The Cloud Security Alliance (CSA) raised the curtain Wednesday on a new credential and training materials to enable security professionals to build the knowledge they will need to implement and manage a zero-trust strategy in their organizations. “From industrial control systems to cloud computing to generative AI, the world of pervasive technology has outraced legacy security models,” CSA co-founder and CEO Jim Reavis said in a statement. “Zero-trust ‘never trust, always verify’ principles are clearly the path forward,” he continued, “and we anticipate virtually all organizations to apply this strategy to diverse technological environments in order to protect strategic assets and prevent breaches.”
According to the CSA, the new Certificate of Competence in Zero Trust (CCZT) will provide its holder with an in-depth understanding of zero trust architecture, its components, and its functioning. It also includes foundational zero-trust best practices released by leading authoritative sources such as CISA and NIST, innovative work around the software-defined perimeter (SDP) by CSA Research, and guidance from zero-trust experts such as John Kindervag, founder of the zero-trust philosophy.
Certificates create a baseline of knowledge and competency
In launching its certificate program, the CSA is stepping into an area that’s become muddy over time. “Zero trust is a compelling construct that if done properly delivers great security value to organizations who embrace it,” says Nick Edwards, vice president of Menlo Security, a zero-trust web security company. “Unfortunately, like many things in the technology industry, industry frameworks get over-hyped and abused by the vendor community, resulting in a dilution of value and overall skepticism toward the original idea.”
“Certificates can be a good way to create a baseline of knowledge and competency that help organizations execute zero-trust properly and focus on the ‘signal’ from the ‘noise’,” Edwards adds.
Gartner Senior Director for Security and Risk Management Wayne Hankins agrees. “The cybersecurity paradigm is often obscured by vendors who present their products as single [zero-trust] solutions,” he says. “To execute their corporate zero-trust strategy without getting caught up in vendor noise, organizations will require the guidance of experienced thought leaders.”
More zero-trust certificates needed
It may take some time, but certificate programs will have an impact on the spread of zero-trust strategies. “This certificate program won’t have an immediate impact on the adoption of zero-trust architectures because cybersecurity investments are not aligned with current corporate incentives,” says Shane Miller, a senior fellow at the Atlantic Council’s Cyber Statecraft Initiative. “There is a dramatic, global change on the horizon, led by organizations like CISA in the United States, that will begin to address this misalignment.”
“Zero trust is a corporate culture change, and like any culture change, it can only succeed if the outcomes are understood and valued,” Miller adds. “We still have a lot of education and advocacy to do for zero-trust principles and architecture, and initiatives like this certificate program incrementally move stakeholders forward. We need more programs like the Certificate of Competence in Zero Trust.”
Low cost of certification makes it ideal for self-starters
The key to industry-wide recognition and acceptance of this credential will be in corporate adoption, says Dean Webb, a solutions engineer with Merlin Cyber, a provider of cybersecurity, identity, and access management solutions. “As firms add CCZT to their list of desired and required certifications, it will drive IT professionals in general to seek the certification as a gateway to future opportunities. As that happens, firms will adopt more zero-trust practices simply because they have the staff on hand that understand them and want to see them in place.”
Webb praised the CSA’s decision to offer all the training materials for the CCZT for free online. “The low total cost of certification makes it ideal for self-starters who have their own personal goals,” he says. “People in other areas of IT that are looking to get into security would do well to snap it up.”