
Starting your career in cloud security

BSides Buffalo · 2024 · 41:14 · 45 views · Published 2024-06
Speakers: Natalia Semenova
Tags
Category: Career
Difficulty: Intro
Style: Talk
About this talk
This talk covers the essentials of launching a career in cloud security. We discuss different possible career paths, including the latest job market trends, and briefly touch on some differences in key concepts between cloud and on-premises environments (such as encryption, access controls, and compliance). Bonus materials include recommendations for (free) training and an overview of beginner-level cloud certifications.

About the speaker
Natalia Semenova has more than 15 years of experience in cybersecurity, and over 8 years in cloud security. She has worked for companies such as Microsoft, Deloitte, Google and NVIDIA in Europe, the Middle East, Canada and the USA. She has progressed her career from IDM developer to providing consulting, architecture and trusted advisor services. Natalia has participated in several mentorship programs as a mentor and co-authored cloud security trainings on Coursera and the ISC2 Continuing Education platform.
Transcript [en]

[Introducer] Natalia is a cloud security architect; she specializes in AWS, Azure, GCP, OCI, basically all the cloud platforms. This talk covers the essentials of launching a career in cloud security. We're going to discuss the different possible career paths, including the latest job market trends, and briefly touch on some differences in key concepts between cloud and on-premise solutions, so that includes encryption, access controls, compliance. There are some bonus materials too, which are recommendations for free training and an overview of beginner-level cloud certifications. All right, and with that I'll turn it over to Natalia. Thank you.

[Natalia] Yes, thank you. There was already an introduction, and I know many of you have probably attended another session with a very similar name at 10, maybe. Who has attended the... no, at 9, right? There was a session about careers, so who has attended it? Okay, so I will try not to repeat that much.

Let's start with an introduction. I was born and raised in Finland, and after graduation from school I studied at a university in Germany and got my PhD in mathematics. After this I returned to Finland and worked in the cyber security research division of Nokia until it was acquired by Microsoft, and after this I started working in cyber security consulting. So I worked with clients, not in-house: I worked for Deloitte, later I worked for Microsoft, also in consulting, as a cyber security incident responder. Then I moved to Canada, where I am residing right now. Anybody from across the ditch here, came from Canada? Oh, okay. So we do have cyber security in Canada as well, just in case. I worked as a cloud security architect at Mercedes, I got some exposure to cloud security consulting in Google, and currently I work for NVIDIA as a security architect. So that's my path; you can see I have experienced different aspects of a cyber security career.

But the important part is: do not look too much at me, because I started my journey almost 20 years ago. I'm that old. Back when I started, nobody even asked for CISSP or some other four or five letters like OSCP, whatever. Azure didn't exist. Right now you have to get some fancy ISC2 certificate out of the box, even for an entry-level position. But not everything is bad, so do not get that easily discouraged, because more businesses right now recognize the need for dedicated security staff. Before it was like: you are an admin, you are help desk, you are a network engineer, and somewhere on the side you can also do some security if you like. Then, because there are more specialists in cyber security, you can get some mentorship, advice, guidance more easily, because back in my days I wouldn't go to Bruce Schneier and ask, "Bruce, can you please tell me how do I work with all this?" Probably not. So now it's easier, thanks to LinkedIn and communities and the amount of free training available.

So what is that about, starting a career in cyber security? You need some kind of a plan. Maybe it will look like this picture, but anyways, some kind of plan. First of all you need to select which area of cyber security you want to work in, because it's not a single specialty but rather dozens of different professions. Once you have selected, you can get some training, and, importantly, you can also get a job, because that is why you have started it in the first place. You build relationships with your peers, colleagues, managers, then you're getting noticed and recognized, and finally you get a fancier job or maybe go solopreneur, whatever is closer to you.

So how do you start? I don't have such a fancy matrix of certifications like the first presenter; I've got a simpler table. You can see that in a nutshell all the jobs in cyber can be divided into three categories: there are technical, there are non-technical, which are mostly legal, I would say mostly legal and compliance, auditors, working with government and so on, and then finally there are academic. That is how I started: when I was working as a mathematician I taught mathematics and I had a specialty in cryptography, and I moved from the academic, the very far right column, to the technical. Or maybe now I'm a little bit in the middle, like security consultants and architects; I place them specifically here between the two pillars. You can see that there are many entry points to cyber security. Everything that is marked by a green check mark can be attempted by somebody with, let's say, a general interest in cyber security and who is willing to do at least some free training.

