Reframing Security as a Strategic Advantage

Clarke (00:05):
So Merritt, thank you so much for joining us today.

Merritt (00:08):
Thanks for having me.

Clarke (00:09):
So, could you tell me a little bit about your background? What brought you to AWS and what you do in your current role?

Merritt (00:15):
Yes. I've been at AWS for almost four years now. I came from U.S. Government doing security on behalf of the American people. I've worked in all three branches there. I came to security because I felt like there were these big questions that were looking us in the eyes, and yet we didn't have strong ways to reckon with them. So I got a law degree, in part because I knew that would be one of the stakes that we have here. And I also have this sense that these landscape issues will matter more than figuring out this one threat at this one time or this one actor or whatever. And as a result, I've ended up working in what I consider to be kind of un-sexy areas of security. So, the stuff that is infrastructure layer but that matters a lot behind the scenes. And I think that's what really drove me to land here.

Clarke (01:08):
That's a great story. So can you tell me a little bit more about the office of the CISO and its purpose in sort of the greater AWS scheme of things?

Merritt (01:17):
Yes. So I'm a principal in the office of the CISO. The office of the CISO (Chief Information Security Officer) at AWS is much like one in any other enterprise, right? Steve Schmidt, my boss, is looking after not just the internal security of how AWS protects itself, but also how we ensure the security of everything we deliver as a company. And that's a really interesting set of deliverables to consider because you're thinking about how you do guard railing and enable your employees to have minimal friction and to be Dev teams themselves. And then you're also trying to make your Dev teams do the most secure thing, the easiest and most secure way. So, this is where my role really allows me to have some empathy and credibility I think when I talk to customers, because about half of my job I spend trying to make our security better here at AWS and the other half I spend talking to customers. So sometimes that's public speaking, but a lot of times it's CISO to CISO conversations, talking to security groups and figuring out how to enable their enterprise maturity. And a lot of times security is one of those kind of key factors that will allow them to move forward at a broader, a faster, a more mature pace. When, I guess the other side of the coin is that often security can be perceived as a blocker. And I think that's just not good enough. Not only because security teams need to grow up and not say no anymore, but also because these days, especially in Cloud, as you know, the minute that you start developing anything, you're putting articulation around your identity and your permissions and the ways that you construct it in relation to the rest of your architecture and the rest of the internet. And so there's inherent security properties to everything you build. And that means that we need to be weaving security into our conversations, and that means that we need to be talking to customers about how we do that.

Clarke (03:23):
Got it. So in your customer CISO conversations, I imagine it may bleed over into your other responsibilities, because I would imagine a CISO might say, "I love product X or Y, but I wish it did this." That falls into the security stack that you're also responsible for. How does a customer ask, through a conversation like that, make it back to the security services product teams to actually implement into a feature?

Merritt (03:51):
As you know, service teams are building and implementing and deploying new functionalities all the time. And so it's not really a challenge of keeping up with what they have decided or been able to invest in offering. It's really more about how we are solving the problem and if we aren't solving the problems in the right way, then I think that is obviously a conversation that I then take back to our side and I work on. But a lot of what I do is figuring out, one, what the customer’s really asking and how to help them get to their next stage of maturity or how to get them somewhere better. And the other thing is, how do we do it? A lot of the value I think that customers really expect from a conversation with me is, “How does your team reconcile this?” Because I don't believe in zero sum games, but I do think that there is value in having really genuine empathy. 

Clarke (04:51):
Well said, well said. So when customers are asking, "How does AWS do X?" What are some of the more common, "How does AWS do..." From a security perspective, those types of questions you get from customers?

Merritt (05:07):
By far the biggest one to show up is the innovation side. “How do your Dev teams innovate and how does your security team have a relationship with your Dev teams that is not butting heads?” And I think that is a really remarkable aspect of what we do, because, say what you will about the kind of rapid pace of innovation that we unabashedly pursue, that sometimes means that we're putting out releases at a really fast pace, or that folks have a hard time understanding what new things mean. But ultimately what we do is, by nature of some of these mechanisms, like a two-pizza team, that has security resonance, right? So under a two-pizza team, which is to just connote that you are siloed, sort of intentionally, to move quickly as a business decision, under that two-pizza team, you've got some business decision making around the security of it. So only a small handful of folks will know how the components work under the hood. That has security elements of how we operate. What we're really talking about is the way that we've baked security into the products that we deliver. And so it's not so much about relating to them as a security team that has been tasked with coming in to reform this ship. It's really them saying, “How have you turned your enterprise into one that lives and breathes security as part of the deliverable that you are selling?”

