Why are some security organizations more successful than others, and what does a successful security organization look like? AWS CISO Steve Schmidt offers his perspective, highlighting three common traits he's observed in successful security organizations, and three fellow CISOs who are applying those traits to their advantage. Learn why these CISOs are able to improve the risk posture of their companies and create new business value faster and more efficiently than others.
The democratization of security
It’s no secret that the responsibilities of security and risk management executives like CISOs, CSOs, and CTOs are dramatically expanding.
Not only are we accountable for being preemptive and vigilant against security threats and safeguarding business networks, we’re now rapidly evolving to become stewards of our organization’s brand, strengthening its reputation while also building board credibility and customer trust.
In my over 12 years as CISO of Amazon Web Services, partnering with numerous AWS customers in their cloud and security journeys, I’ve come to recognize some standout organizations that are taking on this transformation remarkably well. I’ve also been able to see firsthand how they’re doing it.
What do we mean by successful security organizations? These are companies that are improving their risk posture at a more efficient rate than others, while at the same time optimizing their use of cloud to create new forms of business value at a faster pace.
Trait #1: They are forward leaning with audit and legal
Working closely with legal and compliance professionals, audit partners, and regulators is perhaps the most critical of the three traits. Just like security professionals, these individuals are tasked with safeguarding their organizations, so they need to be engaged early and often. Security organizations that are able to rapidly adopt the cloud recognize that legal, audit, and compliance stakeholders can become strong allies.
Communicate early and often
Successful security organizations proactively communicate and prioritize alignment with legal, audit, and compliance professionals. This seems obvious, but quite often we see organizations establish their internal control systems and get momentum going only to stumble because they haven’t properly aligned with the right teams along the way. It’s not always easy to overcome the traditional way of operating, which for some organizations was to enlist stakeholders in the middle or near the end of a given process. As security leaders, we don’t want to see security “bolted on” to a product after it has been built. In the same way, we should integrate the necessary steps into our security processes to proactively ensure adherence to legal, audit, and compliance requirements. One of the things we do on a regular basis at AWS is engage with our customers and their internal auditors early on, so they can teach their stakeholders how to audit successfully in the cloud. We do that by providing guidance and tooling, and running “game day” mock audit exercises.