Cloud security engineer: Is it the career for you?
When the world went home to work last year, the shift to software-as-a-service (SaaS) accelerated. Organizations came to rely on cloud-based applications to power employee productivity and, with the move to hybrid work, this reliance is predicted to grow further.
Gartner forecasts public cloud services will grow another 23% in 2021 to $332.3 billion, with software as a service (SaaS) being the largest market segment. However, with increased SaaS reliance comes new risks, and organizations are scrambling to shore up cloud security threats for a more secure future of work. They need cloud security engineers.
A cloud security engineer's job is to secure an organization's cloud use and protect data against malicious actors. Opportunities in this field have followed the upward trajectory of cloud reliance. LinkedIn currently advertises more than 22,000 open positions. Glassdoor lists more than 28,000. The job is well-compensated in most geographies. Payscale says the average annual salary for a cloud security engineer in the U.S. is $136,485.
FREE role-guided training plans
What does a cloud security engineer do?
When technology leaders at an organization decide to use public cloud technology, they have many providers to choose from. Consistently, the top three are Amazon Web Services (AWS), Microsoft Azure and Google Cloud, but a long list of other options follow.
The cloud provider will deliver baseline security measures around their platform, but organizations who rely on it are responsible for securing what is inevitably an interconnected web of applications and permissions, not to mention the fleet of endpoints that access those applications. This is the shared responsibility model and, in many ways, represents at least a partial job description for cloud security engineers within an organization.
"It's best to think of Amazon as the plumbers or the water company," says Andrew Howard, chief technology officer for Kudelski Security. "They provide the plumbing. They'll get the water and electricity to your house, but once it's there, you're responsible for it."
Cloud security engineer work is both nuanced and challenging. Unlike networks and on-premise technology, cloud infrastructure changes almost on a daily basis as providers compete to provide the most sought-after solutions. "The entire ecosystem is complex," says Oliver Tavakoli, chief technology officer at Vectra AI. "You don't have any notion of a stable set of infrastructure that you can choose to remain on for six months or a year."
On top of a fast-moving ecosystem, plenty of attackers need to find only one attack template that works. From there, it's entirely reusable. One attack key will have a widespread blast radius across many cloud customers, Tavakoli says. "Attackers need just one way to run a gauntlet that will get through even 20% of customers because of how they have rigged their defenses."
While network security has had years to build out prevention techniques such as antivirus, firewalls, access control and many others, cloud security is still finding prevention techniques that work well in a containerized cloud environment, says Tavakoli.
"We're still in the early stages of coming up with preventative measures," Tavakoli says. Beyond prevention, much more emphasis is also needed on detection and response in the cloud. Overall, "it's important for today's security teams to move past the single goal of building a hard shell to keep everything out."
Instead, the goal is full maturity across prevention, detection and response, and this requires security engineers who are comfortable with ambiguity.
What does it take to be a cloud security engineer?
As cloud reliance grows and the environment continually morphs, organizations are looking to round out their security teams with individuals that bring unique perspectives of the attack surface. Knowing how to deploy firewalls in the cloud is a good skill to have, for example, but more importantly, so is the need for cloud security engineers to know how cybercriminals typically work in a cloud environment.
"The best defenders are people who have a keen understanding of what offense looks like," Tavakoli says. "I highly encourage security people to try their hands at some of the offense pieces, whether that's on the lighter end of the spectrum like a Certified Ethical Hacker class or an OSCP and deeper practices."
What should you learn next?
To gain the offensive perspective Tavakoli suggests, consider these industry certifications and training to get started in your career as a cloud security engineer:
- Ethical hacking certifications like the EC-Council Certified Ethical Hacker (CEH) and CompTIA PenTest+
- Cloud security certifications like the (ISC)² Certified Cloud Security Professional (CCSP) or Infosec Institute Certified Cloud Penetration Tester (CCPT)
- Hands-on cyber ranges, covering topics like attacking and defending cloud-based applications
To learn more about what it takes to become a cloud security engineer, watch our Cyber Work Podcasts, Should all your company data be in the cloud with Andrew Howard and Cloud security best practices and career tips with Oliver Tavakoli.
Sources
- Gartner forecasts worldwide public cloud end-user spending to grow 23% in 2021, April 2021, Gartner Press Release
- Average cloud security engineer salary, Payscale
In this Series
- Cloud security engineer: Is it the career for you?
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity