AWS Security profiles: Michael South, Principal Business Development Manager for Security Acceleration

In the weeks leading up to the Solution Days event in Tokyo, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.

How long have you been at AWS, and what do you do in your current role?

I’ve been with AWS since August 2017. I’m part of a team called SeCBAT — the Security and Compliance Business Acceleration Team. I lead customer-focused executive security and compliance efforts for the public sector in the Americas, from Canada down to Chile, and spanning federal government, defense, state and local government, education, and non-profit verticals. The team was established in 2017 to address a need we saw in supporting our customers. While we have fantastic solution architects who connect easily with our customers’ architects and engineers, we didn’t have a readily available team in our World Wide Public Sector organization to engage customers interested in security at the executive level. When we worked with people like CISOs — Chief Information Security Officers — there was a communication gap. CISOs have a broader scope than engineers, and are oftentimes not as technically deep. Technology is only one piece of the puzzle that they’re trying to solve. Other challenging pieces include policy, strategy, culture shift, staffing and training, and the politics of their entire organization. SeCBAT is comprised of prior government CISOs (or similar roles), allowing us to establish trust quickly. We’ve been in their shoes, so we understand the scope of their concerns, we can walk them through how they can meet their security and compliance objectives in AWS, and we can help remove barriers to cloud adoption for the overall customer.

These customer engagements are one of my primary functions. The team also spends a lot of time on strategic communications: presenting at conferences and tradeshows, writing whitepapers and blogs, and generally providing thought leadership for cloud security. Lastly, we work closely with Amazon Public Policy as subject matter experts to assist in reviewing and commenting on draft legislation and government policies, and in meetings with legislators, regulators, and policy-makers to educate them on how security in the cloud works so they can make informed decisions.

What’s the most challenging part of your job?

Customers who are new to the cloud often grapple with feelings of fear and uncertainty (just like I did). For me, figuring out how to address that feeling is a challenge that varies from person to person. It isn’t necessarily based on facts or data — it’s a general human reaction to something new. “The cloud” is very mysterious to people who are just coming into it, and oftentimes their sources of information are inaccurate or sensationalized news articles, combined with a general overuse of the word “cloud” in marketing materials from traditional vendors who are trying to cash in on this industry shift. Once you learn what the cloud really is and how it works, what’s the same and what’s different than what you’re used to on-prem, you can figure out how to manage it, secure it, and incorporate it into your overall strategy. But trying to get past that initial fear of the unknown is challenging. Part of what I do is educate people and then challenge some of the assumptions they might have made prior to our meeting. I want people to be able to look at the data so that they can make an informed decision and not lose an opportunity over a baseless emotion. If they choose not to go to the cloud, then that is absolutely fine, but at least that decision is made on facts and what’s best for the organization.

What’s the most common misperception you encounter about cloud security and compliance?

Visibility. There’s a big misperception that customers will lose visibility into their data and their systems in the cloud, and this becomes a root cause of many other misconceptions. It’s usually the very first point that I focus on in my briefs and discussions. I walk customers through my cloud journey, including my background in traditional security in an on-prem environment. As the Deputy CISO for the city of Washington, DC, I was initially very nervous about transitioning to the cloud, but I tasked my team and myself to dive deep and learn. It didn’t take long for us to determine that not only could we be just as secure and compliant in the cloud as on-prem, but that we could achieve a greater level of security and compliance through resiliency, continuous monitoring, and automated security operations. During our research, we also had to deal with a few on-prem issues, and that’s when it dawned on me that the cloud gave me something that I’d been lacking for my entire IT career — essentially 100% visibility! It didn’t matter if a server was on or off, what network segment it was on, whether the endpoint agent was installed or reporting up, or any other state — I had absolute visibility into every asset we had in the cloud. From here, we could secure and automate with much greater confidence, which resulted in fewer “fires” to put out. Security ended up being a driving force behind the city’s cloud adoption strategy. The security and governance journey can take a while at first, but these factors will enable everyone else move fast, safely. The very first step is understanding the visibility that the cloud allows.

You’ll be giving a keynote at AWS Solution Days, in Tokyo. Is this the first time you’ve been to Japan?

No, my family and I were very fortunate to have lived in Yokosuka, Japan for a few years. I served in the U.S. Navy for 25 years prior to joining AWS, where I enjoyed two tours in Japan. The first was as the Seventh Fleet Information Assurance Manager, the lead for cybersecurity for all U.S. Naval forces in Asia. The second was as the Navy Chief Information Officer (CIO) for all U.S. Naval forces in Japan. Those experiences were some of the best of my career and family life. We would move back to Japan in a heartbeat!