Clarke (06:38):
That makes perfect sense. So, when I have conversations with customers, one of the things they tend to bring up, and I imagine you’re faced with the same question as well is, "I understand the value of DevSecOps. I understand the value of putting resources into engineering and operational security and all the other elements of security. But how do I really go about building a world class security organization like AWS does?"

Merritt (07:05):
Yeah. I think this question takes a lot of forms, right? It might be, "I don't know if we've ever exercised our incident response plan," or "I don't know if we have an incident response plan." And again, I think a lot of this comes to those controls that go through the lifecycle of your assets. I was going to say infrastructure, but that's something that you build through that process, right? From your protective, detective, and remediative controls. And one of the elements here, obviously, that we always come back to is automation. So for example, in our team, our AWS security team, we never close a trouble ticket until we've scripted a remediation, if it can be scripted. So something like automation sounds like lip service until you implement it in ways that are observable. But ultimately right now, what we look for are ways to really scale operations. And because of those protective, detective, and remediative controls, our 24 hour watch floor is a person babysitting all the automations. So there is a lot of freedom that comes from kind of embracing that next generation of security operations center. Don't get me wrong, I know that that is for some kind of a city on the hill, but in a lot of ways, start somewhere. You'll get gains. And we have built a security team by solving big problems, by solving small problems. So start somewhere, right? Hire people who love automation, hire a diverse security team that thinks differently, that solves problems with different code, with different automation and then get there with the buy-in of your leadership too. That is hugely important to this process where we are really talking about the investment that the enterprise, or the entity I should say, because public sector operates much the same way, that they are invested in the security process. And again, that needs to be implemented in specific ways and behaviors. So when folks come to me and say, "How do I build a world class security team?" Or "How do I build a culture of innovation?" Well, it's what you repeatedly do. There are things that we can relate to and we can give some hooks on. For example, in that DevSecOps, we embed a security engineer in the teams at a proportion, right now it's one eighth, but it could be... That goes up and down, we kind of evaluate whether that's the right number. We do cause of error every time something happens that shouldn't have happened or just doesn't go exactly according to plan. And by the way, VPs have to be in those meetings about a cause of error. We don't send a junior engineer there to take the brunt. Having there be this kind of ecosystem of accountability, not for individuals being the brunt of it, but for the organization, having the arc of learning grow over time is really where we're going. And that is something that I think doesn't happen by accident. You have to put in those mechanisms.

Clarke (10:22):
And I guess the trick is developing that mechanism that reinforces the behavior that you're seeking.

Merritt (10:28):
I think that's exactly right. So for example, if you choose to make your employee permissions very open, which we do at Amazon, which by the way, again, is a deliberate business decision. Then you will need to have, or at least we then choose to have a very fine-grained logging and monitoring around what happens. And then you have thresholding and then you have blameless escalations that happen on a schedule, and again, that means that your leadership needs to be invested because they have to know they're going to answer the phone for security. 100% of executives will say they care about security, but actually knowing that they're going to have to go to bat for it, that they're going to have to understand that they'll get called for it, that matters. And it also means that the security team will have some kind of woven in role in the business itself.

Clarke (11:26):
Got it. So you mentioned a little bit earlier in your answer about investments, right? So a lot of our customer CISOs and customer executives come to us and they're saying, "Well, we need to make certain investments in our capabilities." From a security perspective, AWS has been very clear over the years about the concept of the core five for the minimum security baseline. So identity, detective controls, infrastructure security, data protection, and incident response. So when a customer CISO says, "I have limited budget, I have limited staff, but I need to do all those five things. Where do I start my investments, where's the biggest bang for your buck across those five?"

