CCSK Success Stories: From a Banking Project Delivery Leader
This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog, we'll be interviewing Madhukeshwar Bhat, Project Delivery Leader.
1. In your current role as a Project Delivery Leader at a large global bank, you are responsible for complex Identity Access Management (IAM) and project deliveries. Can you tell us about what your job involves?
I lead the delivery of large-scale Identity IAM, including Cloud Access Management transformational projects. I work with senior and executive leaders to understand the key IAM problem areas, build viable business cases and translate them into tangible project deliveries, including operationalization and benefits realization.
It is an interesting role, requiring me to wear multiple hats:
- IAM business leader - Translate executive leadership’s vision into commercial business cases. Need to be creative and effective in capturing the accountable executives’ ideas in an efficient manner (cognizant of executive leaders’ time constraints).
- Techno-functional project manager - Break down the complex unstructured problems into manageable work packages and plan their delivery ensuring structured project governance. This requires budgeting and active cost management, as well as ensuring that cost variance doesn’t go beyond the stipulated limit. On the other hand, it requires me to get into technical delivery aspects ensuring core technology delivery.
- IAM and cloud subject matter expert - Need to bring IAM and cloud domain expertise into play, solving the organization’s key problems in this area.
- People leader - Be a role model for the team and manage their performance. Be a mentor enabling the team members to meet their professional aspirations.
- Powerful influencer - With no direct reporting or control over the organization’s business lines and application teams, diplomatic and influencing acts play a vital role in ensuring benefits delivery. Senior and executive stakeholder management is a must-have.
2. Can you share with us some complexities in managing cloud computing projects?
There are several challenges and complexities in managing cloud computing projects:
- Skillset - Through my experience as a hiring manager for years, I feel getting the right skillset for delivering cloud projects is quite hard. I think CSA has been doing a great job in spreading cloud awareness and helping bridge the skillset gap.
- Mindset - It is often hard for stakeholders to visualize cloud concepts. People tend to think in terms of an on-premise model. Hence, successful project delivery requires the project team to educate the stakeholders.
- Change management - It requires a considerable amount of change management effort for operationalization and benefits realization. Hence, plan sufficient change management in cloud projects.
- Governance - It is not just about delivering technology. There are several non-technology aspects to be covered for a successful cloud project. With multiple parties (vendors, employees, contractors, implementation partners, etc.) involved in cloud projects, unless there is well-structured governance, it is hard to deliver these projects.
3. In managing (outsourced) cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
Cloud projects require a mindset shift, requiring IT professionals to understand key characteristics of cloud to start with:
- Clear shared responsibility understanding including RACI defined - Need to remember that it is an external entity rendering the service as opposed to another IT function within the organization. Hence, contracts play an important role during cloud adoption. A clearly defined RACI (Responsible, Accountable, Consulted, Informed) matrix will segregate tasks amongst the cloud provider, implementer, and staff and eliminate ambiguity. The staff need to get used to formal agreements such as OLA (Operational Level Agreements) and SLA (Service Level Agreements) in handling service requests or issue/incident management with the service provider.
- Governance - With multiple players involved, well-structured governance is a must-have. Depending on the kind of business and datasets, have a pre-approved set of cloud service catalogs available to the application teams or business functions for cloud adoption. Set up a governance function to govern cloud adoption by the application teams or business functions.
- Cloud security - The way security is handled in the cloud is quite different from what is done for on-premise assets. Many of the cloud security controls are software-defined and controlled via configurations. Understanding this aspect is quite important when it comes to handling cloud security.
4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
There are a number of reasons for my decision to pursue CCSK certification. Firstly, CCSK is the gold standard for cloud security; it is offered by CSA, who are the leaders when it comes to cloud security. Personally, I have great respect for CSA for several reasons.
Secondly, the domain areas covered in the CCSK are practiced within the industry, hence very much relevant to the present day. Thirdly, there is great CCSK study material by CSA, which is very easy to follow and has excellent coverage of the topics. Even if one just goes through the material for learning cloud concepts with no certification intention, I think it is a very good investment of time and effort.
Every CCSK domain is very much relevant for me; cloud projects touch pretty much every CCSK domain, more or less. Given I focus on IAM, this domain is even more relevant.
5. How does the CCM help communicate with customers?
The CCM is one of the best frameworks I have ever seen. Given its in-depth coverage, the CCM is a perfect tool when it comes to cloud implementation assessment. Its standardization makes it handy for communicating with customers and stakeholders. From the customer perspective, it is a great standard for assessing provider cloud postures. Whether you are a large organization or a smaller organization, the CCM is highly recommended.
6. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?
While every certification has its respective value, vendor-neutral certification is the starting point. It is very important to know the concept before getting into “how do I consume a cloud service.” Especially when it comes to cloud usage, it is all about mindset and concept. This is where the CCSK plays a major role in explaining the core concepts.
The vendor-specific certifications are inclined towards their product offerings and implementing their product for your use case. Hence, before getting to a vendor-specific certification, it makes a lot of sense to earn vendor-neutral certifications like the CCSK.
7. Would you encourage your staff and/or colleagues to obtain the CCSK or other CSA qualifications? Why?
Very much. I have already encouraged a number of my team, colleagues and professional fraternity to pursue the CCSK. Firstly, for cloud security professionals, I think it is a must-have in order to get the right perspective. Secondly, whoever I suggested pursuing this certification to thoroughly enjoyed learning from the CSA material. Thirdly, people like the fact that the CCSK doesn’t expire (while the version might need an upgrade whenever CSA publishes a newer version). Unlike other certifications, the self-study learning material is free of cost. (A true reflection of CSA’s goal of spreading cloud security knowledge!)
8. What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?
Thriving in the IT industry requires continuous learning, as IT is one of the fast-changing and evolving industries. Every day there are new concepts, new offerings and different ways of doing things in IT. Hence, the only way a person can stay relevant is by learning.
For working professionals, certifications are structured learning opportunities to gain industry-relevant knowledge. For current or prospective employers, industry-standard certifications like the CCSK are a way to get confidence in the candidate. If you are a cloud security professional or aspiring cloud security professional, my advice would be to attain the CCSK for sure!