AWS Cloud Enterprise Strategy Blog
AWS Security Leaders: A Series
Background
As an Enterprise Strategist at AWS, I spend the majority of my time in two key areas when I meet with customers: all things digital transformation—people, process, technology, culture, aligning technology investments to business outcomes, cloud migration, organizational change, etc.; and security, compliance, risk, and privacy topics, due to my experience as a former Chief Information Security Officer (CISO). One thing that transcends both of those subjects is the desire from customers to learn from others: “What common mistakes should I avoid?”, “How did you address this issue?”, “What do others in my industry/part of the country/world do in this case?”, “What is a best practice for ‘X’?” are questions that my fellow Enterprise Strategists and I answer regularly.
The Problem
There is one question, however, that keeps coming up: “How does AWS handle [insert your security topic here]?” Customers want to know how AWS handles security at scale, both for ourselves and on behalf of our customers, with the idea that if they can learn from AWS and approach security similarly, then they can be more secure as they move workloads into the AWS cloud and mature their operations there. This question is not limited to customer CISOs; I have received it from virtually every member of a customer’s C-Suite, from Line of Business (LOB) leaders, and from Boards of Directors, among others. It is a question I used to ask when I was a customer.
The Solution
I could answer these questions individually, and for many months, I did just that. But one person does not scale well when we have potentially millions of customers with these same questions and interests. So, I decided to create an AWS Security Leaders Video Series: an in-depth, one-on-one interview series with AWS security leaders who are responsible for parts of the larger AWS security mission. The series is free of security and AWS service marketing, and focuses on tackling the challenges that many customers face regarding their security and compliance posture.
I am happy to say that the final video of what I’ll refer to as “Season 1” of the series launched a few weeks ago, and I wanted, in this blog post, to collect all the material in one place and provide a reference for customers and employees.
The Takeaways
While each interview focused on a specific area, there were common themes that I will summarize below. There are core concepts that allow AWS to scale its security operations, and they may be helpful for customers to use when thinking about their own security programs. We don’t claim to be perfect at AWS, but we are constantly experimenting with and improving our security and operations programs with the goal of making them as indistinguishable from perfect as possible.
- Create a Culture of Security: This is the crux of the AWS security program. It is achieved through top-down executive support of your security program; by making security everyone’s job; by thinking about security at the beginning of projects; and by embedding it into every business practice. Everyone, from the most junior employee to the most senior, must be enabled to raise security issues.
- Engineering & Automation: This is how one scales. If you have to do something manually more than once, automate it. Excellent software engineering INCLUDES excellent security practices. Establish a baseline of what is automated from a security perspective and increase it by a set percentage each year. Build systems to fix other systems, and let your humans focus on risk and on solving business problems.
- Learn and Be Curious & Ownership: Traits of highly successful security teams (which happen to be two of Amazon’s Leadership Principles). Why did the system react that way? How can I make it more secure/resilient? What solutions can I try? If you think you have a security issue, then you have a security issue, and it is your responsibility to either fix it or inform those who can. The Correction-of-Errors (COE) process includes asking “why?” until you get to the true cause of an issue, and then engineering a fix for it. Mistakes will happen. The same mistake should not happen twice.
- Security Outcomes: Understanding the why and the how. Security programs exist to reduce risk to business operations, so understanding business risk and being able to articulate (and implement) appropriate mitigations to those risks is critical. The security outcome (risk reduction)—not the specific tool, technology, or the size of security team—is the goal.
- People: Humans are your security program’s greatest strength. Know what to look for in security hires, then train and retain security talent; your next great security hire may not be a security expert at all. Diversity in security hiring is critical to avoid groupthink and uniformity of thought. One of the most effective security scaling mechanisms is the development of a security ambassador or guardian program.
Closing
My team and I are currently in pre-production of “Season 2” of the AWS Security Leaders series, and I can’t wait to share some more great content from other AWS Security Leaders in the not-too-distant future. Please connect/follow me on LinkedIn for updates, and if you have an idea for someone you’d like me to interview at AWS Security, or a topic you’d like to see covered, please DM me via LinkedIn!
The Interviews
- Eric Brandwine – Raising the Bar for Security at AWS and Beyond
- Chad Woolf – (Part 1) Scaling Compliance and Security Assurance at AWS
- Chad Woolf – (Part 2) Rethinking Security and Compliance Operations at AWS
- Hart Rossman – (Part 1) How AWS Helps Customers Meet Their Security, Risk, and Compliance Objectives
- Hart Rossman – (Part 2) Developing and Measuring a Modern Security Operations Organization
- Merritt Baer – Reframing Security as a Strategic Advantage
- Megan O’Neil – Extending Security Ownership Across Your Organization