CCSK Success Stories: From a CISO and Chief Privacy Officer
Published 07/01/2022
This is part of a blog series interviewing cybersecurity professionals who have earned their Certificate of Cloud Security Knowledge (CCSK). In these blogs we invite individuals to share some of the challenges they face in managing security for cloud computing and how they were able to leverage knowledge from the CCSK in their current roles. In this blog, we'll be interviewing Kwonsoon Park, Chief Information Security and Chief Privacy Officer, CHEQUER.
1. Can you tell us about what your job involves?
CHEQUER is the maker of a modern data-governance platform. I am responsible for securing all of the company's data assets and protecting personal information. Under my leadership, I supervise four security teams: Blue, Red, Purple, and White, to ensure that our cybersecurity protocols, measures, and compliance comply with the highest industry standards.
2. Can you share with us some complexities in managing cloud computing projects?
Some apparent complexities arise when managing cloud computing projects, but the solutions are not so obvious. Cloud complexity results from the rapid acceleration of cloud migration and net-new development without regard for the complexity this introduces into operations. Details matter, as they say.
For example, one of the unspoken problems is that the most optimal cloud infrastructure does not come from a single CSP, but rather from various services from different CSPs, resulting in a high level of complexity. Adding to the difficulty, each CSP provides its versions of container services in some form, such as K8s and Docker. Given this scenario, it's nearly impossible from the customer's perspective to manage these unique services effectively unless they can do it under a common platform. Furthermore, given the real-world requirement to integrate a wide range of SaaS applications, not having a well-thought-out plan for cloud computing projects would make running a smooth cloud-enabled computing infrastructure a challenge, if not a nightmare.
3. In managing cloud projects, what are useful tips you could share with IT professionals to avoid common pitfalls?
The best tip I can offer IT professionals to avoid common pitfalls is to shed light on one of our best practices in protecting data assets and ensuring secure workflows from the start of product development and management. At CHEQUER, we design, operate, and manage, considering all data and security protection-related issues, from design to development, maintenance, monitoring, and regular updates. Also, we follow the Shared Security Responsibility Model to consistently maintain the highest confidentiality, integrity, and availability for all customers, regardless of industry or size.
The Shared Security Responsibility Model is a framework introduced by CSPs to separate customers' and CSPs' security responsibilities. The Sharing Security Responsibility Model separates some of the obligations between the involved parties. CHEQUER manages the cloud platform's security, and the customer is responsible for the tenant's security settings and behavior in the CHEQUER cloud environment.
A security responsibility sharing model is a security and compliance chain responsibility model. As part of this security responsibility model, customers need to check and identify compliance and compliance issues before choosing a cloud solution. If customers must follow a compliance requirement, it is crucial to review whether the requirement is met in all security chains.
4. What made you decide to earn your CCSK? What part of the material from the CCSK has been the most relevant in your work and why?
In this security responsibility model, my primary motivations for achieving my CCSK reflect my recognition of the importance of compliance. Regulatory compliance requirements are essential to consider and check before choosing a cloud solution. In contrast, existing compliances offer only conceptual guidelines. The appeal of this certification is that it is not a license that one can maintain indefinitely by filling out CPE (Continuing Professional Education) credits once obtained, but one that must be re-acquired each time a new standard is released.
5. How does the CCM help communicate with customers?
As a result of CHEQUER's CCM compliance, CHEQUER's security level will be evident to customers, only enhanced by our CSA STAR certification due later this year. The CCM aims to verify our understanding of the cloud controls, and the CSA STAR aims to ensure CCM compliance.
6. What’s the value in a vendor-neutral certificate like the CCSK or CCSP versus getting certified by AWS? In what scenario are the different certificates important?
Qualifications such as CCSK, CCSP, AWS GCP CKS, and others are not the same. I believe they are all essential. All of the alliances, associations, and vendor-specific qualifications mentioned above enable you to understand the platform's advanced cloud technology and security. The CCSK provides knowledge insights that combine these technology silos for one to achieve a cohesive and efficient cloud. The CCSK lets you see the big picture while providing the platform knowledge base to put it into action.
7. Would you encourage your staff and/or colleagues to obtain CCSK or other CSA qualifications? Why?
Definitely! I am confident that my security team members will gain a thorough understanding of cloud-native security while obtaining their CCSK certification. Preparation for CSA STAR certification is also an option. The CCM also has an ISO 27000 family mapping, which enables the management of various security compliances. Similarly, our security team's OKR includes such objectives for the year's second half.
8. What is the best advice you will give to IT professionals in order for them to scale new heights in their careers?
My simple advice is an ongoing study. With new technologies constantly making quantum leaps, IT professionals must be able to acquire knowledge in a completely new field of technology, assimilate new knowledge, and converge with previous domains and areas of expertise. There is a growing need for people who can produce creative results across multiple domains.
Related Articles:
How Cloud-Native Architectures Reshape Security: SOC2 and Secrets Management
Published: 11/22/2024
It’s Time to Split the CISO Role if We Are to Save It
Published: 11/22/2024
Establishing an Always-Ready State with Continuous Controls Monitoring
Published: 11/21/2024
5 Big Cybersecurity Laws You Need to Know About Ahead of 2025
Published: 11/20/2024