The Certified Cloud Security Professional (CCSP) is a global credential that was co-created by nonprofit associations (ISC)² and Cloud Security Alliance, leading stewards for information security and cloud computing security respectively. Intelligent CIO spoke to Faisal Malik of (ISC)² about the role of the Certified Cloud Security Professional and the growing challenges of cloud security.
What are the key attributes required for an effective Certified Cloud Security Professional (CCSP)?
It’s awarded to people who demonstrate practical knowledge and experience reflecting the most current best practices for securing cloud computing environments from design to architecture, operation and service orchestration. Cloud computing is not just changing IT systems, but also the opportunities companies pursue. CCSPs are therefore supporting a phenomenal and fast-paced shift in how business is done, creating demand for people who are technically competent, eternally curious, ruthlessly organised, and sometimes even politically astute.
Are CCSPs increasingly required in the boardroom?
Cloud is now a discussion among C-suite executives and the board of directors, who are coming to understand that without cloud, an organisation cannot fully deliver on a digital transformation strategy. Findings from our Cloud Security Spotlight Report 2017 show that 76% of organisations are currently implementing or in active production of new cloud environments (either in planning or trial stages) and that 100% of organisations are using cloud in some way as part of a strategic endeavor to deliver growth, business agility and/or reduce cost.
The recent announcement from Amazon Web Services (AWS) of its intention to launch a hub in the Kingdom of Bahrain in 2019 demonstrates the strength of interest in the Middle East region. “We see the region as ripe for digital transformation,” said Khalid Al Rumaihi, chief executive of the Bahrain Economic Development Board. “We wanted [AWS] to look at the Middle East now, not in three to four years.” News reports of the launch cite research firm Gartner’s forecasts for public cloud services in the Middle East and North Africa to reach $1.2bn this year, up by more than 22% from 2016, and for $2bn by 2020.
Properly qualified professionals will be paramount to sustain such ambition. CCSPs are becoming an emerging voice within IT and the business. They increasingly find themselves responsible for significant projects, migrating to or advising on the integrity of major implementations to support core operations, including sales, office systems, and the like. They must be able to communicate effectively with all stakeholders, and be able to articulate the relevant concepts to non-technical teams and executives.
Why is cloud security an ever-growing challenge?
An organisation’s reliance on cloud computing can often be the outcome of varied initiatives that haven’t always benefited from the oversight of people with knowledge and skills in security. As more workloads move to the cloud, it is increasingly recognised that current security tools and controls are not designed for the unique challenges cloud adoption presents – the varied architectures and levels of access, for instance – and that security management and solutions must be designed specifically for a new agile working environment.
Pressure is also coming from governments and regulators concerned about security and particularly data breaches, whether they are related to a cloud environment or not. As a result, concerns about cloud security remain high, particularly when it comes to data security: the top three concerns reported in our Spotlight Report included protecting against data loss (57%), threats to data privacy (49%), and breaches of confidentiality (47%).
What are the main functions of a CCSP?
CCSPs can find themselves covering a wide range of duties that include working closely with product and platform teams to assess their organisation’s current cloud security posture, engineer security controls, advise on future architecture and service provision, provide recommendations for vulnerability remediation and risk reduction, and/or develop secure cloud-based applications and platforms. Given that cloud technologies are still relatively new, CCSPs can spend considerable time on the assessment of new security technologies, automated solutions for cloud delivery, container, and microservice technologies for large-scale cloud environments, and the like.
What are the biggest issues facing CCSPs?
According to the Spotlight Report, unauthorised access through misuse of employee credentials and improper access controls continue to be the single biggest threat to cloud security (61%). This is followed by the hijacking of accounts (52%) and insecure interfaces/APIs (43%). The latter underlines that organisations are grappling with a need to become fully aware of the extent to which cloud applications reach into their organisations. A smartphone’s location app, cloud-based file storage or file transfer services can create vulnerabilities, while the explosion of connection points from coffee pots, trucks, and even herds of livestock coming with the internet of things (IoT) opens new channels to companies’ systems and data, ostensibly in the name of improved service or efficiency.
What are the consequences of getting cloud security wrong?
The baddies are very good at pushing the button. Getting it wrong can result in a loss of governance, huge fines linked to data breaches, loss of customer trust, reputation damage and more. Our reliance on cloud computing continues to grow in volume, variety, and strategic importance, while expectation for getting it right from customers and legislators is developing rapidly. Companies can embrace recommended best practices, security standards and the common lexicon maintained by the practicing community by working with credentialed cloud security professionals.
About Faisal Malik
With over 13 years’ experience with the (ISC)² regional office, Faisal Malik has been a pivotal figure in the strategic direction and successful development of the EMEA Team. Responsible for overall business and market development in the EMEA region, he has played an integral role in the growth of membership, where numbers have swelled to over 22,000 certified professionals across Europe, Middle East and Africa.
With a clear focus on identifying, creating and managing partnerships across a multi-layered region, he has in addition successfully forged lasting relationships with key industry profiles to support and deliver solutions for global clients and government entities, enabling cyber security frameworks from academia through to industry.
As part of the EMEA Senior Management Team, he also contributes to setting regional strategy, aligning team KPIs and devising strategic partner objectives to achieve increasingly evolving goals. Faisal works closely with education, marketing, communications, events and membership services, resulting in significant growth across all areas and elevating their position as a market leader.