Break into Cloud Security in 2024

Salaries, roles, certs, and more!

👋 Good morning!

Each week I provide an in-depth response to your questions about careers, cloud security, and anything else you need support with. Send me your questions and I’ll do my best to provide actionable advice.

Let’s dive in!

Q: How do I get a job in Cloud Security?

Cloud security offers some of the most exciting and well-compensated roles available to security professionals. It’s almost impossible to avoid cloud exposure in 2024 with 44% of traditional small businesses using cloud infrastructure or hosting services. That's compared to 66% of small tech companies and 74% of enterprises (Cloud Zero).

The reality is, most organisations aren’t great at securing their cloud environments. This is where you come in. 

The best part is, it’s never been easier to build a career in cloud security. World class training is available for free, there are countless follow-along workshops available to help you get the hands-on skills needed to land a job, and you’re spoilt for choice with ‘edutainment’ content.

The goal of today's post is to give you all the necessary information you could need to make sense of this space and make a plan to move forward.

I’ll cover:

  • Cloud fundamentals

  • Cloud security roles

  • Cloud security salaries

  • Cloud security experience

  • Certifications

  • Roadmaps

  • Career strategy

  • Helpful resources

  • Podcasts

  • Actionable steps

Cloud Security Foundations

  • Before you can take on securing the cloud, you need to understand how the cloud works. Building this foundational knowledge is critical. If you’re starting from zero, consider one of these free introductory courses by Azure, AWS and GCP.

  • The natural question that comes up early in your cloud journey is, which cloud is best - Azure, AWS, GCP? I answer this question here.

Cloud Security Roles

There are 4 primary roles available in cloud security:

  1. Analyst

  2. Engineer

  3. Consultant

  4. Architect

Descriptions of these roles vary massively from company to company, so be sure to thoroughly read the job specifications before applying for a role. However, there are some important things to note:

  • These roles are not necessarily in hierarchical order, or related to pay. For example, a Senior Cloud Security Engineer may earn more and have more experience than a Cloud Security Architect.

  • Within roles there may be unique hierarchies, such as Engineer, Senior Engineer, Lead Engineer, Principal Engineer, etc., but this doesn’t apply to every organisation.

  • All roles have great ‘pivotability’, meaning you’ll be able to progress and move from analyst to engineer to architect, etc., with the right experience under your belt.

  • All roles will give you great foundations to pursue a more managerial / leadership role such as Head of Cloud Security, or Chief Information Security Officer in the future.

Cloud Security Salaries

From entry-level security engineers to senior CISO roles, compensation packages for cloud security professionals are influenced by factors such as expertise, experience, industry, and location.

The following insights, from the recently published Cloud Security Salary Guide by Wiz, focus solely on the US market. I work in the UK and can confirm that the US market outperforms (outpays) the UK. Therefore I recommend you take these stats with a pinch of salt, and look for a salary guide that is based on your geographic region.

Key takeaways:

1/ The finance industry offers the most competitive total rewards for Cloud Security Engineers and retail offers the most competitive total rewards for CISOs.

2/ The range of total rewards for Cloud Security Engineers is wider for senior roles.

3/ Retail has the narrowest base salary range for intermediate & senior Cloud Security Engineers.

4/ Finance offers the highest compensation progression for Cloud Security Engineers, while government offers the smallest.

Cloud Security Experience

Hands-on experience is non-negotiable for a career in cloud security. If you’re trying to break into this field, you’ll need to invest time into cloud security projects to develop your skills and gain the necessary experience to add to your CV. This will help you get to the interview stage and thrive when asked about how to approach cloud-specific challenges.

If you’re still in the early stages of your career, consider spending some time as a Cloud Engineer/Analyst before specialising in Security.

Here are some helpful ways to get cloud security experience for free:

Certifications

Here’s a high-level guide to Cloud Security Certifications in 2024, covering:

  • The best certs

  • Prerequisites

  • Formats

  • Costs

  • My opinion

1/ Certificate of Cloud Security Knowledge (CCSK)

  • Provider: Cloud Security Alliance

  • Prereqs: None

  • Format: 60 Qs, multiple choice, open book, online

  • Cost: $395 to take the exam (you’re allowed one retake if you don’t pass)

  • Opinion: Top tier, credible, recognised

  • Helpful resources: CSA Guidance, Cloud Controls Matrix, and Cloud Computing Risk Assessment.

