In this spotlight, we focus on security, specifically developing a positive security culture within your business. We will also pull back the curtain to show you our approach at AWS to implement and maintain a positive security culture and how you can do it, even if you don't sit inside the security organization.
“We are not only building and operating a security organization that operates at a scale that nobody's seen before, but also building and operating a culture that is very unusual in the security world. And that's something I'm most proud of, building the right culture in the organization.”
Goal setting’s role in building a positive security culture
We strongly believe in incremental progress. Rather than trying to go with a big bang program that doesn't complete for many years, we try to have our teams accomplish something significant in a very short interval. We aim for incremental things that are progressive, measurable, and, more importantly, attainable in a relatively short period of time, like a couple of months.
Progressiveness means always making progress towards goals our service teams and our customers want to achieve. This mindset is important for two reasons. One, this is how businesses progress and how our services are launched to our customers. Two, it's a way of encouraging the service teams to talk to us instead of viewing us as obstructions to their ability to launch services or products.
“This is not about what the security team itself wants to do, but ensuring that we're always helping our customer teams, our internal teams, make progress towards their own goals, their own accomplishments.”
The way to a customer’s heart is to identify the problem
Let’s start with defining the word escalation. Escalation is the process of ensuring that the right people know about the problem at the right point in time and is fundamental for efficiency at AWS. Escalation is the concept of somebody seeing something that causes them to go, "Is that right?" And then, instead of sitting on it, we make sure the right people know about it.
Escalation encompasses one of our corporate values, which is the fact that leaders dive deep and owners dive deep into the details of the way the business operates. Without all the details, you cannot make good decisions about what's going on and how to run your business effectively.
In the old world of security, we used the phrase “shoot the messenger” when a problem was identified, which discourages people from bringing things forward. My job as a leader is to thank people who’ve identified things and brought them forward for our attention. We reward the messenger and then fix it.
What is “zero trust,” and how can it make things better?
To us, zero trust means that you are not relying on a network perimeter as your primary defense point anymore. It means pushing the security perimeter down to the smallest possible component, ideally individual data elements, if you can get down to that point. Then, in the converse of that, opening up access to those individual data elements from wherever the user who's authorized happens to be. It's no longer that I have to be on a VPN, for example, but instead a situation where perhaps the phone has an agent on it that can inform our authentication and authorization system that my phone is in an approved state for patching.
And anchoring that trust in hardware components that have a great deal of repeatability in their ability to discern: is this the right person? So for us, zero trust is about building a set of controls that altogether allow us to either permit or deny access to individual components of data for individual people based on their work, where they are, what they're using to access the device, the time of day, day of the week, the location they're at in the world. And it allows much, much better, fine-grained control of information when done correctly.
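The description above amounts to a policy decision point that evaluates a request against several independent controls and denies when any one of them fails. The following is an added illustration, not AWS code or any AWS policy language: the classification labels, the one-hour attestation freshness limit, the per-classification country and time-window rules, the role grants and the sample users are all assumptions chosen for the example. Note that network location is deliberately not an input; a fresh hardware-anchored attestation of a patched device, in the hands of an authorized user, is what earns access.

```python
"""Context-aware, deny-by-default access decisions for individual data
elements.  Added illustration, not AWS code: the classification labels,
the one-hour attestation freshness limit, the per-classification
country and time-window rules, and the sample users are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ATTESTATION_MAX_AGE = timedelta(hours=1)  # assumed: posture claims expire after 1h


@dataclass(frozen=True)
class DataElement:
    name: str
    classification: str          # assumed labels: "internal" or "restricted"
    allowed_roles: frozenset     # roles granted on this specific element


@dataclass(frozen=True)
class DevicePosture:
    attested: bool               # hardware-anchored device identity checked out
    patched: bool                # the agent reports an approved patch state
    attested_at: datetime        # UTC time the posture claim was produced


@dataclass(frozen=True)
class AccessContext:
    user: str
    roles: frozenset
    device: DevicePosture
    country: str                 # where the request comes from
    now: datetime                # UTC time of the request


# Constraints per classification (assumed). "restricted" data may only be
# reached from listed countries, Monday-Friday, 06:00-22:00 UTC.
POLICY = {
    "internal": {"countries": None, "hours": None},
    "restricted": {"countries": {"US", "GB"}, "hours": (6, 22)},
}


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # failed controls, empty on allow


def evaluate(elem: DataElement, ctx: AccessContext) -> Decision:
    """Allow only when every control passes; any single failure denies.
    Being on a VPN is not an input and earns nothing."""
    reasons = []
    rules = POLICY[elem.classification]
    now = ctx.now.astimezone(timezone.utc)
    attested_at = ctx.device.attested_at.astimezone(timezone.utc)

    # 1. Authorization on the individual element, not on a network segment.
    if not (ctx.roles & elem.allowed_roles):
        reasons.append("no role grants access to this data element")

    # 2. Device posture: attested, patched, and the claim must be recent.
    if not ctx.device.attested:
        reasons.append("device identity not attested")
    if not ctx.device.patched:
        reasons.append("device not in approved patch state")
    if attested_at > now:   # clock skew or a forged claim; never treat as fresh
        reasons.append("device posture claim is dated in the future")
    elif now - attested_at > ATTESTATION_MAX_AGE:
        reasons.append("device posture claim is stale")

    # 3. Location and time window, only where the classification requires them.
    countries = rules["countries"]
    if countries is not None and ctx.country not in countries:
        reasons.append(f"access from {ctx.country} not permitted for {elem.classification} data")
    hours = rules["hours"]
    if hours is not None:
        start, end = hours
        if now.weekday() >= 5 or not (start <= now.hour < end):
            reasons.append("outside permitted access window")

    return Decision(allowed=not reasons, reasons=reasons)


def demo() -> dict:
    """Constructed scenarios: one request that passes every control and four
    that each fail exactly one, so the denial reason is attributable."""
    payroll = DataElement("payroll-2024-q1", "restricted", frozenset({"hr-analyst"}))
    tuesday = datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc)
    saturday = datetime(2024, 3, 9, 14, 30, tzinfo=timezone.utc)
    fresh = DevicePosture(True, True, tuesday - timedelta(minutes=10))
    stale = DevicePosture(True, True, tuesday - timedelta(hours=3))
    fresh_sat = DevicePosture(True, True, saturday - timedelta(minutes=10))
    hr = frozenset({"hr-analyst"})

    def req(roles=hr, device=fresh, country="US", now=tuesday):
        return AccessContext("alice", roles, device, country, now)

    return {
        "ok": evaluate(payroll, req()),
        "wrong_role": evaluate(payroll, req(roles=frozenset({"engineer"}))),
        "stale_posture": evaluate(payroll, req(device=stale)),
        "wrong_country": evaluate(payroll, req(country="DE")),
        "weekend": evaluate(payroll, req(now=saturday, device=fresh_sat)),
    }
```

Each denial carries the list of failed controls rather than a bare "no", which is what lets a service team ask "is that right?" and escalate a policy that is too tight, instead of working around it.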
Remember your “why?” for customers and personnel
The most important thing we would like people to take home today is that business should be a positive one. It should be about how do we make people's lives better? How do we make them more effective and more efficient at their job? And how do we ensure that we make incremental progress towards our goals every day, as opposed to waiting for a big bang.
So for those who do not sit in the security organization, we encourage you to schedule a virtual coffee with your security team, understand their business objectives, and find ways to communicate more effectively. You can learn more about what AWS security is doing at the AWS security blog.
“You want to give people the tools, rules, and instructions on how to do it right and make it easy for them to do the right thing. As a result, you’ll be happier as a security professional, and your customers will be happier that they can get their job done more easily.”