This content is paid for by an advertiser and published by WP Creative Group. The Washington Post newsroom was not involved in the creation of this content.
Content from AWS

CISO insights:


By WP Creative Group

November 26, 2024

Cybersecurity leaders often see themselves as mainly responsible for equipping their teams with the latest defense tech. But software and hardware are only part of the security equation. Chief information security officers and those in similar roles must also strive to create a culture in which team members can thrive, innovate and function at peak efficiency.

Washington Post Creative Group recently caught up with Clarke Rodgers, Director of AWS Enterprise Strategy, to get his take on how this can be done. Rodgers’ insights on the connection between culture and effective cybersecurity are drawn from his own rich experience as a CISO and the lessons he’s learned through frequent engagements and conversations with other world-class CISOs.

Q:

Thanks for joining us, Clarke. Please give us a bit of background about yourself and your team at AWS.

A:

I’m a former Chief Information Security Officer from the financial services and insurance industries. At AWS, I work on the Enterprise Strategy team, which is a group of former C-suite executives like myself who have led a digital transformation or cloud migration at their previous companies. Broadly, we’re a bunch of generalists that can cover the spectrum of IT and business transformation – former CIOs, CTOs and similar roles.

Q:

How do you interact with security leaders at your client organizations?

A:

We meet with peer-level executive customers to help them develop, optimize and think differently about their overall security program. That includes helping them think through the security considerations and business impacts of digital transformation and cloud migration.

I also host our Conversations with Security Leaders podcast where I speak with security leaders inside and outside of AWS about security leadership and culture. My goal is to advise them on how to apply effective security practices across their entire estate, whether that’s all on AWS or not.


Q:

Given that you’ve spoken with so many security leaders over the years, how have you seen the CISO role evolve?

A:

It’s been quite a journey for the CISO role. It was just 20ish years ago when there was no such thing as a CISO. You had someone in “the basement” who had security as part of their job responsibility. If anything bad happened, bells would go off and you’d contact them and hopefully they would fix things. And then they’d go back to the basement. This was essentially a firefighting view of information security – and highly reactive.

Today, CISOs are business leaders with deep security expertise, just like how a CFO is a business leader who has deep financial expertise. Cybersecurity is no longer just a technical topic, it’s a business enabler. More and more boards of directors now see security as an organizational strategic imperative.

CISOs now have that seat at the table where they can influence the direction of the business, mitigate risk and help innovation move faster.

Q:

How are those CISOs getting buy-in for their plans?

A:

It’s a hot topic in our customer roundtables, which we call AWS CISO Circles; that’s where we bring customers together to talk through these things. Reporting to the board has evolved over the years. If you were lucky, you might get one time a year where you would report the status of your security program.

And it was something similar to, “Here’s what machines need to be patched. Here’s my anti-virus status.” That would either go over the heads of, or not be very interesting to, the board. Today, our most progressive CISOs understand their business deeply. They understand the risk appetite, the risk tolerance of the boards. They present cybersecurity information in dollars and cents, not in bits and bytes. They speak the language that the board is used to – the language of risk.

So now it’s not so much, “Hey, business unit A is behind on its patching.” It’s, “Business unit A is not meeting your risk criteria. And there are some mitigants that they need to put in place so you’ll hit your revenue objectives.”

Q:

You mentioned that a lot of your conversations with security leaders center around culture. What does having a culture of security mean to you, and why is it important to effective cybersecurity?

A:

It means security is embedded in everything we do. What that means, from a business perspective, is that if I’m faced with the challenge of getting a feature release out the door non-securely to meet a deadline, versus getting it out the door securely, I have the support from leadership to make the right decision and get it out securely first – and then add the desired functionality later.

One way we do that at AWS that helps set the tone for the organization is there’s a well-known weekly security meeting. AWS Executive Leadership, AWS Security Leadership and our Service Team Leaders all attend. The CEO and CISO talk through what the CEO is interested in around security, risk, compliance and privacy. Then, the CISO shares with the CEO the things that maybe the CEO needs to pay attention to. And he can adjust his priorities to make sure that security is a proactive contributor to the business outcomes our CEO cares about.

This sets a tone. If the CEO is taking an hour out of his week to do this, it must be important. If I’m a business leader, I’m going to make sure that I meet or exceed whatever the security standards are for my line of business. It’s not impossible to set a culture of security from the ground up, but it’s much easier – and faster – when you can have the most senior leader holding everyone to account.

Q:

What advice would you give other leaders about establishing a strong security culture?

A:

A strong culture of security requires empathy and psychological safety. If we go back 20 years again, security professionals, especially the head security professional, were people you avoided. They were the cop. “Don’t do this. Don’t do that. That’s too risky.” Now it’s, “How can I help you succeed? Help me understand what you’re trying to do. Let me help mitigate the risks.”

When people are worried about getting into trouble – or getting others into trouble – they can hold back from saying something. People have to be encouraged that saying something is not a bad thing. It’s a positive thing.

When our security teams get a security ticket, they investigate it. If it turns out to be nothing, they say, “Thank you very much.” If it turns out to be something, it’s still, “Thank you very much.” We want people to consider talking to security as a safe, positive thing to do. There are no stupid security questions.

Q:

With security talent and budgets being constrained the way they are, how can security teams scale to support the entire business?

A:

A lot of CISOs ask how they can scale security expertise across the organization for a couple of reasons. I’ve yet to meet a CISO who can hire all the security people that he or she would like to have. It’s just not possible from a budget and staffing perspective. So CISOs need to get creative on how best to execute the security mission across the organization, whether the team members are part of the official security team or not.

At AWS, for example, the security team is finite, so we need to make sure security is embedded in everything we do. We can’t hire security people throughout the entire organization. You just can’t scale that way. So we’ve come up with a program called Security Guardians, where AWS security trains a subset of developers who are embedded in every service team. They are not only the eyes and ears of security into those service teams, but they are members of those development teams. They are not outsiders… they have ownership not only of the product or service that they’re building, but of the security of it as well.

That allows our product teams to innovate and scale without worrying that security is going to be a blocker. It helps ensure that security is baked into every product we build, right from the start, rather than being bolted on later.

Q:

To close, what are some of the most important lessons you’ve learned from your own experience as a CISO?

A:

One of the most important is that security is there to mitigate risk as defined by the organization. I’ve often run into security professionals who feel like they have to bubble wrap their entire organization without fully understanding the business needs to innovate and make money.

You have to understand the risk to the industry you’re in, the risk to the specific business you’re in and put in the appropriate mitigants. There is no one-size-fits-all. It’s understanding that nuance, being a business leader with deep security expertise and then following that bouncing ball. That’s opposed to putting up a wall everywhere you possibly can. If you do that, you’re negatively impacting the security culture of your organization. You’re being a cop instead of a coach.

If we look back 12 or 15 years, there was this new thing called the cloud and CISOs were like, “Nope, never going to happen. I’m not going to put my data on somebody else’s infrastructure.” Well, what happened? The business did it and ran around them, and then once they realized they had assets in the cloud, they had to scramble to figure out how to secure them. Not the ideal situation.

Fast forward to today. There’s this new thing called generative AI. What are CISOs doing now? “How can I help you be successful? Let’s work together to understand the risks here, put the appropriate mitigants in place, and let’s go do great things with generative AI.” So, it’s really been a sea change over the last 15 or 20 years as far as culture, and I can’t wait to see how things progress over the next 10 or 15 years.