Cloud Coffee Talk

Certifications in the Cloud

Darren Weiner and Mohamed Malki Season 1 Episode 7

Running time: 36:21

Listen in as I speak with special guest Mohamed Malki, a lifelong educator and learner, about certifications in the cloud. Mohamed's real-world experience and desire to learn as much as he teaches provide a unique and authentic perspective.

Discussion topics include the different exam options for those getting into cloud, tips on preparing for exams, behind-the-scenes discussion on writing exams, and much more!

Check out the show notes at: 
https://www.cloudbutton.net/podcast#s1e7

[Darren]: Welcome to another edition of Cloud Coffee Talk, sponsored by CloudButton. These are real-world problems, solutions, and thoughtful discussions about working in the cloud. This podcast is for cloud professionals at every level of the organization, from the executive team to those with their hands on the keyboard, putting out fires and making the world a better place. I am Darren Weiner, the owner of CloudButton, an independent IT and cloud consulting company. And this week's topic is Certifications in the Cloud. I have a very special guest, someone who's very qualified to talk about this topic. It's Mohamed Malki. Mohamed, please introduce yourself.

[Mohamed]: Yeah, Darren, I appreciate the opportunity. So, Mohamed Malki, as you said. I currently am in charge of enterprise security architecture with the State of Colorado, and I am the HIPAA officer. That's my day job and I love what I do. As a public servant, I go out outside my working hours, on my holidays and my days off, and I actually go out and teach cloud security. I love to teach, I love to learn from the students, I love to share my experience. I love to learn from their experience, and currently I teach for (ISC)² - I am one of the direct instructors globally for the CISSP as well as the CCSP. Pretty soon I will be doing the CCSP, including the HIPAA certification as well. I am also a SME - subject matter expert - for CompTIA. I did help the CompTIA global team in updating the Cloud+ certification, so the exam blueprint, and also created exam question items for CompTIA for what is now called CySA+. I teach at Regis and community colleges. Also I'm one of the trainers for the Cloud Security Alliance. Don't ask me if I have time to have a life.

[Darren]: I was going to say, I mean any one of those could be a full-time job, and yet you have your full-time job, where you're really - what's pretty amazing about you is you're teaching all these classes, teaching people to prepare them for all these certifications, and it's truly applied knowledge. You have the real-world experience working for the State of Colorado and beyond. You must bring that into your classroom all the time.

[Mohamed]: Absolutely. And both ways, what you just stated. One of the things I use with my students - of course I anonymize the experience - I said, having a day job, and I tell this to many students, especially those in colleges and in the SecureSet academy, which is now part of an academy. I had a few hundred people that went through my class. I tell them: having a day job as your instructor, I don't have to make up stories. Literally, I was working on a situation before this class started. Even when I teach some global teams, like from HP or from Microsoft, I tell them: in the last 24 hours I worked on this issue. You are absolutely right. The State of Colorado is very - and in this podcast I'm not speaking as a State of Colorado representative - but we are big on going out as public servants and sharing our knowledge and experience, and also welcoming anybody who is interested to apply for State of Colorado jobs, especially in cybersecurity. Actually, with me being involved with colleges and training academies, I had more than a few individuals who are actually working for the State of Colorado because they were in my class. Of course they applied and they went through the process. Also we have a program for the vets, where we actually have more and more individuals coming to the State of Colorado, and I serve as kind of, not in a formal capacity, but as an ambassador to go out and tell people how great it is to work for the Office of Information Technology, which I'm very proud to be on that team.

[Darren]: That's pretty cool that there is that kind of support coming from the government sector, from the State of Colorado, to do something that's pretty important, right? We know that there's a lack of trained subject matter expertise in cybersecurity right now. So that's pretty neat that they're fully supporting what you do in terms of going out...

[Mohamed]: Full disclosure: these are things I do outside my working hours. These are not programs that Colorado is doing. I go out to do these things. This is really just a byproduct of what I do; I love what they do. And as I am very happy in my job, with where I work, I would like to invite people to come and try to serve our State. It has been very successful and I support everything that I get from my office. I mean, at least when people say "my reference is Mohamed," they don't tell them he was a bad choice. They know if they put Mohamed as a reference, hopefully that will help them.

