It's great when our community can share your thoughts about cloud security, especially AWS security and its certificate. I currently find myself going step by step deeper into cloud security via practical skills of the AWS security tool set. I have figured out that they have a huge knowledge, skills and tool set, so I have to put in a heavy effort for this journey. During this journey, I just take a break, take a deep breath in, and wonder if it is worth it to invest my huge effort in AWS security. Can anyone share with me your thoughts about this journey, or whether it is worth pursuing?
Certainly yes! It is worth investing effort in AWS security, or you may also think about CCSP by ISC2: https://www.isc2.org/certifications/ccsp
@ashishkarpe @alicetran I think it depends on the employment circumstances, whether you are working for an employer who requires those skills specifically or is prepared to support you to gain them.
Most of these are short-lived, so within a few years you have to re-certify as new elements are added, to keep aware of developments and updates too.
Rather like doing the firewall journey on a specific vendor, one has to keep being certified to keep up fluency, etc.
Regards
Caute_Cautim
You both are right.
You need to weigh up your vision of the future, and objectives - if you see yourself specialising in AWS Security, then by all means do so, if you think this will be your bread and butter on a daily basis.
My thoughts are towards having sufficient knowledge to understand the Cloud Computing environment and how to apply the principles to any cloud situation - often as consultants or even architects, we find ourselves in a new situation - yes, we may have a certificate in AWS Security instance, but five years hence that current knowledge may have gone stale. Rather like the CISSP, knowing how to tackle situations by going back to grassroots and then weighing up the risks, implications or impact and then understanding what countermeasures or mitigations you can put in place - becomes more important as you inherently weigh up the risks against the current situation, i.e. what is the impact to AWS Security when AI Gen AI is applied, i.e. data poisoning, distribution denial of service against the LLMs? Or what is the impact of changing over from Public Key Cryptography to Quantum Key Management, etc. Yes, you can be a specialist, but remember we all have to have the capability with experience by being able to apply ourselves to literally any situation, by being able to see things from a holistic perspective and then have to delve deeply to root out the issues and then provide trusted advice based on the current situation and circumstances. These circumstances constantly change; our original hypothesis can often change, due to new capabilities and technologies being applied. It is dynamic: understand the principles, apply them well, gain new experiences, and constantly keep your own self knowledge and development regularly up to date, so you maintain your fluency and capabilities.
What about data security, governance and being able to protect data, wherever it exists within a cloud environment? Who controls the keys? The Cloud Provider or the client? Can it be purged securely or returned back to the client securely and the integrity maintained, etc.?
Others may have a totally different perspective to myself; it really depends on the circumstances, and what you want to achieve, what your goals are and your vision of yourself five, ten or more years on.
Can you learn, develop, self develop, applying soft skills not just technical skills to virtually any circumstances?
Regards
Caute_Cautim
@Caute_cautim @Early_Adopter @ashishkarpe
Thank you for sharing your thoughts! My picture is becoming more clear from your sharing. I'm the case with experience in cybersecurity and GRC in my previous jobs in my country and certified CISSP. Although the CISSP helped me to pass the resume screening round, my interviewers never asked me about this knowledge, but they asked for hands-on skills instead 😭. I'm not sure whether I applied to the wrong roles, but I'm looking for GRC roles. I used to work as a GRC first layer of defense working directly with developers, system admins, security admins, but I didn't do their jobs. Via some interviews I wondered whether I should improve my hands-on skills, and that's why I have taken step by step to AWS security 😅
@alicetran Where possible always keep your knowledge up to date, to stay relevant, especially with new threat and risk avenues such as Gen-AI and new technologies, which are likely to engulf everyone within the next five years or so. Often you will find that this role requires a number of skills and abilities, so whether you are motivated towards GRC roles, often we find ourselves having to roll up our sleeves and get pitched or providing trusted advice or guidance.
Stay curious and in discovery mode, to keep yourself motivated and invigorated.
Regards
Caute_Cautim
@Caute_cautim I highly appreciate your advice!
I can see more and more AI and new technologies are being discussed in many forums and meetings to raise awareness. Could you please advise in more detail which level of hands-on skills a GRC role should have? They may be GRC tools which we use to manage risks/incidents, or audit tools which we use to assess security posture, or security tools such as AI security to detect threats and respond to incidents, or tools to create security policies in the systems and manage the security posture of an organization. I feel that this role requires more or less hands-on skills, but which levels and which tools should be focused on more than the others are what I don't have enough information on.