Advice for CISOs from AWS CISO CJ Moses

Clarke Rodgers (00:21):
You speak to a lot of CISOs, as do I, what's the advice you give them? If they are not as fortunate to have that set up already, maybe they're coming in new and they realize, "We need to do something," how do you even pitch that internally? Or how would you pitch it internally?

CJ Moses (00:34):
Yeah. I mean, there's different ways to pitch it. What I've found in the CISO space is a lot of times your average tenure for a CISO these days is 18 months. It seems to be a rotating door. If you have a CISO that is really, really strong, and gets hired into a business because they know they need change. They've had issues. The last CISO got fired because of them, or whatever it may be. That's your opportunity.

Negotiate up front. Don't negotiate as much for pay and comp and all that kind of fun stuff. You can do that, but the real focus should be, you should be interviewing the company. If you're going into a role, there's a lot of CISOs out there that go into roles know it's going to be 18 months. Negotiate for a really good contract or whatever it is for 18 months’ worth of work and 18 months’ worth of stuff, before they end up, there's a major issue because the resourcing isn't there and the culture isn't there, and all these things aren't there, and then they get booted. Essentially, from a board perspective, the risk went away because the CISO that wasn't doing the job has moved on.

Clarke Rodgers (01:42):
Right.

CJ Moses (01:42):
Security theater. Again, we know I don't like security theater. When advising CISOs that are sitting in a role is to, A, make sure they're not in a role like that. And if they are, to quickly find themselves, not necessarily out, but to advise and work their way up with leadership to explain the situation, the risk that the company has. But also, if they are newly coming into a company, to make that part of the discussion. Anyone that's interviewing a CISO that's willing to just take blindly what's going on, and say, "Oh, I can fix it all," probably is on the latter plan, where they're going to be there for a little while and gone, and absolve the risk with it.

Rather than, in our case, we want to build that culture. How do you build a culture? Get executive sponsorship. If you don't have executive sponsorship above yourself, make yourself that executive. Invite the business leaders on board. Explain that you're trying to enable them, rather than putting blockers in their way of doing things and without their participation. Start to build that group, if you will, of leaders that strongly believe that they need to be secure in order to do their business. It's a long road in some businesses.

CJ Moses (02:59):
We're still on that journey today. As you get large and scale, and complexities increase, you need to continue to make security the simplest way of doing things. By making them simple, people will naturally go towards them. If you make things hard, people will go away from them. Especially in our case, innovation is key. Innovation and the speed of the internet, if you will, to be able to get things done. So, from a security perspective, that's one of the things that we focused on early. We're still focused on today, is continuing to drive down the cost of security to the builders that are building and running services.

Clarke Rodgers (03:32):
Yep.

CJ Moses (03:32):
That model helped us to ... Not only helped us, it was very well in line with our ownership model, and it made sure that the single threaded leader owned security. So, if there's a security issue, they were the ones responsible. In saying that, doesn't mean that that lets Steve or I or others off the hook. It's our job to establish the bar — to monitor and audit the bar, if you will — to report on it to make sure that our executive team is understanding of the risks that we're taking and where we need to drive that down. As well as to create tooling, services, capabilities to make it easier, because security needs to be the path of least resistance for those teams.

Clarke Rodgers (04:14):
Yep.

CJ Moses (04:15):
We continue down that journey but I think that ... We've seen over the years that strong owners want to own anyway. So, the model really aligns with our builder mentality, because you don't want to, as a service team owner ... When we were running VPC, I didn't want to have anyone else be responsible for it. When I built AWS GovCloud or subsequent other government entity stuff, I wanted to be the last ... I want to be the one that was responsible for it. Because it also meant that I kept eye on the ball. I had metrics that I was trying to hit — risk reduction or otherwise. Those are the types of things that, if you're paying attention to things, you'll be able to drive down, in this case for security, drive down the risk.

And, going back to security theater, I want to do absolutely nothing. I'm not an actor. I'm a security professional or engineer, and I want to engineer. My team wants to do the same. They don't want to do things that appear to be meaningless. Blocking things, that creates friction for our builders and users. Just to say to someone that we blocked access to stuff. When we all know, as engineers, you can engineer your way around a lot of blocks. So, you need to engineer in smart ways of getting things done. There's a lot of technologies out there. Just as we found coming from the FBI to Amazon, we had the challenges. We understood working backwards from the customer. In that case, we were the customer.

Clarke Rodgers (05:42):
So, when we look at our sort of larger security culture, when we speak about it to customers at re:Inforce and re:Invent, and other third-party summits, we often talk about having mechanisms to help support it. One of the key mechanisms that you often refer to is, I believe it's your weekly meeting with the CEO, and that you get approximately an hour with him to discuss security topics.

So, when I speak with customers, I get questions like, "Well, how did that happen? What do they talk about?” And then, “How do I learn from that relationship that the AWS CISO has with the AWS CEO, and perhaps try to get that in my own org?" Because as we see, building a strong security culture is much easier when you have that executive top down support. So, would love for you to talk a little bit about, what you can, about what that weekly meeting looks like, what kind of prep goes in on your side, et cetera.

CJ Moses (06:44):
We'll be very transparent with how we do there. So, going back to how AWS security was established with Andy kind of fostering, not kind of, actually fostering the creation of it. And the single threaded leader model, he personally wanted to be involved in what was going on and be witting of the security challenges that we were having. After we were stood up and had a few security engineers that were actually being able to respond to things from an AWS perspective, we started to realize there were things that we would want Andy to be witting of. Not only Andy, but the executive staff as a whole, to be witting of. But it wasn't something that we needed to 2:00 AM call them, and say, "Hey, we need a meeting to explain this stuff." That along with the idea that we wanted to make sure that the culture that we were building was coming from the top down on a regular basis, in those places where we're likely the weakest from the culture perspective.

