March 31, 2022

Even before the pandemic, the majority of businesses were already moving to the cloud. 

Now, it seems you can’t do business without it.

Which means cloud security and compliance is more important than ever. 

That’s why I’m speaking to one of the authorities on cloud security, John DiMaria, Assurance Investigatory Fellow at Cloud Security Alliance, in today’s episode — to demystify cloud security.

Join us as we discuss:

  • How CSA’s STAR program can help you strengthen your cloud security
  • The biggest vulnerabilities organizations face when operating in the cloud
  • How landing on CSA’s CCM registry can give your organization more visibility

Automated Voice (00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no-B.S. answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.

John Verry (00:25):

Hey there and welcome to yet another episode of the Virtual CISO Podcast, with you as always, your host John Verry, and with me today, a dear old friend, I shouldn’t have said old friend, long-time friend, John DiMaria. Hey John.

John DiMaria (00:39):

Hi, John. How are you? Good to be here.

John Verry (00:42):

Good man. It’s good to catch up.

John DiMaria (00:46):

Yeah, it’s been a while for sure.

John Verry (00:46):

Yeah. So, I’m looking forward to this conversation. For those of you who don’t know, John’s somebody who I’ve respected for quite a long time in this industry so, he’s going to bring some really good stuff here, I’m looking forward to chatting with him. So, let’s start simple, tell us a little bit about who you are and what is it that you’re doing every day now?

John DiMaria (01:04):

Yeah, so nowadays I am the assurance and investigatory fellow and research fellow for the Cloud Security Alliance. I am essentially a co-founder of the Open Certification Framework that manages the CSA STAR Program. I retired from British Standards Institution at the end of 2018 as the head of information security and business continuity for BSI. So, now I’m with CSA. STAR obviously is my passion so I’m managing that now and I’m doing what I love to do best.

John Verry (01:42):

Yes. Well, the STAR is what we’re going to talk about. Actually, do me a quick favor, explain the Cloud Security Alliance to anybody that might not be familiar with it?

John DiMaria (01:49):

Yeah. So, Cloud Security Alliance is a not-for-profit, vendor-neutral organization. Probably, it’s definitely the largest cloud security association in the world, as far as we know. We have about 120,000 followers and single members, over 400 corporate members, and our research, which is free to everyone, we put out an incredible amount of research every day. If you look at our volunteers and our experts, we’ve had over 9,000 contributions from individuals and organizations. So, essentially we try to use industry to do research and help industry in terms of cloud security and helping organizations understand cloud security, how we keep it relevant, how we stay on top of all the newest things and the moving targets that we see every day. And so, between our research, STAR Program and volunteers and experts, we cover a wide range, about 45 different areas of research at CSA and as I said, it’s all free to download. Obviously, there are more perks for members but even as a non-member there’s just a huge amount of information that’s available for free.

John Verry (03:26):

Yeah. I look at the CSA right up there with people like [inaudible 00:03:30]. I mean, where I go when I want data. So, thank you, I do appreciate you making all that research available. Before we get down to business, we have a tradition of asking, what’s your drink of choice?

John DiMaria (03:43):

Well, there was a day when I would tell you that me and Uncle Daniels were good friends.

John Verry (03:50):

Jack?

John DiMaria (03:51):

Yeah, but now for me, it’s more wine and cognac. I enjoy a good cognac as well, so.

John Verry (03:51):

All right. So, two questions there. So-

John DiMaria (04:04):

Yeah.

John Verry (04:05):

I had a cognac recently and I can’t remember the name of it and I was surprised how much I enjoyed cognac. So, one of the questions and I’ve started drinking a little, this is called [Bembe 00:04:15], which is cognac is one of the two blended. Right.

John DiMaria (04:19):

Right.

John Verry (04:20):

[inaudible 00:04:20]. Yeah. So, what’s a good cognac if I’m going to-

John DiMaria (04:24):

Courvoisier is my favorite.

John Verry (04:27):

Courvoisier, okay.

John DiMaria (04:27):

And it’s-

John Verry (04:29):

And on the wine, any particular varietal or blend? Which-

John DiMaria (04:33):

No, I like them all as long as it’s red and it’s dry, I’m good to go.

John Verry (04:33):

Got you.

