I just completed Course 2 of the Coursera Google Cloud Cybersecurity Professional Certificate program. This has been long overdue. I was supposed to finish this course last November, but some things were just beyond my control. Anyway, I’m done now and, as promised in my Course 1 review, I’m once again sharing my personal review of this particular course.
If you’re interested in pursuing a career in cybersecurity, I’m hoping the information I’m sharing here can help you decide whether to make this certificate program one of your stepping stones in your journey into cybersecurity mastery.
Course overview
This second installment of the certificate program, which is entitled “Strategies for Cloud Security Risk Management”, focuses on risk management and cloud security risk frameworks. Risk management is a critical process in cloud security because it helps you identify, assess, and mitigate vulnerabilities and risk to your organization’s cloud-based systems and data.
The course consists of four modules:
- Introduction to frameworks within security domains – Here, you’ll be given an overview of key concepts such as risk, security domains, security controls, compliance, risk management, and control mapping.
- Risk management and security frameworks, regulations, and standards – In this module, you’ll dive deeper into risk management frameworks, industry-specific regulations and standards, data protection and privacy, and the Google Cloud Risk Manager.
- The compliance lifecycle – This is the part where you’ll see how knowledge gained from the previous modules are applied in real-world scenarios. The lecturers will walk you through the compliance lifecycle, and you’ll learn how to conduct control mapping and security assessments, prepare for a cloud security audit, and even review and update a risk management policy.
- Cloud tools for risk management and compliance – Finally, you’ll be introduced to tools that can simplify your tasks in risk management and compliance. This includes Google’s own Security Command Center, Risk Manager, and Policy Analyzer, third-party cloud security posture management (CSPM) tools, as well as valuable resources such as MITRE, NIST, and CIS.
If you want to see a more detailed course outline, check out the official course page at Coursera.
The entire course takes about 18 hours to complete. So, if you really want to, you can devote a single weekend to complete everything. Of course, that’s assuming you can stay locked in with very few breaks. In my case, I needed about three days to earn my certificate.
What I like
Risk management is one of the least exciting disciplines in cybersecurity. The same holds true in cloud security. It involves extensive reading and writing/encoding. A significant part of the job entails reviewing and filling out multiple spreadsheets while referencing lengthy documents, such as cybersecurity standards and frameworks.
That’s no easy feat, as a single framework document can be hundreds of pages long! NIST 800-53 Revision 5, which was used in one of the exercises, for example, consists of almost 500 pages. Don’t worry, you won’t be asked to read the entire document or even 1% of it. I just wanted to give you an idea what a cloud security analyst encounters as part of their job.
Activities that mimic real-world tasks
Since the tasks involved in risk management and compliance can be quite tedious, it’s hard to visualize how they’re carried out. Thus, I’m so glad the course included activities that mimic those tasks, albeit on a smaller and more manageable scale.
For example, in one of the course modules, I was asked to review a hypothetical compliance report spreadsheet, along with a hypothetical security controls table and the actual NIST 800-53 Revision 5 document as references.
I was then required to fill out a spreadsheet, which served as my compliance report notes, where I had to identify the cloud resources that were non-compliant with the NIST framework, the specific security controls that were absent, the corresponding severity levels of the issues in question, and my own recommendations to resolve each issue.
