Building A Cloud Security Team

What skills do you need for cloud security? Jonathan Villa, Practice Director of Cloud Security at GuidePoint, gives his perspective on this question.

Description

Jonathan Villa, Practice Director of Cloud Security at GuidePoint, meets with host Amir Bormand in this episode of The Tech Trek. Jonathan shares his insights on how organizations can build effective Cloud security teams and adapt to a changing environment.

Show Notes

2:29 – How to upskill your Security team for the Cloud.
7:46 – Best practices for integrating Cloud security.
11:21 – Which skills best equip you for Cloud Security?
14:02 – Working with Cloud Security for the first time.
19:21 – How do you start learning and training for Cloud Security?

Jonathan Villa

Practice Director, Cloud Security @ GuidePoint Security

Meet our guest

For over twenty-two years Jonathan (“JV”) has served as a hands-on leader in various roles throughout information technology and cyber security. JV has been responsible for the growth of a national cloud security practice and worked side-by-side with his team within the delivery of services across various verticals.

Episode transcript

Amir Bormand: [00:00:00] On this episode of the podcast I have with me Jonathan Villa, he is the practice director of Cloud Security at GuidePoint Security. We’re gonna be talking about building a cloud security team, and I think a lot of times, you know, people don’t have the expertise. They do bring in consulting companies to help.

And at some point, either if you have those consulting companies in, or you actually have the internal expertise, at some point you have to upskill. You have to help build out this team. And there’s a lot of, lot of things that have to go into this, especially in the cloud security space. And, uh, Jonathan, uh, is here to talk to us about that.

Jonathan, thanks for being on the podcast. Thanks for having me. Awesome. So let’s talk about, uh, two things before we start. One, tell everyone what GuidePoint does, and then you are the practice director of cloud security. What, what are some of those responsibilities? Absolutely.

Jonathan Villa: Uh, so GuidePoint, we are, uh, I would just gonna refer to us as a, a pure play cyber and information security organization.

Um, [00:01:00] you know, we, we do a lot of professional services in the cyber and information security space and application security, cloud security, GRC, penetration testing. Uh, but we’re also a value added reseller, right? So that’s what we partner with a lot of organizations, um, you know, kind of focusing a.

On a lot of the, uh, current, um, and, uh, even, you know, folks, companies that we run for a while, we’ve been working with a lot of the, the technologies in the, in the security space for quite some time. So what do I do in the cloud security, uh, practice? So I have the exciting challenge of, uh, staying on par with the course or ahead of the curve in terms of what’s happening in the cyber security space, uh, with the.

With respect to cloud, you know, leading a team that delivers, uh, engagements around architecture, uh, security architecture, design, you know, reviews, assessments, implementation, um, and program development. So, I’ll probably touch a little bit about on that since we’re gonna talk about upskilling, right? What that cloud security program development is.

So, uh, but yeah, I mean, that’s it at a, at a high level. 

Amir Bormand: There you go. Awesome. Yeah, I’m, I’m excited. I mean, you know, [00:02:00] security is hard enough. Cloud security, uh, incorporates a whole different level of complexity, obviously, uh, you know, platform specific issues, multiple, you know, platforms. I mean, there’s a lot here.

And, um, I, I guess out of, just as a jumping off point, you, you guys do security consulting and I guess the. Problem sometimes is identifying the problem, right? Knowing when you need someone to step in and help. And what part of cloud security from what you’ve seen, uh, you know, what are, what are some of those, you know, reasons of, Hey, I, you know what, I gotta desk cloud security.

Obviously everyone has to adjust cloud security, so let’s actually right that, that’s, that’s not the problem. But there are nuances to how security and cloud security integrate and, and if you’re building. That platform or you’re building out a product and, and you need to mature and stabilize the security component, you have to know what you’re looking for, right?

Jonathan Villa: Right?

Yeah, that’s a great question. I think a lot of times when we’re, when we [00:03:00] engage a, a client, um, the problem that’s been identified is that the, what I refer to as the business, right? Like just the normal, uh, folks that are either, uh, you know, helping the migration to the cloud or innovating and developing, you know, new applications depending on the, the type of client.

