Why the CCSK and/or CCSP Training should be done before platform specific training.
An expression comes to mind when I think of the difference between CCSK, CCSP and vendor specific training such as AWS and Azure training offerings. This expression is “Never ask a barber if you need a haircut”. It basically means don’t ask someone with a vested interest about the need for their product. The barber only makes money when they cut your hair, so why in the world would they ever say you don’t need a haircut? To bring this thought to this topic, why would a service provider ever recommend you take something other than their own training offerings to learn about cloud security?
When it comes to knowledge of cloud computing security, there are generally two paths you can choose. These are vendor-neutral and platform specific training. First off, we need to understand what each path covers and then discuss why your team needs both.
Path 1: CCSK/CCSP Training
This training addresses the “Who, What, Where, Why” (maybe the when) of cloud security. Both the CCSK and CCSP are vendor-neutral training offerings that are focused on the changes cloud introduces to your environment. The CCSK material covers the Cloud Security Alliance guidance which is followed by many organizations around the world. The CCSP by (ISC)2 covers the CCSK material and adds discussion of additional subjects. Rather than writing all the differences here, let me point you to the CCSK vs CCSP entry I wrote here that covers all of that.
Bottom line: Both the CCSK and the CCSP discuss industry best practices for cloud security across all service and deployment models. This training is holistic and strategic.
Path 2: Platform-Specific Training
The upside of this offering is your people will be trained exclusively with the systems they will work with. This is the “How” of implementing cloud computing on a particular platform (e.g. Amazon Web Services (AWS) or Microsoft Azure, Salesforce, etc.…). Platform specific security training is of course recommended for all team members that will be responsible for securing specific vendor platforms and services.
The downside to this training is your team does not learn what is standard for other enterprises their size. They are not trained in assessing cloud providers. They do not look at which party is responsible for implementing or configuring controls to obtain and maintain certification. They do not focus on any third-party security controls that can increase your organizations overall security posture of general cloud usage. Governance, Risk Management, Compliance (GRC) may be covered from a platform-specific perspective, but not from an organizational perspective.
Bottom Line: This training is for people to understand how to meet industry best practices in a specific provider environment. This training is atomistic (single point) and tactical.
Both for Most
If you want various teams in your organization that are well equipped for cloud adoption and operations, you need to send them on both vendor-neutral and provider-specific training. Certain roles, those that don’t touch a keyboard or audit cloud systems, and just need the 10,000 foot view of the cloud security landscape can “get away” with just the CCSK training. Roles that implement, manage or audit a particular cloud offering need the CCSK and/or CCSP training, followed up with training on the platform itself.
Which Certification is Better?
Honestly, this isn’t a binary option. Cloud security certification should be seen as a two-stage process. While its true that you don’t “need” the CCSK or CCSP to work in AWS, Azure or any other platform, by only doing platform specific training, you are frankly robbing yourself. Sure, you’ll learn about how a single platform should be secured, but you won’t learn why specific steps should be performed to support the organization. This gives you the tactical view, not the strategic view.
Since we’re talking about certification, I can only assume you’re focusing on certification to advance your career. I would argue (as many others do) that the employee of the future is shaped like a “T”. The horizontal part of the “T” is broad high-level understanding of core concepts and how they impact an organization. This is strategic. This is the CCSK/CCSP training. The vertical part of the “T” is a deeper understanding of a particular technology. This is provider training. This is the tactical part. This is where employers are heading for selection of employees. With this in mind, I hope you now see why I think foregoing one for the other is a fool’s game. As I said, it’s not a binary option. Rather, they are highly complementary to advance your career.