CCSK Success Stories: From the Financial Sector

By the CSA Education Team

This is the second part in a blog series on Cloud Security Training. Today we will be interviewing an infosecurity professional working in the financial sector. John C Checco is President Emeritus for the New York Metro InfraGard Members Alliance, as well as an Information Security professional providing subject matter expertise across various industries. John is also a part-time NYS Fire Instructor, a volunteer firefighter with special teams training in vehicular extrication and dive/ice rescue, an amateur novelist, and routinely donates blood in several adult hockey leagues.

Can you describe your role?

Currently I lead the “Security Innovation Evaluation Team” at a large financial firm where we forage and test emerging technology solutions that will build upon our security posture and fortify our resilience far into the future.

What got you into cloud security in the first place? What made you decide to earn your CCSK?

Whether you are in the automotive, engineering, medical, retail or the information security field, one needs to constantly stay abreast of emerging trends and hype – indeed, “cloud” was one of those emerging trends and hype combined which represented a logical transition from existing legacy infrastructures.

I am a lifelong learner; seeing the early explosion of “cloud providers” who really just wrapped an orchestration layer around virtualization rather than true holistic solutions, was the jumpstart I needed to understand how important the CCM (and CCSK) was.

The CCSK reflects both the operational knowledge of the CCM, as well as the strategic goals for the CSA. The CCM itself is a superset of many existing security control standards, which makes the CCSK all the more relevant to today’s security environment.

Can you elaborate on how the CCSK reflects the operational knowledge of the CCM? Why do you think this is important knowledge for infosec professionals to know?

The CCM builds upon existing NIST/ISO standards and produces new controls where existing controls cannot adequately cover the cloud paradigm. If one knows how to properly interpret and use the CCM standard, they most likely understand the non-cloud security standards as well. The CCSK is represents knowledge assurance of the CCM at an operational level; and having a shared origin to the CCM, the CCSK can truly test proficiency of the spirit of the CCM as it was designed, not just its definitions.

How did you prepare for the CCSK exam?

I was an initial member of the NY Metro Chapter of the CSA and aware of the Cloud Controls Matrix. Although my employer was not explicitly referencing the CCM as a security standard, I was pulling from it as a security controls guidance for my employer’s projects.

If you could go back and take it again, how would you prepare differently?

As information security has become more complex and more splintered, simply studying definitions is no longer an effective method to have lasting knowledge. I would suggest two additional study techniques:

  • Understand the “WHY” of each control in the CCM: what was the originating problem statement, what is the scope of that problem statement, and was the control defined to resolve the problem or simply reduce the problem’s impact to a tolerable level? Once you have a good comprehension of the background, then there is no memorization needed … it becomes common sense to the learner.
  • Get DIRTY with some hands-on experience – whether it be an existing work project or reworking an old personal project. Taking an old project and redeploying it using newer technologies and security controls gives the learner unimaginable insight into why a control is written in a certain way. The advantage of using an existing project is that you can focus on the coding, deployment and security control aspects rather than features and requirements. I have revamped my personal “Resume Histogram” project originally written in 1990 as a dial-up BBS site → to a CGI website → to a RoR web application (hey, not every decision was a good one) → to a social media plugin → to a containerized web API.

Were there any specific topics on the exam that you found trickier than others?

I suspect that everyone will have a different topic of weakness. Legal aspects were my weakness, and from the plethora of recent changes in standards and regulations – PCI DSS3, NIST revisions, NYS DFS 500, GDPR and the myriad of local regulations – I suspect it is not going to get any easier.

What is your advice to people considering earning their CCSK?

I have four points of advice:

  1. Get real-life quality experience before you attempt a certification … doctors, nurses, architects and engineers are required to, so why not InfoSec professionals?
  2. Make a habit of learning something every day …  knowledge gets stale, intelligence doesn’t.
  3. Avoid the shortcuts, like boot camps, it’s a crash diet of ignorance;
  4. Be humble, keep an open mind, and listen before you speak … things change, so what you knew was right today may be turned on its head tomorrow. Nobody should want to gain a reputation of being “CIA” (certified, ignorant and arrogant).

Lastly, what part of the material from the CCSK have been the most relevant in your work and why?

Ironically, my work over the years has made my weakest area – legal – also the most important and relevant one; especially when it comes to contracts with cloud providers for enterprise projects as well as vendors and managed service providers who run in the cloud.

Interested in completing cloud security training at RSA? CSA is offering a CCSK Plus Course at the RSA Conference 2019 that offers students an extra day of hands-on labs to practice applying what they learn. Learn more or register here.

Invest in your future with CCSK training

CCSK Success Stories: Cloud Security Training from a CTO’s Perspective

By the CSA Education Team

Cory Cowgill headshotWe’re kicking off a series on cloud security training today with a Q&A with the Vice President and CTO of Fusion Risk Management, Cory Cowgill. With a background in enterprise software development spanning multiple industries, Cowgill has multiple certifications including Salesforce System Architect and Application Architect, Amazon Web Services Solution Architect, and Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK). He has presented at Dreamforce, the world’s largest enterprise software conference eight times, and is a member of the Salesforce MVP Hall of Fame.

