#16 — Rant Job Hunting for a Cloud Security Job

Here are some observations and thoughts I have based on my job hunt:

1. Amazon AWS is still the dominant cloud platform in terms of market share. This is also reflected in the number of jobs available. A quick search on LinkedIn for AWS security shows 40k+ jobs whereas a quick search for Azure security shows only 25k+ jobs, and a search for GCP security shows only 6k+ jobs.

2. Inversely, it is harder to find and recruit people who can work with Microsoft Azure or Google GCP since most people will learn only Amazon AWS. Candidates should have a solid foundation of cloud security before selecting a cloud to specialize in. Even after that, it is best to have a basic understanding of ALL three top cloud service providers.

3. People with skills in Microsoft Azure and Google GCP are able to command a higher salary due to the lower number of candidates in the job market. Simple supply and demand.

4. Reality is that many organizations still have on-premises data centers and multi-cloud environments using more than one cloud service provider. Among the three cloud service providers, Microsoft Azure has the advantage where you can defend across all three clouds and on-premises data centers.

5. Even if the title for a position includes “Cloud Security”, more times than not most organizations use Amazon AWS and prefer candidates with strong skills using it. This is interesting since basic cloud technology has many identical services and functions across all three major cloud service providers even if names of specific services are different. For example, Azure has Defender for Cloud whereas AWS has Inspector. Both services perform security assessments and assess for compliance. In short, a candidate with experience in Amazon AWS should be able to quickly learn the basics of Microsoft Azure or Google GCP.

6. Even with experience using Amazon AWS in the past, I was passed over for jobs because it was assumed that since I used Microsoft Azure extensively at my last organization, I must have zero experience with Amazon AWS.

7. Consulting firms overall were more cloud neutral and more willing to accept candidates who have not selected a specific cloud to focus on.

8. In terms of cloud security certifications, Microsoft is the clear leader. All three cloud service providers have a general cloud security certification. Microsoft adds four on top of that including a brand-new Cloud Security Architect certification currently in beta. I know a few people who have already passed it.

9. Some positions include cloud security work as part of job duties even if “Cloud Security” is not in the job title. This is a mistake I made in my job search.

10. Many jobs involve the creation, optimization, or working with CI/CD pipelines, aka the heart of cloud workloads and where many security risks exist that need to be addressed with DevSecOps automation, security tools, and solid processes. This makes it essential to have some developer skills.

11. JSON is very much a required skill and used heavily for cloud work regardless of cloud service provider.

12. Many organizations moved to the cloud too quickly using the lift and shift model with little thought to security or cloud optimization. This increases the demand for cloud security professionals, who have to apply guard rails.

13. On the other side, many organizations make the mistake of just adding cloud security duties to existing staff, leading to higher chances of burn out.

14. Some recruiters reached out to me about positions that paid less than six figures with many assuming I am entry-level.

15. Many jobs were looking for a Cloud Security Architect level of experience even if the job is listed as Analyst or Engineer. Also, the vast majority of cloud security jobs are looking for Cloud Security Architects, leaving little room for folks who don’t have such a high-level skillset. In short, it feels like the market is saying: Cloud Security Architect or bust. I was lucky to land a security engineer role, on my way to Cloud Security Architect.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of any other agency, organization, employer, or company.