CCSK Success Stories: From a CISO

Published 02/20/2022

This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog, we'll be interviewing Sau-Wern Tuan, CISO, FINEXUS International Sdn Bhd.

1. You currently work as the CISO at FINEXUS International Sdn Bhd. Can you tell us about what your job involves?

My job involves operating and managing our on-premises data center operations, ensuring our network, servers, systems, and applications are running securely and efficiently.

I am also involved in architecting solutions, writing programs, training staff, troubleshooting, and preparing policies, procedures, and standards, as well as influencing the company's direction on which technology to use.

Jack of all trades, master of none? A generalist, not a specialist.

2. Can you share with us some complexities in managing cloud computing projects?

Some of the complexities in managing cloud computing projects involve getting a grip on the variable costs of implementing the solution from a non-functional requirements perspective, for example quality attributes such as security, maintainability, performance, and portability, while keeping an eye on the costs.

3. In managing cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?

A common pitfall is being overly focused on functional requirements at the expense of non-functional requirements. While the project should deliver on business function, non-functional requirements such as security often take a backseat. Bolting in security requirements at a later stage as an afterthought typically would result in much higher costs and complexity.

4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?

Being relatively new to the public cloud space, I found the Security Guidance (v4.0) most relevant. It is a part of the CCSK examination kit containing all the key points that can be used as a framework to secure resources on the cloud.

The best part of the CCSK materials is that they are concise and to the point. No fluff, just useful stuff, and the preparation kit is FREE! What more can one ask for?

5. How does CCM help communicate with customers?

CCM is a labor of love from CSA. The CSA team has done a lot of heavy lifting, mapping critical cloud controls against various industry standards and frameworks.

Using the CCM as a reference would help ensure one covers the controls of most (if not all) bases on the cloud. Considering it is widely recognized, auditors have been using it as a reference to conduct cloud audits.

Thus, there is some level of assurance that essential controls are taken into consideration.

6. What's the value in a vendor-neutral certificate versus getting certified by a vendor like AWS? In what scenario are the different certificates important?

A vendor-neutral certificate allows one to see the big picture and essential points of the cloud platform and identify important common traits, advantages, and drawbacks.

A vendor-specific certification enables one to exploit the features specific to that CSP's platform to the fullest and to best use it as it is intended to be used.

7. Would you encourage your staff and/or colleagues to obtain the CCSK or other CSA qualifications? Why?

I always encourage my staff and colleagues to obtain certifications or certificates. The certification or certificate syllabus would force one to systematically cover the required knowledge area instead of cherry-picking areas of interest.

The systematic coverage of knowledge areas to pass an exam provides one a toolbox in which one can select the correct tools for a given job. Conversely, if one does not have a systematic learning path, it is analogous to having only a hammer. When that happens, everything is treated like a nail, even screws or bolts!

Of course, having an extra shiny badge (I believe there is an announcement that Credly badges are being issued!) would not hurt on one's resume? The majority of folks like to collect shiny things.

8. What is the best advice you could give to IT professionals in order for them to scale new heights in their careers?

Stay hungry for knowledge. What you know today can be obsolete tomorrow. The learning must never stop.
