AWS Cloud Enterprise Strategy Blog

The CISOs of Netflix and AWS Discuss Remote Work, Security Culture, and Cats as a Threat Model

As part of Verified: Presented by AWS re:Inforce, a new video series of discussions with security leaders, AWS CISO Steve Schmidt sat down with Jason Chan, VP of Information Security at Netflix, for a broad-ranging interview. Even though we couldn’t be together this year at AWS re:Inforce, we still wanted to create a platform for conversation about important security topics from the event and for security leaders to share their experiences.

I’d like to call out two of the topics they discuss that continue to come up in conversations that I have with customer executives: the human element of security and how to think about data protection at scale, especially when the entire workforce is working remotely.

Customers often want to focus on security tools, like the latest anti-malware service, firewall, or vulnerability scanner available on the market today, yet discussions around how to build and cultivate a strong security team are not as frequent. While it is important to have security “arrows in the quiver,” it is equally important to build a culture of security (e.g., ownership) around the human element of running large security organizations. This will help set the foundation for embedding a culture of security across the company. Questions security leaders will often ask to draw out the human element include “What motivates people to get into security?” and “How do you ensure that you have a healthy, diverse mix of security talent from many disciplines and perspectives?” Not every security professional needs to be a coding superstar (but you do need them). You also need people who understand people: the motivations of adversaries, how and where to make the right investments based on your organization’s risk posture, and other soft skills.

Earlier this year, companies quickly found out that having a remote workforce was a business necessity. Some customers, who had already made investments in remote work, simply expanded what they were already doing. Others had to start from scratch, and fortunately, AWS was able to support customers across the spectrum, with myriad services such as Amazon WorkSpaces, Amazon Connect, and Amazon Chime, to name a few. But getting people to work effectively remotely AND securing sensitive company assets can be challenging. As a forward-thinking security leader, Jason made the appropriate investments in an approach that is working well for other successful security leaders: where possible, centralize your most sensitive data and apply the appropriate protections. Then, treat every device/person who wants to access that data as potentially hostile. Is this an authorized user? Can they prove it (e.g., through MFA)? Are they using a hardened company asset on the corporate VPN (e.g., strong endpoint protections) or an untrusted personal device on the public Internet?

By building appropriate risk/threat models and then applying the right level of interrogations (visibility) and technical protections, customers can protect their information assets regardless of whether everyone is working remotely or back in the office. Oh…and the cat reference? Well, you’ll need to watch the video.
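One concrete way to express the "centralize the sensitive data, then treat every access as potentially hostile" approach on AWS is a bucket policy that denies access to the centralized data store unless the caller proves MFA and arrives from the corporate network or a private VPC endpoint. This is an added illustration, not something from the interview or from Netflix or AWS; the bucket name, the 203.0.113.0/24 corporate range, and the vpce-EXAMPLE endpoint ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsWithoutMFA",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-sensitive-data-bucket",
        "arn:aws:s3:::example-sensitive-data-bucket/*"
      ],
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    },
    {
      "Sid": "DenyRequestsOffCorporateNetwork",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-sensitive-data-bucket",
        "arn:aws:s3:::example-sensitive-data-bucket/*"
      ],
      "Condition": {
        "NotIpAddress": { "aws:SourceIp": ["203.0.113.0/24"] },
        "StringNotEquals": { "aws:SourceVpce": "vpce-EXAMPLE" }
      }
    }
  ]
}
```

`BoolIfExists` makes the first statement deny both sessions that skipped MFA and long-term access keys, for which the MFA key is absent; the two conditions in the second statement are ANDed, so a request is refused only when it comes neither from the corporate range nor through the named VPC endpoint. Any automation or service role that legitimately reads the bucket without MFA needs its own exemption before this policy is applied, or it will be locked out.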



More on this topic

Follow Jason Chan, VP of Information Security at Netflix, on Twitter

Follow Stephen Schmidt, VP and CISO, AWS, on Twitter

Introducing the First Video in Our New Series, Verified, Stephen Schmidt, VP and CISO, AWS

Cultivating Security Leadership (Featuring Jason Chan), Stephen Schmidt, VP and CISO, AWS

Traits of Highly Successful Security Organizations, Stephen Schmidt, VP and CISO, AWS

Security on AWS Executive Insights

Clarke Rodgers

Clarke is an Enterprise Security Strategist with Amazon Web Services. In this role, Clarke works with enterprise security, risk, and compliance focused executives on how AWS can strengthen their security posture and helps them understand the security capabilities and possibilities of the cloud. Prior to AWS, Clarke was a CISO for the North American operations of a multinational insurance/reinsurance company, where he took a strategic division all-in to AWS for security reasons, including achieving SOC2/Type2 attestation. Clarke's 20+ year career in IT operations and security focused roles helps him align with the needs of today's enterprise customers during their cloud transformation journeys. Clarke attended the University of North Carolina and served as a United States Marine.