We typically step in when security has realized that they’re moving very fast. Right. And since we kind of talked about upskilling here, right? Uh, traditionally here now in, in the cloud space, um, it, it’s been a little bit of an uphill climb, right? For a lot of organizations that have very talented security professionals.

But understanding how things work in the cloud is really kind of where some of those challenges have. And I think that’s also been a recurring theme. Alright. I mean, for the last 5, 7, 10 years, right? In terms of cloud security. But a lot of times it is, it’s, you know, how, how do, how does an organization approach the problem and ensure that they are safeguarding the organization without, you know, impeding innovation, right?

And slowing folks down. Which again, kind of been a recurring problem, but a lot of times that’s when that, that [00:04:00] problem’s been identified.

Amir Bormand: Yeah, it’s interesting cuz uh, you know, just when you’re, you’re mentioning, you know, the problem being identified, you know, when you, when you, I guess you look at security, everyone assumes.

That it’s a problem. Um, and, and I guess when you’re talking about cloud security and as you might be in different phases, if you’re a mature company, you’re a startup, everyone seemingly runs into these similar problems. And when we’re talking about upskilling and you’re talking about learning how to do this, You might need to bring somebody in right from the outside to help you figure out how these pieces fit together, solve the high level problem.

But everyone always wants the consulting company to leave at some point. Can’t, can’t really keep ’em on forever. It’s expensive, right? I mean, at some point they have to leave and then they have to, they have to deal with. Taking on some of those things, being being the, their own, uh, you know, core competencies in that.

And, and, and, and since you’ve seen this happen, uh, that [00:05:00] handoff of, hey, the consulting companies come in, they’ve done their part, they’ve helped you solve your problem. What happens when the consulting company leaves?

Jonathan Villa: That’s a great question. Um, you know, again, having been around the space for quite some time, I think I.

I would say we, I’ve gone full circle with some organizations where, you know, we come in and, um, and whether this has been at my time at, at GuidePoint or, or before, right. I’ve, I’ve kind of experienced the same thing here where, you know, I’m working with a, with a client or an organization, the problem solved, but the, I guess the, the understanding of how.

Keep that ship afloat right. Is not there. Right. So you kind of come back around in, in six months or a year and you’re like, oh, you’re, you’re back to the original problem. Right? So I think educating your team on, I like to, you know, look at patterns a lot, right? And really that’s where I think the education needs to happen for your, you know, your existing personnel.

Um, it’s not in. [00:06:00] You know, how does, uh, network security work in the cloud, right? But it’s more about the pattern of network security, right? And that’s what’s evolving very quickly in cloud, right? Um, I mean, now a couple years ago we’re talking about hub and spoke. Now you have things in AWS like transit gateway, which kind of made that easier for a lot of organizations.

So I think the leave behind should really be the education on identifying patterns in, in the cloud, um, so that those individuals know how to make, you know, future decisions. But, keep following those patterns, right? Making sure that the, the wheels don’t fall off, I guess.

Amir Bormand: So that’s that, that, that, that is, you know, I like the leave behind the follow patterns.

That’s actually, I think, um, a good way of putting it. I think, you know, if I was, if I was thinking through this and I’m like, if, and, and we have it right in, in your own home. You have the situation, somebody comes and does some work, and then you think you gotta. You know, the next time it happens, I’m gonna take care of it.

My wife is always like, do not try to touch plumbing electricity. Just because you saw somebody [00:07:00] do it does not mean you could do it. You’re gonna, you’re gonna make a mess of it. And she’s right. And part of it is I don’t have, I don’t have the ability, I don’t have the competency, I don’t have that understanding, you know, somebody hasn’t upskilled me.

Just watching. I haven’t transferred through osmosis the, the recognition of what I need to do, but so you, you know, you leave and really the, the, the core of the podcast episode is around this concept of the team and upskilling and the knowledge transfer and obviously being cloud security being so new, um, and resources being so tight.

