AWS Security Profiles: Matt Bretan, Principal Manager, AWS Professional Services
In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.
How long have you been at AWS, and what do you do in your current role?
I’ve been with AWS Professional Services nearly five years. I run two teams: our Security Assurance and Advisory Practice team, and our Security Experience team. The Security Assurance and Advisory Practice team is responsible for working with our customers’ executive leadership to help them plan their security risk and compliance strategy when they move to AWS. Executives need to understand how to organize their teams and what tools and mechanisms they need in order to meet expected regulatory or policy-based controls. We help with that. It’s a relatively new team that we started up in early 2018.
The Security Experience team is responsible for our Jam platform, which is changing the way we help customers learn about AWS services and partners. Previously, when we went to a customer, we gave slide presentations about how to be secure on AWS and how to migrate to the cloud. At the end of the presentation, people could usually repeat definitions back at us, but when we put them in front of a keyboard and monitor, they were uncertain about what to do. So, we built out the Jam platform, which allows customers to get hands-on experiences across a wide variety of AWS services, plus some partner products as well. It’s a highly gamified way to learn.
What’s the most challenging part of your job?
How to scale our offerings. A lot of what we do is to work one-on-one with our customers. Part of my job is to figure out how to impact more customers. We don’t just want to work with the largest companies of the world, but rather we want to help all companies be more secure. So, I’m constantly asking myself how to create tools and offerings that are scalable enough to impact everyone, and that everyone can benefit from.
What are you currently working on that you’re excited about?
The Jam platform. It allows us to change the way that customers experience AWS, and the way that they learn about moving to the cloud. It’s a different way to think about learning — gamifying the cloud adoption process helps people actually experience the technology. It’s not just definitions on a slide deck anymore. People get to see the capabilities of AWS in action, and they’ll have that Jam experience as a foundation once they start building their own infrastructure.
What can people expect from your teams at re:Invent this year?
The Jam Lounge will be in the Tundra Lounge within the Partner Expo Center at the Venetian. You’ll be able to register for the Jam Lounge there, and from Monday night through Thursday night, you can take part in a number of challenges — everything from security to migration to data analytics. We’ll be showcasing five partner solutions as well. The cool thing about the Jam Lounge is that it’s a completely virtual event. Once you register for the event in the Partner Expo Center, you can take part in the challenges from anywhere at re:Invent. This means that you can gain hands-on experiences with AWS and our partner solutions in between the other amazing sessions and activities that go on during re:Invent.
The Security Jam takes place on Thursday, and it’s purely security-focused. We’ll have 13 different challenges. There are 10 specifically around AWS services and three from partners, and they’ll highlight different cloud security scenarios that people might encounter on a day-to-day basis. You’ll get to go into AWS accounts that we provision for you, identify what is wrong, and then fix them to get them into a known good state.
We’re also hosting the Executive Security Simulation as part of the executive track. That one is a tabletop exercise to help attendees experience and think about security from a high level. We simulate the first two years in a company’s life as they adopt the cloud — including some of the decisions they have to make in this process — so that people can think through security adoption from a lens that’s less about technical implementation and more about high-level strategy.
You mentioned that the Security Jam is an example of gamified learning. Can you talk more about what that means?
People love the hands-on application of learning: Rather than reading definitions, you get to use the technology and experience it. And that’s what gamification does: It gives you the actual infrastructure with an actual problem, and you get to go in and fix it. Also, it plays well to people’s competitive side. We set participants up in teams, and you have to work together to solve problems and win. There’s a leaderboard and scoring with points and clues. Anyone can participate, get what they need out of it, have fun doing it, and feel successful at the end of the day. This is the third year we’ve run a Jam at re:Invent, and we’re excited to have everyone try brand-new challenges and learn about new services and ways to do things on AWS.
Any tips for first-time conference attendees?
This conference is a marathon and not a sprint! There are so many great sessions and activities that go on during the week, so spend a little bit of time now reviewing the agenda and figure out what is most important for you to attend. Prioritize those items, and then make sure to leave some time for some surprise announcements! For the Jam sessions, you actually get to interact with AWS and our partner solutions, so bring your laptop. But also, come with an open mind. I think the big thing here is that re:Invent is a learning event. But for our events, at the end, there are prizes!
Five years from now, what changes do you think we’ll see across the security/compliance landscape?
I think a lot of the changes will be around the requirements themselves. Today, many of the requirements in the compliance space center around specific technologies, rather than around the risk itself. Often, these programs are also primarily written around a traditional data center model where someone deploys an application onto a server and then doesn’t touch it for years. I think as compliance programs mature, we’ll shift to more of a risk-based process that puts the overall security and protection of customers first while taking into account how technology is constantly changing.
What does cloud security mean to you, personally?
I use technology: I stream videos, I do online banking, I buy things online, and I have an IoT-connected house. So, for me, cloud security is a way to protect my own interests and the interests of my family. I’m using these companies — often customers of ours — on a day-to-day basis. So the more I can do to ensure that they’re being secure with their implementations, the more secure I’ll be in the long run — and the more secure all consumers will be. The more I can do to proactively make it difficult for malicious parties to do harm, the safer and better all of our lives will be.
If you had to pick any other job, what would you want to do with your life?
My passion is building things. If I were to switch careers, I think I’d want to build physical structures, like houses or buildings. I believe there is a strong similarity between the work I do now around helping design security controls and the work that architects do when they design buildings. There are risks around building physical structures. You have to deal with things like lateral loads and entrance and exit controls. Technology involves a different kind of load, but in both cases, you have to go through a process of preparing for it and understanding it. I find that similarity fascinating.