By the CSA Education Team
This is the third part in a blog series on Cloud Security Training. Today, we will be interviewing Paul McAleer. Paul is a Marine Corps veteran and currently works as an Information Systems Security Manager (ISSM) at Novetta Solutions, an advanced data analytics company headquartered in McLean, VA. He holds the CCSK, CISSP, CISM, and CAP certifications among others and lives in the Washington, D.C. area.
Can you describe your role?
I am an ISSM at Novetta Solutions and am primarily responsible for certification and accreditation, continuous monitoring, and the overall security posture of the information systems under my purview. Novetta is also partnered with AWS and that partnership continues to grow so it is a very exciting company to work for.
What got you into cloud security in the first place? What made you decide to earn your Certificate of Cloud Security Knowledge (CCSK)?
My first InfoSec position was with First Information Technology Services, a Third Party Assessment Organization (3PAO) supporting Microsoft. I was part of the Continuous Monitoring Team, and part of my job was providing adequate justification of open vulnerabilities and depicting mitigation for cloud environments. Understanding cloud security was imperative in performing my job. I was seeking more of a foundational understanding focused primarily on cloud security. I heard about CCSK through CSA and (ISC)² after doing some research on the best and most valuable Cloud certifications. After reviewing the certification outline and expectations, I decided to review the material and prep for the exam.
“Open book means nothing when it comes to this exam. There are too many questions that require a deep understanding of the material…”
Can you elaborate on what the exam experience was like? How did you prepare for the CCSK exam?
The CCSK was not an easy exam by any means. Not only was it a requirement to get 80 percent to pass, but there were only 90 minutes to answer 60 questions. The exam required a deep understanding of the CSA Cloud Security Guidance, as well as the ENISA Cloud Computing Risk Assessment Report. At least for me, it was imperative to read through all of the course material and ensure I understood everything listed in the exam objectives to pass the exam.
If you could go back and take it again, how would you prepare differently?
If I could prepare differently, I would have devoted more time to studying and reading the CSA Guidance and ENISA Report a second time through. To me, one read-through isn’t enough for the depth of this exam and the style of questions the exam presents. It is a hard exam to prepare for. To gain a full understanding of what is expected, it’s important to go through the material more than once and to take notes on your weak areas and subsequently come back to the sections that you feel weakest on and focus on those areas.
Were there any specific topics on the exam that you found trickier than others?
Topics on the exam that I found trickier than others included questions that pertained to governance within the cloud and understanding the various security as a service (SecaaS) requirements and the different services regarding SecaaS implementation.
What is your advice to people considering earning their CCSK?
I highly recommend the CCSK for anyone seeking a deeper understanding of cloud security. My advice to people considering the CCSK is to study for the exam like you would any other certification that wasn’t open book. In other words, don’t rely on the fact that it is open book.
Lastly, what part of the material from the CCSK has been the most relevant in your work and why?
The most relevant material from the CCSK for my career has been Compliance and Audit Management, which was Domain 4 of the CSA Guide v3 when I took the exam. I believe that domain related more to my work experience than any other domain due to my cloud compliance role at the time of my certification. I definitely took the most away from the topics discussed in that domain, such as issues pertaining to Enterprise Risk Management, Compliance and Audit Assurance, and Corporate Governance. The Information Management and Data Security domain was also a very relevant domain for my work.