John DiMaria (04:33):

All right-

John Verry (04:38):

Got you. I got, yeah, [crosstalk 00:04:41]. I’m a red guy as well. And I do like them dry but I do like them bold, a little bit fruit-forward in a dry wine. Right. Some people refer to them as sweet but they’re technically not sweet, but anyway, so yeah, a good glass of red wine is a gift.

John DiMaria (05:01):

Absolutely.

John Verry (05:01):

There you go with your, so for the record, John tried to disable that nine times. So [inaudible 00:05:07].

John DiMaria (05:11):

Yeah, I don’t know what it is [inaudible 00:05:12].

John Verry (05:11):

It might be a bullshit detector. It [inaudible 00:05:13]. Every time it does that.

John DiMaria (05:15):

I hope not. 

John Verry (05:17):

If that’s the case, it’s going to be a bad [inaudible 00:05:20], all the time. All right. So, to frame today’s conversation, right. The cloud and its adoption continues to escalate at what I perceive to be an amazing rate. And you see crazy statistics, right? 90 plus percent of all companies are now leveraging the cloud, 60 plus percent of companies have highly confidential data stored in the cloud. 79% of companies have experienced some type of cloud related data breach. What are we getting right that is driving all of these workloads and the use of the cloud? And at 10,000 feet, what are we doing wrong that is causing all these security challenges?

John DiMaria (06:03):

Well, I think, especially since COVID, I think cloud has actually become compute in many cases, that this is what people have done. I mean, everybody rushed to the cloud, especially during COVID, we saw just an incredible increase of inquiries and downloads of information and asking for technical assistance, so on and so forth. It’s like everything else, like the pandemic itself, we didn’t see it coming and obviously we weren’t prepared for the amount of home computing that has taken place in some cases. Some companies have gone to total home-based computing and I think that the real issue is just that transition. I mean, malicious attackers love a crisis, right? So, they weren’t stupid, the first thing they start doing is they know everybody’s working from home, there are huge gaps in security there, obviously in your home, everything’s connected in a lot of homes.

So, you have these different platforms, in some cases different ISPs for different areas of your house that you use, or different remote type access. We found traditional VPNs aren’t cutting it anymore, right? Because traditional VPNs weren’t taking into consideration these different types of computing and home-based systems that are going down, and all that came up because of that. So time is another issue, our lack of standard times where if we’re all working 9:00 to 5:00, which most of us don’t anymore that much, but you know the standard business hours of 8:00 to 5:00 or 9:00 to 5:00, whatever, all of a sudden you’ve got these huge issues with connectivity and slowed assistance and data not moving fast enough.

So, IoT is another issue, we are so connected as well, I guess the entire world, we’re just so connected. There are so many different things that connect together that we really didn’t have contingency plans, when you think about it, for something like this. But who would’ve thought, right? I mean, before 9/11, who would’ve thought that we should plan for a plane flying inside of a building, right. Same thing with this, who would’ve thought, who sits down and thinks, Oh, gee, what happens if 70% of the world’s workforce now stays home?

John Verry (09:12):

Right. But so, that drove the utilization up, right? 

John DiMaria (09:12):

Yeah. 

John Verry (09:18):

But it explains some of the security challenges, right? In terms of, let’s call it a plumbing, architectural perspective, but then we also have a lot of, I still think we do have a lot of challenges with the cloud security providers themselves and I think people understand the shared responsibility matrix, would you agree?

John DiMaria (09:35):

Oh, absolutely. And as a matter of fact, when we released the Cloud Controls Matrix, which is the cloud-specific controls for cloud service providers, that was one of the things we released a version for, that’s one of the things that we implemented was the shared responsibility model. It’s a tough area for cloud service providers because many of them don’t understand what that is and, more importantly, users don’t understand what their responsibilities are. So-

John Verry (10:07):

Which is where we’re getting in trouble, right? It’s the gap in those two levels of understanding, right? The service provider isn’t doing a good job of communicating to the end user what their responsibilities are and the end user either isn’t understanding that or isn’t intuiting it if it’s not being defined to them. And that gap in the middle is where a lot of the bad crap happens, right?

John DiMaria (10:27):

Yeah. Yeah. So, it’s, yeah. It’s one of those things that we’re talking about zero trust now. Right. Which, in my opinion, is a new concept but it’s come of age because now we realize that we need to start implementing that. And those are some of the things that came to the surface because of the vulnerabilities that we have as organizations and as just our systems that we use at home as well. And so, some of these things have matured over the years but some of these things were just sitting out there and it wasn’t their time or it didn’t seem like it was worth discussing. We always had the trust but verify attitude and now it’s like verify first and then you trust.

