A couple of weeks ago I was asked by a colleague for some clues and tips on how to become a Cloud Security Architect, as that's the path he wants to follow and he knows I've been in architect-like roles for a while.
Knowing how much fulfillment one can get from a good career and work life, I decided to sit down and write down some tips right away. I shared them with him, but when I looked at the result myself I realized that instead of a few tips I had written a lengthy article on the subject. So I've polished it a bit and want to share it with you.
Please note that nowhere in this article am I claiming that this is the ideal path, the only path or anything of that nature. I'm no guru, no career expert and no crazy good security architect. I'm just a guy who managed to get to where I am right now, and I want to share my perspective as a means to help you see the journey of others and maybe get some clues on how to proceed with your own career.
To me, the role of a security architect is as much about technical work as it is about business and leadership. While the specifics of the role definitely vary between companies, it's a common requirement for architects to know how to talk to C-level executives, lead teams and independently manage the workload in such a way that the project gets delivered in compliance with the business requirements. Sometimes, reading through job descriptions, you may get the impression that the productivity of a security architect equals their social savviness, and there is something to it. You can rarely build great things without the involvement of great people, and if you can't influence them to follow your leadership, then you're missing out on the huge potential of group work. But I published a whole book on how to level up your social skills to boost your career in infosec, so I'll skip that and focus on other aspects of the role.
My path isn't obvious but it's very common
In my case, I can't really speak of any certifications or training aimed specifically at becoming a security architect (if you know of any, please leave a comment about them), but I have completed a bunch of Cloud Security Architecture related courses and training, which I believe helped me tremendously in getting better.
I haven't had any formal education that got me into the role of a security architect, but rather a lucky series of opportunities that presented themselves in front of me, and I was able to grab them. To cut it short, I started gaining exposure to commercial IT about 10 years ago. I started as a programmer, then became a network administrator (netops), sysadmin, bug bounty hunter, pentester, offensive security engineer, and a security engineer working in a blue team focused on SOC/IR. During that time I've been focused on self-development in order to mature, as everyone should, both in personal and professional life. I've made sure to keep myself educated on business, social dynamics, relationships and all sorts of things, to get more context and a wider perspective. It took quite a while, but I feel that the appreciation for the challenges faced by people in different roles and at different levels of seniority eventually made me a better security architect.
As I said earlier, education never stops, because you always learn new things on the go and try to be prepared for new projects. To stay as current as I can in this fast-paced industry, I try to take advantage of the content shared by people generous enough to share their knowledge. I can't really express the level of gratitude and admiration I have for people who have done something and then decided to share their knowledge on the Internet. You can really, really learn a ton by following what others have tried, what they succeeded at as well as what they failed at. Each lesson holds enormous value, regardless of whether it's a study of a success or of a failure: you're focused on studying somebody's attempt and then deciding how you can put that knowledge to use in your particular real-life scenario.
Recommended technical training for Cloud Security Engineering and Architecture
When it comes to the cloud, I'm really a fan of vendor-specific training and certification, because due to the complexity of each of those environments, generic training just doesn't cut it. Vendor-specific training made it much easier for me to navigate the piles of knowledge I had collected along the way while playing with various environments on different projects, and it helped me put a solid structure around the knowledge I had gathered from reading blog posts, articles, podcasts, and whatnot.
All of the leading cloud service providers - Google, AWS, and Azure - have fantastic training and certifications that prepare you for the hard scenarios you'll face in real life. I'd say that before the training I'm about to mention, I used to merely cope with security in the cloud, and each subsequent training made me feel like I was thriving in those environments rather than fighting every day, stressing about every little thing and dreading the unknown. After a few years of average-quality experience playing with various cloud environments, I took enormous value from the following training, which I've completed over the years:
Google Cloud Platform (GCP):
- Google Cloud Professional Cloud Architect
- Google Cloud Associate Cloud Engineer
- Google Cloud Professional Cloud Developer
- Google Cloud Professional Cloud Security Engineer
Amazon Web Services (AWS):
AWS has a few tiers depending on your experience, so I've always tried to opt for the Professional level, as it goes much deeper, and for a security professional who doesn't like getting unpleasantly surprised it's excellent because it provides more depth on many critical components.
- AWS Certified Cloud Practitioner
- AWS Certified Solutions Architect
- AWS Certified DevOps Engineer
- AWS Certified Security Specialty
I haven't participated in any big projects related to Azure, so just to have some overview of the platform I took the following courses:
- Microsoft Azure Security Technologies
- Microsoft Azure Architect
And when it comes to really generic training or certifications, I enrolled in a course preparing for ISC2's Certified Cloud Security Professional certification, which was nice, but I probably should have done it years ago to really benefit from it.
Note that I haven't gotten around to going after the actual corresponding certifications after completing the courses/training, because to me the paper isn't worth spending $500 each and stressing about my score. It's just my personal decision, and I've never been interested in spending money on things that don't directly improve my working knowledge, but that doesn't mean you shouldn't do it. If you want to spend the money, or you have the company covering your training + certification costs, then by all means go for it, because for some employers it matters and some folks enjoy passing the exam.
During my whole formal and informal education I was never excited about passing exams. I guess it's just my nature, because I'm always looking at the next thing I'm going to do after finishing something, and I'm more excited about getting myself into the next course and using my money to grow, and through my professional growth being able to bring more value to the company I work for.
The cost vs. benefit ratio never made sense to me, but I wanted to write this paragraph to let you know that it's not necessary, but if you want to, go for it. Still, this is just the opinion of a guy who's pretty conservative when it comes to spending money.
At the end of the day, security architect is a role where you don't just build secure software or secure infrastructure. Your focus is on building a secure company/securing your business, which is where a big-picture perspective pays off, so while I focused here on cloud environments, I think you should really try to make yourself familiar with as many building blocks of your company as possible. Obviously you need to assess what's beneficial and what isn't, and what sacrifices you're willing to make, but I've never seen anyone's career hindered by knowing too much.
Even though I started working in the role of a security architect over 4 years ago, I've spent all that time focused on becoming: becoming better at being a security architect, because getting into that position is just a test of the basic abilities required to get the opportunity to start the journey of becoming a good Security Architect.
To sum it up, if someone is wondering what to do to become better, I think the training/certs listed above are a fine way to go about it. I'm not saying it's the best or the only way to do it, but if you have no idea where to go next - which was the case for me for way too long - then it's better to pick any of those and do something. It's always better to do something than nothing.
I hope this is at least a somewhat useful piece of advice.
All the best,