Do You Need To Know Coding To Succeed In Cloud Security ??
My take on this commonly asked question

“Do you need to know coding in Cloud Security ?
Newcomers to Cloud Security often ask me this question with a scared face when we do a coaching session.
Coding has always been something that separates the real “techies” from the casual “non-techies” in Cybersecurity.
Let me be clear right from the start.
Coding is NOT a mandatory skill for Cloud Security
It is entirely possible to have a great Cloud Security career without once touching code
BUT .. it is a massive advantage for the following reasons
1 — Understanding IAM becomes easy:
I have written about this multiple times, but Identity & Access Management (IAM) is at the very heart of Cloud Security
If you want to control what a user can do .. it is IAM.
Want to control what a cloud workload can do .. it is IAM
Want to control the blast radius of a developer with power user permission .. it is IAM
If you want to control third-party access into your environment, it is IAM !!
If you want to enforce a complex security model like Zero Trust, good luck without learning how IAM works!
Coding makes creating and fixing IAM policies much easier, as they are typically in JSON format.
Not knowing how to read JSON will make your life considerably more difficult in cloud security
The better you are at coding .., the more amazing IAM policies you can create!
2 — Infrastructure as Code (IaC)
No one creates infra in the cloud from the management console i.e. the dreaded “CLICKOPS”
Everything is captured in Infra as Code ( keyword here being “code” ! ) using tools like Terraform or CloudFormation
And that is where is where the security weaknesses also reside.
You might scoff and say you can buy scanners that check these IaC templates for security issues, but you will be disadvantaged if those findings are challenged.
Few things frustrate a cloud team more than a security professional not being able to understand WHY a vulnerability is being reported as a false positive
Knowing coding will help make finding issues easier and help you enforce security within the code itself
3 — You Can Automate With Serverless
Serverless is one of the most amazing parts of the cloud
Serverless is an execution model with full abstraction of the environment, and only code exists to run it (and be secure!).
Forget servers, patching, and agents .. you can just write code and run it without worrying about the boring parts.
Coding not only helps you understand serverless but also allows you to implement your own amazing serverless functions for security automation and incident response!
4 — DevSecOps
In today’s cloud environments, security isn’t just a gatekeeper role — it’s integrated into every phase of the development lifecycle.
This is where DevSecOps comes into play. Understanding basic coding helps you:
Embed security early in CI/CD pipelines.
Write custom scripts to automate security checks.
Understand how APIs interact, enabling you to secure data flows better.
Without coding knowledge, you may struggle to collaborate effectively with DevOps teams, slowing down security feedback loops.
5 — Understanding APIs: The Backbone of Cloud
APIs are the glue holding cloud services together.
Cloud security heavily relies on securing APIs — whether it’s API Gateway, RESTful APIs, or microservices communication.
Knowing how APIs work allows you to:
Detect and mitigate API-related vulnerabilities like injection attacks.
Test API endpoints securely.
Automate security controls via API calls.
Without basic coding skills, these tasks can become daunting.
A Tale of Two Cloud Security Analysts
To make this more simpler .. imagine two cloud security analysts:
Analyst A doesn’t code. They rely solely on dashboards from 3rd party solutions, struggle to understand complex IAM policies, and need extra time when investigating incidents.
Analyst B knows basic coding. They can quickly write scripts to audit permissions, debug policy issues, automate routine tasks, and even deploy security fixes via Infrastructure as Code.
Guess who’s more effective and in demand?
The Good News ??
The good news?
Learning coding is now massively easy thanks to GenAI tools like ChatGPT, which makes learning coding a breeze !
You can even make them explain code to you simply and easily.
There is no excuse not to know some coding in today’s AI-powered world.
I hope this helped to demystify why coding is necessary for cloud security professionals.
Good luck on your coding journey!
I would look at from a slightly different perspective. While it is great if you know how to code in the cloud security world, I think it is perhaps more valuable (depends on your perspective) to better understand that your partners in cloud security are developers/coders. What I mean by this is if you can understand the implications of your policies on the developers in your organization, and develop a sense of empathy towards them with regards the impact of your policies and decisions, you'll achieve much better outcomes.
I need to learn code, even at my age!