2/ GIAC Cloud Security Automation (GCSA)

  • Provider: GIAC

  • Prereqs: None

  • Format: 75 Qs on securing automated processes associated with CI/CD

  • Cost: $1,999 ($799/$1,149 for SANS Affiliates)

  • Opinion: Advanced, cost/benefit low, 5+ years exp required, great reputation.

  • Training here.

3/ Certified Cloud Security Professional (CCSP)

  • Provider: ISC2

  • Prereqs: 5 years exp

  • Format: 125 multiple-choice questions

  • Cost: $599 to take the exam; $125 annual maintenance fees

  • Opinion: Best in the game, vendor agnostic, best rep

  • Training here.

4/ Azure Security Engineer Associate (AZ-500)

  • Provider: Microsoft

  • Prereqs: None (imo, at least 2 years w/ Azure)

  • Format: 40-60 multiple choice / multiple-select questions

  • Cost: $165

  • Opinion: Amazing value, industry recognised, top tier training

  • Learn here.

5/ AWS Certified Security—Specialty

  • Provider: Amazon

  • Prereqs: None (imo, at least 2 years w/ AWS)

  • Format: 65 multiple choice or multiple response questions

  • Cost: $300 (you can buy a practice exam for $40)

  • Opinion: AWS still most widely used cloud, extremely useful, good value

  • Learn here.

6/ Google Professional Cloud Security Engineer

  • Provider: Google

  • Prereqs: None (should have at least 1 year experience with GCP)

  • Format: 50 multiple choice or multiple response questions

  • Cost: $200

  • Opinion: Less common, great opportunity for skill gap in market!

7/ Certified Kubernetes Security Specialist (CKS)

  • Provider: CNCF

  • Prereqs: Candidates must hold a Certified Kubernetes Administrator cert

  • Format: Performance-based test in which test-takers solve multiple tasks from a command line running Kubernetes

  • Cost: $375

  • Opinion: Kubernetes is the dominant platform for orchestrating container-based applications - signals top tier technical talent

  • For Kubernetes learning, see this thread.

Advice to become a top tier candidate:

  • Cover foundational courses: Azure, AWS, GCP + Kubernetes.

  • Specialise in one of Azure, AWS or GCP - get one of the above certs.

  • Target CCSP after 3-5 years exp.

  • Remember: Certs + Experience is the killer combo. Not certs alone.

Roadmaps

I’ve created some roadmaps loaded with insights and learning resources to help you on your journey:

Career Strategy

Depending on where you want to work and the problems you want to solve, specialisation might be the best move for you. I’ll explain…

  • Big enterprises with large security capabilities often seek specialised resources and are willing to pay handsomely for those skills.

  • Smaller organisations (such as start-ups) with smaller teams may seek a jack-of-all-trades security resource.

Regardless of where you seek to work, I recommend having a strong breadth of knowledge and skills across all core domains, and going deep in one specific area. You could master: IAM, Networking, DevSecOps, Compliance, or CSP-specific technologies (Azure, AWS, GCP).

Helpful resources

Podcasts

These are the cloud security podcasts that I listen to and that have served me on my journey:

  1. Cloud Security Podcast by Google

  2. The Azure Security Podcast

  3. Cloud Security Today

  4. Cloud Security Podcast

  5. Crying out Cloud by Wiz

How to make it in Cloud Security

5 actions you need to take immediately:

  1. Create a learning plan and allocate time to complete foundational learning courses.

  2. Following the completion of foundational cloud learning, plan one practical project per week for 2 months.

  3. Now that you’re sufficiently educated and skilled in cloud security, choose a certification to prove it. Schedule your exam.

  4. Pick a path or roadmap for your cloud security career and focus your learning on the role you want.

  5. Schedule time each week to listen to podcasts and read useful cloud security resources. This will compound over time and make you an ultra-high-value security professional.

Note: Unless the role advertised is an entry-level analyst role, you will likely need 1-3 years’ experience in security and/or cloud before applying for these types of roles. Consider a stepping-stone role, such as Cloud Engineer or Security Analyst, before pursuing one of the above roles.

If you found this newsletter valuable, please refer a friend who would benefit: