CCSK Success Stories: From the VP of Internal Security and IT
Published 08/12/2022
This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog, we'll be interviewing Nikolay Akatyev, VP of Internal Security and IT, Horangi Cyber Security.
1. In your current role at Horangi Cyber Security, you oversee corporate and application security, as well as IT. Can you tell us more about what your job involves?
Let me focus on the cybersecurity side of my role. Our company is a cybersecurity company providing both professional cybersecurity services and a multi-cloud security product. So internal security has strategic importance at Horangi. As our company sees security as a business enabler for our clients, we mirror that mentality internally. We build and operate internal security in a way that allows our employees to innovate without fear. They can deliver business without continuously looking over their shoulders, fearing whether they are doing something wrong from the security point of view.
To be more specific, we deploy and run a lot of cloud security tools, as Horangi is a cloud-native business, and both our consultants and software engineers run their workloads in the cloud. So, internally, we establish policies and processes. We also deploy and operate cloud-native security tools and our product, Warden.
2. Can you share with us some complexities in managing cloud computing projects?
The ease of deployment and scaling in the cloud is its main advantage as well as a challenge. Implementing projects along with providing their security in the cloud needs a different mindset. The security team needs to partner with the implementers of the cloud projects so they can have full visibility and the ability to react fast. The security team should not prohibit the implementers from moving fast and innovating. The security team needs to understand the cloud well, observe, react quickly, and guide the implementers about the security aspects of their implementations in the cloud.
3. In managing cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
IT professionals need to focus on two things: learn the cloud and use the right tools.
- Learn the cloud. It’s easy to start using the cloud. But when using the cloud professionally and at scale in production, the complexity can become overwhelming without doing it in a cloud-native and platform-specific way. Fortunately, major cloud service providers (CSPs), as well as reputable organizations like CSA, have good documentation and tutorials on how to use it correctly. I recommend that after finishing research or running a POC, IT professionals need to step back, reflect, learn the documentation in-depth and rebuild their product in a proper cloud-native way. And security should be a natural part, not an afterthought, of this process. The documentation of CSPs and other relevant organizations always has a security part. Don’t skip it; learn it as a part of learning the whole platform.
- Use the right tools. I observe that CSPs provide a lot of services. They have core services that they implement well in scalable and usable ways. But other services they implement just to have, and I don’t find them easy to use or to have deep, specific functionality. Usually, security services and tools by CSPs have such characteristics. Find tools that solve your specific problem, are easy to use for that problem, and integrate well with the chosen cloud platform.
4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
My principle is to let professionals do the job they do the best. CSA is focusing on the cloud. I consider their work and research very focused and professional, so I decided that undertaking training and exams from them would be very beneficial for me. Moreover, CSA has had a proven history, while other organizations have just started adding cloud-related topics.
To prepare for the exam, I took an online training course from CSA. That alone was generally enough, maybe because I already had hands-on experience with development in the cloud and securing it. For those preparing for the CCSK, I recommend practicing first with the cloud, deploying workflows with your own hands and experiencing what an end-to-end solution looks like, then taking a CCSK training and reviewing all referenced materials. And you should be good to go.
5. How does the CCM help communicate with customers?
We work with many mature clients, and they always have a due diligence process. In one instance, our client explicitly asked us to fill out the CCM as a part of the due diligence process. So, having the CCM ready would help shorten the procurement cycle and enable scaling the response to due diligence requests.
6. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?
All of them have value, but in different ways. Vendor-specific certificates are hands-on. They bring value when you want to prove your experience with specific technologies. They also enable the company to establish partnerships with CSPs.
The CCSK sits at a higher level. It summarizes knowledge across domains, gives value to managers and consultants who work with a broader range of technologies, and covers such aspects as risk management, vendor management, architecture, and multi-cloud.
7. Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?
Yes. Particularly, I would recommend it to my colleagues from the professional cybersecurity services business unit and my team members responsible for cybersecurity compliance. As I mentioned earlier, it is useful to refer to risk management and other higher-level knowledge in the CCSK when advising the clients or managing our own internal multi-cloud requirements.
8. What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?
Prepare, or, even better, get proven experience, to be able to enable the business. We believe that security is a business enabler, and this is how we communicate internally and to the clients. So if an IT professional can obtain business acumen, they can become invaluable to a company. They will then be able to be more flexible when requesting a budget for IT and security, as IT and security would be seen not just as a commodity or blocker, but as a business enabler. It enables the company to work with more mature clients, deliver higher quality service faster, and have better visibility and understanding of the market through data.
The CCSK can help with that direction. IT professionals can have proven knowledge and membership in a relevant community, enabling them to guide the business towards new partnerships and markets.