Transforming IT

Cloud usage 4 to 10 times higher than reported, according to CSA CEO Jim Reavis


Kelly: Jim, thanks for taking some time to speak with me today. I’m fascinated to learn more about the Cloud Security Alliance and its founding. When did you officially form, and what were the problems that CSA was intended to address?

Jim: We incorporated in 2009, to form the Cloud Security Alliance, or CSA. In 2008, I and a few other people had observed that computer virtualization and cloud computing were in the early adopter stage. It was just emerging. There was enough there, though, that I and others could see it was compelling and that it had the possibility to be big.

I’d been in information security for a long time. I had noticed a pattern that when new technologies and models are introduced to the market, the information security function is the part that tends to slow down the enterprise.

There are good reasons for enterprise teams to be cautious, and especially enterprise IT. However, what tends to happen, and what I had seen before, is that the business goes and adopts the model anyway – and then the IT teams are scrambling to try to keep up with the business.

So, my thought was, let’s organize to try to help IT teams solve tomorrow’s problems today. And, in the case of cloud security, CSA was formed in order to try to make that happen.

Kelly: So, in 2008, what were tomorrow’s cloud security problems to solve?

Jim: Right, so in 2008 tomorrow’s problem was to look at the 2012 and 2013 timeframe. We asked ourselves, you know, how can we manage the security for this cloud computing that we’re using quite a bit if we don’t have a good set of best practices defined?

To get best practices defined, we decided to base it on our own original research. And, in April 2009, we launched CSA at the RSA event and introduced our first set of best practices for cloud security management.

Kelly: That’s excellent – and I imagine the crowd at RSA was receptive to the introduction?

Jim: Yes, it was one of those viral success stories. A lot of people told us that this was exactly what they had been looking for at that time. I think we tapped into the big emerging problem, with cloud. And it’s just sort of grown from there.

Kelly: Tell me more about CSA’s operating model. Are you a standards body? A research firm?

Jim: We are a global non-profit. We defy simple categorization, because we combine a few different approaches in our mission. First, we try to help organizations to improve overall skill sets in cloud security for the organization by publishing open standards and training. Second, we conduct original research on which to base the standard.

I like to describe us as being a standards incubator rather than an open standards body, strictly speaking, though. We will go do quick research, and provide that to other teams – like an ISO – and they will then put it into their formal taxonomy.

Maybe we’re also some form of a trade association. We try to represent the interest of cloud providers and cloud users.

Kelly: Do people join CSA? Do you offer membership?

Jim: Yes, individual people do join CSA. We also have corporate members, like Hewlett Packard Enterprise, which then helps to fund the research that we do in cloud security. HPE was one of our original first-year members, from the beginning of CSA.

HPE actually sponsored the very first research that we did, on the top threats in cloud. We first published that in 2010, and we’ve had a few versions over the years – the “Notorious 9” threats in 2014, and just recently we updated it to the “Treacherous 12” threats for 2016.

Kelly: How have your membership numbers grown over the years, and what do the trends in terms of growth in your membership tell you about how cloud security threats are perceived by organizations?

Jim: Yes, so our current global membership for individuals stands at around 76K and it’s still growing, and increasing its rate of growth every year.

In terms of corporate memberships, the really interesting thing is that in the previous year for the first time in our history, the fastest growth is not from cloud solution providers – technology companies – but rather now it’s coming from traditional enterprises. That ranges from financial institutions, retail, insurance, manufacturing, and transportation companies. The reason that we are seeing this, I think, is that cloud adoption is now among the top priorities for these types of organizations. We see that they are now actively in the process of working with cloud – and getting up to speed on the best practices on cloud security is a key part of that effort.

What we see and predict is that within a very short period of time now, cloud is going to be the default primary platform for new applications.

Kelly: Going back about four years ago now, we heard consistently from analysts that cloud was in the early adopter stage of being at about 13% of the market. Then, about two years ago we seemed to reach a tipping point at which the early majority market arrived – and virtually every organization had a cloud project of some type actively going on. Is that consistent with what you’ve seen?

Jim: Yes, you know, I think that there is actually a fair amount of under-reporting on cloud adoption. The reason for this is the ease of use of the procurement – the so-called shadow IT. And it threatens traditional IT. So, it’s not really reported accurately. In fact, for large companies, teams are trying to figure out how much cloud is actually already in use within their own organizations.

