The CISOs of Netflix and AWS Discuss Remote Work, Security Culture, and Cats as a Threat Model
As part of Verified: Presented by AWS re:Inforce, a new video series of discussions with security leaders, AWS CISO Steve Schmidt sat down with Jason Chan, VP of Information Security at Netflix, for a broad-ranging interview. Even though we couldn’t be together this year at AWS re:Inforce, we still wanted to create a platform for conversation about important security topics from the event and for security leaders to share their experiences.
I’d like to call out two of the topics they discuss that continue to come up in conversations that I have with customer executives: the human element of security and how to think about data protection at scale, especially when the entire workforce is working remotely.
Customers often want to focus on security tools, like the latest anti-malware service, firewall, or vulnerability scanner available on the market today, yet discussions around how to build and cultivate a strong security team are not as frequent. While it is important to have security “arrows in the quiver,” it is equally important to build a culture of security (e.g., ownership) around the human element of running large security organizations. This will help set the foundation for embedding a culture of security across the company. Questions security leaders will often ask to draw out the human element include “What motivates people to get into security?” and “How do you ensure that you have a healthy, diverse mix of security talent from many disciplines and perspectives?” Not every security professional needs to be a coding superstar (though you do need some). You also need people who understand people: the motivations of adversaries, how and where to make the right investments based on your organization’s risk posture, and other soft skills.
Earlier this year, companies quickly found out that having a remote workforce was a business necessity. Some customers, who had already made investments in remote work, simply expanded what they were already doing. Others had to start from scratch, and fortunately, AWS was able to support customers across the spectrum, with myriad services such as Amazon WorkSpaces, Amazon Connect, and Amazon Chime, to name a few. But getting people to work effectively remotely AND securing sensitive company assets can be challenging. As a forward-thinking security leader, Jason made the appropriate investments in an approach that is working well for other successful security leaders: where possible, centralize your most sensitive data and apply the appropriate protections. Then, treat every device or person that wants to access that data as potentially hostile. Is this an authorized user? Can they prove it (e.g., through MFA)? Are they using a hardened company asset on the corporate VPN (e.g., with strong endpoint protections) or an untrusted personal device on the public Internet?
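The access decision described above, written out as a small policy evaluator; this is an added example, not code from the post or from Netflix or AWS, and the sensitivity tiers, request fields and sample users are assumptions. Every request starts as hostile and is admitted to centralized data only once identity, a second factor, and a hardened company asset on the corporate VPN are proven, with the bar rising with the sensitivity of the data.

```python
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2


@dataclass(frozen=True)
class AccessRequest:
    """One attempt to reach centralized data; each field is a claim the requester must prove."""
    user_id: str
    authenticated: bool      # identity established at all
    mfa_verified: bool       # proven with a second factor
    managed_device: bool     # hardened company asset with endpoint protections
    on_corporate_vpn: bool   # versus an untrusted path over the public Internet
    data: Sensitivity


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'require_mfa' or 'deny'. Default is hostile: deny unless every bar is cleared."""
    if not req.authenticated:
        return "deny"
    if req.data is Sensitivity.PUBLIC:
        return "allow"
    # INTERNAL and above: a second factor is mandatory; prompt for it rather than denying outright
    if not req.mfa_verified:
        return "require_mfa"
    if req.data is Sensitivity.INTERNAL:
        return "allow"
    # SENSITIVE: proven user on a hardened company asset over the corporate VPN only
    if req.managed_device and req.on_corporate_vpn:
        return "allow"
    return "deny"


# Constructed sample requests (hypothetical users, not real accounts or systems)
SAMPLE_REQUESTS = [
    AccessRequest("alice", True, True, True, True, Sensitivity.SENSITIVE),   # fully proven -> allow
    AccessRequest("bob", True, True, False, False, Sensitivity.SENSITIVE),   # personal device -> deny
    AccessRequest("carol", True, False, True, True, Sensitivity.SENSITIVE),  # no second factor -> require_mfa
    AccessRequest("dave", True, False, False, False, Sensitivity.PUBLIC),    # public data -> allow
    AccessRequest("eve", False, False, False, False, Sensitivity.INTERNAL),  # unauthenticated -> deny
]


def evaluate_all(requests=SAMPLE_REQUESTS) -> dict:
    """Map each user to the verdict the policy produces for their request."""
    return {r.user_id: decide(r) for r in requests}
```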
By building appropriate risk/threat models and then applying the right level of interrogation (visibility) and technical protections, customers can protect their information assets regardless of whether everyone is working remotely or back in the office. Oh…and the cat reference? Well, you’ll need to watch the video.
Introducing the First Video in Our New Series, Verified, Stephen Schmidt, VP and CISO, AWS
Cultivating Security Leadership (Featuring Jason Chan), Stephen Schmidt, VP and CISO, AWS
Traits of Highly Successful Security Organizations, Stephen Schmidt, VP and CISO, AWS