Security-First Leadership

Clarke Rodgers (00:10):
When you have those sort of private meetings with customer CEOs and effectively your peers, what are they asking you? What are they talking to you about in terms of security and privacy and compliance and sort of the regulatory regime that we see out there? Can you give us sort of a little peek into those conversations?

Adam Selipsky (00:28):
Those are really important conversations, which a lot of CEOs really do care about, and these topics resonate with many of them, as they should. I guess I'd point to a few things, one of which is, well, generative AI of course is on everybody's mind. And we get a lot of questions around "How do I think about security in a generative AI world " and "Things are moving so quickly" and "What types of applications or technologies should I be using?” and “How do I know they're secure and how do I think about being secure inside of my company as well?" And the first part of the answer is,

Somehow there's been this schism where people talk about enterprise security for all these services over here and then, “Oh, now let's talk about generative AI.” And it was actually quite astounding to me how some of the first generative AI chatbots or consumer-grade assistants came out really without a security model. And the data literally did go out over the internet and any improvements to the model literally would be shared by everybody using the models. That's why so many CIOs, CISOs and CEOs literally banned some of these assistants from their company for a good amount of time.

But it kind of amazes me because I think about going to a security-minded CEO or a CIO or a CISO and saying, "Hey, I've got this amazing new database service. There's nothing like it. You're going to love it. I really think you should adopt it. By the way, it's got no security model attached to it, but don't worry about it because I'll come around with v2 and it'll be secure then." I mean, I'd get thrown out on my you-know-what!

Clarke Rodgers (02:20):
Sure.

Adam Selipsky (02:21)
At least I hope I would, I would deserve to. And so, I think other companies in this space for some reason, I can't tell you why, are taking a different approach to security and somehow deemed it less important. And we're very predictable here. Our generative AI services like Amazon Bedrock, which is a managed service for operating foundation models, is no more secure and no less secure than any other AWS service.

So that's the first conversation around generative AI. And then there's some other topics as well and the topic of "How do I get a security mindset into my company?" And I think that gets back to culture. It gets back to some of the things you and I discussed today around really top-down leadership and sending signals from senior leaders that this matters. And the bar, the standards are incredibly high. And I often counsel my peers, a lot of it's about insisting on the highest standards and people need to see how high the standards are in security and what your lack of tolerance are for anything except those highest standards.

Clarke Rodgers (03:30):
What advice would you give your peer CEOs who maybe are not leaning in as much to security risk and compliance issues within their organization to get more involved in them?

Adam Selipsky (03:43)
I think the first thing would be to understand, how important is security to your business and in what ways is security important to your business? I think it's easy to say, "Oh, security is security, it always has to be the top thing that anybody is always worried about." And I already said for AWS it is, that's the statement about us and the type of business we run and the trust that our customers place in us to run their mission-critical workloads. But there are other businesses for which different aspects of their business probably have a different security set of risks and opportunities.

And so deciding, “Where does security really matter in my business?” And that's going to help me decide where to invest. Because I think it can be pretty daunting if the concept is, “Well, I have to invest a massive amount of money everywhere in security, irrespective of whether I manufacture farm equipment or whether I have a large social media website or whether I'm a startup in the data space.”

Clarke Rodgers (04:44):
Got it.

Adam Selipsky (04:45)
And I think the security priorities are going to be different. All of those types of companies are going to have security needs and the security will be important in one way or another. But I really encourage people to dive down deeper than that and figure out what the true priorities are. And that usually actually makes it a lot easier to invest because you say, "Hey, I'm going to start by investing more there and then we'll decide what the next spots are to invest." So that's probably the first thing I counsel folks.

Clarke Rodgers (05:14):
So what advice would you give to CISOs who are trying to report security and compliance in a meaningful way up to the CEO, the board of directors, that kind of thing?

Adam Selipsky (05:26)
I'll tell you the advice I give my CISO and the requests that I have of my CISO, which I think
is probably very similar to what makes sense for other CISOs, which is to put a customer lens, a customer filter on your work, your job and the advice and the counsel that you're giving. The CISO's job is to enable the business to do what it needs to do and what it wants to do to delight customers and to provide value to customers, comma, securely.

And I think that creates great credibility because then the CISO becomes viewed as a valuable business partner, who is driving and enabling the business, as opposed to somebody you need to get a checkbox from.

And I think it totally changes the relationship and it also really helps with prioritizing the resources. So you can really then tell when viewing it through the customer lens of, “Where do we truly create customer risk if we do X?” Or “Where do we really create a great customer opportunity and security if we do Y?” If you think about it in that way.

And then by the way, I think also the CISO gains an enormous amount of credibility on those occasions where he or she does say, "I need to pull the Andon cord. We cannot, we should not do this. We need to fix something before we do." And if that is a rare occasion, then if you're smart, you will take that very, very seriously.

Clarke Rodgers (07:06)
That's fantastic advice. Adam, thank you so much for taking time out of your busy day to meet with me today.

Adam Selipsky (07:10)
It's a pleasure. Thank you.