So, it’s changed a little bit in our thinking but I think that the issues that have come up in terms of security risks really boil down to the individuals that we employ and that we work with and that we train because ultimately they’re the first line of defense. And actually, just to step back for a second, when COVID first started, believe it or not, there was some twisted morality, I guess, amongst hackers that they were going to stay away from healthcare records and that lasted about two days, I think. And then we started-

John Verry (12:15):

You mean, there’s no honor amongst thieves?

John DiMaria (12:17):

Yeah.

John Verry (12:19):

I’m shocked, John really? Is that what you’re trying to tell me?

John DiMaria (12:23):

Yeah. So, it’s, yeah, so it’s really become a major issue and it’s amazing that amongst all the breaches that we have had, that it hasn’t been worse.

John Verry (12:43):

All right. So, we know there’s a significant security challenge in the cloud, in our use of the cloud with our service providers, so that ties directly into today’s conversation. So, can you describe what the CSA STAR Program is and why do you think that most organizations should be aware of it at this point?

John DiMaria (13:03):

Yeah. So, the CSA STAR Program is really about transparency and trust in the cloud. There are very specific rules and regulations around cloud-specific environments. And so, what CSA STAR is, it’s a multifaceted, multi-tiered approach to, depending on where you’re at from a risk appetite perspective, how you want to prove your compliance posture to organizations. Compliance really requires a pretty comprehensive review related to the cloud, especially when the cloud is virtually, pretty much invisible to most of us. So, we’re not totally assured of what they have in place and how well they’re doing it. So, cloud computing has really rapidly been accepted globally at enterprise levels as how to transfer data and so on and so forth.

So, we created STAR as a service to help cloud service providers understand where they’re at in terms of compliance posture, meeting regulatory requirements and compliance with local and state government regulations. That was really specific to the cloud because most of your platforms do not address the cloud specifically. So, you take ISO 27001, for instance, which is fairly generic and while if you do things right, you can make a case for saying, well, if I do my risk assessment right, I’ll put in the right controls, but just like Annex A of 27001, how do you know? What are you referencing as the best practices? What are you referencing as security controls that need to be in place? How do you know you’ve covered everything?

So, the Cloud Controls Matrix and the STAR Program help you measure that and benchmark that against those best practices and controls, not understanding the shared responsibility model and then what is your security posture and why is it the way it is, and it’s scalable because you have a self-assessment, self-attestation, and then you have a level two, which is third party certification based on 27001 and SOC 2, and then we’re updating what’s called level three, which is continuous monitoring and essentially that is metrics-based analysis and real time monitoring of organizations against certain metrics as well.

John Verry (15:54):

I’d say the last one is interesting, that’s new or not yet published, right?

John DiMaria (16:00):

Yeah.

John Verry (16:00):

I haven’t seen that yet.

John DiMaria (16:01):

It’s always been part of the program but we were really struggling with the, at the time it was a little bit ahead of its time, because we were really struggling with the whole direct, real time analysis of data flowing from one person’s system into another system, grading you against your metrics. That’s a thought that people don’t feel comfortable with a lot of times so, some of the CSPs, cloud service providers, weren’t really buying into it to begin with, but we’ve refreshed the program, we’re reworking it, we’re getting ready to launch a proof of concept and from there also a pilot program. And so, it’s ramping up but we’re taking a little different approach and we’re evolving a good cross-functional team of organizations and people to get that-

John Verry (16:01):

Got you-

John DiMaria (16:01):

Trust, yeah. 

John Verry (17:02):

Is that going to be tied into some type of a GRC platform?

John DiMaria (17:05):

No, it’ll just be a, it’s very simple, it’s just a direct feed through a REST API that flows from a security tool of your choice into the CSA platform and then-

John Verry (17:21):

Okay. 

John DiMaria (17:22):

It basically-

John Verry (17:23):

So, you’re publishing an API that we’re going to push our evidence to?

John DiMaria (17:27):

Right. And it’s a pass fail report. There’s no confidential information that’s traded, it’s just either you’re meeting the requirements or you’re not.

