CCSK Success Stories: From the Vice President for Information Security
Published 11/01/2021
This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs, we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog, we'll be interviewing Tan Zhon Teck, Vice President for Information Security at Bursa Malaysia.
1. Can you tell us what your job involves?
One of my job responsibilities regarding information security is to drive, strategize, consult and execute our cybersecurity strategy, especially our cloud security strategy. In addition, providing security solutions and determining how to implement security controls are key to meeting business requirements which are aligned with corporate strategy and goals.
2. Can you share with us some complexities in managing cloud computing projects?
Each cloud service model has different levels of challenge to address, especially securing configurations and data protection. Ensuring proper governance over each cloud computing project is vital.
3. In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
a. Understand the connectivity cost. Based on your organization's requirements and setup, you may not rely on all the cloud services from the CSP. You have to make sure the hidden traffic costs are considered if you are subscribing to another non-CSP service.
b. Ensure checks and balances are in place on configurations to avoid any misconfigurations, even if you outsourced the service to another professional service. Misconfigurations may lead to data breaches, which would introduce reputational and regulatory risk to your organization.
c. Ensure there is proper governance in place to provide oversight on a cloud security project.
d. Ensure staff handling an important function (i.e., the audit, security, governance, risk and infrastructure team) in cloud computing projects receives proper cloud computing training, especially CCSK training.
4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
Being a cybersecurity enthusiast, ‘never stop improving and learning’ is my key principle to keep me moving. CSA has provided a good platform for cybersecurity folks to gain a broader understanding of cloud security. This helps me design and implement an enterprise cloud security framework and policies for my company.
Besides that, the CCSK is non-vendor-specific and it is based on a good write-up, the Security Guidance in Cloud Computing, which references many industry best practices; this has made it stand out amongst the rest.
5. How does the Cloud Controls Matrix (CCM) help communicate with customers?
CCM provides very detailed controls and maps to industry security standards. It helps security professionals easily assess and review each of the controls in the cloud environment.
From the governance, risk and compliance perspective, this helps provide a good oversight function to ensure each control is implemented effectively.
Last but not least, the auditor should use the CCM tool to perform an audit of the cloud environment, which would be an assurance to the Board of Directors.
6. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?
Vendor-neutral certification provides a better understanding of cloud security concepts and a framework to address cloud security risk.
Vendor certifications would give an understanding of their cloud security product knowledge, especially if you are using a specific CSP. This kind of training would be great for those specific subscribers (cloud users).
7. Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?
I strongly encourage them to consider getting the CCSK certification and/or training as a start. It is crucial cloud knowledge that IT professionals should equip themselves with, given that cloud is increasingly the IT infrastructure of choice. CCSK gives a good understanding of cloud computing and the security controls domains that should be considered in our cloud environment.
8. What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?
I would say that cloud certification is a journey for most IT professionals. Even if you are not in this field, being equipped with cloud knowledge would help you become a professional in the near future. Continuous learning and never-ending improvement help IT professionals stay competent and knowledgeable to deal with new or emerging technologies.