CSA Community Spotlight: Contributing Something Meaningful with Head of Security Partha Chakraborty
Published 08/07/2024
For the last 15 years, CSA has been contributing to the cybersecurity community with our many research publications, trainings, blogs, in-person and virtual webinars and events, and many other initiatives based on top-of-mind security concerns. This thought leadership and event content is produced by our vast network of dedicated members, volunteers, subject matter experts, chapter leaders, and trainers. So to celebrate CSA’s 15th anniversary this year, we’re interviewing 15 longtime partners that have been integral to the success and growth of the CSA ecosystem.
Today we’re speaking with Partha Chakraborty. Partha is the Associate Vice President, Head of Security Architecture, Engineering & Innovation at Humana. He has over 20 years of cybersecurity leadership experience in the financial services and healthcare industry. An active speaker and panelist at major cybersecurity conferences, he is also Chair of the CSA Cloud Key Management Working Group. He is currently researching security challenges in API, microservices, key management, and posture management. Below, learn more about Partha’s contributions to the cybersecurity community and his perspective on the legacy of CSA.
What are the various ways you’ve been involved with CSA over the years?
I have been regularly speaking at Cloud Security Alliance conferences, even last year at SECtember. I'm also the Chair of the Cloud Key Management Working Group. Last year we published three artifacts and this year we are working on two. And I'm really grateful that the Cloud Security Alliance recognized me as a Juanita Koilpillai Service Award winner last year. The last three years have been a great journey and I’m looking forward to the continued relationship and more meaningful contributions in this field.
What’s your favorite memory of the CSA community?
The award at the SECtember event last year came as a surprise. I was not expecting an award or anything. It was a really very great gesture from your selection team.
Plus, during that event I was able to meet with a lot of the people I interact with on the working group calls. There are people all over the US, and that was the first time I met in person with many of them, including my Co-Chair in the Key Management Group, Sam. The kind of interaction and the vibes in that environment are great, where everybody's passionate about contributing something meaningful when it comes to cloud security.
It's not easy - contrary to what people think, “Okay, if you move to cloud, it’s more secure.” Yes, there are a lot of things cloud security providers take care of on your behalf, but again, when you're dealing with multi-cloud, it's not easy. And I learned a lot of new things from the people who were interacting with me and sharing their experiences. So that has been by far the best engagement and experience I had in person at one of the CSA events.
Why do you continue to be a part of the CSA ecosystem?
The first thing is that CSA is cutting-edge when it comes to cloud security best practices. I mean, there is a lot of other vendor-specific guidance. If you go to a website, they have their cloud security best practices architecture framework and all. But what CSA does a phenomenal job at is keeping it vendor-agnostic.
There are industries which I have been a part of that had one specific cloud security provider. Whereas now I work for healthcare, we have multiple cloud security providers. So having an independent perspective from an organization like CSA - which does not have any vendor bias and these are truly the best practices - it is very helpful for making decisions as the technology consumer.
And being a part of the organization, I can also share my learnings, my pain points, and do cross-collaboration. So it is mutually beneficial for me, as well as my peer group that I interact with. CSA gives me that platform. So that is why I intend to continue this engagement in future as well.
What do you see as one of CSA’s most significant contributions to the cybersecurity industry?
All the publications I have seen so far are great, including the net-new things coming up like Generative AI risk and anything that is very novel technology. I feel like CSA publishes, if not first, at least around the same time when others first publish, when people struggle with new concepts. Like, “Okay, this is a new thing that has come up. Is it a buzzword? Or do I need to do something around it? I have no idea where to go and how to start.” At that point in time, CSA publications and artifacts are kind of eye opening and show the right guidance.
So that is the best contribution, aside from bringing all the industry experts together to provide unbiased vendor-agnostic guidance. I would say being vendor-agnostic and unbiased about novel technologies in a complex area like cloud security are truly the shining factors for me.
What are your predictions for CSA in the next 15 years?
I think it’s going to get more grounded in terms of the way people use it, like the NIST assessment. Whenever a CISO joins a company, they want to get a NIST assessment. Maybe this will happen with CSA guidelines when it comes to cloud security.
I mean, there are CSA frameworks that we publish. People follow them as guidance. There is a likelihood when it comes to cloud security, CSA frameworks can become even a de facto standard like the way people use NIST CSF.
One thing I would like to see is this: I also teach in college. I am an Adjunct Professor of Cybersecurity at Northwestern University. I teach three cybersecurity courses for the master's program in cybersecurity. Right now, CSA is doing a lot of great work with the industry for sure, but getting more into academia would be great to see. Building a pipeline for the students, making some of the awareness material and content accessible to universities free of cost. Seeing more engagement from the students. That will really help build and broaden the Cloud Security Alliance for the next generation of the workforce that is coming into our industry.
Question from interviewee Vishwas Manral: What cloud-shattering initiatives can CSA launch to elevate research and awareness around AI?
That is a very good and timely question because AI and GenAI are no longer buzzwords. People are using it, it has opened up like a floodgate, and you have to actually know how to secure it. The controls are not very mature. As an enterprise customer, we struggle with that. We still keep on blocking a lot of the access to AI because we are concerned our intellectual property may get out and, lacking proper control on the prompt engineering, inadvertently people can reveal a lot of critical information.
CSA actually has AI and GenAI working groups; some of my colleagues are also working on those groups. But I think it could be good to do some more webinars or sessions that can increase awareness. CSA is still working on those areas and working on publications.
I would also like to see more specific guidelines. For example, when you talk about controlling the prompts, “These are the five things you can do and these are the possible ways of doing them.” Right now the scope is very broad. We are talking about a 20,000-foot view. I want it narrowed down. I’m waiting for that level of publication, and when it comes, I'll probably be one of the first to review it. I can't wait to have a meaningful engagement on this front.