Career Paper CYSE 201S

As my chosen career path, I will focus on the role of cloud security engineer and how they leverage social science in their daily job demands and careers. Cloud security engineers are information security professionals responsible for designing, implementing, and securing cloud computing environments and services. This
paper will explore the role and duties of cloud security engineers and how their work benefits from understanding human behavior and social science concepts.
The daily life of a cloud security engineer is a complex dance. Security engineers delve into the minds of attackers, deciphering their motivations – what valuable data might our organization possess that they want? Cloud security engineers must also have an awareness of their own users, anticipating what errors they will potentially make. They navigate their organizations business and political landscape as well, understanding management’s priorities and effectively communicating the often-complex world of cybersecurity threats. Ultimately, a cloud security engineer’s success hinges on their ability to navigate the complex interplay of human behavior, both within and outside the organization. The structure of my paper will explore how social science concepts relate to the role of a cloud security engineer, focusing on three key groups: attackers, users, and management. Security engineers are at the forefront of the fight against cyber-attack, proactively working to secure the digital infrastructures that underpin modern organizations. In the media, the narrative roars of cyberwarfare and major breaches day in and day out. These battles, however, unfold on a silent front. Unlike historic conflicts marked by smoke and bullets and bombs, the fight for cybersecurity occurs unseen to most. It takes place on underground cables and satellites in space, code running on silicon chips and radio waves carrying invisible bits and bytes. It’s a war fought at a pace and complexity beyond the human eye’s capacity to see and comprehend, yet one that directly impacts the very foundation of the world. If this sounds alarmist or readers get the feeling this is an embellishment consider According to data from the Statista Cybersecurity Outlook (n.d.), business email compromise (BEC) cost victims more than $43 billion USD between 2016 and 2021 in the United States. For the overall cost of cybercrime in the US, estimates vary significantly depending on the source and methodology used. Some resources, like Cybersecurity Ventures, project the global cost of cybercrime will reach $10.5 trillion USD annually by 2025 (Cybersecurity Ventures, 2023). Instead of having to manage and purchase their own physical systems that are on company property, companies are increasingly turning to cloud solutions. These services, offered by Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform, provide on-demand access to computing. This “cloud” infrastructure allows businesses to rent only what they need, when they need it. The benefits are in the scalability and flexibility. Companies can spin up whatever they need for as long or as short as they need and not have to over invest or guess how much they will need. It’s computing on demand. A 2024 RightScale survey indicates that over 94% of enterprise organizations have a substantial portion of their workloads running in the cloud, highlighting the extensive adoption of cloud solutions (RightScale, 2024). Cloud security engineers will need to understand what valuable information is being used in their cloud infrastructure because that is what attackers are after. Data in the form of trade secrets, product designs, patents, proprietary information, credit card information, usernames, passwords, and access keys. What reasons do they have to steal this data? Ransomware payments? Corporate espionage? Destabilization? Money in exchange? There are a number of motivators, but understanding the link between what data you have exposed and the value it has will help determine what needs to be done in order to secure it. It will give insights in to who may be after that data and what level of sophistication they have. Are they sophisticated attackers with access to time and money who will not give up? Or are they looking for the low hanging fruit? Know thy enemy. Also, know thyself. Security engineers need to understand their users as well. Insider threats can be malicious in nature but often times are accidental with unintended consequences. For instance, do our employees travel a lot for work? Then we need to setup a VPN so they can connect securely while they are in other countries or are geographically dispersed. Are our employees full-time employees or contractors? We should use limited-time access credentials with restricted permissions based on project requirements and revoke access upon project completion. Do we have clients or customers? We need to make sure our public facing websites are not vulnerable to all the common attacks like SQL Injection but also update the plugins that are running. Adding secure development cycles that ensure input validation is programmed into our applications to ensure we do not have broken authentication forms. Last, we need to understand the psychology of management. All the planning in the world does no good if management does not approve or withholds funding the projects. We need to understand management’s worries and concerns. We need to understand their motivations and how to effectively communicate with them so that they see our projects and initiatives as worthwhile and defensible. Management doesn’t necessarily care about security in the way we do. They care about security of funds, reputations, and ROI. If we can speak the language of business, that’s a step in the right direction. Cloud Security Engineers must be able to operate beyond the confines of technology. We have to see how technology is being used in the real world. How does the human factor intersect with cybersecurity? Who are the players involved? What are their angles and what do they want? What are they willing to do in order to secure their goals? How do we persuade or dissuade them from doing that?

Citations:
Statista Cybersecurity Outlook (n.d.). https://www.statista.com/markets/424/topic/1065/cyber-crime-
security/
Cybersecurity Ventures (2023, November 14). Cybercrime To Cost The World $10.5 Trillion Annually By
2025. https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/
Citation: Flexera. (2024, February 14). Flexera 2023 State of the Cloud | Report.
https://info.flexera.com/CM-REPORT-State-of-the-Cloud?lead_source=Organic%20Search