Building a Culture of Security
In some security organizations, an atmosphere of fear, uncertainty, and doubt (FUD) can create a reactive environment in which employees see security as a gatekeeper or the “Department of No.”
At Amazon Web Services (AWS), we think about security culture differently. Security should not be an obstacle to achieving your organization’s goals, but a collaborative force to propel your business safely forward. If we do our job right, security is a business enabler.
As Chief Information Security Officer (CISO) at AWS, one of my favorite parts of the job is fostering a positive culture that evolves along with our technology and the world around us. The foundation of successful security culture rests on a few key pillars: security as a business priority, building the right mechanisms and tools, and using automation to help our customers scale.
Security is everyone’s job
CISOs and IT leaders play a key role in demystifying what security and compliance represent for the business. At AWS, we made an intentional choice for the security team to report directly to the CEO. The goal was to build security into the structural fabric of how AWS makes decisions, and every week our security team spends time with AWS leadership to ensure we’re making the right choices on tactical and strategic security issues.
Security culture starts from the top down, but it’s equally important that responsibility flows from the bottom up. We prioritize an attitude at the C-level that security is not just the security team’s job—it’s a distributed responsibility we all own.
This creates an atmosphere where employees feel safe informing us early and often when they identify a potential security issue. We call this an escalation, and it’s a fundamental part of how AWS operates. Put simply, it’s a process that ensures the right people know about a problem at the right point in time to make a decision.
Mechanisms versus good intentions
At AWS, we’re guided by the principle that good intentions alone don’t drive action; you need to create mechanisms to implement them. A mechanism is a complete process and the tools needed to operationalize intent. Often, in security, this means building automated guardrails, not gates.
Guardrails allow teams to move quickly by automating the more routine security practices, leaving humans in control of high-judgment decisions and empowering them to make the right choices. For example, any AWS service that stores customer data can encrypt that data, and by default users can only access the accounts they create. Organizations must then put intentional data policies in place to define how users share that data and with whom.
A good example of guardrails is at Netflix. Amid the shift to remote work during the pandemic, Netflix’s investment in AWS helped the organization implement a centralized data approach with secure endpoints. This means no matter what device an employee is using to access data from home, the endpoint is protected and the data itself is centrally stored and monitored in the cloud.
Collaborative security culture
AWS security and service teams work collaboratively to solve problems on behalf of our customers. If a team has a question about security, or something is unclear in the software testing process, we provide guidance and partner to remedy any issues.
At the heart of collaboration is transparency. One of the ways we help customers implement a collaborative security culture is by providing end-to-end detection and monitoring capability for full security visibility across every part of their infrastructure. AWS security services use machine learning to deliver a near real-time view of potential security issues at scale, with investigation tools to analyze the root cause—and they get a little smarter each time an event occurs. This proactive, data-informed approach gives teams the shared understanding necessary to work together to identify and remediate issues quickly.
Another pillar of collaborative culture is diversity. At AWS, we are committed to achieving our goal of building a diverse and inclusive team—with varied perspectives, backgrounds, and ways of thinking—to help us approach challenges in creative ways and ultimately become a more effective, well-rounded security organization.
Comcast is a good example of collaborative security in practice. It created a Cloud Center of Excellence to embed security into the development lifecycle, which has enabled security to collaborate with teams across the organization as equal partners in rolling out its cloud infrastructure.
Security culture should be rooted in continuous progress. It's easy to get caught up in a negative headline, but what most people don't see are the trillions of distinct activities and decisions going right every day.
At AWS, we take an optimistic but accountable approach. We believe that with the right processes, automation, and transparency, security in the cloud is not only achievable—but something that builds trust in the business itself.
Wall Street Journal Custom Content is a unit of The Wall Street Journal advertising department. The Wall Street Journal news organization was not involved in the creation of this content.