First CCSP delivery, and some thoughts on oldskool and newskool IT thinking

A few weeks ago I ran my first CCSP training session (I had delivered more than 40 CCSK sessions before this). As of this writing, the attendees still have to sit the exam; apparently the exam slots are booked a few weeks in advance.

This was an in-company training with a pretty advanced group: information security consultants and a few of their clients, all of whom had experience as cloud consumers as well as on the cloud provider side. Half the group had already done CCSK.

The location was equally inspiring. Central London, with a great barista around the corner, which we therefore frequented multiple times a day for the entire week.

The good news on cloud security is: it is interesting, dynamic, relevant and worthwhile stuff.

The bad news is: it is more complicated than you think.

The CCSP body of knowledge is significantly more elaborate than the CCSK one. And while the book is pretty reasonable, it does have its limitations.

We mused quite a bit about the adoption of cloud computing. Like any disruptive innovation, cloud computing is going to take 10-15 years to grow from zero to saturation. According to my guess, we are in year 3 or 4 of enterprise adoption, with 2021 or so as the target date for near complete adoption.

What we saw in the discussions was a lot of talk on ‘oldskool’ thinking versus ‘newskool’ thinking. Cloud brings a new thinking model, and in cloud security we see the biggest failures when oldskool controls are applied to newskool architectures.

Examples: the physical location of data or systems no longer implies control over them, and the uptime of a server no longer implies the uptime of the application running on it.

It was really interesting to tear apart these assumptions and see which will carry over to the new world. The dangers of mixing these modes of thinking can go many ways: you either protect too much, protect the wrong way, or do not protect at all.

The consequence of this is that in our training we really want to pay attention to the hidden assumptions of these two schools of thinking.

The CCSP body of knowledge itself is a product of its times: it is a peculiar mix of oldskool and newskool thinking, and mostly not very explicit about that. It also does not elaborate much on how ‘newskool’ thinking should be applied to create business benefits while avoiding the new risks.

But we should not confuse the messenger for the news. The text is just the messenger, cloud is the real news.

I am looking forward to the next CCSP training session. What about letting me be your guide for one in your company? Drop me a line.

Just did the CCSP exam

(update: I passed! Click here for in-company CCSP training)

Yesterday I took the CCSP exam. Certified Cloud Security Professional is the new certification launched by ISC2, and is supposed to be complementary to CCSK. I must have been one of the first, as it only opened last Tuesday. I think I did pretty well, but my results won’t be available for the next couple of weeks. This appears to be the normal situation with a new exam.

My overall impression is that the exam covers the field of cloud computing and cloud security pretty broadly with significant detail, though little attention is given to cloud applications such as Big Data and DevOps. The questions are clear, by and large, and mostly relevant to cloud computing. I have seen other so-called cloud exams that are more like classical technical IT security exams.

I know how hard it is to make good questions, as I do that for the CCSK trainings I deliver, and this set of questions is pretty decent. Of course, there are some questions that have weird language, and I filed an incident report against them.

At 125 questions this is a significant exam. I took a bit more than an hour to answer them all and spent the rest of two hours reviewing my answers. You are allowed 4 hours in total.

I still think CCSK is a good basis for working your way to CCSP, as CCSP is more extensive in coverage. It is also a more formal exam that you have to take in a controlled testing center. In contrast, CCSK is an open-book online exam. That does not make it easier, though, as witnessed by the fact that students fail it regularly.

CCSP has 6 domains that cover cloud computing and its risks. Unsurprisingly, the first domain is about cloud architectural concepts and their impact on risk. The second is about data security, arguably the pivotal dimension in cloud computing. The third domain elaborates on the cloud infrastructure stack, which covers business continuity as well. The fourth domain covers application security and identity management, while the fifth domain is about operations in a cloud world. Finally, the last domain is about legal and compliance issues.

CCSP training is designed as a 5-day course, but I currently think that whether this works depends heavily on the background of the attendees. I am not sure if this format is a good way to study for CCSP. In any case there is also a lot of reading to be done.

Post Scriptum. I now also deliver CCSP courses that train you for the exam. Here is what one of my clients wrote:

Tony Richards, CTO, Securestorm, London UK:

“The training was well paced and covered all the topics. Peter is a knowledgeable and interesting trainer who used his extensive experience with excellent effect. He guided us into very productive group discussions so that we could link what we learned to our work experiences.

As a result our entire team has been able to pass the CCSP exam.”

New cloud security certification CCSP to complement CCSK

Cloud security certification is getting a new dimension.

In 2015 the Cloud Security Alliance and (ISC)2 announced a new cloud security certification: Certified Cloud Security Professional or CCSP for short.

Read the official announcement here and here.

CCSP is supposed to be a more extensive certification than CCSK, with a more formal exam and a requirement of 5 years of experience in IT, at least three of which must have been spent in security, and at least one year in cloud computing.

While (ISC)2 (who also run CISSP, arguably the most relevant IT security certification) coming to the game underlines the relevance and maturity of cloud security, it leaves some questions for people who either have or are pursuing CCSK certification.

The important question is: what is the relevance now of CCSK?

Rest assured that this has my interest as well, as CCSK training is a significant part of my business. That is why I contacted Jim Reavis directly, whom I have met a number of times in person. His answers are reflected in the FAQ on CCSP that you can find on the (ISC)2 website.

Here is a quote from that FAQ:

“The typical cloud security professional will likely achieve the CCSK first, and then the CCSP credential. Attainment of the CCSK also can be substituted for the one year of cloud security experience”

Other text in that FAQ document suggests that CCSK can be seen as somewhat of a broad base, on top of which CCSP is built as a deeper and more focused certification.

So if you are currently thinking of getting CCSK, is this a moment to reconsider? It does make sense to evaluate your options: if you spend time on a certification, you might as well spend it wisely.