Hey friends,
Let me start out by saying I love the community and really appreciate all the work and content that everyone provides in the CSOH calls.
For some background, I have about 4-5 years total experience in IT, mostly in infrastructure engineering with a focus on windows, cisco, and azure. I am currently in a security engineering position at a startup MSSP, currently been here 6 months. I mainly deal directly with client IT teams and assist in implementation and administration of tools such as EDR, Vuln Management, SIEM, and NDR.
At the time I took this job, I had the choice of taking a role in either cloud engineering or security. I’m interested in utilizing my background in cloud and current role in security to propel myself towards cloud security, hence my being in this community. I’m really interested in some pointers in ways to upskill myself in order to get there. I’m currently working on finishing up my bachelors at WGU and should be done in about a year, at which point I’d like to be in a good spot to be looking at cloud security roles. Is that too aggressive of a timeline?
Here’s a list of things I’m currently working on studying, or will be studying due to school:
-Linux - can always use more of this. I can stumble my way through, but I’m working on teaching myself more.
-AWS - will be taking the CCP and plan on taking the SAA next year. Would also be interested in taking the Security Specialty cert.
-CCSP - I know there are some questions to the validity of this cert, but I’ll be taking a prep class for this at WGU and get a voucher for it, so might as well.
-Python - Dabbled in the past, will be taking more classes and looking to hone this skill.
Here’s a list of things that I have questions on and how important they might be:
-Kubernetes?
-Terraform?
-DevSecOps vs Cloud Security? It seems like there is a lot of overlap here. Is there a hard line in the sand or is it very much blurred?
Obviously these are a lot of topics and I don’t want to information/activity overload myself between work, school, additional study, and personal health and hobbies. I suppose I’m just looking for some feedback on how realistic getting a thorough enough understanding of required topics in order to break into this space would be in a year’s time, or if there are concepts I’m missing that should be added to the list.
Thanks a ton, appreciate you all!
I’m biased – I worked on Twistlock and StackRox so k8s security is deeply tied to cloud-native security in my head. Trying to work around my bias, what I would say is that there aren’t a ton of security engineers who understand containerization, Kubernetes, and everything that goes with it (including, to take on your third question along with the first, DevOps & DevSecOps). If you find this area interesting, I suspect these will be valuable things to know.
It might be my bias talking again. For most security engineers, I suspect understanding the cloud resources that are being managed by Terraform is more important than knowing Terraform deeply. I would (and have) learned enough Terraform that I can read other peoples’ work but not necessarily build a ton on my own without repeatedly searching StackOverflow.
Thanks for the reply, Neil, really appreciate your insight.
It would seem that while these would be useful topics to learn, these generally aren’t necessary functions for a cloud security role to be deeply knowledgeable on. For now I’ll continue down my roadmap with AWS and see where that takes me.
Thanks again!