So the key here is that you must be willing to train, and you always need to understand that it's not always about how, so not the amount of information you can put in your head in a certain period of time, but also about why. I've been a hiring manager for Mercedes and I've been interviewing people at Microsoft and Google, and sometimes you interview some intern and you ask, "Why do you want to work in cyber security?" and sometimes they cannot even answer. Sometimes people tell you, "Hey, but I watched this hacker movie and it looks cool and I also want that." But it's not about this. It's quite boring, and there are good days and bad days. Sometimes you feel like, hey, when everything is working nobody knows I exist; something doesn't work, we have a breach, next day you have this breach in all the newspapers and you are to blame. So they only come for you when they want to say something bad about you, except for days like today when I'm surrounded by peers and I can relax. So today is a good day.

Entry-level salaries: if we speak about really entry-level positions, they are unfortunately not very well paid, especially the cyber security analysts of the first level, but we will come back to this salary comparison. And yes, because there is a lot of work to do: imagine you are one cyber security professional and there is some indefinite amount of hackers that want to hack the system, and because they are all around the globe they never sleep, and you have to sleep. If you don't sleep you go to burnout, so you should always remember this.

So, getting back: I have selected some amount of entry-level positions with pros and cons for each. Of course, it's my opinion; if you have a different opinion, comment, we can discuss it afterwards.

Let's start with the penetration tester, because when people talk about cyber security they imagine that kind of a hacker that breaks into things, for good or bad, but we will be speaking about lawful hackers, so-called white hats, or blue teamers. There is plenty of training available; most of it was already mentioned today in the morning, like TryHackMe, Hack The Box. For certain tools you have tool-specific training, like Burp Suite. Then you have certification: there are some cheaper certificates and there are very expensive certificates like SANS. I do not have any SANS certificate because the training and certificate is over $10,000, so unless some company pays for me, I'm not going there. So this is a fancy profession, but everything that's related to this is very competitive, so unless you are really good at learning, with a really good technical basis, most probably you would be stuck in this very lower sector for a long time. That is something you have to understand. But the good thing, at least for me, is that this profession requires the least amount of social skills, apart from social engineering. You don't have to go and talk with the customers every day; there is usually some kind of manager that handles it for you. So if you don't like spending your time with people every day, that is probably something for you.

Then there is another profession, security analyst, which is sometimes referred to as SecOps, security operations, or some people say it's OpSec, operational security. That is somebody at level one who watches over the logs, or some kind of aggregation of system logs, and tries to understand if there is something malicious going on. If something malicious is going on, then most level one people just forward it to the next level for more detailed investigation, and that's your career ladder: you get from level one up to level three or four. Depending on the size of the company you can have multiple layers of security analysts. As I already mentioned, the entry-level salary here may be very low, so sometimes you wonder, "I could be flipping burgers for that price," but the good thing is that you can relatively quickly move one or two levels up, and then it becomes more competitive. Another thing is, when you attend any security conference that deals with business, almost every company now offers something AI, AI that replaces the level one SOC analysts, with different degrees of success. So now it's the same as with junior developers: you have some AI that is able to browse through logs really quickly and try to find some incident there, so you must be ready to prove your value, that you're actually better than this. And yes, for this specialty there is lots of free training available, sometimes you can work remotely, and for the very entry level you need to learn significantly less than for penetration tester.

So that is the profession I'm very familiar with: I have been working as a security consultant for many years, just security consultant or cloud. You do not work for just one company; you go to the customers and you're trying to fix their problems, and you have very limited time. The bad thing about this is that, yes, the time is limited, so you come to the customer, you try to recommend them to do something, but you cannot control it. You go away from the customer, and after one year you see they were breached because they didn't implement what you were recommending. So if you are a result-oriented person, it can be dissatisfying at some point. It requires lots and lots and lots of soft skills: you need to identify key stakeholders, you need to convince them to do your recommendations, so I would say it's like 50/50, 50 technical, 50 soft skills, unlike the first two, the SOC analyst and the penetration testing. But it has its own benefits: usually consultants are significantly better paid than pure technical people, usually you don't have to pick up so many tech skills at the very beginning, and also you have possibilities to develop your career into more managerial positions, so even less tech. And you can become self-employed: if you already know the customers, you can just work for them on a contract without this middle layer of some consulting company.

