Building a Diverse and Empowered Security Organization

Clarke Rodgers (00:10):
Security leaders face constant threats, complex challenges, and high-stakes repercussions on a daily basis. When the pressure is on and the right answer is hard to find, the best solution might be to lean on a community of other security leaders.

Hi, I’m Clarke Rodgers, Director of Enterprise Strategy at AWS and your guide for a series of conversations with AWS security leaders here on Executive Insights.

I’m pleased to be joined by Danielle Ruderman, leader of the AWS Worldwide Security Specialists organization. Danielle was instrumental in launching the AWS CISO Circle program. Join us as we deep dive into the origins of the program and how it’s evolved.

Clarke Rodgers (00:48):
Hey Danielle, thanks for joining me today.

Danielle Ruderman (00:50):
Very happy to be here.

Clarke Rodgers (00:52):
Please introduce yourself and tell me what brought you to AWS.

Danielle Ruderman (00:55):
I lead a team that runs global programs to help our customers and internal teams understand and talk about cybersecurity. And I think what's interesting is that I had a very nonlinear path to get here, if you will. And I think that's very important for people to know that, in cybersecurity you can come to this role from many different directions.

So, I actually started out as a visual basic programmer. And then worked my way up and eventually became a project manager, I've worked in every phase of the software development life cycle. My career changed pretty dramatically after I had my first child, and I think we'll touch on more of that a little later. But I really had to take a step back at that time and rethink what I was doing to balance my family obligations.

I came in to AWS Security, so not in the marketing department, again, I worked in AWS Security and they said, "Help us think about how to talk about cybersecurity to our customers." So, one of the first things I did was help write the very first security messaging for AWS. So that was my formative experience at AWS and really gave me a deep understanding of what we do here and how we make security job zero.

Clarke Rodgers (01:54):
That's fantastic. So, from your background, at what point did you get the cybersecurity bug, for lack of a better word?

Danielle Ruderman (02:02):
I think it really came to the forefront for me when I was at the American Red Cross. So, I led a modernization effort of the mobile blood system. So, if you've ever gone to donate blood, we did a massive hardware and software modernization of that system. And to do that, you are protecting billions of donor records in the blood database. And so that's a very big privacy and security consideration

So, we had to work very closely with the CISO of the Red Cross, and with the security team throughout all phases of the software development lifecycle and the site validation and things like that. And so, while I was not myself a security practitioner, working on medical device software, working with the FDA, that really gives you an appreciation of the importance because it is very serious.

Clarke Rodgers (02:47):
So, in your current role, you run global programs with a security bent to them, as I understand, and I think one of your most popular ones is the AWS CISO Circles. Could you talk a little bit about the CISO Circles?

Danielle Ruderman (03:00):
So, at AWS we have the CISO Circles, and this is a global program that we've scaled all over the world and it is our opportunity to bring together customers in small groups, so it tends to be between 10 to 25 CISOs. And it's closed door, so our customers are under NDA, we follow Chatham House rule. And it's a real opportunity for customers to talk from and learn from each other, and then meet with our security executives. So, I will say I've been incredibly humbled by how our service team leadership and how AWS security leadership has really leaned into the program.

And this is something I want customers to hear, is our leadership and our service teams want to hear directly from you. And the CISO Circles have given us a way, not just for the customers to learn from each other and share advice, but also give us very candid and very direct feedback. And that's really what we're trying to drive here is that really direct customer engagement.

To have senior leaders go talk directly with customers in groups in their region is very powerful. To really understand the local conditions, the local market, the maturity and the cybersecurity concerns of these different areas in the world; it really gives us a much better understanding of what our customers are dealing with to help make our products better for everyone.

Clarke Rodgers (04:09):
I can't imagine this is a small investment to create a global program like this and invite CISOs and have content that they're interested in learning about and discussing. How did you A, see the need for it and then sell the idea internally to actually make it happen?

