The Building Blocks of a Culture of Security (SEC202-INT)

Title: AWS re:Inforce 2024 - The building blocks of a culture of security (SEC202-INT)

Insights:

  • Security as a Top Priority: AWS emphasizes that security has been a foundational priority since its inception, integrated into their leadership principles and operational DNA.
  • Challenges in Changing Culture: Establishing a security-first mindset across an organization is difficult but presents an opportunity for security teams to collaborate with business units to manage risks effectively.
  • Defining Culture of Security: AWS differentiates between "culture of security" (scaling security ownership across the company) and "security culture" (the internal culture within the security team).
  • Executive Support: Both AWS and Intuit highlight the importance of executive support in fostering a culture of security. Regular reviews and direct involvement from top executives, including the CEO, are crucial.
  • Distributed Ownership: Security should be everyone's responsibility. AWS uses mechanisms like security guardians to distribute security knowledge and responsibility across teams.
  • Psychological Safety: Creating an environment where employees feel safe to report security issues without fear of retribution is essential. Transparency and positive reinforcement are key components.
  • Empathy and Collaboration: Security teams should use empathetic communication and collaborative language to build trust and partnership with business units.
  • Continuous Improvement: Security is not a one-time project but a continuous process. AWS uses mechanisms like correction of errors (COEs) to learn from incidents and prevent future occurrences.
  • Paved Roads: Intuit uses "paved roads" to provide secure, easy-to-use technological stacks for developers, ensuring that the secure choice is also the easiest choice.
  • Risk Management: Intuit employs a risk register to prioritize and manage security risks transparently, involving domain experts in the process.

Quotes:

  • "Security is our top priority without question. And it's been that way since day one."
  • "Changing culture is hard. Scaling a security-first mindset across an entire company can be really hard."
  • "Security is everyone's job. That's different from this idea of security culture, where we're talking about the culture of the security team itself."
  • "Building trust with your customers takes time. It's difficult. And losing that trust is trivially easy."
  • "Security is not an afterthought and it has to be built in from the very beginning of every project."
  • "We are delivering a product, and that product is a great security outcome."
  • "It's better to wake someone up and be wrong than to not wake someone up and be wrong."
  • "If you think there's an issue, there's an issue."
  • "We embody a culture of kind of see something, say something, and something will change."
  • "Be empathetic, provide paved roads that you can make great decisions quite fast, and also partner with the business."
  • "Building security is not a one-time project. It's continuous."