Merritt (12:09):
I get a fair number of CISO's who say, "Do I start with one workload or a hundred?" Right? And I think the answer is start somewhere and make it meaningful. Start with however many workloads, but don't do them under the radar. Do them as ones that are under a security microscope, because I do believe that you will have the security inheritances that actually have a business differentiator for your enterprise or your entity from the platform perspective. I'm just going to back up, and this is going to sound silly, but let's remind ourselves what Cloud is, right? 20 years ago, people were doing those five stages by just checking for rogue servers under people's desks. We don't do that anymore, or at least if you're in Cloud you don't. And one of the reasons that we know that to be a security inheritance is that AWS takes the responsibility for those bottom layers of the stack. Leveraging the Cloud to do security Cloud scale, is one of the urgencies that I really see customers not leveraging. If they have a limited budget, it's all the more reason why they should get to this state where they can leverage this scale. I mean, that being said, if I had to pick one, I'd say identity is really hard. I have yet to talk to a customer who's like, "Just love my identity provider. And I think we do it really well."

Clarke (13:40):
So investments in identity, if you're strapped for cash, so to speak?

Merritt (13:45):
I think if you're strapped for cash, you should be talking to the business about what their goals are, and then you should be talking to them about why security is a business differentiator. And I'm not just talking about like security around what you produce, but security as part of your product. So if you are a retailer, if you are an oil and gas company, if you are a... Whatever, automotive, pharma, media, and entertainment, mergers, and acquisitions, part of what people care about these days, as they should, is the security of how you do business. So it's not just the folks who deliver security products and it's not just, "Oh, are you taking care of our data internally on your HR roles?" It's really about how you deliver security as an inherent part of your product. And I think there's no way to fudge that. It has to be done from the way that you build your actual enterprise and the goals that you're achieving. And to your point, the budget that you're chasing has to take that into account. And I don't think that we should be considering security a cost center anymore. I'm really sick of that because, actually, it's a business enabler and it's a business driver and no one wants to do anything if it can't be secure, and no one wants to buy anything if it can't be secure, and no one wants to interact with the company if it can't be secure, or a government. And so frankly, it's a non-starter if you're not there. And I know that there is a moving target because it is a process and we are working on it, but you have to be striving with the best of us.

Clarke (15:24):
So on that line of security being a business enabler, how does a CISO and an organization that views the CISO's organization as a cost center, how does that CISO stand up or get that message across to the board or other decision makers at their organization?

Merritt (15:42):
There's a couple elements of this, right? One is just the general transformation that happens in enterprises when they choose to grow up. I actually think that enterprises in general are, are way too fixated on the cost of moving. And instead, are not examining the cost of staying where they are. You know, at this point, you should be looking at what are your costs of staying where you are and what are you paying for now for not moving and for not doing the things that you know you could be. And frankly, I understand that it will require some chutzpah or some affirmative energy to get there, but it will start to yield returns almost immediately. And it will also become one of the ways that your organization can really grow up as an enterprise. And I think ultimately anything that delays it is just a waste of time. And by the same token, to answer your question, I think that folks who perceive this as a cost center are part of the past. 

Clarke (16:53):
Yeah. I think you made a great point there with the risk of not doing something is equally risky to some of the other risks that companies are taking a look at.

Merritt (17:01):
I wouldn't say equally, I would say often more expensive. And when you're talking to the board, this is one of the things to think about. When folks talk about security metrics, they often, I find, have gamified them. They're like, "We have said that last week we observed 100 knocks at the door and this week it's only 70." And it's like knocks at the door and neither here nor there. And obviously these numbers are artificial. I've just like made these up. But the point is, your security metrics should give a genuine arc of whether you're improving over time or not. And if they're not, then they're the wrong metrics. Because who are you really gamifying? This is yours to be in the fray with.

Clarke (17:50):
Ransomware is a big topic these days. And it's a big concern for customers. I know you have some expertise in this area. What's some advice you can give to customer's security organizations on the things that they need to do to prepare themselves for a ransomware event.

Merritt (18:07):
Yeah. Obviously it's been really heavily in the news lately. Although ransomware is nothing new. It goes, at least as far back as 1989. There was a health conference where some bad actor was handing out disc drives that were labeled with “aids” because it was a healthcare conference. And so, when you would — then it got to be known as the “aids ransomware,” because when you would insert it into your disc drive, it would encrypt your files, and it would demand that you mail an $89 check to a PO Box in Panama. So I guess the point is, ransomware itself is nothing new in theory, but in practice, it is because obviously with the rise of cryptocurrencies and the ability for folks to monetize the fact that they got inside your network-

Clarke (18:58):
And ransomware is a service, right?

