CCSK Success Stories: From the Head of Cybersecurity Architecture
This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog we'll be interviewing Lee Han Ther, Head, Cybersecurity Architecture & Strategy at Maxis.
(1) You currently work at Maxis as Head of Cybersecurity Architecture & Strategy. Can you tell us about what your job involves?
In my current capacity, I am responsible for driving security architecture, technology innovation and strategy. I help our teams design, deploy and operate solutions across our information technology
(2) Can you share with us some complexities in managing cloud computing projects?
Well, it depends on the cloud service model. IaaS, PaaS, and SaaS have different levels of complexity. Some complexities, however, are generic across all three, i.e. data residency, regulatory requirements and aligning service provider responsibilities with business needs.
(3) In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
I would say the important financial aspect is to look at a cloud project’s overall Total Cost of Ownership (TCO). In justifying cloud project spending, we need to forecast the total growth / decline of the project components over time due to the data scalability and utility-like billing, unlike traditional infrastructure.
(4) What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
As part of a self-development plan for the year, I have already included in my goals to obtain a relevant cyber security certification. Why the Certificate of Cloud Security Knowledge (CCSK)? Well, that is the most relevant vendor-neutral cloud security certification around. It has helped me build the right foundation and framework, looking at cloud security and controls in a holistic manner.
(5) How does CCM help communicate with customers?
The Cloud Controls Matrix (CCM) clearly sets forth a comprehensive control framework based on various domains, service delivery models and architectural reference, backed with references against various industry standards and best practice. It helps customers think about all the relevant controls and thereafter zoom into the specific technology for implementation.
(6) What’s the value in a vendor-neutral certificate versus getting certified by a vendor like AWS? In what scenario are the different certificates important?
Both certifications have their respective unique value. Whilst a vendor-neutral cert is product/service or technology agnostic, it is important to lay out a clear cloud security framework, model and key concepts which can be applicable regardless of cloud service providers. On the other hand, a specific certificate issued by a specific CSP will assist in architecting, deploying or operating that specific cloud technology.
(7) Would you encourage your staff and/or colleagues to obtain the CCSK or other CSA qualifications? Why?
Yes, I would highly recommend it. CSA is a recognized body for cloud security. They have been continuously revising their knowledge base and research to meet the technology and market demands. Being CCSK certified demonstrates the professional has a broad grasp of relevant cloud technology and security models.
(8) What is the best advice you could give to IT professionals in order for them to scale new heights in their careers?
Continuously develop yourself and be relevant. As a security professional, to scale to new heights, we not only need to keep abreast of the latest technology, we also need to be aware of security trends, incidents, regulatory requirements, and the changing business landscape.