AWS Executive Insights / Security / ...
Rethinking Security and Compliance Operations at AWS
Hear from Chad Woolf, VP of AWS Security, on how AWS is constantly reinventing its security and compliance teams and processes to meet the demands of such a fast-growing and ever-changing world.
In part two of their conversation, AWS Enterprise Strategist Clarke Rodgers spoke to Chad about how the landscape for hiring, building, auditing and maintaining within the security and compliance organization has changed in the last few years and how his team at AWS continues to innovate. Watch part one of their discussion here.
Conversation in detail
Chad, thank you so much for joining me today.
It's great to be here.
So could you please share a little bit about your background and what brought you to AWS?
Yeah. So I've been with AWS about 11 years, been doing security and compliance ever since I've started back in 2010. And I came from EY where we did a lot of security consulting, a lot of business continuity consulting. And that background was really good to help me doing what I am today, and that is security compliance for AWS.
So as the Head of Security Assurance at AWS, what are some of your primary responsibilities?
Well, our primary goal and mission is to help our customers move regulated and really sensitive data to the cloud and a lot of things come along with that. You need to be able to prove internally that you've got your environment secure. You also have to audit AWS, make sure your supplier, AWS is secure. And so that's where we come in, where we prove through audits and certifications and other direct audit engagements that the things we're doing in the background, the things that the customers can't see, is secure and compliant with all the different kinds of regulations and certification standards that we adhere to.
So you have internal teams, internal compliance teams making sure that AWS services meet a certain bar. I imagine you also work with external third party auditors and regulators?
Yeah. Yeah. So most of our work is related to the external engagement with external auditors, regulators, regulator examiners, and customers that are also performing audits on AWS, doing their own due diligence on us.
So in the security world, as from a broad lens, it's very difficult to find talented security people, hire them, train them, and then retain them. I imagine it's the same case with security assurance and compliance professionals.
You'd be right. Yes.
We prove through audits and certifications and other direct audit engagements that the things we're doing in the background, the things that the customers can't see, is secure and compliant with all the different kinds of regulations and certification standards that we adhere to.
Can you talk through a little bit, how you sort of ramp someone up, so a new hire, and then how do you keep them engaged and how do you make security assurance a place that people want to work?
Yeah. I'll step back a little bit and say that the difficulty of hiring really good technical security people today is that we're competing against some pretty amazing externally facing services. And we're all trying to kind of hire the same people, like developers and system designers and things like that. We have to compete.
And a lot of times, in our world, when you've done a really good job, nothing happens, right? Like there's no breaches, there's no escalation, just nothing happens. But when you do something really good in the services, something happens. They release a product, everyone's excited, there's revenue, there's customer engagement on the... And so we're kind of competing against that, but what we have, what security professionals have is there's an aspect of really being good, like corporate... Not corporate citizens... It's like really being a good contributor to the overall good of the security of the entire industry.
And so there's an aspect of that where what we're doing here, we're developing internal processes that we externalize, internal services that we externalize, helping the entirety of all of our customer base to do security and compliance better. And so there's that aspect of it. And those kind of people who really value that do really well on our team and really love working compliance. Yeah. Nobody is in college thinking, I want to be an auditor. I want to be a compliance engineer. Nobody really says that, but when they come on our team and they really kind of catch the vision of what we're doing and how we're helping customers, it is a very, very broad value proposition to all of our customer base and not just those using particular services. So there's that, and that's one thing that we have where we kind of develop that.
So when we hire people, often, we don't hire those with traditional compliance backgrounds, maybe because it's that traditional animosity that they have maybe with the service teams or developers. We don't really want that. We want to get away from that. So there's not very many people... There are some, and some very passionate people about doing this right and scaling, but traditionally, they might not be as technical. And therefore it's not a great fit in our in org.
But when we get those that have... They kind of need two Amazon leadership principles to do well. Number one is the learn and be curious. They need to be able to be curious and get into the workflow of the developers, to understand what tools they're using. Like I said, understand how they do their work. And that takes a lot of technical curiosity in order to be able to do that properly.
And so the second leadership principle they need is to invent and simplify because we are doing things and we are inventing ways to do compliance that nobody's ever done before. And I know because when we ask colleagues and other forums and conferences and stuff, there's no one who has to deal with the scale that we have to deal with. And so we have to invent our own things, our own tools and our own services for developers. So I would just say that those are the two kind of leadership principles that we were really need.
And as we bring people on, we'll hire them from all over. One of my best people was an electrical engineer. And he went to school and got his electrical engineering degree and did something else in electrical engineering and then came over because he was very, very curious about what we were doing and saw the value proposition. And really he was one of our best people. And so that's the kind of thing that we like.
We like a little bit of diversity in the educational background and the corporate background. I mean, we have a very, very diverse team in that regard, the background and thoughts and where they're from, locations and all that are very, very different. And it really does benefit the organization because we can think outside of the box. We can think of ways to scale. The more I involve my team, the more they get involved in that aspect of it, where they're doing industry leading things and scaling at unprecedented rates for different activities and different processes, they get excited about it. Like we all do. I do because we're doing we are paving the way and really exercising thought leadership in this realm.
And the other exciting thing about it is that it does apply to many of our customers too. There's more of what we're doing that could benefit customers than I think people realize. And we are kind of in a really, really working on not only developing those processes and developing those tools and enablers, but we're also trying to externalize them through our other services to help our customers leverage our lessons learned.
We're developing internal processes that we externalize, internal services that we externalize, helping the entirety of all of our customer base to do security and compliance better.
So Chad, the last 18, 24 months has been difficult for everyone with the pandemic and people having to work virtually and from home and coffee shops, et cetera. How has this remote work affected your team and their ability to do their day to day, and then add the features and services that your team does to help support the different development teams out there?
There are certain aspects of audits traditionally that are kind of don't make sense, like visiting a data center. In many ways, the auditors want to visit a data center, mainly because they can check the box that they did that. Or they want to meet in person because they have to check the box they did that, when actually they can get the information they need from something else. Like a data center walkthrough our data centers are so instrumented, we can gather any evidence that you need, including camera coverage, remotely. Why would you need to go to a data center? Actually going to the data center doesn't actually help you do that.
And so before the pandemic, we just had all these kinds of engagements where really it wasn't actually necessary and took a lot of time, especially traveling like what, with data centers all over the world. And when we need to coordinate a data center walkthrough in Singapore. Well then that takes an entire week out of an entire group, the auditors' and our time.
And so the pandemic hits and we can't do any of that. And at first, it was really hard for the auditors to say, okay, I'm not going to come to the data center. But what we did was we really worked with them and said, you know how we've been telling you how instrumented we are? Yes. Well let me show you how you can do all your procedures that you normally would've done in person remotely and through like a virtual reading room, review documents and video conferencing to do interviews. And sampling, you don't need to be there for us to download the system table that describes something you want to review. We can provide it to you in this secure way and show the chain of custody of how we downloaded it and all that.
So because it's forced everyone do that, all of our audits got way more efficient. We've been able to speed up audits. We've been able to not only get them done faster, more efficiently, but also we've been able to do a lot of different things in parallel where normally we would have to do it in serial because we had to do all the travel. So there's a lot of benefits to the audits themselves.
Plus we've been able to really rethink what's really necessary in order to get the control statements validated or the control processes validated. The pandemic in many ways have enabled us to step back and maybe forced us to step back and forced the auditors to step back and rethink how they're really getting assurance in our environment.
We've taken the time to build more tools. We have different ways to show, like I said, a data center walkthrough. There's a virtual data center walk walkthrough tour now. There's, I mentioned the Digital Audit Symposium, which is instead of getting everybody in a room and lecturing, we now have kind of a virtual place to do that with videos and things like that, which makes it so they can do it on demand on their own time zone and we don't have to hit up the service team leaders and the GMs to come present over and over to the customers, basically the same information. So it has made those kind of other audits and other engagements and educational events that we have much more efficient.
