CSA CxO Trust Initiative: Understanding the Priorities of the C-Suite
CSA’s CxO Trust Initiative is a broad-based, forward-looking initiative to elevate the knowledge of cloud computing and cybersecurity. Its core mission is to help Chief Information Security Officers (CISOs) better understand the priorities of their peers within the C-Suite and effectively communicate issues of cloud computing. The CSA Security Update podcast is hosted by John DiMaria, CSA Assurance Investigatory Fellow, and explores STAR, CSA best practices, research, and associated technologies and tools.
This blog is part of a series where we’ll be editing key CSA Security Update episodes into shorter Q&As. In today’s post, John interviews the President of CSA, Illena Armstrong. She answers questions about the CxO Trust such as: What is the purpose of the CxO Trust? What unique challenges do CISOs face? How can we foster healthy cloud security communication within the C-Suite?
Listen to the full podcast here.
Dissecting the CxO Trust
John DiMaria: I have the pleasure today of interviewing the person who's responsible for spearheading this project. Illena Armstrong was previously the VP Editorial of SC Magazine and is now the President of CSA. She was named one of the Cybersecurity Defense Magazine's Top 25 Women in Cybersecurity for 2019.
The C-Suite is something that I have been pushing for quite some time. I think the top-down approach and objectives-driven system is really important. We have a diverse audience, so can you briefly talk about the CxO Trust Initiative and the main objectives behind it?
Illena Armstrong: Our CxO Trust is about bringing together members of the C-Suite who have a vested interest in ensuring that their cloud infrastructures are managed effectively, safely, and securely. CSA is well positioned to do this because we've spent the last 12 years helping the industry secure the cloud through our vendor-neutral nonprofit leadership position.
We've created and regularly update and release a bevy of resources covering all things cloud. We have extremely well-established training programs that can help industry practitioners obtain our professional certificates. Through these contributions and our overarching passion for the space, we're uniquely situated to further support and roll up our sleeves with CISOs and their partners at the C-level.
Security Challenges Facing CISOs
JD: I know that when you talk to C-level people versus your IT managers, there's really a gap. People at the C-level have different challenges than some other areas. What security challenges do you see that are unique to C-level people versus the historical day-to-day issues of IT?
IA: Members of the C-Suite really have to have that holistic view of the business and the prowess to tactically manage it day-to-day, as well as strategically guide it long term. They really need to have the temperament and acumen to rally the troops in a very clear decisive direction that garners success for all involved.
How these roles are different from mid-level or other managers and staff is that burnout is a thing. Not to say that staff and middle managers don't see that too, but research shows that an average commitment for a CEO might last maybe seven, eight years. We get to CISOs and forget about it. The stats show that they might last a year or two in a role. Cyber attackers are relentless. You have to take into account the geopolitical scene. What's happening there can impact businesses and their related security controls.
If you look at those security controls and resiliency strategies, there's complexity and the need for constant attention and oversight, given the systems and the differing environments on which businesses rely. You throw into the mix regulatory mandates, governance concerns, this dearth of cloud security expertise, trying to train up your teams, working with others, and the job isn't really getting easier. Maybe it's because of that rush to the cloud and maybe also because of the much more high profile cyber and ransomware attacks, but there does seem to be more urgency than ever before.
There seems to be more acknowledgement and understanding that the CISO’s role and the need for it to be positioned prominently in the hierarchical structure is going to get the business the greatest impact.
Creating a Working Group
JD: I want to concentrate on CSA’s Top Cloud Priorities for CxOs research paper for a minute. This was published to equip C-level executives with industry guidance to build pragmatic cloud security projects and really bring added value to the business.
Complexity has been a big issue as well. Dr. Ron Ross, a senior research fellow at NIST, has written several papers on how reduced complexity possibly is going to reduce risk. You did mention some of the objectives, but what's the bottom line? What's the expected outcome of the working group?
IA: Our Chief Trust Officer in Residence, Pete Chronis, our Global VP of Research, John Yeoh, and our CEO, Jim Reavis, led the charge and readied that paper for release at our CISO Summit during the RSA conference this year. We had other contributors, which just reaffirms that robust bench of experts to whom we can turn.
We still have more topics we haven't even covered in that initial release, and likely we'll see the participants of our working group share other critical areas that we should be delving into. In tandem with the release of this particular research document, we put out a call for participation for our CxO Trust Advisory Council, which will be composed of CSA members’ CISOs. We'll be looking to this group to also help us finalize the makeup of our working group. That working group is open to CSA member organizations as well as practitioners in the wider community who might not be members of the CSO community.
We already have 31 active working groups now, which will see the release of around 50 publications a year. We publish about 200 blogs and we hold about 80 webcasts. I have no doubt we'll have a very strong showing when it comes to helping the C-Suite community get more insights and advice on particular priorities.
JD: There was a press release a little while back. In that, you mentioned that CSA interviewed a large number of CISOs and other C-level stakeholders about their pain points. Over the past year, the adoption of cloud has really grown exponentially, and cloud security has become cybersecurity for most of us. In terms of risk, what is the importance of the CxO Initiative in mitigating risk in the cloud?
IA: This is a very robust initiative that we are creating. Executives working with us will receive a wealth of information, insight, and advice that they will be able to apply in their own environments within their organizations.
We cater to both corporate members and service provider members. We can facilitate more robust discussions and talks to make sure that needs are being met. Then we want to have a seat at the table when it comes to any possible implementation of mandates that might have an impact on our members in the wider community.
Fostering Communication Within the C-Suite
JD: I noticed you mentioned mandates a few times and that's really what drives a lot of these things we do. The other issue is ensuring a top-down approach and communication with everyone in the organization. I'm sure there are a lot of IT managers and stakeholders that are listening. In your experience, what are some tips? How do you engage high-ranking officers of a company? What's the language you need to use to really get their attention?
IA: In speaking with CISOs and other C-level executives about where they are in their journeys, it is surprising to me that there are some who are extremely advanced. There are some still in the middle of their journeys, and then there are some that are only just beginning. I still get surprised at some of the large organizations that are only just getting started.
In conversations with C-Suite leaders involved in their digital transformation, there's a very strong understanding that cloud enables business, as does cloud security. These things enable innovation, scalability, and agility. They can afford their organizations with cost savings and more. They definitely can up an organization's game from a competitive standpoint, and can improve a company's ability to address the risks, privacy woes, security problems, and even the go-to-market challenges.
I think it's incumbent on those in the C-Suite to educate their boards and executive leaderships on the myriad benefits that come with these digital transformations. They must be plainly speaking about the challenges along the way and the requirements and support needed to get there. It's all about speaking the truth about the value and risks when embracing the cloud and making sure that the buy-in for the entire transformative trip is whole, sincere, and fully supportive.
JD: The STAR Registry and certification process is a CSA tool that really helps organizations understand sector-specific requirements and where they stand as far as a baseline is concerned. Those tools allow organizations to reach transparency and trust and also address a number of mandates that are requiring STAR at some level.
All this really comes together with CSA providing that full package of communications, efforts, research, and tools to help people meet their requirements and include all of their organization in these initiatives. I think it's something that's long overdue, and it's good to see we're kicking this off.