Like it’s not like you can go. A cloud security expert at will. Like, it’s not a, it’s not a position that there’s, you know, abundance of people that are experts at this. There are a lot, but it’s, there’s, there’s a definitely gap, right? So when you, when you talk to these companies and they are trying to go, okay, well we need somebody to, to, to, to follow the patterns.

What are some strategies that people try to put in place? Because I think that’s useful for someone who’s, who’s either thinking about cloud security, they’re in the middle [00:08:00] of it, or, or maybe they’re somewhere in between. 

Jonathan Villa: That’s a great question. So when, you know, when I talk. Patterns. Right. I guess I could probably unpack that for a bit, but you know, I look at cloud as, as an API driven infrastructure, right.

And I’ve been using that term for a, a very long time and, you know, and a lot of folks, uh, do as well. Um, and I think having, having an understanding that that’s what cloud or cloud computing is, is that it’s an API driven infrastructure. The reason I say that you have, you kinda really have to identify patterns is because oftentimes what if people maybe don’t really see is that you could solve a, a problem in the cloud with technology, right?

Like, you know, remember security is people, process and technology, right? And organizations will go and, and you know, I say kind of just throw money at the problem, right? Like, we’re gonna buy a tool, right? And we’re gonna, we’re gonna put it in. What that doesn’t solve is the core, right. The root of the problem.

All it does is bring you visibility in terms of like, Hey, we have this problem and now I know we [00:09:00] have this problem everywhere instead of just here. But when I talk about, you know, patterns and, and, and that, that point you made, right, of, of getting a subject matter expert, finding somebody to work with, whether it’s in your or within, whether it’s within your organization right?

Or an outside firm, um, that that’s able to look at the problem and. You know what? Let, let’s, it’s an API driven infrastructure, right? Meaning we can take full control of what’s happening in the cloud, right? We can put it, we can put in preventative security, right? Through policies or through some sort of, you know, uh, infrastructure’s, code scanning, right?

Or through probably a couple different ways to ensure that. Those, those misconfigurations, I guess to put it real simple, right? Those misconfigurations aren’t, uh, don’t come to life. Um, and, and when you find somebody who is able to solve the problem that way, I think that’s, that, that’s the deter, uh, that’s what separates a kind of cloud security sergeant at, or expert in my opinion, from just [00:10:00] somebody who knows how to turn the knobs and, and things like that, right?

So I think, uh, when you’re looking to upskill your folks, or you bring in a third party company, that should be a big leave behind is the training in, in terms of how to approach the problem differently, right. Than, than just installing a, a firewall, for example. Right. That’s, uh, it’s not, uh, it’s not as easy as it used to be, right? In the data center, I’ll say.

Amir Bormand: Well, every, everything is so engineering, right? Like, I mean, I, I like the, I like the, the line Cloud is an API driven infrastructure, and I like to. I like to speak about everything has become engineering. Like there is no more, I mean, there are tools, right? But, but the majority of work being done is, is an API.

You need some understanding of code, uh, security teams are still catching up. You know, it’s, it’s, you know, there’s a mix of tools and some people are getting into, you know, the software side, you know, the, the whole shift left. We won’t even touch on this episode, but you know, there, there is a, an upskilling happening, you know, the cloud security [00:11:00] components kind of catching up and I guess as you’re working with companies and they have to go through, You know, they have to, they have to take the hand off, they have to take the baton from you guys.

And obviously they have talented individuals, either people currently in security, that have other people in other functions. This gap needs to be filled by somebody, even if it’s not a net new outside hire. Are there typical like, you know, profiles that suit someone to move into cloud security if someone doesn’t have specific people to actually take.

Jonathan Villa: That’s a, that’s a great question and I, I try, um, see if I can eliminate my bias out of that. Right. I always, when you talk about, look, looking at specific skills, I mean, I tend to lean more towards people who have some sort of development background and it doesn’t mean that they were an application developer, right.

It just that they understand that, you know, we could solve this problem with maybe a little bit. Of a [00:12:00] customized solution. Right. Complementing maybe a, a, a third party product. Right. You know, and that goes back to the API driven piece. It’s not just that public cloud is API driven, almost, you know, every vendor that we’re, that we’re working with Right.

