How to Fail at Building a Security Champions Program (APS326)

Title: AWS re:Inforce 2024 - How to fail at building a security champions program (APS326)

Insights:

  • Understanding the Security Champions Program: The session assumes familiarity with the Security Champions Program and focuses on common pitfalls in its implementation.
  • Role of Security Guardians: At AWS, the Security Champions Program is referred to as the Security Guardians Program. Guardians are builders with a security mindset who help distribute security ownership across teams.
  • Importance of Culture of Security: Emphasizing a culture of security is crucial. AWS promotes this culture by distributing security ownership and integrating security into the development pipeline from the start.
  • Mechanism for Success: A successful Security Champions Program requires a well-defined mechanism with clear inputs and outputs, fostering continuous improvement.
  • Business Alignment: The program must align with business goals to gain support from business leaders, ensuring resources and commitment.
  • Pilot Programs: Start small with pilot programs to learn and iterate before scaling. Choose pilot teams based on criteria like easy wins, high impact, and high risk.
  • Avoiding Common Pitfalls: Key pitfalls include relying solely on good intentions, working backwards from security problems instead of business problems, moving too fast, and increasing headcount unnecessarily.
  • Internal Advocacy: Internal advocacy and support from business leaders are essential for the program's success. Guardians should be existing builders familiar with the system, not external hires.

Quotes:

  • "We don't want to ask them to do the right thing because it's not going to be enough."
  • "We should be working backwards from the business problem."
  • "Think big but start small."
  • "The vision and the goals of the champion program have to be driven by the business goals."
  • "Instead of converting your existing builders into guardians, you're going externally and hiring them."
  • "The whole point of a guardian is that they know the system well already, they know why it was built, they have all the context that they need to make security decisions faster."
  • "The Guardians program is embedded into the builders. We're doing those where the goals are those four things that we mentioned before about moving faster, communicating better, and so on."