CSA Community Spotlight: Creating Globally-Recognized Cybersecurity Assessments with Willy Fabritius
Published 11/27/2024
Celebrating 15 years of innovation, the Cloud Security Alliance (CSA) has established itself as the premier organization shaping the future of cloud security through the development of transformative security frameworks. Since the release of our inaugural Security Guidance for Critical Areas of Focus in Cloud Computing in 2009 and the subsequent Cloud Controls Matrix, CSA has continually pioneered frameworks that address evolving security challenges and set the global standard for cloud security practices.
Over the years, our efforts have expanded to include a rich portfolio of research publications, training and certification initiatives, global chapter networks, and industry events. At the heart of this progress is the unwavering support of our community, including members, partners, volunteers, and subject matter experts. To celebrate our 15th anniversary, we’re spotlighting 15 key collaborators who have played a vital role in the growth and success of CSA, honoring their contributions to advancing security in the cloud.
Today we’re speaking with Willy Fabritius, Global Head of Strategy & Business Development at SGS. For nearly 30 years, Willy has held management positions with organizations in the private sector. Willy has conducted several thousands of audits to a variety of standards: ISO 9001, ISO/IAF 16969 (now known as IATF 16949), ISO/IEC 27001, CSA STAR, ISO 27701, ISO 22301, and has audited multiple fortune 100 organizations to these standards. Willy has worked for several global certification bodies and delivered audits in APAC, Africa, Europe, and the Americas. Willy also is representing the International Independent Organization of Assurance (IIOA) on several ISO/IEC TC1 subcommittees, namely SC27 (Information Security) and SC42 (AI-related standards). Below, learn about Willy’s long history with CSA and the cybersecurity insights that he’s learned along the way.
What are the various ways you’ve been involved with CSA over the years?
My involvement with CSA goes back to when God was still a young man, when John DiMaria and I were working for BSI. That goes back to whenever the CSA STAR program was initialized. John was kind enough to get me trained on the program, get me introduced to it, and sooner or later I started auditing some major accounts to the CSA STAR requirements.
Then I got involved in all kinds of working groups, from the CAIQ, to the CCSK exam questions, to the Continuous Assurance Metrics Working Group, and then participating in the AI Summit. On a regular basis, I'm on working group calls trying to help and share my knowledge and wisdom.
What’s your favorite memory of the CSA community?
A few years ago, at the RSA Conference, we had this huge event that was pretty cool. It's about coming together - whether this is in person, which I, an old-fashioned guy, prefer, or whether this is remote. It's about coming together as a community of like-minded people.
Why do you continue to be a part of the CSA ecosystem?
I would like to say four points:
- Intellectual exchange with like-minded people.
- Contribution to the next security framework.
- Constantly developing new things and providing thought leadership.
- The strong belief that shared responsibility in cybersecurity starts with all stakeholders being involved in the development of assessment frameworks on a regular basis. When we are talking about shared responsibility, of course we have a shared responsibility to protect our systems, our organizations, and ourselves personally. But that really starts when we work together to define the frameworks and assessment criteria.
What do you see as one of CSA’s most significant contributions to the cybersecurity industry?
Creating a community that develops industry-recognized and globally-recognized assessments and certification solutions. It's really coming from that communicative perspective, and that creates credibility and recognition. Getting peers and the community involved creates recognition very early in the process. Once the product is out, it's already well known and people don't need to get educated about it because well, they were already involved.
What are your predictions for CSA in the next 15 years?
I think that in the future, CSA could be - and must be - more of a member-driven organization by individuals. In the future, I can see that there might be some kind of membership for individuals, with a nominal annual membership fee, that then also leads to some kind of recognition of the individuals, something like CSA Senior Member or CSA Fellow. At the end of the day, I think an individual membership-driven organization could really have benefits.
Question from interviewee Avani Desai: What’s one lesson you’ve learned from the CSA community that has had a lasting impact on your approach to cybersecurity?
What was reinforced for me is that there are no standard good practices. There's always some special situation, there's always an edge case.
But the majority of the issues we see in the field could have been prevented by basic cyber hygiene. When you look at all those well-known cybersecurity incidents, it's not rocket science. It's basic stuff where somebody got an email with an attractive attachment and clicked on it, and the next thing is KABOOM. That's the kind of stuff that is basic, that is obviously very important to reemphasize daily.
A lot of people think that cybersecurity is complicated and that it's only for the IT folks. That you need to have at least a master's degree in computer science, blah, blah, blah. But no, everybody can read that suspicious text message that says something like, “US customs - you have a USPS parcel being cleared due to detection of invalid zip code address. The parcel cannot be cleared and the parcel is temporarily detained.” It's not that complicated. It's obvious.
Basic cyber hygiene is essential. I think this basic knowledge is so hard to get across to people because of the fear that they need to learn how computers work. That's really not the case. You don't need to know about transistor functions and that they flip from one state to another state and blah, blah, blah. You don't need to know what the process for semiconductor manufacturing is. But people are fearing that. They shut down automatically without actually looking at how easy it is.
And then I think there is the fear that they start talking and then they reveal that they don't know a lot of stuff and embarrass themselves, so they don't even start talking. I think it's more of a psychological issue than anything else.
I'm hopeful that the kids that are in kindergarten right now will not have an issue once they’re grown up because it's natural to them, right? It's totally cool. For other generations, especially my generation and older, I can see that people have not grown up with computers. There is this impression that computers are super complex and complicated, which is the case, but that's not the point. The point is that cybersecurity is not that complicated.
Do you have a question for the next interviewee to answer?
From your perspective, what will be the first three use cases for using AI in assessments for CSA frameworks?
Make sure to check out more insights from the CSA community here.
Related Articles:
CSA Community Spotlight: Filling the Training Gap with Dr. Lyron H. Andrews
Published: 12/06/2024
Top Threat #6 - Code Confusion: The Quest for Secure Software Development
Published: 12/02/2024
It’s Time to Split the CISO Role if We Are to Save It
Published: 11/22/2024