Has an API. Right. So their third party tool, um, the interfaces with the Public Cloud’s API, but the, they’ve also given us an API to work with. Right. So when you, when you look for an individual to really. Kind of build out your, your program. Sometimes again, maybe it’s my, my bias cuz I, again, I have a, an application development background, but I tend to lean more towards people who’ve, who, who say, you know what, we can, we may be able to solve this using this API driven infrastructure.

Right? Like one way or, or or another. So yeah, I think to me that’s a big piece. Now that doesn’t say that folks who never, you know, been involved in development wouldn’t be able to be successful. Right. That, that would be wrong. Cause I’ve met some very talented individuals who have been. You know, completely away from development.

But they understand that, like I said before, the pattern, right? They understand, they may [00:13:00] not know how to implement, you know, a particular solution, but they could conceive it, you know, and they could help build, bring in folks from other parts of the organization to help, you know, build out those solutions or find the right, you know, solution for it.

So I think it’s, you know, when you’re finding, when you’re looking for the right person, I think, um, yeah, somebody who just thinks pretty broad, right? Because cloud. Broad, right? I mean, there’s so many, it’s not just the new technology, it’s like the data center rebuilt, right? Every component, everything that’s happening in the cloud or that happened in data center is happening in one, one environment now.

And uh, I think that, yeah, a broad thinker, I guess is what I would say. 

Amir Bormand: That makes sense. I, I guess, you know, something that, you know, I, I was listening to, to you talk about that and you mentioned broad thinker and it made me kinda, you know, think. You mentioned somebody from the, you know, somebody with an application maybe side, and it seems like this might be, and again, I could be wrong, correct me, but it seems like you need somebody who has broad experience, right?

If you’re gonna [00:14:00] talk about cloud security, uh, You do need some experience touching different things. Seeing you, you, you mentioned the, this is wide, right? So seeing different things, touching different things, having that broader experience, it sounds like it might help, but also knowing that, you know, security has a, a talent shortage and then cloud security’s even.

A, a deeper shortage cuz it’s very nuanced and new. Does that kind of make it harder for someone, I guess, earlier stage career to jump into cloud security because they have to touch a lot of different things? Or is it something where you’re like, you know what, it’s, it is so new that you can actually jump in and be an expert in, you know, maybe one, one very, you know, tiny component of it and that’s the way you go.

Jonathan Villa: It’s, that’s actually a really great question. Um, I talk to a lot of, uh, whether they’re my former, you know, colleagues or just, you know, younger, uh, younger adults that want to quote unquote get into right. Cloud security. I [00:15:00] would say the answer is yes to both, both points there, right? So, um, cuz I have found myself telling many people, um, the latter part that you talked about is cloud is still relatively, relatively new.

You know, now is the time. You know, I remember years ago I’ve been, I’ve been working with AWS as a platform since, geez, like, I don’t even remember the year, but well before like 2010, right? Like, it just, I was very curious and I jumped in very early and there was a cer, there was a period of time where I would tell my colleagues, you know, I would say, listen, at this point in time, if you just.

Learn for the next six months, if you just ingested Azure or just ingested Google or AWS, like you will get into this, this space, right, into this, uh, this field. Cuz there aren’t, there weren’t many, uh, experienced professionals, right? So I think for some people this is a great time to, to kind of specialize in something and get in at the same time.

The first part of what you said, right, is also true, right? Because if I’m, you know, if I’m, [00:16:00] uh, if I’m a hiring manager at a. And I need to just grow my team. That, that latter group, that’s, you know, that’s probably where you’re in is, you know, but if I am, you know, maybe not a hiring manager, but if I’m a director right, or VP level at an organization or a CISO, I, I, I can’t use that person right?

Then I need the person that. Is like, what is it? A, a mile wide and inch deep, right? Like somebody who could speak to governance and again, application security, network security and compliance and all those different things in the cloud. And that’s really where your consultants are coming in, right? They, cause they have that, right, they’re seeing, you know, project to project client to client, you know, vertical to vertical.