And finally we have a cloud security engineer, which is sometimes referred to as DevSecOps specialist or application security specialist. This is a more technical version of security consultant, and usually security engineers come not from zero but rather from either developers or operations engineers, so those who know how to run Kubernetes, those who know how to run those developer tools. So I would say it's not exactly entry level, a little bit harder, but borderline entry level. This profession is also usually a bit better paid because it is more specialized. Another bonus from it is that the hot topic of machine learning, AI and so on really depends on security, so on this DevSecOps basically, because a machine learning algorithm is an algorithm, so it's something that's being developed. Add on to this the skills of data management and you are this fancy MLOps, which gets paid very well, and with two, three years of experience you will be right now just fine, and not that much competition.

So the question is more rhetorical: to cloud or not to cloud. For most of those professions that are mentioned, it is strongly recommended to learn some cloud. If you're entry level, do not try to learn all the clouds at once; you will just get stuck and overwhelmed. My recommendation is to select one of the major providers, so anything out of them goes. The difference that I have noticed, as somebody who has certifications from all three and on top of this also an Oracle certification: Azure gives you the opportunity to get free entry-level cloud certifications quite often. I would say maybe every quarter there is some campaign where you complete some lab challenge, a set of lab challenges, and then you are getting an exam. Limitation: you cannot pass more than one exam every six months, but over the year you can accumulate lots of certificates, and the good thing is that recertification is every two years and it's for free, so you don't have to do anything. For AWS it's not that simple: they almost never offer you anything for free, they give you a 50% discount most of the time. The training is also for free, but once you're certified, again every two years you have to renew it and you have to pay again, so it's a little bit expensive to maintain. And finally Google, which is now running up to the big two providers, also quite rarely gives you those free training opportunities, but the good thing is that you get an immense amount of swag for every professional certification. You get your certificate, and in a couple of weeks you get that kind of box with whatever clothing; I think there are even hammocks, whatsoever. So usually for starters I would recommend Azure or AWS, as it's right now more in demand.

So that's for the, let's say, technical part, and now, as you're progressing on your career journey, it's important to start right, so not only what you are doing for your career but how. First of all, do not get discouraged, because at the beginning of your journey it's very easy to get discouraged, because you are seeing all those posts on LinkedIn. Like in the morning there was this post: "Hey, I have had 21 interviews in seven weeks and I got an offer." Well, I mean, maybe. You can also write such things on LinkedIn, but who can prove it? Sometimes you get your interviews, sometimes you don't, sometimes you have to reiterate your CV for I don't know, two months, three months, sometimes six months. Sometimes you need to come back over and over again to select maybe a little bit different path. So you started in consulting, you realized that consulting is not your sweet spot, maybe you want to go more technical, maybe you want to go less technical; there is nothing to be ashamed of. Do not automatically label yourself as a failure just because the first path you selected turned out to be not for you, just not for you. There are still a dozen other paths. Essential is to find some kind of a support group, so it can be, let's say, Women in Cyber or some kind of community in cyber, and essential is also to find some mentor or somebody who can advise you.

Okay, I switch to slides. About the mentor: first of all, there are lots of free mentorship programs available. The drawback of those that I got experience with is that the mentor cannot select their mentees and mentees cannot select their mentors, so you get those random assignments, and sometimes you realize that you are just on a different career trajectory, so it's not that much that you can advise this person. And switching mentors in the middle of a mentorship program is also not the best idea, I would say. An alternative to this would be to find your individual mentor. You can ask nicely, let's say on LinkedIn, but be proactive, and if you have something particular to ask from your mentor, ask a particular question, not like "Can you please be my mentor?", because I'm getting lots of those messages on LinkedIn and I'm like, "But what do you want from me in particular? I don't know." So yeah, and if you get some kind of internship and get some help from colleagues in terms of mentorship, that would be ideal.

Sorry. About training: I already said lots of training is available. If you got a mentor, just tell them, maybe you need some help with selecting proper training; they can see your weak sides and strong sides and they maybe can advise you. If you don't find a mentor, at least join some meetups, local cyber security chapters; even my local Toronto library runs some cyber security groups, so you can even join this. And also, if you are prone to some kind of procrastination and postponing everything, I think that a mutual buddy check-up system is very valuable, so you are responsible for checking on your buddy how the training is going, and they are responsible for you.

