The Cloud Security Alliance (CSA) raised the curtain Wednesday on a new credential and training materials to enable security professionals to build the knowledge they will need to implement and manage a zero-trust strategy in their organizations. “From industrial control systems to cloud computing to generative AI, the world of pervasive technology has outraced legacy security models,” CSA co-founder and CEO Jim Reavis said in a statement. “Zero-trust ‘never trust, always verify’ principles are clearly the path forward,” he continued, “and we anticipate virtually all organizations to apply this strategy to diverse technological environments in order to protect strategic assets and prevent breaches.”
According to the CSA, the new Certificate of Competence in Zero Trust (CCZT) will provide its holder with an in-depth understanding of zero trust architecture, its components, and its functioning. It also includes foundational zero-trust best practices released by leading authoritative sources such as CISA and NIST, innovative work around the software-defined perimeter (SDP) by CSA Research, and guidance from zero-trust experts such as John Kindervag, founder of the zero-trust philosophy.
Certificates create a baseline of knowledge and competency
In launching its certificate program, the CSA is stepping into an area that’s become muddy over time. “Zero trust is a compelling construct that if done properly delivers great security value to organizations who embrace it,” says Nick Edwards, vice president of Menlo Security, a zero-trust web security company. “Unfortunately, like many things in the technology industry, industry frameworks get over-hyped and abused by the vendor community, resulting in a dilution of value and overall skepticism toward the original idea.”
“Certificates can be a good way to create a baseline of knowledge and competency that help organizations execute zero-trust properly and focus on the ‘signal’ from the ‘noise’,” Edwards adds.
Gartner Senior Director for Security and Risk Management Wayne Hankins agrees. “The cybersecurity paradigm is often obscured by vendors who present their products as single [zero-trust] solutions,” he says. “To execute their corporate zero-trust strategy without getting caught up in vendor noise, organizations will require the guidance of experienced thought leaders.”
More zero-trust certificates needed
It may take some time, but certificate programs will have an impact on the spread of zero-trust strategies. “This certificate program won’t have an immediate impact on the adoption of zero-trust architectures because cybersecurity investments are not aligned with current corporate incentives,” says Shane Miller, a senior fellow at the Atlantic Council’s Cyber Statecraft Initiative. “There is a dramatic, global change on the horizon, led by organizations like CISA in the United States, that will begin to address this misalignment.”