So on the consulting. That’s really what I would be looking for is somebody who has that broad experience. But again, to, to kind of just repeat myself here, if I was a hiring manager and I just needed to, to hire more talent, I, I would have no reservations on hiring, um, I guess what we would call junior level folks.

Right. Uh, I mean, I’ve done that on [00:17:00] my team. I actually have, um, some really interesting stories of folks that I’ve hired with, uh, pretty much no experience when I hired them. And one, one of the guys, uh, Unfortunate for me, but fortunate for him, uh, he moved on. Right. Um, but I brought him on, he was in med school and had five Amazon certifications with no experience, but I, I love that.

Right. This was about four years ago and I hired him and, uh, beginning of last year, he left and went to go work for AWS. And I said, unfortunate for me, but fortunate for him. Right. Um, but so I guess what I’m saying here is that that idea. Hiring people that are just getting into the, the space, you know, into this field.

Mm-hmm. Um, I wouldn’t, I, I really wouldn’t have reservations in doing that if you have the right training program. Right. If you have the right mentorship program to build those people up. 

Amir Bormand: Yeah. That’s a, and I think that’s great and I think, um, you know, I think as you mentioned, you know, if you look at [00:18:00] something and you look at the technology and how old or how new it is, and you judge it based on the years of experience someone has in that.

I think things change. We get a lot of, you know, companies are like, well, we need a deep expertise in X. Well, it’s only been around for six years, so if somebody has two years of it, they’re a senior. Whether they have a, you know, how much overall work experience they have, that’s different. But if you need expertise in this particular skill, you know, there’s a, there’s a limit.

And I think to your point, you know, I think that’s, I, I actually think it’s a great time. If you wanna specialize on a platform and dive deep down the rabbit hole of, of the security side of that platform, you’re gonna be. Still early. It’s still early. So I think, uh, I think I like how you, how you kind of use that example of, uh, the med school student who now is at AWS.

Jonathan Villa: That’s great. Yeah. And I think he’s probably making more money than me over there now, so really, really worked out for him.

Amir Bormand: So there you go. There you go. He was, you have a bottle of, uh, something you like there. Um, [00:19:00] last question I was gonna ask you in, in terms of this, um, you know, this what we were talking about, the upskilling.

When you’re looking at training, right? Where can you, is this something as, this is for me to actually understand, is this something that I could literally just go if I wanted to do the AWS search? Cause you mentioned this guy who did, obviously he’s sharp, he’s in med school. But can I just literally go on a s just start watching the videos and, and actually end.

Understanding, or do I need to actually go sign up for classes? Or how, what does that look like for someone who did wanna, you know, does want to get into cloud security specifically? How do you, how do you actually do that? 

Jonathan Villa: So, another, another great question. So I, I won’t give this person’s title because I think it’ll give away who it is.

Right. Okay. And I was just story yesterday, so, um, like, geez, a long time ago, uh, you know, I’m from Milwaukee. I worked in Chicago, right? Forever. And I took a train every day. And one day I’m, I’m walking to the train and, uh, you know, this guy that I, I [00:20:00] knew at the client that I was at, just, we just met and we started walking to the train and he asked me, he goes, how do I, how do I get involved with AWS?

Like how do I, how do I learn AWS? And he was a Unix Linux admin, right? For a kinda well known services company. And I just said to him, look, nothing’s gonna be hands-on experience, right? Just go to AWS. Here’s what I mean. He already had some skill, right? So, so go to AWS, user freeze. You know, 12 months, as long as you kinda keep it minimal, you’ll be able to use it for free.

That was in the spring of a particular year, and in the fall of that year, he comes to my desk and says, Hey man, it was a pleasure knowing you. I’m leaving. Said, well, where are you going? So I’m going to AWS. I’m like, that’s cool. We start off as like a, a, you know, a TAM, right, a technical account manager.

The reason I don’t wanna give his title is cuz anybody listening could probably find him on, um, on, you know, LinkedIn. I’ll, I’ll just say this. Is that his title now? Global head, X, Y, Z. Right? And I mean, he, he was a smart individual, right? I I, I don’t wanna take anything from him, right? But the [00:21:00] opportunity to, to again, get into this space is really at your disposal, right?