Here’s a portion of my output:
| Compliance Report notes | |||
| Security control | Severity | Findings | Recommendations |
| List the missing security control(s). | List the severity (high, medium, or low). | Provide a description of the missing security control. | Provide a recommendation for implementing the security control. |
| CA-3 (Assessment, Authorization, and Monitoring – Information Exchange) SC-7 (System and Communications Protection – Boundary Protection) | High | 2 VMs have been assigned public IP addresses:Instance-1instance-2 | Change the IP addresses of each affected instance to private IP addresses |
| AC-6 (Access Control – Least Privilege) | Medium | 1 account is configured to use the default service account with full access to all Cloud APIs | Reconfigure the account so that it adheres to the principle of least privilege and only uses APIs it needs to perform its duties |
In another course module, I was asked to review a hypothetical risk management policy document and then recommend changes so that the policy would align with the NIST SP 800-53 framework. Here’s a table showing my output for that particular exercise:
| Risk Management Policy Notes | ||
| Policy Section | Recommended Change(s) | Reasoning |
| Access Control | Every employee workstation must be configured to automatically lock 2 minutes after an employee leaves it unattended. | Unattended workstations are susceptible to unauthorized access. Malicious individuals might grab the opportunity to access sensitive information or wreak havoc. |
| Awareness and Training | Employees with greater privileges must undergo more stringent training. | Employees with more sensitive roles and who have access to more sensitive data can put their organization at greater risk if their user accounts are compromised. Hence, it’s more important for them to undergo more rigid training than those employees with less critical responsibilities and access rights. |
| Configuration Management | Users should only be allowed to install approved software on their work devices | Users are usually unaware of the risks a particular software can introduce to your organization. Hence, only those who can make informed judgement should determine what can and cannot be installed on user work devices. |
| Identification and Authentication | Passwords must be both complex and lengthy. | Passwords are more difficult to crack if they are both complex and long. Long and complex passwords are more immune to brute force attacks. |
These activities stood out because they offered tangible ways to engage with a critical, yet often seemingly abstract, aspect of cloud security. By simulating the process of risk management and compliance reporting, the course made an otherwise tedious task feel purposeful and approachable.
While the activities are by no means exhaustive, they do help you become more familiar with tools and frameworks like NIST 800-53, and offer a glimpse on how these tools and frameworks are put to use in real-world scenarios.
Interactive lab sessions
I truly enjoy interactive lab sessions, so I’m glad this course has it. In module 4, I was able to use the Google Cloud Security Command Center (SCC) to identify and verify security vulnerabilities. And then, using the same tool, I was able to remediate high and medium risk issues that were specified in the exercise.
As part of the exercise, I was able to use the Compliance module to run a compliance report based on the CIS Google Cloud Platform Foundation 2.0 compliance standard.
I like how these hands-on exercises offer a practical and immersive experience that go beyond what theoretical discussions provide.
Interview tips
It seems like Google has made it a point to include interview tips on every course. I find that really helpful. Most learners take courses like this to boost their chances of getting hired, so practical tips like the ones Google inserted into the course are a big bonus. The screen grab you see below was taken from a video demonstrating how a typical interview process for a cloud security analyst position might look like.
One major takeaway I got from the interview demo is the importance of providing examples to highlight your level of experience in using relevant skills. Google hires aspiring cybersecurity professionals for their Google Cloud platform, so we know the demo closely resembles real-world interviews for this particular job role.
Challenges to be aware of
Compared to Course 1, I found Course 2 a bit more challenging. Well, yes, Course 1 was just an introduction, so the lessons are expectedly easier to understand. However, I think the topic itself, i.e., risk management and compliance, can be a bit boring. I often found myself re-reading or re-playing the learning materials to internalize certain sections.
That being said, there’s no way around it. You just have to buckle down and put in the time and effort to fully grasp the lessons. The good news is that the course provides ample resources, including detailed explanations, practical examples, and hands-on exercises, to help reinforce the material.
Despite the challenges, I do highly recommend this course.
Why I highly recommend this course
When I was first starting my freelancing career at Upwork—then, still known as oDesk—one of the strategies I adopted to succeed was choosing the road less traveled. I would choose jobs that, relatively speaking, fewer freelancers applied for. This strategy had two advantages:
- There were fewer competitors, so the chances of getting hired was high; and
- Due to the law of supply and demand (in this case, freelancers were the “supply” to the demand), the pay was usually substantially higher.
I believe the same principle holds true for aspiring cloud security professionals who can demonstrate their competency in risk management and compliance. Many organizations that need to secure their cloud-based assets are also likely governed by one or more standards, laws, and regulations. So, candidates who can demonstrate their competency in this area should stand out.