By the CSA Education Team
This is the second part in a blog series on Cloud Security Training. Today we will be interviewing an infosecurity professional working in the financial sector. John C Checco is President Emeritus for the New York Metro InfraGard Members Alliance, as well as an Information Security professional providing subject matter expertise across various industries. John is also a part-time NYS Fire Instructor, a volunteer firefighter with special teams training in vehicular extrication and dive/ice rescue, an amateur novelist, and routinely donates blood in several adult hockey leagues.
Can you describe your role?
Currently I lead the “Security Innovation Evaluation Team” at a large financial firm where we forage and test emerging technology solutions that will build upon our security posture and fortify our resilience far into the future.
What got you into cloud security in the first place? What made you decide to earn your CCSK?
Whether you are in the automotive, engineering, medical, retail or the information security field, one needs to constantly stay abreast of emerging trends and hype – indeed, “cloud” was one of those emerging trends and hype combined which represented a logical transition from existing legacy infrastructures.
I am a lifelong learner; seeing the early explosion of “cloud providers” who really just wrapped an orchestration layer around virtualization rather than true holistic solutions, was the jumpstart I needed to understand how important the CCM (and CCSK) was.
The CCSK reflects both the operational knowledge of the CCM, as well as the strategic goals for the CSA. The CCM itself is a superset of many existing security control standards, which makes the CCSK all the more relevant to today’s security environment.
Can you elaborate on how the CCSK reflects the operational knowledge of the CCM? Why do you think this is important knowledge for infosec professionals to know?
The CCM builds upon existing NIST/ISO standards and produces new controls where existing controls cannot adequately cover the cloud paradigm. If one knows how to properly interpret and use the CCM standard, they most likely understand the non-cloud security standards as well. The CCSK represents knowledge assurance of the CCM at an operational level; and having a shared origin with the CCM, the CCSK can truly test proficiency in the spirit of the CCM as it was designed, not just its definitions.
How did you prepare for the CCSK exam?
I was an initial member of the NY Metro Chapter of the CSA and aware of the Cloud Controls Matrix. Although my employer was not explicitly referencing the CCM as a security standard, I was pulling from it as a security controls guidance for my employer’s projects.
If you could go back and take it again, how would you prepare differently?
As information security has become more complex and more splintered, simply studying definitions is no longer an effective method to have lasting knowledge. I would suggest two additional study techniques:
- Understand the “WHY” of each control in the CCM: what was the originating problem statement, what is the scope of that problem statement, and was the control defined to resolve the problem or simply reduce the problem’s impact to a tolerable level? Once you have a good comprehension of the background, then there is no memorization needed … it becomes common sense to the learner.
- Get DIRTY with some hands-on experience – whether it be an existing work project or reworking an old personal project. Taking an old project and redeploying it using newer technologies and security controls gives the learner unimaginable insight into why a control is written in a certain way. The advantage of using an existing project is that you can focus on the coding, deployment and security control aspects rather than features and requirements. I have revamped my personal “Resume Histogram” project originally written in 1990 as a dial-up BBS site → to a CGI website → to a RoR web application (hey, not every decision was a good one) → to a social media plugin → to a containerized web API.
Were there any specific topics on the exam that you found trickier than others?
I suspect that everyone will have a different topic of weakness. Legal aspects were my weakness, and from the plethora of recent changes in standards and regulations – PCI DSS3, NIST revisions, NYS DFS 500, GDPR and the myriad of local regulations – I suspect it is not going to get any easier.
What is your advice to people considering earning their CCSK?
I have four points of advice:
- Get real-life quality experience before you attempt a certification … doctors, nurses, architects and engineers are required to, so why not InfoSec professionals?
- Make a habit of learning something every day … knowledge gets stale, intelligence doesn’t.
- Avoid the shortcuts, like boot camps … they’re a crash diet of ignorance.
- Be humble, keep an open mind, and listen before you speak … things change, so what you knew was right today may be turned on its head tomorrow. Nobody should want to gain a reputation of being “CIA” (certified, ignorant and arrogant).
Lastly, what part of the material from the CCSK has been the most relevant in your work, and why?
Ironically, my work over the years has made my weakest area – legal – also the most important and relevant one; especially when it comes to contracts with cloud providers for enterprise projects as well as vendors and managed service providers who run in the cloud.
Interested in completing cloud security training at RSA? CSA is offering a CCSK Plus Course at the RSA Conference 2019 that offers students an extra day of hands-on labs to practice applying what they learn. Learn more or register here.