Danielle Ruderman (04:26):
So, we've had over the years, a few groups here and there pull together groups of CISOs because they saw the need. Our customers want to meet with each other, especially they want to meet with other executives who are working with AWS because they understand the landscape. And so again, we'd seen people pull together these discrete groups, but there was no overall movement and it's a lot of effort to pull something together like that.

We kicked off with a small inaugural cohort of CISOs. It was virtual because we couldn't get together in person and we had a really great discussion. So, we brought in some of our AWS Security leaders to talk with and try to get the CISOs talking together online. And based on that success, we then broke out starting in 2021 into more of the smaller, regionalized cohorts. And that's where we really learned how to improve the program, I think you were involved in some of the early ones.

Danielle Ruderman (05:16):
Some of our early topics that really resonated, we talked about things like, “How do I build a culture of security in my organization?” or “How do I talk to the board of directors about security?” So, these aren't like AWS or server-specific discussions. They're really challenges that we found our CISOs were facing, and we were able to create that space where they could talk to each other and then we could also share our knowledge. So, we could share back some of that Amazon and AWS security culture, which I think we have some very powerful messaging about how we've built an organization that we have, and maintained the security.

Clarke Rodgers (05:47):
You mentioned a couple topics that came up in the CISO circles, in the last year what would you say the top three discussion points that keep coming up throughout the CISO circles are?

Danielle Ruderman (05:57):
We do try to be very responsive to the customer's asks and what's top of mind so that we can find the right speakers, and find the right resources and initiate the right discussions to make it a really meaningful experience. And we're somewhat flexible in that we can add topics.

When Generative AI popped up on everybody's mind earlier this year — into the survey it went and guess what's the number one topic globally? Generative AI and security. And then proactive security is actually right now the second most popular topic — so this includes DevSecOps. And so again, a lot of CISOs in current economic conditions are facing a situation where they have to do more with less. And that concept of proactive security is a way to do that.

And then also rounding out the list is of course, Zero Trust, everybody's favorite buzzword. But again, this is a concept that's gaining a lot of so much traction, we hear it everywhere. And what our customers tell us is that there's no consensus on what that phrase means. And so, they'll have their board of directors or their peer executives ask them about, "Hey, what are we doing for Zero Trust?" And the first thing we have to do is level set on what does that actually mean to everybody? And then talk about the benefits and what it can do for the organization.

And then another one that's really resonated has been the evolving role of the CISO. I think we all knew with the new SEC regulations in the United States, there's a lot of pressure on CISOs. How is the role evolving, how can you make the most impact in your organization? And a lot of that does go back to that culture of security, where you're thinking about the ownership of security in your organization and how you're scaling that to your business units.

Clarke Rodgers (07:28):
And making security a business driver, right?

Danielle Ruderman (07:30):
Absolutely. An enabler to the business.

Clarke Rodgers (07:33):
That's fantastic. So again, Amazonian fashion, you go out and run global programs, you collect data, you have to report the success or failure of a program back to leadership so you can continue to get the investment. How do you report that and how do you report success?

Danielle Ruderman (07:50):
If we're just looking at the health of the program, we want to make sure that when we look across the events and the circles we're hosting globally, are we getting people to actually come to them? Are they rating the customer satisfaction scores, do the topics resonate, do the speakers resonate? So those basic understanding, we want to see those numbers be very high and we want to see the return rates. So, we want to see that CISOs are coming back again and again as their cohort continues to evolve and mature.

We consider this a trust-building program. So we want to see are CISOs, do these organizations feel more comfortable doing more with Amazon? Are they deeply engaging in these discussions, are they giving us feedback that is going to help us materially make AWS better for all customers? So, we're looking at all of these different metrics, but I think at the end of the day, we very much value that engagement that we get from these customers and the feedback that they give us, I think that's gold.

Clarke Rodgers (08:42):
It sounds like a great program. So, if I'm a customer, how do I sign up? I assume I have to check the box that I'm a CISO, how do I sign up and learn more about the program?

Danielle Ruderman (08:52):
So, we do target obviously the Chief Information Security Officer, but what we found is that some organizations don't have that title in their org chart. We've also found in some different countries, different terms are used to designate the person who fills that role. And so, we're always looking for the right ... if you feel that you, “Hey, I lead security for my organization.” Yes, we want you in the room.

