How to be a Better CISO

Clarke Rodgers (00:07):
What qualities make for a successful CISO? As the CISO for AWS, my guest today has a great perspective on this question. I’m Clarke Rodgers, Director of Enterprise Strategy at AWS and your guide for a series of conversations with AWS security leaders here on Executive Insights.

We’re happy to welcome Chris Betz, CISO of AWS, to the show. Join us as he shares his thoughts on everything from establishing a culture of security, to hiring for diversity, to mentoring the next generation of great security leaders. Please enjoy.

Clarke Rodgers (00:38):
So, I know you quite well, but would love to get a little bit more about your background for the audience.

Chris Betz (00:44):
As you said, we've known each other for a while. That's one of the things I love about the security community is just how small it is. At a certain point, you end up interacting with people you've seen throughout the world. In my case, my background started in the Air Force. I was in the Air Force for a number of years, went into the federal government, spent more years working cybersecurity there.

I've had a chance to do security at companies like CBS, a media company, a ton of time at places like Apple and Microsoft and Lumen, CenturyLink at the time, and most recently at Capital One. And so, it's just been interesting seeing kind of a diversity of roles and again, like you say, seeing the same faces over and over again.

Clarke Rodgers (01:23):
So, as the AWS CISO, when you're going to meet with customers now and you're answering their security questions, how has that changed things? The ability to say, "Hey, I was in your shoes not too long ago, and this is how I thought about it. And now that I'm here, this is the answer to your question," that sort of thing.

Chris Betz (01:45):
For the past decade, I've been working in security roles in companies that are significant customers of AWS. And so yeah, I've been there alongside AWS as we've gone on our security journey, as we've gone on our technology journey. Recently being a customer lets me go and have that conversation in a very different way because I feel I understand those conversations and the questions and the challenges they have.

One of the things that I appreciate the most about those conversations as well is the ability to stay well-grounded in what our customers are seeing, how they're feeling what's going on in the world, and really the ability to toss ideas back and forth. "Hey, here's what I'm seeing. Here's how I'm solving that problem." "Oh, that's what you're seeing? That's how you're solving that problem." That ability for us to mutually continue to raise the bar within AWS, but within our customers as well is incredibly powerful.

Clarke Rodgers (02:51):
And you're in the position that you can earn more trust by saying, "This is how I solved that problem in the previous role," which is great.

Chris Betz (02:58):
I've got the scar tissue.

Clarke Rodgers (02:59):
Exactly. As a CISO, you have to have depth of security expertise, you have to have business expertise, and you bring it all together, but you have large teams underneath you that actually have to deliver security to the business, to our customers, et cetera. So, with that lens, what are some of the challenges that you see facing security leaders today?  

Chris Betz (03:21):
So much of it comes back to talent. The problems that we are solving in security are so multidimensional, as you point out, that having the right people around you is absolutely essential to being successful in security. For me, I love to be surrounded, in fact for all the top performing companies I've ever been at, we love to be surrounded by people who teach, inspire, and challenge us.

Because this is a field where we're constantly learning. So we need people who are constantly raising that bar. When you get those people, it is so incredibly inspirational. They've found ways to solve problems in ways that you'd never imagine before to make the business more effective, to think about how to make security a natural motion for people. It's incredibly important. And those same people, when you have the right culture, are willing to challenge you. “Are you thinking about this the right way?” And that challenge helps everybody grow, helps you grow, helps the organization grow, helps you head in the right direction.

People who have exactly the same background, who approach problems the same way, they're not the people who are going to teach, challenge, and inspire you. And so, I think one of the big challenges we continue to have in the security field is how do we get that breadth of perspectives, that breadth of culture, that breadth of experience, that diversity in approaches and that diversity in mindset that helps us really be that incredible organization that we should be? And so that's where I spend a lot of my time, is helping make sure that we have the right people, the right mix, because without that, we can't solve the rest of the problem.

Clarke Rodgers (05:10):
And perhaps from nontraditional backgrounds, that doesn't hold “That is a security person.” Well, that point of view might help us with a certain aspect of security because our adversaries are certainly diverse.

Chris Betz (05:23):
Exactly. And I mean it's important to recognize AWS is a global company. The adversaries are global. We need to be tapping that global talent. We need to be tapping people from all sorts of different backgrounds and bringing it in. Some of the smartest people I know in security have some amazingly diverse backgrounds. They honed their craft in security for years and years. But how you bring in that right mix of perspectives is really, really important.

Clarke Rodgers (05:51):
As you look over the last couple years and sort of looking forward, what are you most excited about from a security perspective? And this could be a program, a process, a technology, whatever the case may be, and so where are you focusing your efforts based on that?