John Verry (17:37):

That’s pretty cool. Yeah, that’s pretty cool. And that’s really where the whole industry’s going, right. We’re going from five years ago, where it was enough to pass an annual audit, to, it’s funny because the cloud is driving the cloud. Right. We’re almost to that point where robots are creating robots.

John DiMaria (17:56):

Yeah. 

John Verry (17:56):

In that the faster that we develop the cloud, the faster that we need these tools to keep up with that. Right. This idea of continuous compliance is driven by these Azure workflows.

John DiMaria (18:06):

Yeah. And it’s also important to note that the STAR Program, the Cloud Controls Matrix is the foundation of the STAR Program. And version four now maps to, Oh gosh, I don’t know, probably 20 plus different regulations and standards and it’s growing every day. And so, my whole premise even before CSA, my whole thought process personally has always been this implement once, comply many approach to information security. You have some larger organizations that are certified through 15 different standards. There has to be a way of this multiparty recognition, which is what we’re working on now, it’s where we’re working with different organizations, like we work with the CIS, which you probably remember used to be the [inaudible 00:19:02], top 20, and now the-

John Verry (19:04):

CIS CSC. Yes.

John DiMaria (19:08):

CIS took it over and they’re not-for-profit and now it’s 18 controls, but we work with them on their version eight. They adopted the CCM v4 for cloud-specific requirements. CRI, which is the financial institution organization, I think they have, Oh, gosh, hundreds of financial institutions, they’ve adopted the CCM in their framework for financial institutions. So, it’s all about understanding that, Hey, I don’t need to do things 10 times. I can do it once, act on the deltas and then comply to everything rather than redoing, and actually, you see this in your travels and implementation where there’s just a lot of redundancy that you can reduce by using a framework like this, that brings it all together for you.

John Verry (20:04):

Right. And just to be clear, right. You mentioned at one point the CSA STAR Program is based on the Cloud Controls Matrix, which has been in existence for quite a long time. [crosstalk 00:20:15]. Right. Yeah. So, it’s 10 years ago and so you guys were ahead of the curve, if you will. And to me, it’s analogous to other good security frameworks like ISO 27002, for example; you do a great job of breaking up cloud security across 17 domains and you give 197 different control objectives that need to be achieved in order to be A, secure and compliant and B, in order to be conforming with the standard. Correct?

John DiMaria (20:45):

Right. Exactly.

John Verry (20:47):

So, CSA STAR compliant equals CCM v4 compliant. Is that fair or is there more to being CSA STAR compliant than just CCM v4?

John DiMaria (20:57):

Well, you have to be either 27, [crosstalk 00:21:00], certified or SOC 2, but yeah, using the ISO, yeah, you have to be certified to ISO 27001 and then this is a, what we call an extension to scope for ISO 27001. And so, it’s really integrated, you can call it integrated or combined audits, it’s just different in nomenclature, but it’s filtering that into your [inaudible 00:21:26], for instance either embellishing upon the controls you have or adding a new control that you don’t have. So, you talk about, yeah, 197 controls or whatever. It’s not as bad as it sounds, a lot of stuff is just, like I said, a balance sheet upon your current controls that you have through your statement of applicability, justifying things that aren’t applicable, and then that’s audited by your auditor the same way they would audit 27001.

John Verry (22:06):

Yeah, so in a lot of ways, right, it would be like using ISO 27017. I mean, ISO 27017 augments, it’s a list of controls, but it isn’t a bolt-on, if you will; some of those controls are relatively new, many of those controls are just additional guidance for existing controls. CCM works the same way, correct? It’s a set of controls. Many of those controls exist at some level already within the ISO 27002 framework. What you’re doing is giving what I would say is better and more prescriptive guidance for some of those controls that are specific to cloud use?

John DiMaria (22:45):

Yeah, exactly. Exactly. Yeah. 

John Verry (22:45):

Okay. 

John DiMaria (22:45):

Breaks it up for you.

John Verry (22:46):

Cool. And then having that concept, right. Understanding that this is idealized for cloud service providers, who do you see as being, like right now, if I would ask you, are there particular verticals, industries, particular types of cloud service providers that have embraced CSA more than others? And I’d also ask you, are there any specific types of CSPs that should be using it that aren’t?

