Big Interview – Hillary Baron

Rebecca Spayne of Security Buyer talks exclusively with Hillary Baron, Senior Technical Director, CSA, and Tyler Young, CISO for BigID.

Could you provide us a background into the history and heritage of the CSA?  

The idea for Cloud Security Alliance was born in 2008 at the ISSA CISO Forum, and by the 2009 RSA Conference, the group counted dozens of volunteers ready to research, author, edit and review CSA’s first whitepaper. The following year, CSA released the Cloud Controls Matrix (CCM), the industry’s de facto cybersecurity control framework for cloud computing, along with the first and only user credential for cloud security, the Certificate of Cloud Security Knowledge (CCSK). In 2013, CSA launched the CSA Security, Trust, Assurance and Risk (STAR) program, a powerful program for security assurance in the cloud. In the years that have followed, CSA has opened offices in the UK, APAC, and Europe, and remains an organisation dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment. 

The CSA recently released, in coordination with BigID, the results of a survey on cloud data security. Why was this survey conducted initially? 

Security strategies focusing on data security have been gaining attention over the past year. CSA and BigID decided we needed to dig into the topic further to understand what organisations are currently doing for cloud data security, what aspect they are prioritising, and the concerns and challenges these organisations are facing with cloud data security.  

What were some of the key findings of the survey? 

One of the biggest takeaways from this survey shows organisations consider cloud data security a top 3 priority when protecting data, and that cloud data security posture management (DSPM) is critical to addressing gaps.  

  • Only 4% believe all of their cloud data is sufficiently secured and over a quarter of organisations aren’t tracking regulated data. 
  • Organisations are struggling with securing and tracking sensitive data in the cloud, especially in SaaS platforms. 

Another key takeaway is that most security professionals believe their enterprise will experience a data breach in the next year. Only 17% say that a breach is very unlikely. 

  • Third-party vendors have too much access to sensitive data. They’re being granted almost the same level of access as employees are, which can result in breaches. 
  • It’s all going to boil down to the notion that data breaches aren’t an if, but a when—whether it’s malicious or accidental, whether the entry point is a phishing attempt, a back door, or a misconfiguration. Data is the new perimeter these days, so cybersecurity across all of these organisations needs to take a data-up approach. 

The pandemic forced digitalisation on many businesses; however, it also forced innovation and subsequent popularity of emerging technologies. Do you think IoT, AI, Blockchain, etc. will play a bigger role in the security industry?

Short answer, yes, especially with the skills gap and the recent pandemic in the security industry, organisations are having to rely on and be more innovative with how they’re using technology. These types of technologies are also being integrated into products that we already use in technology, which means there will be a direct impact on security. To use IoT as an example, almost anything can be an IoT device including the breakroom coffee maker and even lightbulbs, which means the security of that device has a direct impact on your enterprise’s overall security. 

Attackers are leveraging AI in terms of identifying targets and changing their TTPs—this is nearly impossible for a human to keep up with, and thus we will be forced to leverage machine learning and AI for combating threats. 

What is a zero trust strategy, and what training do you provide in this area?  

A Zero Trust strategy follows the model of least privilege, which says that no part of a computer and networking system—including the people operating it—can be implicitly trusted. This means access is withheld until the user, device, or individual packet has been inspected and authenticated. When access is granted, the least amount of necessary access is provided and there is continuous monitoring for suspicious user activity. Because it incorporates several: including identity, devices, networks, applications, and a Zero-Trust strategy isn’t achieved through a single product. 

In 2022, CSA, with CrowdStrike, Okta, and Zscaler, established the Zero Trust Advancement Center (ZTAC) to create Zero Trust research, training, professional credentialing, and an online center for curated resources. The ZTAC includes the Zero Trust Resource Hub showcasing the most important, curated Zero Trust publications in the industry and the online Zero Trust Training program, which gives users the knowledge and skills they need to understand and implement a Zero Trust strategy. Eight areas of Zero Trust knowledge will be covered and are being rolled out, beginning with Introduction to Zero Trust Architecture, which covers such foundational topics as Zero Trust’s relevance, definitions, components, requirements, tenets, pillars, goals, objectives, and benefits. Introduction to Software Defined Perimeter and SDP Key Features and Technologies and SDP Architectures and Components will follow later this year.

What is your STAR Program? 

CSA’s STAR Registry is a publicly accessible registry of more than 1,800 providers that documents the security and privacy controls provided by popular cloud computing offerings. STAR encompasses the key principles of transparency, rigorous auditing, and harmonisation of standards outlined in the CCM. Publishing to the registry allows organisations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires.  

To read the full exclusive see our latest issue here.