Chris Betz (06:08):
As I look at the journey that Zero Trust has been on — from a set of products that were advertised to be Zero Trust solutions, to a set of standards, to really a set of technologies that are baked in. As I look at the way some of the user experience has changed even over the past few years, the passkeys technologies that, even in the recent past, Amazon.com and a bunch of other companies have been introducing, that fundamentally changes the way we think about that seamless user experience, that ability to access technology and do it in a really, really thoughtful way and so-

Clarke Rodgers (06:50):
And making security that easy path, right?

Chris Betz (06:52):
Making security that easy path. And so, I think the advances we've made in that world, moving away from convoluted VPNs, moving to seamless, in-depth analysis of what's going on is incredibly powerful.

There's just so much buzz around generative AI. The AI field, it's not new. We've been doing these for decades, but the speed of change in the Machine Learning/AI fields over the past year, two years is just incredible. That brings a bunch of really neat capabilities to how I think about doing security. One of the examples I like to give when I'm talking to folks is in the old world, it may have been time-efficient when you're trying to analyze a piece of data to see, "Hey, is there a security risk here?" to go create a large spreadsheet and search through it and work with data the way we used to hands-on, because the time it took to write code to make that happen-

Clarke Rodgers (07:53):
Was so much longer, yeah.

Chris Betz (07:54):
-Was measured in hours and you could do the hand analysis in an hour or something like that. Now with things like CodeWhisperer and other technologies, that model's flipped. The ability to go describe a well-understood problem, “Hey, I want to analyze this data to find this stuff,” becomes something you can ask a system to do, get an answer back in seconds, implement, test it, and run it in much less time than you would ever do to a manual spreadsheet. And it's repeatable, it's testable, it's verifiable. You reduce human error. There's a bunch of huge benefits to doing it this way. And so, I think that's going to change even the way security operations works, not just here at AWS, but across industry. And so, I think there's some huge opportunity here.

The other side of that is I'm also spending a ton of time as we're all learning about what generative AI can do and how to secure it and how to challenge it. We're spending a ton of time and energy making sure that we've got the right foundation set within AWS, that we're building the right capabilities. As we're building generative AI-based solutions, one, we get to go test the heck out of them-

Clarke Rodgers (09:14):
At scale.

Chris Betz (09:15):
Yeah, at scale in an industry-leading way. And we also get to take each of those learnings and turn them into capabilities that we get to offer our customers, because the same problems we have are the problems they have when they use generative AI. And so, there's this incredible fast-learning cycle where we are learning new things every day, and that's fun. It's challenging because the attackers are learning new things every day, too.

Clarke Rodgers (09:41):
Indeed, they are.

Chris Betz (09:42):
And we need to keep on getting this really, really tight cycle to move fast in this space, but that's also why I like being here at AWS. We don't move slow. We don't move slow at all. And so, I think that that superpower of AWS fits right into where we need to go in this field.

Clarke Rodgers (10:01):
That's a great answer. And customers traditionally come to us for their technology needs, whether it's security or solving business problems. One thing that may not be as obvious to customers is — clearly we're a technology company, we offer software and services to them — we also spend a lot of time trying to help them build their security programs and be more effective. One of the most popular programs we have is the AWS CISO Circles, as you well know. Would you talk a little bit about them, how they're sort of organized and what customers can benefit from them?

Chris Betz (10:38):
Those conversations we talked about earlier about the security community being small, about learning from each other, is so important.

Chatham House rules, we don't attribute conversation to anybody. That allows people to have real conversations. The ability for us to learn from each other, to challenge each other, to ask questions. “Hey, how are you solving this problem?” “Hey, I'm starting to see attackers do this. Are you seeing that problem as well?” Innovate, think, learn from the very best. That's the environment that I think we get into in the CISO Circles.

And so, pulling people that have commonalities — regions of the world, commonalities in terms of business and technology, similar sets of problems — getting them together with some of the smartest people I know within AWS and outside AWS to have those conversations is incredibly, incredibly powerful. And so that's what I think we really are able to take advantage of with CISO Circles. And frankly, I've enjoyed the ones I've joined, and I'm looking forward to doing a lot more over the next year.

Clarke Rodgers (12:08):
For sure. When I was a customer, I remember I learned a lot more from CISOs in other industries. Surprisingly enough, in insurance, you have a certain risk tolerance and you're doing certain things, and I learned so much from media and retail and banking. It was fantastic.

Chris Betz (12:16):
I've seen exactly the same thing, and that's why I enjoy that mix of getting people together to have those conversations.

Clarke Rodgers (12:32):
Chris, thank you so much for joining me today.

Chris Betz (12:34):
It's been great. Thank you for having me.