A few years ago, one very large energy company characterized this to us as an investigation – and they were surprised how much cloud was already in use for them. Second, they were trying to then get some policies in place to accelerate their use within IT. Now, most teams are trying to get to a cloud-first policy. These organizations are trying to be opportunistic and accelerate their use of cloud, with a directed top-down policy to encourage IT to consider cloud first.

This is a little bit of an uncomfortable situation for these teams. I liken it to trying to build the runway while the planes are already taking off because cloud is already there. But, that’s what we’re finding. There can be a factor of 4 to 10 times as much cloud already in use as compared to what is known or being reported by an IT department.

Kelly: I see. And, with the top-down, directed cloud-first policy, is this type of policy typical with most of the organizations with which you work?

Jim: I’d say it’s becoming mainstream. It’s on the verge. The leaders in IT are directing this now, and every year that goes by the IT teams are becoming more prepared for this. This is the common majority policy.

We see a little push-back. Usually, highly regulated industries will have some training and compliance issues. But, that’s changing as teams get better prepared and embrace the best practices.

Kelly: In terms of that, what is the role that your CSA Congress events play in helping IT people to get prepared for cloud security?

Jim: Yes, we do three of these large CSA Congress events every year in addition to our more frequent local CSA chapter meetings. And, yes, we try to encourage people to use those events to do deep dives on cloud security and to learn from each other with real case studies. We also put on technology-led discussions at the event for leading-edge topics. This year, for example, we have sessions on emerging technology like containerization and DevOps. We also have compliance and audit topics, so governance is covered, as well.

Kelly: Oh interesting. Do you cover general cloud technology topics then?

Jim: Always with the security angle. Containerization, for example – how does this new way of building applications for cloud need to be considered for security? How do we build security in at the container level? So, it’s always about how we leverage new cloud models for security.

Kelly: Do you present research at these events? Where does the event content come from?

Jim: It’s always a combination of places. We do present new research, and get industry feedback at the CSA Congress event. We also try to combine that with new best practice approaches and ways of doing security that have emerged from our membership.

Kelly: How many people do you expect at this year’s events?

Jim: I think that this year in the US, we will get 1200 people at this event. The US event is in September, in San Jose. The EMEA and APJ events are a bit smaller – a few hundred. Those both happen in November, in Madrid and Bengaluru.

Kelly: Who are the types of people who would typically come to the event, and find value in the event?

Jim: Mainstream information security administrators are our primary people who attend. Security architects also attend; security architecture is a lot of the focus because this is where the changes need to be made. The titles of people attending run the gamut for information security, all the way up to the chief security officers. So, primarily, people who have security as part of their job responsibility. We also get risk managers, audit and compliance people, privacy people as well who have interest in this conference.

Kelly: What are you excited about, at this year’s events?

Jim: I get excited about the new topics. This year, we have IoT and experiences that people have had with security in those environments. I’m excited about the software defined perimeter that we are introducing. We’re taking a high-side classified model, taking it out of the military, and bringing it to cloud for IoT. Containerization is another new topic which is interesting. Also, for this year, we have the head of security for Google explaining how they do things.

Kelly: Any new training opportunities at this year’s CSA Congress US (San Jose) event?

Jim: Oh, yes, we’re rolling out our Cloud Controls Matrix training at the event. We’ve had a lot of demand on this, and I’m excited to see how the community responds.

Also, of course, our CCSK training from HPE is available at the event, as you know. CCSK goes back to 2010 and provides a standard that is critical. It’s the first cloud security program introduced to the market, and it’s grown over time. HPE is a great partner on this, and we have been happy to see the continuous strong interest to take the CCSK training at the event.

Note to our readers: HPE is the Master Training Partner for CSA. For information on industry security training including CCSK, please visit

About the Author


25+ years in high tech in various roles that include Consulting, Channel Mgmt, Product Mgmt and Marketing. Technology areas include storage and data management, high availability, cloud and hosting, networking, and mobility/wearable technology for enterprise, SMB, and channel business. Industries include healthcare, financial services, ISVs, Service Providers and telcos.