[Darren]: I know you from the Cloud Security Alliance; we were on the board together for a while. You obviously are far too busy right now, but you're still involved quite a bit, and I was always impressed that every time your name would come up it would be in the context of: if you need a class, if you need to take a certification class, talk to Mohamed, because number one, you teach all of them, and you just get incredible reviews. You must be quite the educator. Talk a little bit about the classes you're teaching right now.

[Mohamed]: For the certifications, I'm teaching the (ISC)² CCSP, which is the Certified Cloud Security Professional. I'm teaching the CISSP, and pretty soon I'll be teaching the SSCP - I'm going through the process. It's kind of the entry-level certification. I never had the need for it myself. I can't teach something I'm not certified in, so I'm going through the process to take the SSCP. After I pass it, I go through a cool-off period of 90 days so you don't remember the exam questions, then you go ahead and you can teach the class. In addition I teach the CCSK - we do a monthly online class, now in November. You can even go online through the CSA, the Cloud Security Alliance. We do have classes every month - if we don't have students due to Covid, we skip. But this November we will be having a class - October I don't have for now. Plus now I think I am the first accredited, through the process between ISACA and CSA, for the new certification called CCAK, which is a cloud audit certification, which is really cool. I just had my first class for ISACA in person at CSA's global event in Seattle, "SECtember", which happened last month. So I had a great session.

[Darren]: So you threw out a lot of acronyms, and in the show notes I'll go into some detail with some links on that. Talk about the ones that, based on what you see happening in cybersecurity right now, what are the ones that really matter? What are the ones that seem really important right now in terms of areas of focus?

[Mohamed]: It depends on the job role. If you're coming to this field and want to start in it and grow in this field, I think the security-related certifications. I could have another opinion. If you say you want to start in the security field, where do you start? If you're asking me what certification you need to have, I believe Security+ would be the baseline. That's where you have to start. Of course, this is vendor agnostic. That's the reason I'm saying that. Not because other certifications cannot give you the quality of knowledge that you need, just because of being vendor agnostic. So you will get the foundation, and it's a pretty excellent certification for somebody coming into the field. If somebody is in a management position and he or she wants to solidify their position in cybersecurity, I think the CISM, which is ISACA's Certified Information Security Manager, and/or the CISSP, Certified Information Systems Security Professional from (ISC)². So the CISM and the CISSP actually are kind of - I won't say competing, but they really achieve the same level - preparing the next security managers, also known as the security officers. So that's the other extreme. In between you have to decide - if you want to be on the blue team, which is basically the team that defends the organization, versus going to be on the attack team - the offense, which is the red team - the certifications are different. I always like to recommend vendor agnostic. Then when you get vendor agnostic, you can specialize in something specific - a cloud provider or other vendors. So blue team, red team: I think the PenTest+ is a good one for the red team, or CEH - Certified Ethical Hacker. I know there are other, harder certifications out there, like OSCP for cloud security, but those I think will be next level, because really, you need a lot. For the blue team, I think having the CySA+ is really cool, which is from CompTIA.
Again, this is my experience, and I make a lot of recommendations to my students and they found it very helpful. After that you tell me what you want to be: in the cloud, on premise, hybrid...

[Darren]: Well, I mean, that's the thing, right? There are so many, and, first of all, between the course load and then the materials and the exam fees themselves, these are not cheap, right? If you have people that are trying to figure out what to do... it's funny, it seems like everything in cloud these days is overwhelming, even which certification exam should I take.

[Mohamed]: Yeah, if you want to get vendor specific because you saw an opportunity and you go to the vendors - if you're talking about GCP, they have the associate certification. If you think you have an opportunity, you did your homework and you have a potential partner with Microsoft Azure, they have the AZ-900. If I recall, it's called Fundamentals; you can start there if you're coming into the cloud. If you have AWS, they have like eight or nine certifications; you can start with the practitioner certification, which is itself really - all these certifications are great to start with. I mean, if you want to be a network admin, currently on prem, it takes you really a long time to learn the skills, and even the certifications are really hard. If you go to Cisco and you want to just do the CST - they still call it CST - which is before you get the CCNA, it's not an easy thing to learn. It takes months and months. I remember people going through many months. If you want to do networking in the cloud, it's kind of unbelievable. You can be a network admin providing equivalent service really in a week of learning about the cloud, because of the way the cloud positions the network admin - you can create a whole network with a few clicks. I mean literally a few clicks, which is really unbelievable. The entry bar for the cloud is really low; people should take advantage of this.

