Cloud computing, in its relative infancy, has become ubiquitous in nearly every industry. By some estimates, over 90% of all companies in the world are leveraging some form of cloud computing to deliver products and services. Yet, securing cloud resources has been slow to keep up with demand for the services themselves. Unfortunately, one of the key characteristics—and benefits—of the cloud is also a serious vulnerability. Broad network access provides users, developers and administrators easy, universal access to cloud services, but it also opens cloud services to substantial threat. According to the SANS Institute, 31% of organizations experienced a significant increase in unauthorized access by outsiders into cloud environments and/or assets in 2019. That is up from 19% in 2017. We’ve seen growing interest in the (ISC)² CCSP Certification, and for good reason.
With the increase in overall adoption, it is clear that cloud security is a major concern for most organizations. And while traditional security controls are in regular use throughout the cloud, there are challenges that are unique to the cloud that must be addressed by an already undermanned security force.
This article is meant to provide an overview of the CCSP certification, exam, and requirements, as well as to discuss who should obtain this highly respected credential.
A Brief History of the CCSP Certification
In 2015, (ISC)² and the Cloud Security Alliance (CSA) introduced the Certified Cloud Security Professional (CCSP) certification. It was designed as a complement to the flagship CISSP credential, building on the broad, deep knowledge and experience of that certification path, while addressing the need for cloud security professionals to have their field-specific skills and experience recognized. Since then, it has become one of the most well-known and respected vendor-neutral certifications in cloud security.
Earning the CCSP Certification
As with all credentials in IT, there is an exam. You will be given 3 hours to complete 125 multiple-choice questions. 25 of these are what (ISC)² calls ‘pre-test’ questions, meaning they are not scored. Of course, these will not be called out for you during the test. They’re included in the exam to help examiners evaluate new questions for inclusion in future exams. A score of 700/1000 is required to pass. (ISC)² scales its scores, converting the raw score against this scale to maintain consistency across various exam forms. Thus, 700 isn’t exactly 70%. Rather, it is a normalized representation of performance based on question difficulty. As with many security certifications, the exam is only the first step to gaining the credential. You must also provide evidence of a minimum of five (5) years of IT experience, of which three (3) years must be in information security, and at least one (1) year in one of the six (6) domains in the Common Body of Knowledge (CBK), listed in the table below.
The 2019 CCSP Course and Exam Update
The CCSP exam was updated in August 2019, and it is important to recognize the changes as they have an impact on how to prepare. Most notably, the exam length was reduced from 4 hours to 3 hours. There was no change in the number of questions, unfortunately, so it is a bit more challenging from a time perspective. There were also some changes made to the domains themselves to accommodate new and changing technologies and techniques. Below is a table of the CCSP domains, along with their relative proportion of the overall exam:
(ISC)² emphasizes that the exam tests both knowledge and experience, and many questions cannot be answered based on study alone. It is critical that you have the necessary experience in these domains in order to successfully navigate the exam.
CCSP Course and Exam Audience
The CCSP is intended for experienced cloud security professionals looking to validate their knowledge and background. As you can see from the domains, there are technical and non-technical elements that are examined. CCSP is considered a top-tier certification by most in the industry, so it will usually attract security engineers and architects, as well as security managers and officers.
As mentioned earlier, this exam and certification are complementary to the CISSP. Many professionals who pursue this credential likely already hold the CISSP. Much of the material covered in the CCSP is “traditional” security knowledge, applicable to both cloud and non-cloud architectures and environments.
CCSP Training vs. Self-Study
As with any certification, you must decide whether formal CCSP training or self-study is the right path. And while I am almost certainly biased, I do believe, objectively, that advanced certifications in information security should include a training component. This is because these certifications are not just a list of definitions, ports, and attack types to memorize. The exam is a serious deep-dive into highly conceptual subjects in cloud security. Going it alone is possible, make no mistake. (ISC)² will happily sell you their study guide and wish you the best of luck. But there is no substitute for collaborative discussion and learning. Both in-person and virtual training options are available, and you will be studying with both industry peers and experts in the field. And your instructor will have “been there, done that” where the exam is concerned. That kind of experience is invaluable.
Last Words on the CCSP
The CCSP credential has emerged as an industry standard for advanced cloud security practitioners looking to validate their skills and enhance their careers. This is not a beginner’s certification. You must demonstrate years of experience and deep understanding of the domains presented in the CBK. If this sounds like something that could elevate your career, then this may be the credential for you.