Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

CSA Community Spotlight: Creating Globally-Recognized Cybersecurity Assessments with Willy Fabritius

Published 11/27/2024

Home
Industry Insights
CSA Community Spotlight: Creating Globally-Recognized Cybersecurity Assessments with Willy Fabritius
Written by Megan Theimer, Content Program Specialist, CSA.

Celebrating 15 years of innovation, the Cloud Security Alliance (CSA) has established itself as the premier organization shaping the future of cloud security through the development of transformative security frameworks. Since the release of our inaugural Security Guidance for Critical Areas of Focus in Cloud Computing in 2009 and the subsequent Cloud Controls Matrix, CSA has continually pioneered frameworks that address evolving security challenges and set the global standard for cloud security practices.

Over the years, our efforts have expanded to include a rich portfolio of research publications, training and certification initiatives, global chapter networks, and industry events. At the heart of this progress is the unwavering support of our community, including members, partners, volunteers, and subject matter experts. To celebrate our 15th anniversary, we’re spotlighting 15 key collaborators who have played a vital role in the growth and success of CSA, honoring their contributions to advancing security in the cloud.

Willy Fabritius headshot

Today we’re speaking with Willy Fabritius, Global Head of Strategy & Business Development at SGS. For nearly 30 years, Willy has held management positions with organizations in the private sector. Willy has conducted several thousands of audits to a variety of standards: ISO 9001, ISO/IAF 16969 (now known as IATF 16949), ISO/IEC 27001, CSA STAR, ISO 27701, ISO 22301, and has audited multiple fortune 100 organizations to these standards. Willy has worked for several global certification bodies and delivered audits in APAC, Africa, Europe, and the Americas. Willy also is representing the International Independent Organization of Assurance (IIOA) on several ISO/IEC TC1 subcommittees, namely SC27 (Information Security) and SC42 (AI-related standards). Below, learn about Willy’s long history with CSA and the cybersecurity insights that he’s learned along the way.


What are the various ways you’ve been involved with CSA over the years?

My involvement with CSA goes back to when God was still a young man, when John DiMaria and I were working for BSI. That goes back to whenever the CSA STAR program was initialized. John was kind enough to get me trained on the program, get me introduced to it, and sooner or later I started auditing some major accounts to the CSA STAR requirements.

Then I got involved in all kinds of working groups, from the CAIQ, to the CCSK exam questions, to the Continuous Assurance Metrics Working Group, and then participating in the AI Summit. On a regular basis, I'm on working group calls trying to help and share my knowledge and wisdom.


What’s your favorite memory of the CSA community?

A few years ago, at the RSA Conference, we had this huge event that was pretty cool. It's about coming together - whether this is in person, which I, an old-fashioned guy, prefer, or whether this is remote. It's about coming together as a community of like-minded people.


Why do you continue to be a part of the CSA ecosystem?

I would like to say four points:

  • Intellectual exchange with like-minded people.
  • Contribution to the next security framework.
  • Constantly developing new things and providing thought leadership.
  • The strong belief that shared responsibility in cybersecurity starts with all stakeholders being involved in the development of assessment frameworks on a regular basis. When we are talking about shared responsibility, of course we have a shared responsibility to protect our systems, our organizations, and ourselves personally. But that really starts when we work together to define the frameworks and assessment criteria.


What do you see as one of CSA’s most significant contributions to the cybersecurity industry?

Creating a community that develops industry-recognized and globally-recognized assessments and certification solutions. It's really coming from that communicative perspective, and that creates credibility and recognition. Getting peers and the community involved creates recognition very early in the process. Once the product is out, it's already well known and people don't need to get educated about it because well, they were already involved.


What are your predictions for CSA in the next 15 years?

I think that in the future, CSA could be - and must be - more of a member-driven organization by individuals. In the future, I can see that there might be some kind of membership for individuals, with a nominal annual membership fee, that then also leads to some kind of recognition of the individuals, something like CSA Senior Member or CSA Fellow. At the end of the day, I think an individual membership-driven organization could really have benefits.


Question from interviewee Avani Desai: What’s one lesson you’ve learned from the CSA community that has had a lasting impact on your approach to cybersecurity?

What was reinforced for me is that there are no standard good practices. There's always some special situation, there's always an edge case.

But the majority of the issues we see in the field could have been prevented by basic cyber hygiene. When you look at all those well-known cybersecurity incidents, it's not rocket science. It's basic stuff where somebody got an email with an attractive attachment and clicked on it, and the next thing is KABOOM. That's the kind of stuff that is basic, that is obviously very important to reemphasize daily.

A lot of people think that cybersecurity is complicated and that it's only for the IT folks. That you need to have at least a master's degree in computer science, blah, blah, blah. But no, everybody can read that suspicious text message that says something like, “US customs - you have a USPS parcel being cleared due to detection of invalid zip code address. The parcel cannot be cleared and the parcel is temporarily detained.” It's not that complicated. It's obvious.

Basic cyber hygiene is essential. I think this basic knowledge is so hard to get across to people because of the fear that they need to learn how computers work. That's really not the case. You don't need to know about transistor functions and that they flip from one state to another state and blah, blah, blah. You don't need to know what the process for semiconductor manufacturing is. But people are fearing that. They shut down automatically without actually looking at how easy it is.

And then I think there is the fear that they start talking and then they reveal that they don't know a lot of stuff and embarrass themselves, so they don't even start talking. I think it's more of a psychological issue than anything else.

I'm hopeful that the kids that are in kindergarten right now will not have an issue once they’re grown up because it's natural to them, right? It's totally cool. For other generations, especially my generation and older, I can see that people have not grown up with computers. There is this impression that computers are super complex and complicated, which is the case, but that's not the point. The point is that cybersecurity is not that complicated.


Do you have a question for the next interviewee to answer?

From your perspective, what will be the first three use cases for using AI in assessments for CSA frameworks?


Make sure to check out more insights from the CSA community here.

C-LevelCloud Controls MatrixSTAR

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Mark Your Calendar for Cyber Monday!
Map the Transaction Flows for Zero Trust
Advance AI Risk Management
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
It’s Time to Split the CISO Role if We Are to Save It

Published: 11/22/2024

CSA Community Spotlight: Addressing Emerging Security Challenges with CISO Pete Chronis

Published: 11/18/2024

5 Best Practices for Executive Reporting

Published: 11/13/2024

The Future of Compliance: Adapting to Digital Acceleration and Ephemeral Technologies

Published: 11/07/2024