John DiMaria (23:12):

Yeah. So, it covers all the cloud service categories but by sheer numbers, SaaS organizations seem to be leading the pack because there’s probably, I mean, nobody knows the number of cloud providers there are in the world but our best estimation is there’s probably a good million or so SaaS providers, but when you look at IaaS or infrastructure, you’re talking about more of the larger organizations so, therefore the numbers go down quite a bit. So, yeah. SaaS companies lead the pack in terms of service providers, but they also lead the pack in terms of risk in a lot of ways because they’re outsourcing a lot of their services to third parties, they don’t have the shared responsibility as much deeper, more detailed, because I’ve talked to SaaS companies that serve, I don’t know, a million people, they’ve got three employees.

So, it’s tough from a security perspective to get a handle on all this. So those are the numbers and from my perspective, anybody that’s a cloud service provider needs to look at some level of STAR, even if it’s just self-assessment, which is free by the way, it doesn’t cost anything to submit a self-assessment to the STAR registry. So, anybody can do that or even use it as a benchmark; even if you don’t want to upload it, you could use the self-assessment as a benchmark internally to see where you need to strengthen your systems.

John Verry (25:14):

Yeah, I would, and if you’re listening to this and you’re not a CSP and you’re about to hit stop, don’t. I would say that you should also be thinking about using this if you are a consumer of the cloud, and 90% of you by definition are. Right. Because understanding that an organization that’s invested the time, energy and effort into a full CSA STAR certification or even a self-assessment is somebody who is serious about security and is likely a better choice, and using this as a gating criteria as you’re going to market to look for a particular type of cloud service provider.

John DiMaria (25:54):

Yeah. 

John Verry (25:55):

If you can pick one that’s ISO and CSA versus one that’s got nothing or just ISO, you’re certainly better off with one that’s got CSA STAR in place.

John DiMaria (26:02):

Yeah, and great point that you brought up because enterprise organizations use the self-assessment program, particularly in their procurement process. And I talk to enterprise organizations every day that are downloading it and mandating that their suppliers fill this out and send it back to them, or in some cases they are mandating third party certification, but at the very minimum they’re looking for that self-assessment because it really allows them to get a snapshot of where you are. And the integrity of that self-assessment, by the way, is pretty good because when you think about it, you’re putting out something that is available to everyone in the world, it’s all publicly available. So, it’d be ridiculous to think that you could lie and get away with it because anybody can call you out on it. Anybody could ask for evidence. So, it has a pretty high level of integrity.

John Verry (27:07):

Quick question for you. Is it allowable use of the CCM for somebody to use it effectively as a vendor due diligence questionnaire? If I didn’t have a vendor due diligence questionnaire and I was going to procure services from a SaaS app and I send them that as my security questionnaire, please fill this out so I know if you’re secure. Are people allowed to do that? Is that available to them to be used in that way? Or is that within acceptable use?

John DiMaria (27:35):

Yeah. So, you can use the CCM and the CAIQ internally. You can use it any way you’d like. You can send it out to your suppliers, ask them to fill it out and send it back. We always try to get enterprise organizations to, if they’re going to do that, have their suppliers post it on the registry because it’s easier for them to manage as well. Right. Now they’ve got everything in one place and you can go there periodically and see if they’ve updated it or what have you. So, yeah. I mean it’s being used very heavily as a procurement tool and organizations are free to do that. What they can’t do is, if you’re going to use it as a revenue generating tool, then you have to purchase a license for that.

John Verry (28:30):

Got you. 

John DiMaria (28:31):

Yeah. 

John Verry (28:33):

So, that’s win-win, right? So, if somebody got sent that and they filled it out and then posted it up on your registry, that’s a win-win. Right. Because the first entity’s getting a high degree of assurance and the second entity is getting what I’m going to refer to as security marketing and transparency and trust in the marketplace because they’re taking that information and putting it up on your registry?

John DiMaria (28:55):

Yeah. I mean, you don’t know, if you’re not on the registry, people may not know that you exist in some cases. I mean, there are so many cloud service providers out here. Sure, I could say Microsoft Azure, AWS, and anybody can name off the big ones. Right. But that’s not the largest number of cloud service providers. So, there are many that, like I said, wouldn’t even be on the radar screen if they weren’t on the registry. I mean, because I work with organizations that in a lot of cases joined CSA as a member for a lot of reasons. One of those reasons is when you look at marketing and marketing budgets and things like that, our membership is not even a fraction of what most people spend on marketing. Right?