It’s the amount of information out there, whether they’re, um, Udemy courses, you know, YouTube, all the re:Invent sessions, so much Microsoft Cloud, you know, information out there, Google. It’s really at your disposal. And then a lot of these public cloud, I mean all the three major cloud service providers give you, um, like a free tier usage, you know, so I always tell people, kick the tires, right?

Think about when you were learning to drive, right? I mean, you had a little bit of textbook, but then it was on the road, you know, on on the road lessons. So my advice to anybody who’s trying to get into the space is to. Kick the tires, you know, kind of, you know, take you for a drive and, um, you know, and good luck and hopefully there’s a lot of need, you know, but hopefully they’ll find something.

But, um, that, that, that would be my advice. 

Amir Bormand: Awesome, man. I think that’s, uh, that, that is great advice. And, [00:22:00] and I think if somebody does wanna, you know, build out a team or wants to get into it, I think these are some good, you know, good pointers. So thank you for being on and sharing with everyone. I’d like to ask every guest, uh, this question I was gonna ask you as well.

Um, if you could ask a future guest on the show to cover a topic, what, what topic would you like to hear them? 

Jonathan Villa: The use of AI, right? In the use of public AI, right? So ChatGPT right now is hot, right? And there’s a a lot of conversations going on about that, about, hey, is it, is it good for the workplace in terms of, um, you know, if I’m a CISO, should I be concerned about my employees using ChatGPT, who may be potentially, you know, providing it proprietary information, right?

We’re just having this discussion today cause. Any, any system that that’s learning has to retain information, right? So we can continue to learn. Um, so a question that I, I would be curious to hear other people, you know, uh, [00:23:00] just what their, what their opinion is, right? Is on, um, what potentially could be the, the future use of public publicly accessible AI platforms.

Um, you know, in terms of are there any concerns about, you know, data leakage or anything like that? So, um, I’d be curious. I know it’s been a topic amongst myself and some people, right? Um, I mean, right now I’m, I’ve been using ChatGPT to answer my five-year-old’s questions, right? Like, how long would it take you to swim to the bottom of the ocean, you know?

So, um, that’s been my use, uh, thus far. But, but yeah, I, I would love to hear other people’s perspectives on that. 

Amir Bormand: Awesome. I like that. That’s actually a good one. That’s actually, it might be a good round table, uh, discussion cuz I think there’s a whole host of privacy concerns that we haven’t even, uh, begun to, to touch on.

Um, Jonathan, what’s, what’s a good way if somebody wants to reach out to you? Uh, you talked a lot about, uh, cloud security. Someone wants to just pick your brain, just follow up with you on anything you’ve mentioned. Uh, what is a good way of getting ahold. 

Jonathan Villa: Yeah, absolutely. [00:24:00] So one, uh, you know my name, uh, Jonathan, uh, dot Villa, guidepointsecurity.com, or, um, marketing, you know, may, may slap my hand for saying that.

I, I, I’m also jv gp sec.com. Just a shortened, uh, domain there, but easier to remember. I’m more obviously on LinkedIn, right? Jonathan Villa on LinkedIn. I think my profile. Kind of looks like how I look today, so I, I think it’ll be fine. All right. But yeah, that’s probably the best way to get ahold of me.

Amir Bormand: Cool. Awesome. Hey, thanks for being on. Thanks for sharing. Thanks for your time. 

Jonathan Villa: Absolutely. Thanks. Awesome. 

Amir Bormand: Awesome. That’s it for this episode. We’ll be back again. Different guests, different topic until then. Uh, two things. One, I’d love to put a round table together about, uh, concerns over, uh, public API, uh, usage of, um, public AI, usage of ChatGPT. I mean, I think there’s a lot of. Intertwining things there, uh, reach out to me. I’d love to have you on. Um, and if you found the podcast useful, you found it interesting, please share it with somebody else that, that, that could find it useful. Also, [00:25:00] um, give it a review wherever you’re listening to this.

That’s how, uh, it’s been growing organically. So I thank everyone who does that. Till next time, thank you and goodbye.