Learning to Secure Cloud Adoption, is this about you?

If you are interested in improving the skills you have for leading your company’s secure cloud adoption, read on. And maybe you are also interested in leading your team in this role. In any case, I need your feedback.

Is this you?

About you

Many people that come to my cloud training are involved in assessing the security of cloud solutions. Not a lot of them are actually involved in designing cloud solutions, although some of them get to design the security controls.

The most quoted job role is ‘security consultant’, followed by ‘security manager’, ‘auditor’, and many job roles with the word ‘risk’ in them. Together they cover three-quarters of my attendance. And the list of tasks is topped by ‘Assess/validate cloud and IT solutions’ and many variations of it.

I can only guess that I don’t see that many IT architects because they tend to focus on vendor-specific content and training.

Anyway: is this you?

And then, what does it take to ‘assess or validate cloud solutions’ at scale and with efficiency? We know you need some basic understanding of cloud and security, but that is only the start of the journey.

Where are we going?

I have been trying to get adequate focus on secure cloud adoption training for a long time. The basics, the fundamentals, are easy to pinpoint. The Cloud Security Alliance has done a great job developing the Certificate of Cloud Security Knowledge (CCSK). And I am proud to be one of the most prolific trainers for that world-wide.

But CCSK is only a three day ‘introductory’ training. How can we help people beyond that? Almost everybody says that CCSK is only scratching the surface. So, what is next? I have sent out many questions and suggestions, received a lot of input, but the big one thing that everybody seems to want is elusive.

Your learning story is NOT how to pass CCSK or understand the body of knowledge. At least, not just that. But what is your learning story?

I want to know about that. The development of the university cloud curriculum I direct depend on it. My independent cloud training business depends on it. I need to understand what will help people be more professional in secure cloud adoption.

Not just more knowledge

In any case, I remain convinced that the answer is not in piling up more knowledge. More knowledge is part of the solution, but not the essential part. And there is so much knowledge already. The Cloud Security Alliance alone has published over 100 research artifacts. Cloud providers produce even more content.

So, my next idea is that we should be focussing on skills. Doesn’t this sound obvious? Well, what skills, by whom? Let’s call it ‘Secure Cloud Adoption for Teams’. Again, once we drill down and expand our coverage, the data starts to diverge, and the responses become lukewarm. In fact, I am not even sure that design principles such as ‘facilitate cloud understanding’ and ‘explain the adoption process’ are what we are looking for.

Time for a different approach. Time to stop outguessing my audience and start engaging in a more collaborative process.

Enter Design Thinking.

Design thinking

Design thinking is about finding innovative solutions for ill-defined or ‘wicked’ problems. It typically involves redefining the problem or even the needs that seem to lead to the problem. While it sounds misty and fluffy, there is an actual method. In fact, Design Thinking allows you to explore fluffiness in a controlled way.

Recently I participated in a workshop on ‘Design Thinking for Learning Designers’, led by Connie Malamed. It triggered me to pivot this process, and this blog is the first visible step.

One of the things that I took home from the workshop is ‘iterate’. You have to iterate and test your designs over and over again with a diverse target audience. In this case, the target audience is you! So, challenge me and my assumptions!

I also think that secure cloud adoption is a team sport and that our learning should reflect that too.

Your contribution

In summary, the current status is that my design problem statement is: “Create an environment for group learning to facilitate secure cloud adoption”.

What is your take on that? Is that a true problem? Why? Do you feel different? Why?

Your answer can be in this survey. Currently, this explores your tasks and context, but you could also use it for some freeform comments.

The plan is to later dive into some specific trends that appear to come out of the answers.