So, if you don’t have a huge marketing budget, being on that registry and working with CSA provides you with a huge amount of visibility which you wouldn’t have had, along with technical support and a manager that stays with you through your whole journey and makes sure that you get the benefits and so on and so forth. So, yeah. It’s a great procurement tool for cloud service providers, it’s really becoming the shopping mall for our cloud service providers when it comes to [inaudible 00:30:20].

John Verry (30:22):

Yeah. So, question for the other thing, which I thought was really interesting and I have to admit, I had not realized that you were doing this and I thought it was awesome, is you’re starting to have an answer. In the old days you had to have an answer as a vendor for the security question, prove to me you’re secure. Now you’ve got, prove to me you’ve got a good privacy program. So, you guys added on a component for GDPR specifically. Can you talk a little bit about how that works? And then I would ask the follow-on question, are you guys going to do something more generic as well to address other standards like APAC and CCPA?

John DiMaria (31:02):

So, the GDPR program is an evidence-based self-assessment and it provides you with the CSA code of conduct, provides you with the GDPR for the cloud controls and also asks questions of implementation so, we provide you with an implementation guide that says, this is best practice, implementing this, how do you do it as an organization? And then they get to tell us how they do that. We don’t ask for a lot of confidential information but we do provide them with guidance of what we’re looking for. What type of evidence do you need to have here? That’s then vetted by an independent third party who happens to be an international law firm that specializes in privacy.

And they provide feedback on whether or not you provided enough evidence or they may ask for additional evidence, so on and so forth. Once that vetting is completed, then you are issued a certificate that’s good for one year that says that you have to contest to your attestation, that it was vetted and so on. This year, our target is getting our code of conduct approved by the European Data Protection Board and when that happens, then we would be able to provide third party certifications against the code of conduct, which really exceeds GDPR requirements but it’s specific to the cloud so, it’s very unique in that respect.

John Verry (32:53):

So, I mean, I think that’s huge, right? Because these days provable security and provable privacy are important and there aren’t really many good answers to provable privacy, right. I think ISO 27701 is a good answer to that. And I think what you guys are doing is also a good answer. And I think they’re the only two answers that I know at this point. And I guess actually a SOC 2 with the privacy principle would be a third alternative.

John DiMaria (33:20):

Yeah. 27701 is a good standard, still a [inaudible 00:33:26]. Right. So, it technically doesn’t answer to all the requirements of GDPR, although I think it’s being updated as we speak so, they might take care of some of that. There’s talk that once 27701 is completed and updated, that may seal the fate for 27018 because it no longer-

John Verry (33:56):

Yeah. I don’t know why it exists anyway.

John DiMaria (34:00):

So, we don’t know that for sure but because 27018 is not a specification, it can just exist. Right. I mean, it just won’t be a certification but it can still exist as a guidance document or some sort of, but we’re not totally sure what’s going on with that but I suspect it’s going to fade away and stay updated to 27701. But, yeah. I mean, those are programs that are going to serve us very well. Just as a side note, we’re actually in the pilot testing of evidence-based self-assessment for STAR for level one. So, that self-assessment we just talked about as the CAIQ, there’ll be an evidence-based version of that as well. So, it fills the gap between level one and level two for organizations.

John Verry (34:58):

So, it’s like a one A, one B, so you’ll still have the normal assessment and then you’ll have an additional assessment that’s going to give someone an opportunity to provide evidence, which would obviously denote a higher level of assurance?

John DiMaria (35:11):

Absolutely correct. And no, we didn’t even talk about this before you said that. It was, yeah. It’s going to be, like I said, similar to what I just described for GDPR, it’s going to be the same thing only for STAR. And that fills a gap for organizations, small and medium-sized organizations, SaaS organizations, organizations that don’t have a big budget or don’t have a business case necessarily to justify third party certification, but yet need to compete and need to be able to have a little bit more than that self-attestation, which shows that yeah, somebody did actually vet our answers and we did prove to some degree that these controls are in place. So.

John Verry (35:57):

I like that. You didn’t answer the one part of the question I asked, do you know yet if there are any plans, so, is your current extension to STAR, the GDPR one, is very GDPR-specific. Do you know if you’ll be able to address other security frameworks, like APAC or CCPA?

John DiMaria (36:17):

That would probably be more when it comes down to mapping against controls.