And almost the last thing: getting noticed. At the same time when you start your career, and often already in high school, start taking care of your LinkedIn page, because right now I would say there is very little alternative to promoting yourself as a professional other than LinkedIn. Even if you have a personal blog, you need to attract visitors there somehow, but on LinkedIn you are there; you can write something on your blog and you can just post those articles and link, and you get some visitors. So take care, keep it up to date, connect to the relevant people you meet at the conferences, engage in some respectful, meaningful discussions. If you get some certifications, add them, because it increases your chances to be noticed by the recruiters or maybe even hiring managers. Most of my latest positions I got through networking, I didn't apply, so either through LinkedIn or through personal connections. So this is important: make sure that the job finds you and you don't have to run and search for the job. And hopefully with this you will be able to get your first job.

An important thing here is that when you're starting with a job, if you have some issues, do not be shy to raise them with your manager. If you feel like you need accommodations, don't be shy to ask for it, because we are all different people: some of us are so-called neurotypical, others are neurodivergent, some need headphones to isolate themselves, or completely quiet rooms, and if you believe that will help your productivity, just don't be shy, ask for it. Don't wait until management will just raise the question why you are so unproductive; you don't want to wait for it.

And okay, the last point. As I said, your goal is to develop yourself into this nice master from the baby Yoda, so if you don't take care, if you don't protect yourself from burnout, from overworking, you would rather become one of those guys, and you don't want that, because nobody likes them and nobody wants to work with them, and that will stagnate your career in the end. So take care of yourself: get enough sleep, take care what you eat, and don't be afraid to say no if your workload becomes really unmanageable. And the already mentioned imposter syndrome: after all, it's a good thing if you limit it, because it stimulates you to learn, but don't let it eat you. So I guess that is what I wanted to say. Do you have any questions for me about anything?

[Audience] Are there any specific ones you would recommend starting out with, like for IT, Azure or AWS?

[Natalia] Azure has lots of starter-level certifications. The absolute beginner is the 900 series, so I think Azure Security Fundamentals or Azure Fundamentals; you can start with those. It's relatively easy to get the certification voucher for free; you just need to monitor. Sometimes Microsoft gives vouchers as a part of online Microsoft Build, or some kind of cloud challenges, I think it's called Azure Cloud Challenge: you have like 30 days to complete something and then you get the voucher code by post. So start from this beginning, and sometimes there are more advanced certifications like 200 or 300 on giveaway, but it's relatively rare. So if there are some people on LinkedIn who are reposting this, sometimes you are lucky to see it in your news feed, or just keep in contact with your local Azure user group or whatever it's now called, some Microsoft lab, to get them. With AWS, as I said, it's a bit more complicated, so maybe you want to invest a couple of hundred dollars in it if you want to select AWS, but once you're getting the first certification from AWS, you're getting every subsequent one with a 50% discount if your certification is active. But also AWS doesn't have this granularity: for Azure you have like identity and access management certified, you have security analyst specified, you have some DevSecOps certified; for AWS you have AWS Practitioner, AWS Architect, AWS Security, so that's it, so it's like broad coverage. So maybe if you want to have this broad coverage you go with AWS and get the Security. Did I answer your question?

[Audience] Pretty much. I wasn't sure, like, I forget what the AWS levels were, and I thought Microsoft kind of did with their certification like what certifications to get. I mean, I thought they had the 900 and then they had a couple of levels and then they kind of split, and then there's Cloud Practitioner...

[Natalia] Yes, Practitioner, then Architect, and then you have this Security or DevOps specialization. So it's less granular compared to Azure, but Azure is good when you want to work in, like, identity and access management, let's say. AWS is better when you want to work with developers, so closer to DevSecOps, from my experience. Yeah, you had a question?

[Audience] Just real quickly, I know that a lot of people, especially where you tend to try to do as much as possible so that they can kind of jump in or get promoted, move along. How do you think, or how would you recommend, that practitioners could avoid burnout, minimize burnout or potential burnout?

[Natalia] I would say regulate your workload, so set realistic goals. Over time you know that this task takes you approximately that time. It's a bit hard to get when you are at the beginning of your career, so that's why this mentorship is important, but then you already know. And always remember that health and mental well-being is something that's your basis, because if you lose it then you will eventually damage your career, so you have to take care of it. And sometimes it's necessary to change a job because the manager is just taking care of deadlines; unfortunately it is so. So don't let this imposter syndrome tell you that you have to work 48 hours a day.

[Audience] I was going to ask, how do you find a mentor anywhere? Like, just search for any random security person in a company?