The first step is really to reach out to your account team. We do have quite a few options as far as location or some verticals, so we can help you find the right one.

Clarke Rodgers (09:24):
It sounds like a great program. Let's switch gears a little bit. You have a sizable team within AWS. What are some of the things you're looking for when you're hiring for your team?

Danielle Ruderman (09:37):
I think many hiring managers, we go back to the leadership principles because obviously you're going to have specific skills that you need in your team, but our north star is always those leadership principles. And I say across the board for any role in security, I've always seen “learn and be curious,” be a top leadership principle. And this is because, you may not come to AWS with these specific skills that you need for a particular role, but if you have demonstrated in your career, in your hobbies that you're curious, you're willing to dig in — those are the things we want to hear. So even if you don't feel that you have the exact skills, if you really demonstrate “learn and be curious” in other areas of your life, that is gold.

For me, probably the other leadership principle that is most important — obviously customer obsession, it always matters to us, but for me it's “earn trust.” So, when you run global programs and you're interacting with both customers and internal leaders all around the world, you have to be able to approach that with a sense of humility. And I need folks on the team who are able to earn trust with a wide variety of personalities and work in different cultures. And that just becomes so critical, so we're looking for folks who demonstrate that ability to have empathy and have humility.

Clarke Rodgers (10:45):
So, once you have the employees in, and especially if maybe they're more junior in their career, what are you doing to sort of mentor them and give them a path forward that they can see what their career might look like in three to five years from now?

Danielle Ruderman (10:59):
We have a formal mentorship program. Of course, we're Amazon, so we have mechanisms and tooling. So, there's a mentor tool you can sign up in, and that will actually help you find a mentor from somewhere else across Amazon. And that's a great way to just meet a leader who's leaning in and wants to mentor.

Other things we do is the more informal mentoring, where my team members will say, "Hey, I really want to learn more about a particular topic. I need to be a better Amazonian writer, I eventually want to manage someday, how can I learn more about that? I want to better develop my skills in ‘learn and be curious,’ or one of the other leadership principles.” And then we can work together to try to find someone who can work with them for a period of time on a specific goal.

And I really like that approach of having a goal in mind with what you're trying to accomplish. But you shouldn't go into a mentorship relationship just thinking, "My manager told me I needed a mentor." So I really coach the team to think about, “Where do you see opportunities for improvement in your own career, where do you think you want to go?” And then as managers, it's our job to guide them and help them find other people to talk to.

And that's one of the very powerful things about working here is, I'm very transparent with my team. You're in a role today and we hired you to do this role, but this is not the end of your career at Amazon. I want you, if you see something interesting over there in another business unit, I will help you get there. I will help you develop the skills you need to get there.

So that idea of mentorship and connecting people with different individuals across the company, different leaders, is very important to developing a healthy career at Amazon.

Clarke Rodgers (12:23):
As you're well aware, finding security talent is difficult regardless of industry, even at AWS. How do you think about the cybersecurity skills gap in your role and in your hiring?

Danielle Ruderman (12:35):
As an industry, we're facing a skills gap, so we cannot hire enough cybersecurity professionals to meet the needs of all the different organizations. AWS also, we're all challenged to do that. I think one really interesting thing I learned recently, I went and spoke at my son's school. We have cybersecurity classes, and the teacher asked if I would come in and talk to the classes. And of course, I got there and I spoke to seven different classes, and it was mostly young men.

And I was stunned because I thought that we've done so much work in the tech industry in security to really try to attract that diversity of gender, but most of the classes I was talking to was all boys. And I talked to the teacher afterwards and she said, "Oh, high school's too late. By then you've missed it."

Clarke Rodgers (13:18):
Oh, wow.

Danielle Ruderman (13:18):
Right. She's like, "You've got to start in middle school to get the girls interested." And that really made me wonder, “If this is an issue for our industry that starts in middle school, how do we address that?”

