industry. Well, for starters, my mindset has changed towards how I view GRC. :) I am going to be real here and admit that I was influenced before when someone said GRC is boring. Well, this is apart from the fact that this person was comparing it with pentesting, which he/she believed is a lot sexier. Although I did have a Bachelor of Computer Engineering (Hons) and thought ethical hacking was cool, I realised today that boy was I wrong.
I was plunged into the IRAP world and attended a scoping session for one of our clients. And I must say that I have a newfound respect for IRAP assessors after the meeting. So much so that I actually looked up what the requirements are to be one! They are few and far between in Australia. And even fewer in Sydney.
Even rarer are those who have found a way to do it right by the Australian Signals Directorate (ASD), which means that they have successfully shortened the processing time because of the individual ownership they have taken, their due diligence in ensuring constant communication with the ASD, combined with the years of credibility in the relationship they have built with them.
I have also learnt today that it is not just the government agencies handling government information that are required to comply with the Information Security Manual (ISM). For ICT and Cloud Providers (or to-be Providers) to have an advantage over their competitors and be able to provide services to the Australian Government, they need to comply with the ISM. And it can take anywhere from a year to 1.5 years to get your business ASD certified. Of course, with the right IRAP assessor, the processing time can be shortened considerably, which allows the business to expand and grow without being hindered by the waiting time, or just by the fact that they are not compliant. This also makes everyone's lives a lot easier as they are able to build solutions for customers knowing that the right controls are in place.
To sum it all up, essentially I saw what it means to be building with the future in mind, and it pays in the long run to put in the painstaking effort first (side note: the 945 controls that the IRAP assessors have to work through are no joke!) in ensuring the foundation is there and thinking ahead with compliance. I definitely left that meeting enlightened, and glad to know that I am now working together with one of the rarer breed. :)