[Darren]: They should. And you know, it's funny - I do focus on the AWS space; that's where I operate. There's actually, I think, 11 or 12 certs. I have about eight of them, something like that. But for me the exams, obviously there's a street cred associated with it, but it's also for me an opportunity to sort of test my knowledge, like, do I really know this stuff? It's important to me when I prepare for an exam that I'm actually not just preparing to figure out how to answer multiple choice, just like we all did in high school, like the right way to choose it. But am I really diving deep into the material underlying it? Because I want to come out of it making sure that I actually understand more about this topic than when I went in. The interesting thing, and I'm curious in some of these exams, because I helped write some of the AWS exams, and one thing I like about what they're doing is they're really trying to focus more and more on the actual material and topic instead of the trick-question type of thing. It always really annoys me when you have these certifications where there's so much material to know, there's so much you need to learn, and the exam should strictly focus on that, and yet you end up with these trick questions on the exams which are just completely pointless. I'm kind of curious, have you seen an evolution of the exams over time, or are there some organizations that do it better than others?

[Mohamed]: Yeah, I mean there are some certifications really where the curriculum itself, as well, is busy work. As we always say in mathematics, it is low entropy. After you finish 10 slides, what's new here? So it's not only in the exam questions. I have seen some of the exams, they get a reputation. They are tough because of the people who write the questions - as you said, you're an exam item writer and I am as well - I have seen people with that attitude try to trick somebody with the question, including true/false, they put false/true. I believe that's a lack of maturity of the exam. I have people in security - we have security nazis, I call them. I have people in this field as well who actually enjoy tricking people, and I have them in the room with me for a week creating exam items, and as you said, there's a lot of material to test, why are they trying to trick? There are some certifications out there that actually get the reputation of being tough just because of what you said. However, there are other certifications where, sometimes, I find the vendors have all the budget in the world, especially the top three cloud providers. They have all the budget in the world to create quality questions. To be honest, I see that happening more with the vendor-specific certifications versus vendor agnostic.

[Darren]: I mean, I will say it's hard, it's hard writing good exam questions. You know what AWS does - what they are starting to do more and more is they're grabbing subject matter experts that are in the field to try to get that sort of applied knowledge into the exams, and I think that's great. I just took a re-cert last week - the Security Specialty exam - and it was still the older style. I'm really looking forward to having the newer material where you get to really focus on the material instead of the trick questions. It's so time-consuming to create these exams, even for these companies that have all the resources in the world. I think they just have to take shortcuts sometimes.

[Mohamed]: I don't know how it happened with you with AWS; when I did it with some organizations, they actually really teach you how to create questions. They have people with PhDs in psychometrics or something like that?

 [Darren]: Yeah.

[Mohamed]: ...and there is a whole system. I mean, there is a very mature system for how to make sure the question passes some scrutiny. Almost over 40% of the time is spent preparing first-time exam writers on how to write a good question. That's like candy for my students - I tell them: let me give you some tips on how to take a test. You didn't ask for it, but I think it'll be good to share with our audience: cloud questions are a bit of a dilemma. I'm sure you did your associate certificate with AWS because it was the most available earlier - if you're working on your lab and doing some hands-on - as we say: you hear, you forget; you see, you remember; you experience, you understand. So when you experience, you understand the concept. But the nature of the cloud is not constant. That's the nature of the cloud, it doesn't stay in the same place. So things change. The next time you log into the console, there's a new service. I remember one question in the exam preparation was about being able to add a role to an instance. It used to not be possible to do it on the fly. You used to have to create a new instance and start over. There was an overlap (of time) when you could do it, but for the exam question, actually the correct answer is you cannot do it. So what do you do with this? It's kind of a dilemma.