John Verry (36:23):

Okay. 

John DiMaria (36:23):

We could, we’ll [inaudible 00:36:25], we haven’t done that obviously, but-

John Verry (36:28):

I mean, they’re very similar, right? I mean, so doing, I mean all of the frameworks are largely derivatives, I would say, of GDPR that are probably 90% common or something to that nature, depending on which one you look at. So, I wouldn’t think it would be very hard and I could use the GDPR one as a CCPA alternative and I think we’re hitting all the major things, right? We’re hitting consent, and we’re hitting privacy policies and cookie policies. We’re hitting data subject access requests, we’re hitting data mapping, RoPAs. Right. So, I think you have a lot of the commonality there, it’s just that I think some people might feel a little better at seeing the specific four letter acronym for what they’re doing versus GDPR, if it’s not relevant.

John DiMaria (37:05):

Yeah. Yeah. I mean it, yeah. I mean, that would be more of a working group project for mapping.

John Verry (37:11):

Okay. 

John DiMaria (37:12):

To see what are the deltas there between their programs and ours.

John Verry (37:20):

Cool. Couple other questions that are kind of looking forward, when you look at the STAR Program, some important things coming out of the government, zero trust, the secure software development framework, both have cloud implications, thoughts on that? I know that you guys are coming up with a zero trust training program as well, I’ve heard.

John DiMaria (37:40):

Yeah.

John Verry (37:40):

That I know our team is very interested, I don’t know if you have any updates on that. And by the way, if anyone’s listening and you don’t know a lot about the cloud and you want to learn about cloud security, I’m undergoing personally, right now I’m taking the CCSK, I’m about halfway through it, I will tell you that content is excellent. But it’s really well done, I mean, I thought I knew a fair amount, there’s more I didn’t know- 

John DiMaria (38:02):

Yeah. 

John Verry (38:02):

Than I thought I did know.

John DiMaria (38:07):

Yeah, no, it’s a good program. And we have our CCS, CCAK, which is the auditing knowledge so, that would be another good program to take. And there’s a lot of the STAR Program built into that toward the end of the module six, which, I wrote module six and co-authored some of the other chapters, but that gets into a lot of the auditing perspective of things. And we cover STAR in there as well. As far as the [inaudible 00:38:46], something I didn’t ask.

John Verry (38:48):

About zero trust, zero trust I know you got training coming. 

John DiMaria (38:52):

Yeah. 

John Verry (38:52):

Will there be a zero trust extension, or will the CSA CCM be updated to reflect zero trust, or CSA STAR?

John DiMaria (38:59):

Yeah. So, the zero trust, yeah. It is a program [inaudible 00:39:02], we just had a call about that today and it’s being reviewed. The modules are there, it’s being reviewed and-

John Verry (39:13):

Excellent.

John DiMaria (39:14):

So, I don’t have a date unfortunately, or release, we probably have some internal target but I’m not sure about publicly what the external target date is, but yeah. It’s a good program, it should be coming out pretty soon. We are partnering with another group so, that may slow things down a little bit but that shouldn’t be too long. And yeah, I mean, we’re just trying to give people an avenue to be the best that they can be from a security posture perspective. I know with the whole crisis going on in Ukraine right now, there’s just loads of information coming out about what you should be doing to protect yourself against cyber attacks now that that risk has really gone high and the risk profile.

So, we really try to be proactive and look at things ahead of time, rather than reacting to failures. We want to be able to be proactive and do it right the first time and make sure that it’s a lot easier to build something near being proactive than when you’re reacting to something, you’re just throwing money and resources at the problem. Right. So, we’re trying to help organizations get ahead of that. And so, that’s why our research department is just so active in those areas.

John Verry (40:53):

Excellent. Looking over my notes for today’s conversation, I think we beat this up pretty good. Anything we missed?

John DiMaria (41:02):

No, I think we’ve covered just about everything. Obviously there are several webinars on BrightTALK, you can see all the CSA webinars that cover pretty much everything in the cloud so, there’s just tons of information out there probably, but no, I think in terms of what we set out to do, this is probably pretty good.

