CSA Community Spotlight: Auditing Cloud Security with CEO David Forman
Published 12/12/2024
As we celebrate 15 years of advancing cloud security, the Cloud Security Alliance (CSA) reflects on our role as the world’s leading organization dedicated to establishing and promoting best practices in cloud computing. Among our many initiatives, our auditing and compliance efforts stand out as critical pillars for ensuring a secure and transparent cloud environment. Through programs like the Security, Trust, Assurance, and Risk (STAR) Registry and our collaborative work on global standards, we’ve empowered organizations to demonstrate their security and compliance posture effectively.
These initiatives—along with our research, training, and certifications—would not be possible without the dedication of our global network of members, volunteers, partners, and experts. Throughout 2024, we’ve celebrated the stories of 15 longtime partners who have been instrumental to our mission. We close this series by shining a light on CSA’s auditing and compliance achievements and the profound impact they’ve had on shaping a secure future for cloud computing.
This final interview of the year is with David Forman, Chief Executive Officer at Mastermind, a certification body accredited to assess and certify governance programs against standards established by the International Organization for Standardization (ISO). Mastermind is the first company in the United States to focus exclusively on ISO certifications. David is a certified Lead Auditor for ISO 27001 (information security), 9001 (quality), 27701 (data privacy), 22301 (business continuity), and 42001 (artificial intelligence). Below, learn how David’s auditing background led him to CSA and how he has stayed involved since then.
What are the various ways you’ve been involved with CSA over the years?
My journey with the Cloud Security Alliance began in 2015 when I was a staff auditor at EY in Atlanta, diving into ISO 27001 and related information security standards. One of my clients based in Phoenix expressed interest in STAR Certification, prompting me and my assigned engagement partner to explore the scheme in greater depth.
About a month later, we took the CCSK exam, aiming to bring back more specialized expertise to address our client's needs. That engagement became my first experience with STAR Certification and opened up a wealth of knowledge around shared responsibility models and public cloud infrastructures—skills I’ve continued to build on throughout my decade in cybersecurity and data privacy.
Since that initial exposure, I was promoted to a practice leader position at Coalfire, overseeing their in-house certification body from mid-2017 to early 2024. In this role, I led the development of competency matrices for all certification body staff, which included the CCSK credential as a core pillar for establishing public cloud knowledge before any team member could be approved as an auditor for standards like ISO 27001, ISO 27017, and ISO 27018.
Around the same time, my interest in standards development took root, and I joined the United States Technical Advisory Group for ISO/IEC JTC 1/SC 27 as an observer. I also became an active participant in the Cloud Security Alliance Open Certification Framework (OCF) Working Group, where I continue to contribute today.
What’s your favorite memory of the CSA community?
In October 2020, I was invited to join the STAR 1000 webcast alongside Daniele Catteddu and John DiMaria from the Cloud Security Alliance and Ron Tse, CEO of Ribose. The event marked a significant milestone, celebrating the 1,000th submission to the STAR Registry—a moment that felt especially meaningful to me, having only been introduced to the STAR program five years prior. It was a clear sign that our combined commitment to the CSA community was beginning to yield compounding effects across cloud service providers and cloud customers.
The webcast was recorded during the height of the pandemic, but I still vividly remember our weak efforts to figure out how to launch fireworks animations in Zoom to commemorate the achievement.
Why do you continue to be a part of the CSA ecosystem?
In recent years, I have remained actively engaged with the OCF Working Group. My continued involvement is driven by the diversity of projects we address and the high level of expertise among participating volunteers.
My prior experience with global standards development has shown that the effectiveness of such groups often hinges on the dedication and skill of their members. The strength of the OCF is further supported by its members, many of whom also contribute to ISO/IEC JTC 1 committees. This dual participation enables them to incorporate updates from ISO committees and proactively adapt the certification schemes and knowledge resources authored by CSA to align with revisions to these international standards.
What do you see as one of CSA’s most significant contributions to the cybersecurity industry?
The Cloud Security Alliance has always prioritized fostering a community-driven approach. Since its inception, it has successfully drawn the attention of leading cloud security architects and governance experts worldwide.
With the launch of its Circle community, CSA created a global platform for its individual and corporate members to collaborate openly. This space encourages research, feedback, and discussions on critical topics like artificial intelligence safety, Zero Trust, and emerging trends identified by security leaders. A well-aligned community can be a powerful force, and the connections CSA has built through Circle and its working groups are poised to sustain its legacy for decades to come.
What are your predictions for CSA in the next 15 years?
The STAR program stands out as the most impactful initiative in the history of the Cloud Security Alliance. Over the next 15 years, I anticipate its associated Cloud Controls Matrix gaining even greater global recognition and adoption, with expanded applications to address emerging risk areas such as data privacy and artificial intelligence.
Building on milestones like Singapore's recognition of the Level 2 STAR Certification through its Multi-Tier Cloud Security scheme in 2014 and Italy's Agency for National Cybersecurity incorporating these standards into its Polo Strategico Nazionale in 2022, I foresee growing alignment with these security practices among both international oversight organizations and national regulators.