[Darren]: That's one of the areas that makes it incredibly challenging, because the cloud, we all talk about how it changes so fast. The exam material, from the time an exam starts to be created to when it's actually released, about 18 months goes by just to prepare those exams. What's happened in the cloud in 18 months? So it's really hard to write exams that are going to still be relevant in two years. That's why a real focus on material, not how to use the console, right, but fundamental concepts, is really important in those things. I think the vendors are getting better. I think that the exam providers in general, like you said, everything is maturing. It's just hard to keep up. So, like everything cloud, it's just going to continue to be challenging.
What would you say, of the material that you teach, what is the hardest exam? Just outright. Just a lot of material. Really hard concepts?

[Mohamed]: I think the content - the depth and the content for the recently released CISSP from (ISC)² on May 21. The book that I received, I think with UPS it's 8 pounds.

 [Darren]: The book itself is 8 pounds.

[Mohamed]: Yeah. I think over 1300 pages of content. It makes sense. If you're going to be a security manager, you have a number of years of experience, you should know these things. We're not expecting you to be very technical in the encryption or writing Python code for asymmetric encryption, but we want you to know when you use asymmetric and when you use symmetric. When you're advising your management or when you're advising your data officer to achieve some compliance. So there's a lot of content and it has been updated and it touched on...

[Darren]: Containers and..

[Mohamed]: It's a lot. I mean, if you survive the CISSP, I mean you are ready to actually maybe shadow some CISO or security manager, because the content is really beautiful.

[Darren]: ...and that exam is a crazy exam. I've actually started studying for it. I don't have the free time right now, so probably next year. When you take the exam, it will cut you off once you've hit a passing grade or a failing grade in the middle. So you don't get to take the whole exam.

[Mohamed]: It's adaptive. Yeah.

[Darren]: Yeah. So that the questions don't get out there as much in the wild. I assume that's why they're doing that.

[Mohamed]: What you said confirms to me what I heard. I've been CISSP certified since 2004, so I don't know the current questions that the students are seeing. It's adaptive and it's achieving the goal: do you know your material? If you're answering all those hard questions - if you answer encryption at some (hard) level - I'm not going to ask you about something like: what's base64, is it encoding or is it encryption? I hope you understand the difference, because you answered tougher questions.

[Darren]: What would be, what's your advice? I'm sure you give this advice to students when they're preparing for the exam. So three months out, a month out, a day before. What kind of advice do you give people when they're in those stages?

[Mohamed]: I mean, it depends on the type of exam. I don't want you to go six months after you do the curriculum. If you go through a formal class, like for the CCSK - a month, no more than a month. If you're not ready to take it within a month, don't take the class, just read the books. And if you're doing the CISSP, my personal advice, don't go more than three months as well, and don't do it like a week after, because you're still getting the smoke out of your head. Chill, relax. Get a good rest, because you went through a lot of material. I say the sweet spot is 45 days. So if you look within a month, two months, that's my personal advice, because you need to go back and review. The last thing to do is the night of the exam - don't do it - or when you're driving to the exam center...

[Darren]: No cramming?

[Mohamed]: Yeah, you know, no cramming. That's not going to do anything; if it does anything, it's going to mess you up. You won't be ready for things that are obvious. One tip I can give: there are things, just for example, knowing the port and protocol numbers of things, or some encryption keys - I don't think employers will ask what the TCP port number is for, say, DNS. I don't think somebody would be asking for it at work.

 [Darren]: But is it on the exam?

[Mohamed]: Yeah, that's why I'm giving the advice about the exam. You need to know that, so for those kinds of things, take a note, say three days before, and go through those things. When you walk into the exam room they give you a pad - they take everything away from you except your brain. So at that moment, before you even log in, start to write down those numbers, or, if you have a trick you learned for how to do subnetting, for example. If there's something that's really going to evaporate, just get it down there. I mean, put them down as a cheat sheet when you walk in, just put them there. I have a lot of students who found it very helpful, especially encryption keys - which one is asymmetric, which one is symmetric. Those things that you really don't touch. Those are things that you really do at the last minute. In the last three days, make sure you summarize them. You can even look at them the night before, but that is not cramming. Just when you walk in, write them down, even though you may not get them as questions.

[Darren]: That's good advice. Yeah. Especially on an exam like the CISSP. 1300 pages of material, what are you going to cram for? I was actually wondering about that, because they go into a fair amount of encryption on the CISSP, knowing all the ciphers and everything else.