What led you to the Certificate of Cloud Security Knowledge?

The research and work with the CCM (Cloud Controls Matrix) led me to the CSA Certificate of Cloud Security Knowledge. I am a lifelong learner so I decided to take the exam. I recently passed the CSA Certificate of Cloud Security Knowledge, and I found so much of the content directly valuable. I would recommend it to all IT security professionals. It provides a set of comprehensive and vendor-neutral cloud computing principles that are invaluable across security roles and responsibilities. The CSA Security Guidance v4 document will be required reading for all my engineering talent in our organization going forward.

You said you found so much of the CCSK content “directly valuable.” Could you talk more about the specific content you were able to use in your job?

Sure. As a CTO of a SaaS company, I am often engaged in prospect and customer discussion around our products security posture. I have found all of the domains to be helpful, but I find two domains especially helpful based on where a customer is on their cloud journey. Domain 1, “Cloud Computing Concepts and Architectures” is especially helpful when establishing a conversation with a customer who is very early on their journey, helping establish what the shared responsibility model will look like. For customers who are well on their cloud journey, I find Domain 6, “Management Plane and Business Continuity” to be extremely helpful as the management plane is where they customer will be implementing the majority of their security controls under the shared responsibility model.

What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?

The CCSK or CCSP provide the most value to individuals who may need to work with an array of cloud vendors. Many organizations have a mix of CSPs who provide a range of SaaS and IaaS solutions. Individuals responsible for the overall security posture of the organization cannot be expected to hold a certification for each CSP’s technology stack. This is where the CCSK or CCSP become valuable as you have a credential that is relevant to assessing the overall security posture regardless of vendor specific technical details. Vendor certifications are valuable to those individuals in the organization who are configuring and administering those specific CSP solutions.

What’s a common problem you see organizations struggling with when migrating to the cloud?

As the CTO I am frequently engaged in discussions with customers and prospects around the security posture of our SaaS product. It is no small understatement to say that there is a lot of education that needs to be done within enterprise IT security teams. Companies struggle to ask the right questions around cloud security as many still do not fundamentally understand the benefits of the cloud. Each organization has a separate set of questions or controls they want to discuss which takes considerable effort from both internal IT security resources and SaaS provider security teams.

This led me to the Cloud Security Alliance (CSA) and the Cloud Controls Matrix (CCM). The CCM addresses these pain points by providing a standardized controls matrix that can be used to drive the discussion between cloud vendors and cloud customers.

How did CCM help communicate with customers?

By providing our standard CCM to prospects and customers along with our other compliance certifications and security assets we can rapidly assure customers and prospects that we are “Protecting the covenant of trust.”

When you said, “companies struggle to ask the right questions around cloud.” What types of questions are companies asking that they shouldn’t be asking? What types of questions do they need to be asking?

Many of the questions I respond to are very granular, infrastructure-related questions phrased or worded in terminology that is very specific to on-premise services. I seldom get asked about the management plane and the security controls and capabilities that fall under the responsibility of a customer in the shared responsibility model. The major CSPs have extremely mature security controls with compliance, certifications, and other attestations around their infrastructure components. While important to review that material and understand the infrastructure controls, the greatest risk is misconfiguration of the cloud services by the customer. Therefore, customers and prospects would be better served by understanding the management plane and security controls that are their responsibility to configure. This applies to all service models whether SaaS, PaaS, or IaaS.

While important to review that material and understand the infrastructure controls, the greatest risk is misconfiguration of the cloud services by the customer.

Some people are unfamiliar with the CSA Security Guidance. What would you compare it to?

All of the major cloud vendors across the service models have detailed documentation and guidance on their security postures and available controls. However, most enterprises have multiple cloud service providers with different delivery models and what is missing is a way to establish a common dialog across these CSPs’ security capabilities. In this regard I would compare the CSA security guidance to a critical guidebook that helps you establish a common dialog across CSPs as you evaluate their security postures.

What’s the biggest hurdle for security professionals who aren’t familiar with the cloud yet?

I think the biggest challenge is that there are so many different cloud technologies which can cause analysis paralysis. Do I get started with IaaS? If so do I pursue AWS, Azure, or Google? Do I start with a huge SaaS / PaaS vendor like Salesforce or ServiceNow? What will be most relevant? And when you couple this large array of CSPs with continually evolving technologies like serverless, it can be overwhelming to many. My advice is you can’t go wrong with any one vendor. You kind of need to just dive in the pool so to speak. Keep up the great work CSA!

If you’re interested in learning more about cloud security training for you or your team, please visit our CCSK Training page.

Invest in your future with CCSK training

 

Cory Cowgill headshotCory Cowgill is the Vice President & Chief Technology Officer, Fusion Risk Management, Inc., where he is responsible for research and development, customer engagement, operations and security, and go-to market initiatives. With a background in enterprise software development spanning multiple industries, Cowgill leads with a dedication to technology and risk management.