AWS Security Blog
AWS Security Profiles: Misty Haddox, AWS Customer Audit Manager
In the weeks leading up to re:Invent, we’ll share conversations we’ve had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing.
How long have you been at AWS, and what do you do in your current role?
I’ve been with AWS for about four years. I joined the Compliance team in 2013, where I built processes and established the groundwork for our external global audit programs and built our first AWS controls framework. After that, I left AWS for a year to join a software company, where I worked with some cool folks and was able to educate and help determine their strategy for all things compliance. The opportunity gave me great insight into who I am and reaffirmed my passion for being a builder and delivering! So I came back to AWS and joined the Professional Services team within Security, Risk, and Compliance, working directly with customers who are at varying stages of their AWS cloud journey. I’ve actually just started a new role on the Security Assurance team, where I’ll be managing customer audits and am looking forward to continuing my AWS journey.
What’s the most challenging part of your job?
It’s sometimes challenging to convince customers that they need to get all their teams involved in security and compliance. I’ll be supporting customer EBCs (Executive Briefing Centers) at re:Invent, with my topic focused on “compliance in the cloud,” but the attendees joining the meetings from the customer side are IT specialists and chief technology officers; I don’t see anyone from the compliance teams involved. It’s really hard to get customers to avoid operating in siloed environments. There are always going to be upstream and downstream impacts when decisions are being made without a full understanding of your security and compliance landscape. We have this DevSecOps model at AWS, in which developers, security, and operations teams all work together on initiatives, and when we encourage customers to take a similar approach, we often get a response like, “That sounds great, but how does it really work?” But it does work — it’s what allows AWS to innovate so quickly. It’s so important for teams to talk to each other and work together to build integrated solutions.
What’s your favorite part of your work?
I have an innate ability to find anything wrong with something. It’s a unique skillset. I used to get frustrated with it, because it made me feel like a canary in a coal mine — but there’s actually value in this ability. It gives me the opportunity to dive into things and fix them before they become bigger issues, which I enjoy very much. I like fixing things. And I like having the ability to “look around corners” and understand what needs to be established in order to support or develop new programs, or to help existing programs scale.
What changes have you seen across the cloud security and compliance landscape over the course of your career?
I’ve worked in this field for 20 years, and compliance isn’t seen as a blocker or a bad word any more. People are starting to see it as a business enabler, which is really refreshing. Security in the nineties was IT-focused and very hands-on: You had a tangible thing you could touch, and policies drove the ways in which you hardened your posture. But now, it’s much more about interpretation and establishing your environment based on whatever processing is occurring within it. There’s no single right answer. If you practice security by design, and you understand your environment and your boundaries, and you build controls to support that, then that drives security, and you’re going to be compliant. This approach enables you more. You get the freedom to be more innovative in the cloud security space.
What’s the most common misperception you encounter about cloud security/compliance?
I sometimes work with customers who think that they’ll inherit all the compliance certifications that AWS provides. People assume that, because AWS has these, they don’t need to worry about anything. But that’s not the case. The controls you need to establish in your particular environment are going to be unique, based on how you build, what kind of data you have, and how you want to use it — compliance isn’t one-size-fits-all.
You’re co-presenting two different sessions for re:Invent 2018. How did you choose your topics?
The sessions are How Enterprises Are Modernizing Their Security, Risk Management, & Compliance Strategy, which I’m co-presenting with David McDermitt and Balaji Palanisamy, and Confidently Execute Your Cloud Audit: Expert Advice, which I’m co-presenting with Kristen Haught and Devendra Awasthi (from Deloitte).
Both are topics I’m super passionate about. At AWS, we talk a lot about the Shared Responsibility Model. But as we’ve deployed more services further up the stack, the lines of demarcation around responsibility have changed, and a lot of customers are uncomfortable determining what they’re responsible for. I’m using re:Invent as a chance to dive into that shared responsibility model with customers. It’s already the crux of every conversation we have with any customer at AWS, but we don’t tell them exactly what to do. Customers will ask what their controls should be, without understanding that it doesn’t start like that. The first step is to architect your environment and understand how it’s being engineered — because, depending on how you put the pieces together, the responsibility changes. So I’m using my sessions as a chance to really dive into the shared responsibility model with customers.
What are you hoping that your audience will take away from your sessions?
For the How Enterprises Are Modernizing Their Security, Risk Management, & Compliance Strategy session, I hope that customers walk away understanding that all teams need to be involved in the security and compliance conversation. It’s important not to operate in a silo.
For the Confidently Execute Your Cloud Audit: Expert Advice session, I want people to walk away understanding how to dive into control responsibility, and how to apply that knowledge once they’re back in their work environment, so they can look at their SOC report, if they issue one, or maybe determine if they even need one, and have a methodology that they can apply.
If you had to pick any other job, what would you want to do with your life?
I would love to be a crime scene investigator. I’m very fascinated with true life crime. I think it’s the challenge of putting the pieces of the puzzle together. I’m also fascinated by people, and I find the underlying sociology and psychology fascinating.