A conversation with the exam architect behind the hottest certification in cloud security
This feature first appeared in the Fall 2020 issue of Certification Magazine.
Let’s face it, the long-promised cloud revolution is here and nearly every application and system in commercial and consumer life is interconnected today. Right? We hear organizations wax poetic on their digital transformation journeys as if every hurdle has been overcome and they’re on autopilot from here on out. But is this really the case?
Yes and no. It’s true that a forecasted explosion in cloud application development and usage over the past several years has taken place. But the reality is that most organizations and the wider tech community thought we were further ahead in the adoption phase for cloud technologies than we currently are.
This was made apparent thanks to the triaged technical migrations and remote working setups forced by COVID-19, which exposed the fact that cloud readiness is far from ubiquitous. If cloud implementations are behind the curve, then there is likely a significant lack of security forethought as well. And yet, the pandemic has served as a forcing function to drive faster adoption.
In any case, at this point the wholesale move to cloud environments is a case of when, not if. As such, we need professionals who can securely build and implement cloud-first systems in order to keep pace with the speed of business. So where do these professionals come from and how do they prove themselves?
That’s a question that Dr. Casey Marks, chief product officer and vice president at (ISC)², has spent the better part of a 25-year career preparing to answer. As the world’s largest nonprofit association of certified cybersecurity professionals, (ISC)² has been at the forefront of professionalizing cloud security for more than half a decade.
The birth of CCSP
Dr. Marks, who holds a doctorate in the field of psychometrics — the study of how to measure knowledge and abilities — leads the association’s exams team, tasked with affirming the knowledge base of these professionals. One of his key accomplishments in that role has been developing and deploying a certification exam to validate the knowledge and skills of cloud security specialists.
Introduced in 2015, the Certified Cloud Security Professional (CCSP) has been the fastest-growing certification in (ISC)²’s portfolio — which also includes the widely respected Certified Information Systems Security Professional, or CISSP — with a growth rate five times that of comparable (ISC)² professional specialist certification exams.
The CCSP topped Certification Magazine’s “Next Big Thing” list for four consecutive years. While it seems obvious today, building a certification specifically around cloud security was an educated guess that paid off for the association.
In Dr. Marks’ words, “(ISC)² was founded more than 30 years ago, but we’ve kept pace with the technological shifts and predicted that cloud platforms and applications, and building and managing them in a secure way, would be a critical part of the future of data infrastructure. So much so that we introduced our CCSP certification more than five years ago, when cloud was still a much more nascent trend.
“We correctly identified that the professionalization of cloud security would become a necessity as more platforms were created and security became an engrained and permanent aspect of the architecture process, rather than a siloed or added function.”
The changing data storage landscape, in particular, has made attention to cloud security a priority. “Organizations rightly have concerns when their data is no longer held on premises and there’s a level of trust they need to feel with cloud providers about the integrity of the data transfer process,” said Dr. Marks.
“Having experts on staff who can guide that process and advise on best practices is a huge deal, and something that’s typically recognized as a priority even at a board level.”
Keeping pace with changes
The challenge that Dr. Marks and his team face is that, in such a quickly developing and evolving field as cloud security, the exam is only as good as its adaptability to change. This is why the CCSP exam underwent a review — as all (ISC)² exams do — and was updated as recently as 2019, to ensure that it most accurately reflects the deep knowledge and hands-on experience required for cloud security architecture, design, operations and service orchestration.
“Our philosophy is that items are assessed before people are assessed. Through what is called a Job Task Analysis, we discovered some emerging skills that are now required of CCSP holders and we wanted to make sure these changes in cloud security were included in the knowledge base we’re testing during our exam process,” said Dr. Marks.
“It is through updates like these that we maintain the high standards we’ve set for the CCSP certification and ensure that it evolves in lockstep with what’s actually required in the field.”
The exam items are designed through a highly scientific psychometric process that Dr. Marks oversees, which seeks to remove bias from the equation. This minimizes discrimination of any kind based on demographics or deficits not related to the construct being measured. But while the science puts guardrails in place to ensure reliability, validity, and fairness, the exam development process does not exist in a vacuum.
“There’s no ivory tower here unilaterally making content decisions. It’s our members who ultimately determine the content of the items within the exam, and I’m not sure that’s widely understood,” Dr. Marks said.
“While the content aligns with a routinely updated Common Body of Knowledge, these items are carefully crafted by existing CCSP certification holders who currently work in the field and understand all of the relevant subjects a cloud security professional should be familiar with, including skills, techniques and best practices.”
Professional cloud certifications or vendor certificates?
The age-old debate about the comparative value of vendor certificates and professional certifications is one that continues to rage within the IT community, and particularly when it comes to the cloud. But Dr. Marks sees this as an ecosystem where all are welcome.
“It’s really beneficial to look at certification holistically and gain an understanding of the different functions that each type provides. If you’re in a position where you’re working with Azure, for example, on a daily basis, then having the technical chops to know your way around the Microsoft platform is extremely useful,” he said.
There is room at the table, in other words, for both vendors and professional associations. “Becoming Azure certified demonstrates to your employer or your clients that you’ve gained a level of proficiency and can manage and troubleshoot issues on that particular platform. There are several areas of Azure that you can focus on as well, each with its own specific training. That’s certainly valuable in that context, and I would argue it’s a core competency that’s necessary,” Dr. Marks said.
“You may also be working in another instance, now or in the future, with AWS, and in that case you would want to get some training on that platform as well. That technical knowledge is an essential building block to becoming a cloud professional.”
What CCSP provides is a sort of capstone unit that brings everything together. “We look at the CCSP as the culmination of technical, practical, ethical and experiential knowledge that’s required of a professional,” Dr. Marks said.
“It’s more broad-based than any single cloud platform and acknowledges the deep commitment the individual has made to their career, as well as their agreement to adhere to ethical standards and the endorsement of their peers.”
Unlike simply taking a test and receiving a certificate, the CCSP also requires upkeep. Members must keep their certification current by earning continuing professional education (CPE) credits in each three-year cycle and must pay an Annual Maintenance Fee to help maintain the accreditation of the certification. Earning the CCSP is a commitment geared toward those who are seeking a higher level of professional recognition.
Cybersecurity and the cloud
One thing is for sure: Cloud migration and cybersecurity are on the path to tighter convergence. As more of our systems and applications move outside the firewall and are hosted virtually, attack vectors only expand and become more of a threat to critical data.
Cybersecurity will always go hand in glove with the development and operation of these platforms. The demand for professionals who can ensure information security will only grow, especially in the face of a global talent shortage of more than four million trained cybersecurity professionals, according to the 2019 Cybersecurity Workforce Study.
Whether vendor certificates or professional certifications like the CCSP appeal to you, gaining and affirming knowledge of cloud security will be an increasingly valuable practice.