John Verry (41:28):

Yeah. I mean, and yeah, and we haven’t touched on all of the great stuff that you guys have out there. I mean, CSA is a fountain of information. One of the other things that I like that you guys publish is your CSA IoT guidance, which I think is quite good, was developed by the same gentleman who developed the ISVs for [inaudible 00:41:45], so you guys are putting out some great content there as well. So, if you are listening and you haven’t used CSA guidance, I would strongly encourage you to get there. Not only do I think it’s great guidance, but even the, like I mentioned, the CCSK, A, great content, B, you guys offer it at a very reasonable price. It’s $700 or something of that nature for fantastic training and a certification, which I think in the industry is really a pretty compelling price point for that much knowledge and a certification which holds that much value. So, you guys are doing a lot, right.

John DiMaria (42:21):

And being a not-for-profit, yeah. Our goal is to be of service, stay relevant, being able to maintain our systems and charge a reasonable price that keeps us afloat, keeps us where we need to go but yet not trying to fleece anybody, that’s really to make sure that everybody has as much education and information as possible, either free or at a very affordable price that helps us keep the programs going.

John Verry (43:00):

All right. So, did you do your homework? You see the next question I’m going to ask you, right? I warned you about this question. 

John DiMaria (43:06):

Yeah. 

John Verry (43:06):

So I’m going to ask you, give me a fictional character or real person that you think would make an amazing or terrible CISO and why? 

John DiMaria (43:14):

Yeah.

John Verry (43:17):

No. He’s [crosstalk 00:43:18].

John DiMaria (43:17):

I was thinking more of the horrible CISO, that’s probably a, I don’t know if it’s a longer list or shorter list, but I know a lot of CISOs, so I’ll just say it’s a shorter list. But when I think about these things and believe me, I actually probably thought about this longer than I thought about some of the other questions.

John Verry (43:43):

That’s because you knew the answer to the questions without having to think about them. This is one no one’s ever asked you before.

John DiMaria (43:48):

Yeah. But I was thinking Michael Scott from The Office.

John Verry (43:52):

Yeah. Yeah.

John DiMaria (43:57):

Now, maybe I’m not jumping on the bandwagon with other people you’ve talked to, but.

John Verry (44:01):

I’ve probably heard Michael Scott before. In fact, I’m sure I have, but what’s your reason for Michael Scott being a terrible CISO?

John DiMaria (44:05):

When you think about it? I mean, the guy is just, I mean, he doesn’t have a clue, number one. His running of the organization is all about him and he just doesn’t operate anything like you would expect someone who runs an organization to operate. And he just, like I said, I guess he strikes me as he doesn’t have a clue. And that’s-

John Verry (44:41):

So, I don’t usually like to argue with my guests, but I might here, I mean, you’re failing to account for his number two. I mean, he’s got [Dwight 00:44:49], as his number two, who knows how to operate with nunchucks, which I think could be very-

John DiMaria (44:53):

Yeah.

John Verry (44:57):

Very irrelevant. I mean, he was a sheriff at one point, he was part of the fire patrol, I mean, he did have a pretty capable number two, are you giving him full credit for the [inaudible 00:45:04]?

John DiMaria (45:05):

Yeah. He’s capable, all right. Unfortunately, he’s capable of a lot of things.

John Verry (45:17):

But I mean, I’ve never seen the show, so I mean, I’m just going to swag in here. No, obviously I’m a huge Office-

John DiMaria (45:21):

Yeah.

John Verry (45:22):

Huge Office fan. I would’ve gone Jim, I could have gone Jim, I could have gone [Horman 00:45:30], not Horman was the gentleman who was, Stanley. I could have gone Stanley. So, anyway, listen this, if someone wants to get in touch with you, what’s easiest way to do that?

John DiMaria (45:40):

Oh, gosh. There’s just so many ways. I’m on LinkedIn, which is a good generic way to get a hold of me so, you don’t have to write down any information, you can contact me, it’s a [email protected]. You can email our support [email protected]. So, those are probably the three best ways to get ahold of me, if you’re looking for more information or want to chat a little more about whatever you heard or debate it, we’re wide open. We don’t profess to be the end all as far as answers are concerned so, we love to have people join as volunteers, experts and of course think about the membership program.

John Verry (46:30):

Awesome. Well, listen, sir, as always, always good to speak with you and very much appreciate you coming on to chat about CSA STARS today.

John DiMaria (46:38):

Yeah, it’s been great. Thanks, John. Have a great rest of the week.

Automated Voice (46:43):

You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected] and to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.