The other thing that's very interesting, if you think about bringing in maybe mid-career professionals, we look at things like, how can we make these roles more appealing to diverse candidates such as those with caregiving responsibilities? I worked with a solutions architecture team a few years ago, and they were struggling even to get women to apply for the job. We know women are out there, we know they have the skills, but they weren't applying to the jobs that were open.

The team did some digging and found that part of the issue was the travel requirements for the role. So, solutions architects tend to travel to customers. This role covered the entire United States — that means there's a lot of travel involved. And when they dug into it, they found that women weren't applying because they can't take that much time away from their responsibilities at home, because even today, disproportionately the responsibility for caregiving falls on the shoulders of women.

So, what they did is they changed the job description and they changed the scope of role to break the country up so that they had a smaller geographic footprint, and that allowed them to get more interest from women. And so again, it was thinking about the challenge differently.

And that's the thing, is people who are affected by these decisions we make, they're not going to raise their hand and tell you what the problem is — you have to go dig in. And so that really taught me that we have to be able to think differently about some of these challenges.

And I think there's some very interesting research that's come out recently. So, Claudia Goldin just won the 2023 Nobel Prize in economics, so she's a Harvard economist, and she's looked at the gender pay gap. And especially this is an issue in tech, right? Why do we have a disparity in pay for women versus men? And what she found is that this is not a skills gap, it's not an education gap, it's not sexism.

Actually, they noticed a dip in women's pay right around the time they have their first child. This goes back to, again, women disproportionately having that caregiver responsibility. When you have caregiver responsibility, you might not be able to take that higher-paying role that has more demands on your time, greater requirements for travel.

That research really resonated with me because of my own experience, because I had to leave a job with very high demands. I was on call because we worked with the blood system. I just couldn't meet that pace, I had a lot of issues with my first child and I had to take a step back in my career. And when I look back on my career trajectory, I had to take a complete turn in what I was doing and that was very hard. And I think it's something we don't talk about enough.

Clarke Rodgers (15:59):
We have to ask those questions.

Danielle Ruderman (16:00):
Exactly. And look for ways to make it easier for us to take these roles and have impact in our organizations.

Clarke Rodgers (16:06):
Well, as a leader, I think you're also setting an example. You've recently embarked on, I believe it's a fellowship in humanities and technology. Can you talk a little bit about that and how you think that's going to help your role at AWS?

Danielle Ruderman (16:21):
I had a friend actually forward me an email for a new program that was being stood up at Virginia Tech. And it was all around, they wanted to find some fellows to look at, “How can humanities inform our decisions as leaders in technology?” And I thought, "Oh, my."

And so, I applied to the program, I had to write a paper to apply, I met the founder. And it's a fascinating experiment, I don't think anything like it's been done before. But it's the idea of “How can we learn from that humanistic thinking?”, so how do you think about what is a person? And I think these questions are very important today in the era of generative AI with how we're thinking about the marriage of technology and humanity.

And I don't know that we step back enough to give ourselves time to think that way and think about over the course of human existence, much has been written, much has been said about what it means to be human and exist in this world. And technology adds another dimension, it's another phase of our evolution, if you will, and I think we should be very intentional with how we're using it. And especially as leaders in technology, how we're thinking about reasoning, about the place it has in our lives and how it can make existence better for all of us.

And those are the kind of questions we're noodling on. It's a very powerful experience and I think I have yet to really deeply understand how to bring it to my work, we're still in the early stages. But it's opened up so many channels of thinking. And I will tell you, when I tell people I'm doing this program, they all say, "Can you send me your reading list? I want to know more."

I think there's this untapped need in those of us who work in tech — we get caught up sometimes in I think the technical side of the work. But when you start applying that humanistic thinking and that opportunity to think more deeply about why we do what we do and the impact that it has on the world, people are hungry for that. And I think we need to create space to have those conversations and have conversations at all levels of the organization.

Clarke Rodgers (18:11):
Love it. It sounds like a great course and I hope I can have you back on the show to talk about it in greater depth at another time. Thank you so much for joining me today.

Danielle Ruderman (18:21):
My pleasure.