How to upskill your cloud security team in 3 quick steps
If you are a Cloud Security Manager or anyone responsible for mitigating risks in cloud migrations, one of the biggest headaches is ensuring your teams have the necessary skills to handle them.
It has been my experience that it is easy to find Cloud professionals and easy to find Cyber security professionals but VERY difficult to find Cloud Security Professionals.
This problem is by no means small: the recent ISC2 Cloud Security Report 2022 states that more than half of organizations see staff expertise as the main challenge for compliance in the cloud.
However, the good news is that it is possible to quickly upskill your team for the cloud.
A lot of companies make the mistake of relying on certifications only while ignoring hands-on experience, which leaves their teams with good theoretical knowledge but not much else!
If your team cannot navigate the cloud console without relying on documentation, then you will have a serious problem later on.
Based on my own experiences with many cloud migrations, I propose the steps below, which will help make sure your teams get the necessary cloud security skills.
Step 1: Gain access to a cloud sandbox
Your team can attend as many trainings on cloud security as they want, but that will not give them the hands-on experience that is essential for learning about cloud controls.
Most cloud providers are happy to provide companies with sandbox accounts in which the team can play around and understand how the different services work.
AWS, Google, and Azure all give you free tier accounts or free credits.
Get the teams to access these accounts, which should be completely separate from your production or dev cloud environments. The goal is to get familiar with cloud services and their functionality.
Step 2: Build something on the cloud
Now that you have access to a sandbox, the main step is to give your teams something concrete to do in the sandbox.
I always recommend assigning your teams “build” projects on the cloud, which do not necessarily have to be security projects. Most cloud providers offer free, easy-to-build workshops on their services which the teams can use to gain knowledge. A few of them are listed below:
AWS Workshops: https://workshops.aws/
Azure Workshops: https://microsoftcloudworkshop.com/
Google Cloud: https://cloud.google.com/training
Believe me when I say nothing will give your teams more confidence than actually making something with different cloud services.
Step 3: Be smart about certification
Certifications do matter, but you have to be smart about them and not fall for the hype.
Do not jump directly into the security certifications if the cloud environment is not familiar to you or the team.
I always recommend first starting with a solutions architect certification before moving on to security-focused ones as it provides a great foundation to learn about the cloud services on which you can build.
If the team does not know how a service works then they will not appreciate securing it. A solutions architect certification will give them a great overview of the entire cloud ecosystem.
Secondly, link certifications to job achievements, e.g. by making them part of the performance objectives for the year or by creating a “train the trainer” program where the knowledge is passed on by the teams. This provides a great motivational factor for the team to learn more and more.
Learning never stops in the cloud!
Even after spending several years dedicated to cloud security, I can safely say that I am still learning. Cloud migrations do not have to be the unhappy, stressful projects they can become if your team has confidence in their cloud security skills. Start learning today.
Taimur Ijlal is a multi-award-winning information security leader with over two decades of international experience in cyber-security and IT risk management in the fin-tech industry. Taimur can be reached on LinkedIn or on his blog. He also has a YouTube channel, “Cloud Security Guy”, on which he regularly posts about Cloud Security, Artificial Intelligence, and general cyber-security career advice.