Merritt (19:01):
Yes. And the commoditization of it is certainly a factor. And then frankly, the fact that data privacy regimes have made it really expensive for companies to be outed as having had a breach. There was a form of ransomware where they just genuinely lock up your data and there's a form where they xFill it. And even if you have backups, they threaten that they will expose that they had gotten access. And that in itself could be categorized as a breach, especially if you're dealing with regulated data, which all of us are. So I think that the landscape that it is happening on is relevant here. But I think, to answer your question, there's no silver bullet for ransomware. Ransomware requires you to get your house in order. So, everything from minimizing the likelihood of folks getting in the door in the first place. So things like identity and patching, and least privilege and segmentation. And then also having those imutable backups. So things like AWS backup or Cloud and Door that allow you to have a fresh backup point in time, restore backup capability. 

Clarke (20:23):
So, in keeping with sort of hot topics, another hot topic that's out there from customers is the concept of zero trust. So what does zero trust mean to you and how do you articulate that to customers and how can AWS help customers achieve zero trust if, in fact, that's something that they need to be doing?

Merritt (20:42):
Sure. I think zero trust can be a useful conceptual lens on which you consider your security controls. Right? I think... So, first of all, ask any person what zero trust means and you'll get a different definition. But to me, zero trust connotes, not the idea that this coffee mug is not connected to the internet, but it connotes the idea that you should reduce, possibly down to zero, the level of trust that we should give an actor in the network based on their position in the network. So basically kind of whether software or whether human, that we should reduce our reliance on this idea of a traditional perimeter. But of course, the perimeter is dead, long live the perimeter, right? And I think in Cloud, one of our, and frankly at AWS, our approach is not to make this a binary choice between traditional perimeter-centric controls like a VPN or a VPC, and fine-grained, identity-centric controls that operate within those like security groups, Naples and so forth. But instead, to actually have those work with one another and in fact augment and be aware of one another. So an example would be a VPC endpoint policy, where there is both the perimeter and the fine-grain permissions. And they are aware of augmenting one another and able to be reasoned about through some of our tooling that is inherent to Cloud because we're doing infrastructure as code. You can do security as code. So something like access analyzer or inspector, can do network reachability without sending a packet over the network, for example. So the idea that you should be coupling these kind of embracing the defense in depth, I guess, but that sounds old fashion. That's like, "Put the lock on the door and the window." No, these are serving different purposes. And in fact, they are also part of the same logic that we use when we do the rationale around the security.

Clarke (22:57):
Merritt, thanks for your time today. Any closing thoughts?

Merritt (22:59):
You know, I think that often folks come to me with what they think are deep technical CISO questions. And really what they're asking for is, "How do I get my organization to have the impetus and the wherewithal to make a change?" And I think that comes down to the investment, both literal and metaphorical, that an entity makes in making security a first-class citizen. So when we say security is job zero, or whatever aphorism that we use, we don't mean that to be a motto. We mean that to embed itself in the culture of everything we do. One of the ways that we do that is to have Steve Schmidt report directly to the CEO and to have security never be out-classed or out-humaned by other business interests. So, I think for folks who are hoping to kind of emulate some of the prioritization that we have been able to exhibit, the way to do it is to do it. And the way to get there is to start. And the way to start is to make your business line up with those objectives. And one of the other ways to get there, or one of the ways to enable your organization to get closer to there is to build that world class team. And I think it's such a trope right now that talent is hard to find, and I want us to hire folks who think differently, and look different, and code differently because it's absolutely the right thing for the industry and the right thing for the entire ecosystem. You know, security has a lot of touch points on vulnerable communities, on ways that we interact with technology, on ways that we solve problems and make businesses and entities stronger. If not here, then where. And so I would say this is a call to action for all of us, make your workplace inclusive and make your entities stronger.

Clarke (25:02):
Merritt. Thanks so much for your insights and joining us today.