#AWSreInforce Establish Security Culture to Sustain Your Business

An organisation with a culture of security can respond to incidents and lead from the top.

Speaking at the AWS re:Inforce conference in Philadelphia, AWS CISO Chris Betz said it takes a “dedicated effort” to grow, evolve and maintain a culture focused on security as a top priority.

Reflecting on his nine months in the role, Betz said there is a culture across AWS which is led by CEO Matt Garman, where security leaders are able to meet with individual service teams to discuss important security issues.

“After experiencing these meetings in person, I'm impressed by the impact they have on each and everyday work and as leaders, we all know that time is incredibly precious,” he said. 

Dedicating Time

Betz said that dedicating time to security discussion each week gives each service team that joins those meetings dedicated, focused time to talk about security. “This may be one of the only times that they get to spend with their CEO this year on their service,” he said.

He also pointed out that the CEO of AWS chooses to talk about security, the challenges and opportunities presented by it, as well as shaping the roadmap for the company. “These meetings reinforce how we empower our service teams to deeply own the security of our products,” he said. “Each team has intimate knowledge of their products and services, allowing them to make smart decisions on how to build these services more securely.”

Betz said this level of security culture means team leaders hold themselves accountable for the security of their services, which led to the formation of the security guardians program: engineers embedded in service teams, who develop security expertise and help scale security practices across AWS.

Betz said: “As part of the service teams, guardians are there in every step of the development cycle. From planning to stand-up meetings, into security reviews, to give voice to security decisions and help build more secure software. We also have - and benefit from - a culture of escalation.

“This is fundamentally part of the way Amazon operates. When there's a security issue, we are empowered and encouraged to escalate to whatever level necessary immediately.”

Betz said this enables the team to respond quickly and decisively, and the culture means the team is united.

“I think we've all seen it before: an issue arises and teams play ticket ping pong, passing a ticket from team to team, losing valuable time,” he said. “At AWS, each security-related item is rapidly escalated to the security team, who assumes ownership. Ownership really means something in our culture, and they take that ownership deeply to do whatever is necessary to get the issue solved.”

Developing New Habits

Betz went on to say that culture “is at the root” of developing new habits within an organisation to prioritise security. “It's culture that drives us to design systems that are secure by design - not bolting it on after - and it's a culture that teaches us to empower the individuals and operate the business in a way allowing us to remain agile while distributing security throughout the organisation,” he said.

Betz said that culture doesn't happen overnight, takes constant investment and begins with a single motivated individual.

He later said that upon joining AWS, it was clear that security was the top priority, reflected in how processes and mechanisms were developed, and that the “thoughtfulness and maturity at AWS was next level.”

Asked what advice he would give to other practitioners trying to instill a security culture at their business, Betz encouraged engaging with business leaders, making sure the direction you’re all headed in is the same, and talking about what is important.

He concluded by recommending security ownership across the organisation, enabling business leaders to hold every layer of the business accountable, having expertise available at the “right place and time” and celebrating successes.

“Think of it as a journey and investment, and it takes constant time and investment and is really important,” he said.

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