[Mohamed]: There's a lot of good content. I mean, it's great content. Somebody who survives the CISSP, it doesn't make you a security manager, but I can talk to you. I can have a conversation with you, which is good. We can make sure you know what you're talking about.

[Darren]: So speaking of knowing what you're talking about: how important do you feel these certifications are to employers?

[Mohamed]: How important is it to a doctor that goes through the number of years to be a doctor - that's like a certification too. They go through an internship or something. So they go for three years to have some experience, to see things. So for me, a certification tells me that you want to be in this business, right? It's not an accident.

 [Darren]: You're serious about it. You're moving in the right direction.

[Mohamed]: You are investing. If I'm investing in you, I am not putting you here against your will. So if you get your certification - the Security+ - I'm sure you will appreciate it if I send you to the CISSP class; you will take it. Imagine you just happen to be in the office doing IT work. Then I say, I'm going to send you for the CISSP. "Who told you I'm even interested in that?" When you get a certification, it tells me you're committed to the industry, which is cybersecurity. If nothing else, it gives you the language, the lexicon, the terminology, so we can speak the same language. If I say NIST, I don't have to tell you who NIST is. When I tell you incident response, you know what I'm talking about. When you say disaster recovery, I'm not talking about BCP. When they say asymmetric, I'm not talking about symmetric. When I talk about wireless, I'm talking about wireless security. When you have a certification, you get the foundation.

[Darren]: I see things very much the same way. I see certifications as: someone's put in the effort, because I know what it takes to study for the exams. I know what you need to do by way of practical hands-on, as well as studying the books and the websites and whatever else. But for me it is this common language, this foundation. So when I'm interviewing people, for example, for my clients, and I see that they have a Solutions Architect Associate exam, one of the first questions I'm gonna ask them is about VPC architecture, because if they passed that exam, we're going to be able to have a common starting point for the interview, right, and dive in, and then we get that much deeper from there. And if they can't answer it, it's going to be a very short interview, because how did they pass the exam? Right? So I think it's incredibly helpful and, like you pointed out, it's just the starting point. You have to do your time in the cloud.

[Mohamed]: Absolutely. For the individuals in the audience, with respect to certification being really just paper: if you don't know how to do the job, I don't care if you have a certification or not. I would respect your statement. However: go get the cert and come back and make the same statement, and you will actually have something to say. I went outside of security myself. I went out of my way and became a PMP; I'm a PMP with PMI as well. And a lot of product managers say: that's just a certification - people need experience... the certification is nothing. I said: Okay, it's nothing. Go get it. Many product managers with 30 years of experience will fail the PMP; they will fail miserably. Same thing with Agile. They say: Agile's just a mess, people just don't want to document. I went ahead and I did my ACP from PMI as well. So I get Agile, and then I come to them and say, hey, guess what? If you think Agile is a waste of time and it's just people being lousy, go get the certification. So at least maybe you'll become a believer if you do the certification, and we don't have to argue. So people who belittle certifications, just go ahead and get it, then we can talk.

[Darren]: There's a lot to be said for that show of investment. That being said, I think you're just a serial test taker. You've taken them all.

[Mohamed]: That's the way I learn. Let me put it differently: not how I learn. How I prepare myself to be on the journey of learning. I don't know which cert I'm looking for now. If I want to learn, say - I don't know, I really don't know which one, because I have over 47 certifications. If I think about one, I won't pretend. I'll go ahead, humbly sit down, listen to the instructor, and I go ahead and create that foundation and then go ahead and learn more. So I use certification really to have structured learning, not for the cert itself. I don't need it. It's really to put me in a frame - that of a learner. I am learning and I'm going to have a foundation. I know where to find the answers. That's why I do certifications now.

[Darren]: I assume you feel some of this as well: even with your level of experience, which I think is far greater than mine, that lifelong learning is so important to me as well. The hardest part is every time I think I know something, you need that humility, because every day... the whole idea of impostor syndrome... feeling like you don't know anything, I feel that almost every day when I'm working with these technologies.

