Cloud Security Alliance President on addressing the cyber skills gap (interview)

Oct 31, 2023

The Cloud Security Alliance (CSA), Zscaler, and other partners are leading providers of zero trust and cyber training and educational content, available for anyone looking to expand their knowledge, from practitioners to technology leaders.

As a capstone to Cybersecurity Awareness Month, we interviewed the president at CSA, Illena Armstrong, to gather actionable advice on being change agents. Illena acts as a beacon for our industry through her unabated pursuit of spreading cybersecurity education far and wide through the CSA and additional roles.

Her insights and solutions on closing the talent gap can help future generations of cyber risk defenders steward the safe digitalization of business and society. 

Editorial Team: Illena, officially, Cybersecurity Awareness Month is a “collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions by the public to reduce online risk, and generate discussion on cyber threats on a national and global scale.” Why is this critical for organizations globally and for CSA?

Illena Armstrong: Cybersecurity Awareness Month is all about educating the public on cybersecurity threats and giving them some basics on what they can do to avoid becoming victimized by bad actors, as well as furnishing them with some ways to adopt a more cyber-savvy stance while at home, work, and on the road. 

This year, the CSA has created a “CyberSavvy Kit” geared towards entry-level cloud folks to help empower them and their teams to navigate the threat landscape and understand how its dynamism impacts them and their organizations’ cloud infrastructures. 

We’ve curated a collection of essential cloud security tools from our research publications, events, and educational courses in this kit that hopefully will help security pros strengthen their knowledge to be strong contributors to and supporters of their organizations’ security postures, as well as their own. 

That is the foundational element of Cybersecurity Awareness Month for groups like ours and companies like yours – to extend our knowledge and experience to those who might need it so they can make sound decisions when confronted with cyber threats that, if carried out successfully, could impact their companies, their home networks or the wider critical infrastructure. 

Editorial Team: The CSA has made great strides with the foundation of the Zero Trust Advancement Center (ZTAC) since its inception in 2022. How is the CSA continuing to create the future generation of cyber risk defenders?

Illena Armstrong: With the launch of our global non-profit some 15 years ago, a crucial part of our mission is to offer a steady flow of professional educational programs and certifications.

In addition to our Zero Trust educational program and the Certificate of Competence in Zero Trust (CCZT), which we’ll officially launch and cover in our Zero Trust Virtual Summit on November 15-16, our new Cloud Infrastructure Security Training self-paced courses cover critical cloud security areas that build on an existing baseline of cybersecurity knowledge.

Not only are these helpful in crystalizing certain aspects of cloud security and introducing them to other critical areas with which they may be unfamiliar, but they also furnish other organizations’ team members – from executive leaders and board members to procurement, HR, or other business professionals – with solid foundational knowledge about essential components of cloud security. With the successful completion of each one-hour course, students receive a certificate that can be submitted for possible Continuing Education Credits. 

Alongside our Certificate of Cloud Security Knowledge (CCSK) educational program and Certificate of Cloud Auditing Knowledge (CCAK) training program, the Advanced Cloud Security Practitioner (ACSP) Training expands on the basics of the CCSK program to provide advanced, hands-on, in-person training covering practical cloud security and applied DevSecOps for enterprise-scale cloud deployments. 

Yet another offering, our STAR Lead Auditor Training program, bolsters our Security, Trust, Assurance, and Risk (STAR) ecosystem. In partnership with the British Standards Institution (BSI), we developed this self-paced training course for assessors, service providers, and consultants to gain a more robust understanding of ways to manage the security of cloud services, as well as to furnish them with the necessary credentials to become a qualified STAR Auditor. 

Finally, our final vision of our AI Safety Initiative is now coming into focus while we execute the components of our plan, such as launching working groups. This marks the beginning of an AI educational and certification program, as well as a professional services attestation program that will be yet another component of our STAR ecosystem. 

We’ll continue innovating to ensure we stay ahead of vital cloud-related needs. 

Editorial Team: We all know that security leaders and organizations can lack resources to properly educate and train their entire organizations on cybersecurity awareness when their main priority is firefighting threats. What recommendations do you have for security leaders to ensure these educational opportunities occur?

Illena Armstrong: It’s incumbent on executive leadership to fund, establish, and maintain robust cybersecurity awareness programs that address their own vertical’s particular needs and risks. 

This training should be part of the onboarding process for new employees and should happen regularly to keep team members informed. Continuous training should include employee tests and assessments to help validate their knowledge but also show executive and cybersecurity leaders where they may have gaps that future training offerings can cover.

They can leverage peers or experts to deliver talks, sign on with a cybersecurity consultant or provider of educational offerings, and have their tech team members lead sessions and lunch-and-learns. 