The keynote is called “U.S. government and U.S. defense-related security.” What implications do U.S. government and defense policies have for AWS customers in Japan?

The U.S. and Japan are very strong political and military allies. Their governments and militaries share common interests and defense strategies, and collaborate on a myriad of socio-economic topics. This all requires the sharing of sensitive information, which is where having a common lexicon, standards, and processes for security benefit both parties. I plan to discuss the U.S. environment and highlight things that are working well in the U.S. that Japan might want to consider adopting, plus some things that might not be a good fit—coupled with recommendations on what might be better opportunities. I also plan to demonstrate that AWS is able to meet the high standards of the U.S. government and military with very strict, regulated security. I hope that this will give Japanese customers confidence in our ability to meet the similarly rigorous requirements they might have.

In your experience, how does the cloud security landscape differ between US and Japanese markets?

From my understanding, the Japanese government is in the very early stages of cloud adoption. Many ministries are assessing how they might use the cloud and secure their sensitive data in it. In addition to speaking at the summit, one of my reasons for visiting Japan is to meet with Japanese government customers to learn about their efforts. They’re very much interested in what the U.S. government is doing with AWS. They would like to leverage lessons learned, technical successes, and processes that are working well, in addition to learning about things that they might want to do differently. It’s a great opportunity to showcase all the work we’re doing with the U.S. government that could also benefit the Japanese government.

Five years from now, what changes do you think we’ll see across the security and compliance landscape?

My hope is that we’ll see a better, more holistic method of implementing governance with security engineering and security operations. Right now, globally across the cybersecurity landscape, there are silos: development security, governance, compliance, risk management, engineering, security operations, etc. They should be more mutually supportive and interconnected, and as you implement a plan in one area, it should go into effect seamlessly across the other areas.

Similarly, my hope is that five years from now we’ll start seeing a merge between the technologies and people and processes. Right now, the cybersecurity industry seems to try to tackle every problem with a technological solution. But technology is really the easiest part of every problem. The people and the processes are much more difficult. I think we need to devote a lot more time toward developing a holistic view of cybersecurity based on business risk and objectives.

Why should emerging markets move to the cloud now? Why not wait another five years in the hope that the technology will mature?

I’d like to challenge the assumption that the cloud is not mature. At least with AWS and our near competitors, I’d say the cloud is very mature and provides a level of sophistication that is very difficult and costly to replicate on-prem. If the concern is about technical maturity, you’re already late.

In addition, the waiting approach poses two problems: First, if you’re not engaged now in learning how the cloud works, you’ll just be further behind the curve in five years. Second, I see (and believe I’ll continue to see) that the vast majority of new technologies, services, and concepts are being born in the cloud. Everything is hyper-converging on the cloud as the foundational platform for all other emerging technologies. If you want to be successful with the next big idea in five years, it’s better to get into the cloud now and become an expert at what it can do—so that you’re ready for that next big idea. Because in some way, shape, or form, it’s going to be in or enabled by the cloud.

What are your favorite things to do when you’re visiting Japan?

The history and tradition of Kyoto makes it my favorite city in Japan. But since we’ll be in Tokyo, there a few things there that I’d recommend. First, the 100-Yen sushi-go-rounds. To Americans, I’d explain it as paying one US dollar for a small plate (2 pieces of nigiri or 4 roll slices) of fantastic sushi. You can eat thirty plates for thirty bucks! Places in Tokyo to visit are Harajuku for people-watching, with all the costumes and fashion, Shibuya for shopping, and of course Tokyo tower. I also recommend Ueno park, somewhat close to where our event will be held, which has a pond and zoo.

Japan is one of the safest and politest countries I’ve been to — and I’ve visited about 40 at this point. The people I’ve met there have all been extraordinarily nice and are what really makes Japan so special. I’d highly recommend visiting.

What’s your favorite thing to do in your hometown?

I’m originally from Denver, Colorado. If you’re in Denver, you’ve got to go up to the mountains. If you’re there in the summer, you can hike, camp, go white-water rafting, or horseback riding. If you’re there in the winter, you can go skiing or snowboarding, or just sit by the fire with a hot toddy. It really doesn’t matter. Just go up to the mountains and enjoy the beautiful scenery and wildlife.

The AWS Security team is hiring! Want to find out more? Check out our career page.