So it's almost sounds like auditing as a service?
Auditing as a service or just really focusing in on those things that matter. And maybe the traditional stuff that we did for 20 years, are they really needed? Some of them weren't. And so we able to do the right thing and get to the right procedures and assessing the right controls.
That's awesome. So if we shift gears a little bit to the customer perspective. So I'm a customer and I'm going to start up a security assurance program. Clearly I'm not going to start day one at the level and scale of AWS, but how would a customer go about getting support for their own internal security assurance programs? You know, you talked about having development teams. That's not a "standard operation" that I see with any of our customers. Some of the bigger ones are starting to think that way. But how does a customer sort of lay that groundwork with their senior leadership to say, this is important and this is the kind of investments we should be making.
Yeah that's a good question and I think it's different for many customers. Most customers have some unique situation in their business that makes the value proposition of security and compliance different.
And in general, obviously security is important and compliance is absolutely essential in many aspects. And so you do need to build the program. Everybody needs a security program. Everybody needs a compliance program, whether it be security compliance or legal compliance or whatever, you need to be compliant with laws if you want to continue to do business, right?
But I would just say probably the number one... Well first off, there's the activity of selling that fact of the value of a security and compliance program to leadership and I think that should be a business decision, right? Not necessarily like, some person's obligation or their job to go and try to convince an entire leadership team that it's important to have security. It should be a CEO level decision that we're going to take security seriously.
So once you've decided that, and you understand the value and you want to invest in it, how do you go about doing that? I would just say that as we were talking a little bit about understanding the real processes of, in our case, the developers. That's probably the number one thing you have to really focus on. Most people start with, okay, what control frameworks do we have? And what are the controls we need to comply with, and let's document those controls first and then go to the business and tell them that they need to do these things or achieve these objectives.
If you instead go and really dive deep into how your businesses work, whatever business it is. In our case, it's a bunch of developers, right? How they work, how they get their jobs done, what tools they use, all that stuff is super important because we have to intimately understand it before we can introduce anything new. A lot of times we don't need to introduce anything new because of the way that the work is being done. Or we'll do the job of interpreting the control frameworks to how they're doing their work. And so that activity, no matter what business you're in, the marrying up of what they're actually doing and how they do it with what's required and what kind of interpretation that might require to apply to your organization, that activity is the most important
And probably the first thing that you need to do in order to get a real great partnership going between the compliance team, the security team, and the business. Many times, we get that backwards. And I think that really has been the key to our success, not only at the beginning, but also just ongoing. The only reason we're successful ongoing, is that we're very intimate in the way that AWS developers design, develop, deploy, and maintain software and everything else kind of revolves around that.
Chad, thank you so much for joining me today.
It's great being here. Thanks, Clark.
About the Leaders
VP of AWS Security at Amazon
Chad joined Amazon in 2010 and built the AWS compliance functions from the ground up, including audit and certifications, privacy, contract compliance, control automation engineering and security process monitoring. Chad’s work also includes enabling public sector and regulated industry adoption of the AWS cloud and leads the AWS trade and product compliance team.
AWS Enterprise Strategist
As an AWS Enterprise Security Strategist, Clarke is passionate about helping executives explore how the cloud can transform security and working with them to find the right enterprise solutions. Clarke joined AWS in 2016, but his experience with the advantages of AWS security started well before he became part of the team. In his role as CISO for a multinational life reinsurance provider, he oversaw a strategic division’s all-in migration to AWS.
Take the next step
Listen and Learn
Listen to executive leaders and AWS Enterprise Strategists, all former C-Suite, discuss their digital transformation journeys.
AWS Executive Connection is a digital destination for business and technology leaders where we share information.
Watch on Demand
Get insights from peers and discover new ways to power your digital transformation journey through this exclusive international network.
Listen in as AWS and customer leaders discuss best practices, lessons, and transformative thinking.