Building A Security Culture With AWS


A conversation with Steve Schmidt, VP of Security Engineering, and Chief Information Security Officer (CISO), and Jenny Brinkley, Senior Manager in AWS security at AWS.

In this spotlight, we focus on security, specifically developing a positive security culture within your business. We will also pull back the curtain to show you our approach at AWS to implement and maintain a positive security culture and how you can do it, even if you don't sit inside the security organization.

“We are not only building and operating a security organization that operates at a scale that nobody's seen before, but it's building and operating a culture that is very unusual in the security world. And that's something I'm most proud of, building the right culture in the organization.”

Goal setting’s role in building a positive security culture


We strongly believe in incremental progress. Rather than trying to go with a big bang program that doesn't complete for many years, we try to have our teams accomplish something significant in a very short interval. We aim for incremental things that are progressive, measurable, and, more importantly, attainable in a relatively short period of time, like a couple of months.

Progressiveness means always making progress towards goals our service teams and our customers want to achieve. This mindset is important for two reasons. One, this is how businesses progress and how our services are launched to our customers. Two, it's a way of encouraging the service teams to talk to us instead of viewing us as obstructions to their ability to launch services or products.

“This is not about what the security team itself wants to do, but ensuring that we're always helping our customer teams, our internal teams, make progress towards their own goals, their own accomplishments.”

The way to a customer’s heart is to identify the problem


Let’s start with defining the word escalation. Escalation is the process of ensuring that the right people know about the problem at the right point in time and is fundamental for efficiency at AWS. Escalation is the concept of somebody seeing something that causes them to go, "Is that right?" And then, instead of sitting on it, we make sure the right people know about it.

Escalation encompasses one of our corporate values, which is that leaders dive deep and owners dive deep into the details of the way the business operates. Without all the details, you cannot make good decisions about what's going on and how to run your business effectively.

In the old world of security, we used the phrase “shoot the messenger” when a problem was identified, which discourages people from bringing things forward. My job as a leader is to thank people who’ve identified things and brought them forward for our attention. We reward the messenger and then fix it.

What is “zero trust,” and how can it make things better?


To us, zero trust means that you are no longer relying on a network perimeter as your primary defense point. It means pushing the security perimeter down to the smallest possible component, ideally individual data elements, if you can get down to that point. Conversely, it means opening up access to those individual data elements from wherever the authorized user happens to be. It's no longer that I have to be on a VPN, for example, but instead a situation where perhaps the phone has an agent on it that can inform our authentication and authorization system that my phone is in an approved state for patching.

It also means anchoring that trust in hardware components that have a great deal of repeatability in their ability to discern whether this is the right person. So for us, zero trust is about building a set of controls that together allow us to either permit or deny access to individual components of data for individual people based on their work, where they are, what they're using to access the device, the time of day, the day of the week, and the location they're at in the world. And it allows much, much better, fine-grained control of information when done correctly.
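The per-data-element decision described above, sketched as an added example (not AWS's implementation and not code from the original page). The element names, roles and policy values are constructed; the `on_corporate_network` field is carried only to show that the decision never consults it.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Request:
    role: str
    hardware_backed_auth: bool    # e.g. user authenticated with a hardware-bound credential
    device_patch_ok: bool         # posture reported by the agent on the device
    country: str
    when: datetime                # assumed to be in the policy's time zone
    on_corporate_network: bool    # carried for logging; never used in the decision


@dataclass(frozen=True)
class ElementPolicy:
    roles: frozenset
    countries: frozenset
    weekdays: frozenset           # 0 = Monday ... 6 = Sunday
    hours: range                  # permitted hours of the day


# Constructed policies, one per data element (hypothetical names and values).
POLICIES = {
    "customer.email": ElementPolicy(
        frozenset({"support", "billing"}), frozenset({"US", "DE"}),
        frozenset(range(7)), range(0, 24)),
    "customer.card_token": ElementPolicy(
        frozenset({"billing"}), frozenset({"US"}),
        frozenset(range(5)), range(8, 18)),
}


def decide(element: str, req: Request):
    """Return (allowed, reasons). Deny by default and report every failed check."""
    policy = POLICIES.get(element)
    if policy is None:
        return False, ["no policy for element"]
    checks = [
        (req.hardware_backed_auth, "authentication not hardware-backed"),
        (req.device_patch_ok, "device not in approved patch state"),
        (req.role in policy.roles, "role not permitted"),
        (req.country in policy.countries, "location not permitted"),
        (req.when.weekday() in policy.weekdays, "day of week not permitted"),
        (req.when.hour in policy.hours, "time of day not permitted"),
    ]
    reasons = [msg for ok, msg in checks if not ok]
    return not reasons, reasons
```

Returning the full list of failed checks, rather than stopping at the first, gives the audit log enough detail to explain each denial.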

Questions to Ask Customers and Personnel to Create a Positive Culture

  1. Are you happy with the interaction that you just had?
  2. Did I solve your problem in a reasonable period of time?
  3. Did I give you the tools to do your job more effectively and easily?

Those are all the types of questions we ask ourselves and our customers to ensure we know how we’re being perceived on the inside and outside.

Remember your “why?” for customers and personnel


The most important thing we would like people to take home today is that business should be a positive one. It should be about how do we make people's lives better? How do we make them more effective and more efficient at their job? And how do we ensure that we make incremental progress towards our goals every day, as opposed to waiting for a big bang.

So for those who do not sit in the security organization, we encourage you to schedule a virtual coffee, understand their business objectives, and find ways to communicate more effectively. You can learn more about what AWS security is doing at the AWS security blog.

“You want to give people the tools, rules, and instructions on how to do it right and make it easy for them to do the right thing. As a result, you’ll be happier as a security professional, and your customers will be happier that they can get their job done more easily.”
