AWS Security Profiles: Min Hyun, Global Lead, Growth Strategies
In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.
How long have you been at AWS, and what do you do in your current role?
I’ve been at AWS almost two years, and I lead the Global Affairs team within Growth Strategies. We monitor the intersection between security, privacy, emerging technologies, and practices so that we can catch sight of emerging issues. Then we help both public and commercial sector customers prepare for what’s to come. Our goal is to provide clarity around the positions that AWS holds when it comes to the security and compliance implications of new technologies, whether that’s IoT, AIML, or whatever’s next. We want to earn people’s trust as thought leaders in the space.
How do you explain your job to non-tech friends?
We are like an internal think tank. We do a lot of anticipating, analyzing, advising, and advancing on specific top-of-mind customer concerns when it comes to security and privacy.
What are you currently working on that you’re excited about?
Where to start? Mark Becker, on my team, is actually developing the privacy statement/position for AWS right now. I’m excited about this because it’s the first step toward introducing our voice into some highly important and relevant conversations. AWS has historically been reticent on certain topics, but we’re starting to become more intentional about amplifying our position. We’re in an interconnected world now, and social media is being used across all demographics. How we apply security and privacy protections in this new world, and what AWS has to say about it (particularly from a privacy perspective) is something that I care about deeply as someone representing AWS and as a citizen. It’s a really good feeling to know that that AWS is just as concerned about it, and is moving the dial as an organization and being more transparent about what it is that we do and how we protect our customers.
What’s the most challenging part of your job?
Getting folks to understand the value and merit behind what we do. A large part of our jobs comes down to the Amazonian leadership principle: “Are right, a lot.” We’re trusting an internal compass on what we need to chase down, so we can’t always provide empirical data up front. But we need to follow that compass. There’s this point where it starts to feel like we’re a voice crying out in the wilderness, but in every instance in which we’ve dug into something, folks have appreciated our impact and foresight after the fact. Still, it can get lonely being out there sometimes. We’re still convincing everyone to buy in.
What’s your favorite part of your job?
The people! I work with such brilliant, passionate people. I feel like I’m always growing as a professional and growing the depth and breadth of my own knowledge. That’s only possible because of the talent we have here.
In your opinion, what’s the biggest challenge facing cloud security and compliance right now?
I would say there’s a lot of misinformation about security in the cloud. Customers have taken what they know about traditional computing models and applied these concepts to the cloud. Our job is to secure the infrastructure, and we’ve got the highest level of talent working to do so and to make sure that customers are confident in moving to the cloud. But there’s this gap between what AWS is doing and what customers know about what we’re doing. We need to learn how to bridge that gap for our customers. We need to have these conversations in ways that resonate and make sense to them.
What’s the most common misperception you encounter about cloud security and compliance?
On the compliance side, some people think the more, the better. Specifically, they think the more security controls you have, the better. But that’s not the case. We’ve seen accreditation regimes out there that might have a high bar in terms of the sheer number of requirements you need to meet, but that doesn’t necessarily mean your security will be “better.” It just means that you have more items on your list that need to be checked off. The conversation needs to start with the security outcomes that you want to achieve. After that, you can decide what to do in the cloud to meet those outcomes.
When it comes to security, we don’t have a whole lot of control over what’s happening in the political environment and some of the shakeup that happened with Edward Snowden and resulting pieces of legislation have led folks — particularly people outside of the US — to mistakenly believe that US law enforcement has access to the cloud in ways that simply aren’t the case. We need to clear up the fear, uncertainty, and doubt associated with that.
Five years from now, what changes do you think we’ll see across the security/compliance landscape?
With emerging technology adoption, and what’s almost an arms race in technology, I think we’re going to see governments become much more aggressive when it comes to AI, machine learning, and blockchain as they start to realize how technology can become an enabler for their economies, their defense capabilities, you name it. Governments will start to become more aggressive in their efforts to be first to market. And we’ll see associated policies and requirements that impact the use of these technologies, plus security, privacy and the rest of the gamut.
What does cloud security mean to you, personally?
I really believe that governments need to modernize their technology to better achieve their missions. Think of the US Department of Homeland Security, which has a mission that extends into national security, public safety, and economy security. That’s a really big burden to bear, and technology can actually be an enabler that helps them deliver on their responsibilities faster and more efficiently. I’m eager to see the government modernize technology. One of the top blockers seems to be security, and this is often due to impressions that haven’t even really been confirmed — the blockers are perceived concerns. I’m very eager to help overcome those barriers so that governments will be able to integrate this technology into the mission critical work that they do.
Privacy is also deeply important to me as the mom of relatively young kids. I want to know that when I give my kids a device and they’re on an app, I don’t have to worry about data getting leaked or my kids being tracked by a company or a rogue individual. I want to be able to protect and preserve their safety and security.
How did you choose your particular topic for re:Invent this year?
So I’m co-hosting a chalk talk with Michael South that’s called Aligning to the NIST Cybersecurity Framework in the Cloud, and it’s actually based on the very first white paper that I worked on when I came to AWS. I was given free reign in terms of what to prioritize, so I said I wanted to do a white paper on the NIST cybersecurity framework (CSF). It’s a framework that provides a foundational set of cybersecurity practices that organizations can use, regardless of their sector or size. It helps your organization implement sound risk management and resiliency practices, and it’s been vetted by government, industry, and academic institutions around the world. NIST really does due diligence in terms of distilling its guidance into a subset of activities—a core list of practices that any organization should implement. I believe it’s becoming the de facto industry standard for both public and private sectors, so I think we need talk to our customers about how we can enable them to align their organizations with the CSF using AWS services. We have so many tools available that can help customers secure their environment. And what I love about the CSF is, it’s not only about security. When correctly applied, it’s intended to support business outcomes. It provides a common taxonomy that allows different stakeholders within the business (from CEOs to security professionals) to talk about the underscoring horizontal function that security plays.
What are you hoping that your audience will take away from your session?
I want them to walk away thinking that cybersecurity risk management doesn’t have to be a complex, obscure, onerous thing. I want them to know that there’s a very sensible, pragmatic approach that they can implement within their organization, regardless of size, that will enable them to secure their assets, their data, and their network. And I want them to know that this CSF paper is actually a tool that will empower them to do that. There’s also a customer workbook portion that provide very tactical advice in terms of the actual AWS services that you can use that meet a particular security outcome. Our goal was to make it very user friendly.
Is there anything else we should know about your session?
The session will be discussing a refreshed version of the original white paper. We first issued it back in 2017, and we’ve refreshed it since then to align with NIST’s version as well as reflect an updated list of AWS services that align to the CSF. We also did our due diligence to ensure that the AWS services that are FedRAMP and ISO 27001 accredited have been validated by a third-party auditor so that customers can have the assurance that that those particular services also align to the updated CSF.
If you had to pick any other job, what would you want to do with your life?
I have two very different answers. If I could make a hop inside of Amazon, I would love to go work with Amazon Fashion. And probably more realistically, I’d love to do nonprofit work. I would really love to be a voice for disadvantaged people and to help them be heard, especially the homeless, and disadvantaged children. There’s such a need to represent their needs. In the same way that I amplify topics of interest in my current role, I would love to amplify their voices.
The AWS Security team is hiring! Want to find out more? Check out our career page.
Want more AWS Security news? Follow us on Twitter.