The idea then spawned that we would go ahead and have our Security Operations team, which was very small then, is much larger these days, have call outs every week. So, during the week, if there was something that raised a bar of attention, if you will, we would go ahead and review them. Say, "Okay, these two, three, whatever it may be, are going to be the Friday meeting content." Still to this day, little bit more structured format. But in the end what we actually have is we do the reviews on a Monday of the preceding week. Normally, during the week, if I, or others actually identify something that we think should be a call out, we'll mention it during some of the meetings and stuff that we have, that ends up on the call out list.

Clarke Rodgers (08:29):
Okay.

CJ Moses (08:30):
On Monday, we'll review that list and pick the top two or three depending on time available. From Monday, there's actually kind of a reasonably formal process that kicks off with notification to the team leader. When I say the team leader, the VP or the service team owner, along with the people that we know that work on their behalf a lot of times.

Clarke Rodgers (08:51):
That would be related to this call out. Okay.

CJ Moses (08:53):
It's a direct tasking, saying, "You're witting of what's been going on, you're now coming to the Friday meeting. We need you to organize together. Here's the format. This is how we do it." It's basically a two-page doc that can be reviewed in 10 minutes — read in five or a little bit more — that is put together to be a concise statement of ... It's almost akin to a CoE or a Correction of Error. So, our five whys, what your action items are, how you're going to fix it. From a security perspective, we want to know, is the issue or the risk mitigated or unmitigated? A lot of the details that you'd want to know about a security related thing are right up front.

The team creates that, along with assistance from my team, in order to create a concise write up. And that goes through a lot of reviews during the week. Starts off Monday with the tasking. Tuesday there's an initial review. Wednesday there's a literal, we get together in a room and review. Then it goes to legal and others to make sure that what we have in there is concise and clear. And then, depending on the write-ups, myself or others will actually review it ahead of time. Then we go into Friday and it's a one hour standing meeting, every Friday, where Adam and Peter DeSantis, and normally Matt Garman or Bob Kimball, depends on who's available. But the core meeting is, at a minimum, Adam or Peter.

Clarke Rodgers (10:16):
Okay.

CJ Moses (10:16):
Normally both. In most case, it is both. Because they prioritize the meeting, understanding how important it is. We then start the meeting off. It's first doc read. At that time, that team that's responsible for that gets pulled into the virtual meeting, or the real meeting depending on ... It's been virtual for a while now, given the pandemic.

Clarke Rodgers (10:34):
So they can answer questions.

CJ Moses (10:35):
So they can answer questions because it's their doc. It's their issue. They're the owners of it. We're there, we actually normally have a paragraph about our perspective or what we need to do, improvements that we need to make. Because we learn things as well. We put that into the doc as well. The discussion then, normally, they read the doc. Normally I'll kick it off and say "Questions, comments." That's a quote pretty much every time, "Questions, comments."

There is no presentation or this is what ... It's straight up. You write it in the doc if you want them to know it. Normally we'll kickoff, some of the different team members will ask questions, service team owners or otherwise. Some of the questions normally are very obvious, "What went wrong? I see you said this, but why?" Keep digging on the why's even though it may be in the doc a bit. Any clarifications. As part of that, that discussion invariably moves towards, "Is the team thinking right? How are they set up for dealing with security? Are they keeping security as the number one priority?"

That's where that culture can be reinvigorated, if it's not already there, or in this case created. So, I find the Friday weekly security review meeting that we have to be the number one mechanism that you can have, to reinforce or build a security culture within a business. That's why-

Clarke Rodgers (11:55):
It almost sounds like that's a business operations meeting with a security bent, much more than a security meeting.

CJ Moses (12:02):
Yeah, absolutely.

Clarke Rodgers (12:02):
Because the CEO is looking, "Are you functioning as a business? Here are some issues." It could have been an accounting problem, but it happens to be the focus is security, which is fantastic.

CJ Moses (12:13):
Yeah, very much so. And, if you think about it from a business perspective, we say, and we actually have, prioritization of those things that we have. Number one is security is priority ... We like to say priority zero, but it's the top priority. We're computer nerds, so zeros come before ones. But being the top priority from a business perspective.

That same process has continued. Every week that's what happens. That one-hour meeting has become two hour meetings when we have things that we need to talk about. So it is a mechanism to reinforce, but it's also ... That's one of the things, talking to other CISOs, I kind of beat the drum on. If you don't have something akin to this. Even if you can't get the CEO, if you can get the COO.

Clarke Rodgers (12:59):
Sure.

CJ Moses (13:00):
Or depending on their org structures and things like businesses to run differently, get the most senior person you can. And what you'll find is sometimes that will become viral to where the CEO or the leadership of the company further on, realizes, "Well, this is something that we really should double down on." I've seen that in a lot of cases.

In the tech industry, probably the biggest way, if you don't have ... you're not coming on new or you're not in a position where some of these other things have worked, the next big security issue that pops up, use that as your opportunity as a, never let an emergency go to waste. Explain not only to the leadership, but a lot of times, in publicly traded companies, a board of directors, the risk that the company's facing, and the things you can do about it. Never bring a problem without a solution. Bring a solution.

Clarke Rodgers (13:45):
Awesome. Well, CJ thank you so much for your time today. Really appreciate your insights.

CJ Moses (13:49):
No, thank you.