CCSK Success Stories: From a Cybersecurity Assistant Director

This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog, we'll be interviewing Yew Hoong, Senior Assistant Director, Cyber Security Agency (CSA).

1. In your current role at the Cyber Security Agency (CSA) as a Senior Assistant Director, you provide cybersecurity consultancy to other government agencies. Can you tell us about what your job involves?

As Senior Assistant Director in the Cybersecurity Programme, I lead a team of consultants to provide cybersecurity consultancy to government agencies working on Smart Nation projects (e.g., National Digital Identity). Through these projects, I am also developing future cybersecurity professionals via on-the-job training methods.

2. Can you share with us some complexities in managing cloud computing projects?

The key challenge in managing cloud computing projects is having a good grasp of how all the various cloud native services (e.g., IaaS, PaaS and SaaS) and third-party solutions/technology (e.g., containers) are integrated together to deliver the business objectives in a secure manner (ensuring Confidentiality, Integrity and Availability of the systems).

3. In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?

Cloud is not the panacea to all problems, but it does help to speed up digital transformation. IT professionals need to recognize that they can only outsource responsibility (i.e., they are ultimately accountable for the success of their cloud projects), so they still have to conduct their own risk assessments to make risk-informed decisions. They can’t just accept vendors’ recommendations. Then they can ensure they are using the cloud to deliver the desired business value.

Business owners should also make risk-based decisions on the kind of data that can go onto the cloud because they decide the impact that they can accept when such data is lost (you have to assume such data can or will be lost). This will help to define the cloud deployment model that can be adopted and cloud delivery service that can be used.

These considerations are commensurate with the risks that the organization is willing to undertake from the onset. With this, there is better clarity to define the cybersecurity programme to secure the cloud projects. The security-by-design approach is always cheaper and easier to manage downstream because bolting the required security subsequently may not be able to adequately secure the systems. It may also result in loss of reputation if the customers’ data are leaked/lost.

4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?

I have decided to earn CCSK after getting the Certificate of Cloud Auditing Knowledge (CCAK)(offered jointly by CSA and ISACA). CCSK’s domains on virtualization, containers and incident response are useful to sharpen my knowledge/thinking to apply in my area of work.

5. How does CCM help communicate with customers?

I don’t think I will do justice to the great work done by the Cloud Security Alliance with my response. Please visit the official website for detailed information on this. On a personal level, CCM helps to provide a baseline reference of what needs to be addressed for cloud.

6. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?

Currently, I hold three vendor-neutral certificates – CCSK, CCAK and CCSP (by CSA, ISACA and ISC2) – as well as some cloud certificates from AWS and Google. I see them as complementing one another as the former provides a standard/neutral view of the concerns and what needs to be done to address the risks while the latter provides the guidance on how some of these concerns can be addressed in their respective environments.

7. Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?

Certainly! There is so much to learn about cloud security! CSA qualifications provide adequate breadth and depth on various domains in cloud. The knowledge gained from attaining these certifications will provide valuable insights on defining the required policies, standards and guidelines in our course of work.

8. What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?

Invest in yourself through continuous learning. The knowledge gained is yours to keep and no one can ever take it away from you. Build new knowledge from previous knowledge gained and in applying the knowledge, you will be amazed how handy it will be when the time comes.