[Mohamed]: Yeah. I tell my students in every setting: this is not teaching, this is learning and sharing, and I know I learned something less than a few weeks ago (from my students), where I said: I don't know that. With my students, if you combine the experience, it's over 200 years of combined experience. Seriously, there are less than 20 or 25 people in the (class). Some of them have 40 years (of experience). I have CSOs in my class, I have a lawmaker from Washington State in my class. I had VPs, and it's so amazing. I've said sometimes to my students: I don't know this person, but I said I love you. I just love your answer. I'm so, so impressed with your answer. So that tells you how much, you know, that tells you how vulnerable we are. We're learning from each other.

[Darren]: That's really cool that you learn from your students. Not just from teaching. We always learn so much from teaching, but you're learning directly from your students, who are coming from all these walks of life. Entry level, never touched a computer - well, not quite, but you know... and then CSOs and everything else. That's pretty cool.

[Mohamed]: I actually had chefs in my class; as I told you, I've had a lawmaker, some CSOs, and some store managers, and some of them now are actually managers in a penetration testing company. So that's amazing. That's where I get my satisfaction - when I am helping people secure their future, secure our nation, and make the world a better place.

[Darren]: I, for one, appreciate knowing that you're the one teaching our future cybersecurity professionals. And if I completely fail at CISSP studying by myself, I will be signing up for one of your classes.

So we're gonna start wrapping up now, and I'm gonna do what I call a flash round. So this is just fun. I'm going to ask you a series of questions. There's no right answer. You can answer however you want. You could just answer it or you can answer it with context. I don't care; these are just random questions that are topical.

[Mohamed]: And I can take the fifth too, right?

[Darren]: You can choose to do that, or you can answer it and tell me to edit it out later. Although so far I haven't had to edit anyone.

[Darren]: So CompTIA Security+ or CCSK?

 [Mohamed]: If you do the cloud it's CCSK.

 [Darren]: Multiple choice answer or multiple response answer?

 [Mohamed]: Multiple choice.

[Darren]: RBAC or ABAC? Role-Based Access Control or Attribute-Based Access Control?

[Mohamed]: I mean, I want ABAC, because I get more control, which is risk based.

[Darren]: There's no right answer. It's OK.
From a security perspective: GCP, Azure or AWS?

[Mohamed]: I think the one who gives you the longest free license, that's the one. So you can google the answer. That's AWS.

[Darren]: One-time passcodes or biometrics?

[Mohamed]: I think the one-time passcode is easier.

[Darren]: Is zero trust the best thing since sliced bread?

[Mohamed]: I think zero trust is going to conflict with single sign-on and the social acceptance of security. If you do zero trust, which is basically never trust, always verify, you will hit your head against single sign-on. So you need to answer that question.

[Darren]: That's a deeper topic, I think.
This is a serious question: if you could teach kids one thing about cybersecurity, what would it be?

[Mohamed]: Actually, I told this last night; I was in the community when a lawyer was talking to our teenage Muslim kids. I told the kids: you are actually more covered when you walk in the street wearing shorts than when you are behind the keyboard. You are more naked - whatever you do online will be tracked and attributed to you. Think about walking into a bank with an explicit desire to commit theft - or a store. So think about that. You would never do it, right? Don't think you can hide behind the keyboard in your parents' basement. You're actually more naked. You are more exposed in everything you do. So be careful. Instead of being a cyber warrior, where you can secure your future, you secure your nation, you secure the world, you're actually going to ruin your future, because cybercrime is a federal crime. It could be just pirating that free game - what you think is a free game. That's my advice to them - and be on the right side of history. Be a cyber expert. They pay a lot more money than going to work for McDonald's or fast food.

[Darren]: Don't be exposed on the internet, understand how this stuff works - and be part of the solution.

[Mohamed]: Absolutely.

[Darren]: Well, Mohamed, thank you for joining me. This was a lot of fun. I really appreciate all your insights. So thank you.

[Mohamed]: I appreciate the opportunity.

[Darren]: And if you want to reach Mohamed to find out more about training opportunities, you can email him at training@cloudtrainingacademy.com. That will be in the show notes. You can subscribe to our podcast at https://www.cloudcoffeetalk.com. If you'd like to reach me, you can email me at darren@cloudbutton.net. You can also try me on Twitter @cloudcoffeetalk. Until next time, have fun in the Cloud.