[Natalia] I would say random, no, but if you're already working and you want to switch to cyber, you may find somebody from the cyber security team, especially if you are working in parallel. Let's say you are a developer and there is a security team, and you say, "Hey, what about we launch some security champion for our DevOps? I'm volunteering." Okay, yeah. Usually the people are quite helpful in most of the companies, and they may provide you some resources and some advice. Another thing is when you are not employed, you're a student, then you're trying to join some chapters like OWASP chapters, events like this, BSides, which are also open for people with all backgrounds, and then you get your connections and you see who is there. It's important that the mentor should stand not like five steps of career above you, because for me sometimes people come and ask and I understand I don't perceive their reality in the same way, so I have to go to somebody who I already mentored and who is now employed and ask them to mentor this other person, because they are fresher, so they are standing one or two steps above the mentee.

[Audience] What's your opinion on how long you should stay at a job so you don't look like a job hopper?

[Natalia] It really depends, because there are things like layoffs, we all know, there are things like just toxic management. I would say if you realize that your management is absolutely hopeless and just micromanaging you, it's better to go sooner than later. If your concerns are mostly about, let's say, salary or something, then it is negotiable in most cases. But usually nobody looks when you change job every maybe two to three years; that is considered quite normal in IT and in cyber security as well.

[Audience] I just want to add a couple of comments that I think tie into the rest of this as well, because I've hired a bunch of junior-level people relatively recently, and I'll tell the couple of things that I've looked at: it's your learning style, know how you best process information, and know what you're interested in, because a lot of these technologies are changing so quickly that finding an expert in this is next to impossible. So what we're looking for is people who are self-motivated, who know how to learn, that we can either teach or train. So rather than focusing on these specific technologies, figure out yourself how you best learn and what is of interest to you, because the worst thing possible is for someone to say, like, "Oh, I want you to learn endpoint," and you being like, "I hate this, this is miserable." So find the things that you don't like, find things that are more interesting to you, find things that speak to you, and be open to those opportunities, because you never know where that's going to end up taking you. So that would be what I look for when I'm looking for junior-level people: people who know what they're interested in, even if they don't know exactly what it is, but if you can tell me some ideas of what you're interested in and how you learn so that I can help you grow, those are the type of people I'm looking to hire.

[Natalia] Yes, and also I would notice that some people are better at answering those interview questions and some people are not very good at speaking, so if you see that the person is struggling, as a hiring manager I usually try an alternative approach: I may ask if they have some kind of home lab; maybe they don't speak much but they can just show me something. In this situation I ended up hiring very good people who brought great value to the company, even though as interviewees they were not able to answer almost any question because they were so anxious or I don't know, but they turned out to be great specialists. It would be a shame for me as a hiring manager if I wasn't adaptable and said, "Hey, this one is not talkable, just next please."

[Audience] In your slides it was mentioned that AI is affecting the security analyst role. Is it affecting other roles as well? Have you seen this happening in the industry nowadays, that AI is affecting them, and if it is, then does it make sense to get into generative AI or AI in cyber security?

[Natalia] So, all the time, the double-edged sword. AI helps to automate lots of tasks; for example, this CTF that is going on, I was able to answer at least five of its questions using AI, just in two seconds. So in that sense, yes, it goes after entry-level specialists, but on the other hand it creates lots of trouble and requires cyber security specialist oversight: starting from people posting some confidential company data in ChatGPT, which is very hard to prevent, and ending with some developers using this Copilot to develop code and introducing very banal vulnerabilities, in a way that another AI scanner is not detecting them. So you really have to have this human supervision; you have to understand the weaknesses and the strengths of AI. So I would say right now my advice is: do not put too much effort into learning some routine operations or into memorizing too much stuff. Some exams like CISSP or even these ones in cyber security require you to memorize all the ports, like port 80 HTTP, then 443 HTTPS; you don't need it anymore, AI will take care. So there are still lots of opportunities, I would say, so never give up.

[Audience] One more question. If we have to get into cloud security and we are new to cloud as well, should we first get the practical knowledge of cloud and then get into cloud security? Like, should we go through two steps and then jump to cloud security, like do some project in cloud practically and then get some certification in cloud security, or how?

[Natalia] I would say yes: first you learn the object that you are going to secure, and then you learn how to secure it, so if you don't know what you are securing... Pick some random problem, and then there are lots of those free labs on Microsoft, on Google, on AWS, where they provide you this free tier access to the cloud. Most of them now require credit card details, but they do not bill you, so you're on the free tier and you can just build some app or something. There are step-by-step labs, and then you should be good.

Well, thank you so much. [Applause]