CSA Community Spotlight: Filling the Training Gap with Dr. Lyron H. Andrews


Written by Megan Theimer, Content Program Specialist, CSA.

Now celebrating 15 years of advancing cloud security, the Cloud Security Alliance (CSA) is proud to be the world’s leading organization dedicated to defining best practices for a secure cloud computing environment. Since our incorporation in 2009 and the release of our inaugural Security Guidance, CSA has expanded our impact through a broad portfolio of initiatives, including industry-leading training programs and certificate offerings.

These programs, including the foundational Certificate of Cloud Security Knowledge (CCSK) and the award-winning Certificate of Competence in Zero Trust (CCZT), have set global benchmarks for cloud security expertise. These efforts are complemented by hands-on training courses, webinars, and educational resources designed to equip professionals with the knowledge and skills needed to address evolving cloud security challenges.

None of this would be possible without our vibrant network of trainers, subject matter experts, volunteers, and advocates. To mark CSA’s 15th anniversary, we’re celebrating throughout 2024 by spotlighting 15 longtime partners whose collaboration has been pivotal to the success and growth of our various initiatives.


Today we’re speaking with Dr. Lyron H. Andrews. His technology career spans three decades as an engineer, cybersecurity adviser, executive, author, researcher, and social justice entrepreneur. He teaches several cybersecurity certifications, including CCSP, CISSP, CISM, SSCP, CRISC, CCSK, and CCZT. His roles have included Network Manager for the New York City Department of Education, Senior IT Director for BMG Direct, and Dean of Technology at BNY Mellon. Below, learn about Dr. Andrews’ experiences as a CCSK and CCZT trainer, and why he continues to support the CSA community.


What are the various ways you’ve been involved with CSA over the years?

My original way of being involved was as a trainer. My training capacity started off with CCSK, which has just been updated to version five. I also recently started doing training for the CCZT.

A couple of years back, my organization Profabula became a partner with the Cloud Security Alliance, so I've been working as a sub facilitator for Cloud Security Alliance training as well.

I've also done some work with them related to editorial activities, such as version five of the CCSK, and a lot of feedback work with the Zero Trust program. I believe I also wrote a couple of courses for their Train the Trainer capabilities.

What’s your favorite memory of the CSA community?

I think my favorite interactions would be during conferences. CSA has always been part of the RSA Conference. The seminars that they put on for the full CCSK training with labs, done in two days, may have been my largest classes ever. I believe one time it was about 85 people. That was pretty amazing. It was also the last time for over a year that anyone would see anybody in person again. It was right before things shut down for COVID.

Getting together with the inside folks who help develop and manage the materials, having dinners with them, lunch breaks, catching up, seeing what's going on - I think that is always the most rewarding.

Why do you continue to be a part of the CSA ecosystem?

The Cloud Security Alliance definitely brings value to the cybersecurity world. Believing in the way in which they approach security and manifest security has been the thing that keeps me coming back.

I think they've really done a great job of reinvigorating this new version of the CCSK, making it so that it is caught up to where we are in the cloud. I believe in the Cloud Security Alliance to stay relevant. And then with Zero Trust, no other organization is doing as comprehensive a job at making that a part of learning.

What do you see as one of CSA’s most significant contributions to the cybersecurity industry?

What they did with the Cloud Controls Matrix and CSA STAR is groundbreaking. Still to this day, I can mention CSA STAR or bring up version three of the Cloud Controls Matrix and amaze a few people with the best use of an Excel spreadsheet in history!

It’s cool to be able to be a part of this certain energy that CSA has. The energy of people that are looking for answers to what is still not really a largely adopted path - manifesting a set of controls in your cloud environment as easily as you manifest them in your data center.

People are still resistant to transitioning security controls to the cloud. I think it's honestly a lack of curiosity in a lot of cases. The other case is a lack of realization that organizations need to make an investment in training and give people time to imagine things differently and to learn things differently.

What are your predictions for CSA in the next 15 years?

This is not really a fair prediction because of conversations I’ve been a part of, but the Cloud Security Alliance will do the same thing for AI that they’ve done with STAR.

I also think they'll replicate that same alliteration with the Top Threats to Cloud Computing. Doing it with AI has been extremely helpful in classrooms, to dig down into the failures that happen, not so much from the cloud service providers, but from the cloud service consumers.

Question from interviewee Avani Desai: What’s one lesson you’ve learned from the CSA community that has had a lasting impact on your approach to cybersecurity?

This might be a little weird, but to think about where the gaps are and then how to fill them. I believe the Cloud Security Alliance did that with the STAR Audit and the STAR Registry. I try to figure out how that lesson may manifest with other opportunities for myself.

I am currently pursuing a couple of clients with a new certification that I have for Artificial Intelligence Management System Implementer. I was in conversation with a representative from a Fortune 100 company a couple of days ago, and she was saying that they had an assessment done by one of the big four auditing firms that was not even a true assessment of their artificial intelligence management system.

People haven't really built the infrastructure for operationalizing artificial intelligence. When I say infrastructure, I mean not the hardware and software components, but the administrative and the operational capabilities and components. To me, that represents a huge opportunity to get in on, to be an advisor for. The analogy of the Cloud Security Alliance being first in when it comes to cloud controls is very useful. It's a behavior that I admire.

Do you have a question for the next interviewee to answer?

What form of training do you or your clients find to be most effective? Is it online or in the classroom? What goes on that makes it a successful facilitation?


Make sure to check out more insights from the CSA community here.