And, while we’ve also spearheaded sessions on handling sensitive data, safe browsing habits, mobile device security, strong password management with a focus on MFA, zero trust, phishing awareness training, social engineering, and more, today’s training must also include how AI is helping to make these types of security issues much more challenging to address.

Regarding AI, training should cover other specific threats beyond AI-generated phishing, including deepfakes, AI-driven social engineering tactics, polymorphic malware, attack escalation, and more.

As a part of these robust cybersecurity awareness training programs, organizations must establish clear and easy-to-follow procedures for reporting security incidents or suspicious activities and encourage employees to report any potential security threats promptly. These are critical components to the success of any awareness training program. 

Reward and recognition programs can showcase team members following procedures, reporting potential threats, and actively participating in training and contributing to the organization’s security posture.

It’s an ongoing process that will include different training and objectives for different departments and employees–including executive leaders and board members–that will employ other tactics as needed. Organizations must keep at it, and support for this much-needed awareness training should come from the top down. 

Editorial Team: How should a CXO at a company embarking on a zero trust transformation articulate what they are aiming to accomplish to technology partners?  

Illena Armstrong: Organizations must proactively protect their vital assets in today's ever-changing digital landscape. Zero trust is a security framework that goes beyond traditional perimeter-based security to verify the identity and security posture of every user and device accessing the network.

Zero trust assumes no user or device can be trusted. It’s vital to any organization that has set a course to meet successfully and even exceed their year-to-year objectives to be equipped to implement the robust security measures required from taking a zero trust approach. 

As our organizational partners, you play vital roles in this course to success. Although implementing zero trust requires a deep understanding of its principles, processes, and strategies, we will need your robust support to embrace zero trust principles that will safeguard all our infrastructures and ensure we maintain a strong cybersecurity and resilience posture that can adapt to constantly evolving technological advances and requirements. 

Editorial Team: In the CSA report from last year, “CISO Perspectives and Progress in Deploying Zero Trust,” the top business barrier to adopting a zero trust strategy was “lack of knowledge and expertise.” With the years of effort our organizations have invested in addressing this issue, what is still missing?

Illena Armstrong: While the concept of zero trust is far from new, organizations generally seem still to be playing catch-up when it comes to adopting more advanced cybersecurity strategies to address today’s threats and vulnerabilities. 

One reason is that they are still trying to contend with various challenges orchestrating, integrating, and managing the multiple cloud services on which their businesses rely. Also, ensuring consistent security and governance policies holistically across growingly complex multi-cloud and legacy infrastructures is a massive challenge due to problems finding and hiring pros with cloud expertise, training current staff on multiple platforms, resource allocation, effective cost management, and more. 

Of course, adopting a zero trust strategy certainly could help confront some of these lingering problems, but there also is a palpable need for expertise on this front. This fact is not just reserved for cloud, cybersecurity, and other technical team members but also the C-level executives who lead them. 

This is why we launched ZTAC and are set to announce the release of our Certificate of Competence in zero trust. The need for independent, practical, and actionable guidance and frameworks about zero trust strategy and implementation, alongside educational training, became evident when talking to members and industry friends in 2021 about their legion of cybersecurity needs and challenges.

And, to be sure, our zero trust initiative and the offerings that underpin it are a collaborative effort. We can furnish our corporate members, chapters, and the broader industry with all of our ZT-related offerings – from research and practical guidance to training to events – without the support from our ZTAC founding partners, which, of course, includes you, thought leaders like the “Father of Zero Trust” John Kindervag, our research working group volunteers, NIST, CISA, the DOD and an array of other enterprises.

Collaboration with industry experts, leading enterprises, service providers, government entities, additional non-profits, and other organizations is foundational to everything CSA does.   

Editorial Team: If you leave our audience with one recommendation for what we can action now to improve our education on cyber, what would that be?

Illena Armstrong: Armed with an understanding of your team’s knowledge gaps, start exploring educational and certification programs from organizations like CSA to get foundational and advanced vendor-neutral training on cloud security, zero trust, AI, and more. 

We’ve heard from our corporate members, industry friends, executive leaders, and professionals attending our events that the dearth of cloud knowledge on their teams must be addressed. They haven’t filled critical cybersecurity positions at their organizations because candidates lack the necessary cloud knowledge, and they need a much stronger understanding of zero trust or artificial intelligence. 

With this in mind, CSA and other groups, with the volunteer help of thousands of industry experts, are creating solid training programs that will strengthen one’s professional credentials and know-how to take on meaningful, vital, and fulfilling gigs in this space. And that’s pretty cool for professionals wishing to level up their knowledge and nurture a desirable career path. It’s also awesome for organizations hungering for their expertise and cutting-edge cyber-savvy. 

That’s a good thing for us all.   
