Sustainable Security Culture: Empower Builders for Success (SEC211)

Title

AWS re:Invent 2023 - Sustainable security culture: Empower builders for success (SEC211)

Summary

  • Speakers: Hart Rossman (VP of AWS Global Services Security, GSS) and Sarah Curry (Organizational Excellence Leader for GSS).
  • Focus: Creating a sustainable security culture through leadership, inclusivity, empathy, and empowering security champions.
  • Key Strategies:
    • Embedding security into the business by briefing the board and ensuring all teams prioritize security.
    • Establishing psychological safety to earn trust and encourage open discussion of security risk and compliance concerns.
    • Reinforcing positive escalation to encourage proactive issue reporting.
    • Empowering builders as security champions to implement security earlier in the product lifecycle.
  • Personal Story: Sarah shared her experience as a new AWS employee, dealing with imposter syndrome, and how a security incident led to her becoming a security specialist.
  • Session Format:
    • A leadership-focused talk with no code demos.
    • Covered why security culture matters and practical strategies for building it.
  • Security Guardians Program: A program with 2,000 builders trained to implement security and perform threat modeling, resulting in fewer security findings and faster reviews.
  • Mega Trends:
    • Human-centric security design.
    • Zero Trust architecture.
    • Reverse mentoring.
  • Call to Action:
    • Hold weekly security business meetings.
    • Amplify ideas and concerns by thanking people for escalations.
    • Scale security through mentorship and training builders to be security champions.
  • Upcoming Event: AWS re:Inforce 2024 conference in Philadelphia, June 10-12.
  • Resources: QR codes for free resources on cloud security and AWS certifications.

Insights

  • Empathetic Leadership: Sarah's story highlights the importance of empathetic leadership in security. When leaders respond positively to escalations, they build trust and encourage team members to raise and address security issues proactively.
  • Security as a Business Function: Security should be treated as an operational imperative and a core business function, not just a project or program. This approach ensures that security is integrated into the daily operations and decision-making processes of the organization.
  • Psychological Safety: Creating an environment where team members feel safe to express concerns and ideas without fear of retaliation is crucial for a sustainable security culture. This encourages open communication and collaboration, which are essential for effective security practices.
  • Security Champions: The Security Guardians program demonstrates the effectiveness of empowering people outside of security roles to act as security champions within their teams. This approach scales security effort and brings security considerations into the development process earlier.
  • Zero Trust and Identity Management: The talk emphasizes Zero Trust architecture and identity management as key components of a modern security strategy. AWS's investment in these areas, including the IAM Access Analyzer improvements and the open-source authorization policy language Cedar, indicates the direction of AWS's security offerings.
  • Mentorship and Reverse Mentoring: Reverse mentoring, in which less senior staff mentor more senior leaders so that people at any level learn from each other, supports a culture of continuous learning and adaptability. This is particularly relevant in the fast-evolving field of cloud security.
  • Security Culture as a Continuous Process: The talk underscores that building a security culture is an ongoing process that requires consistent effort, regular meetings, and a focus on both proactive and reactive security measures. Mechanisms like the "five hows" help in anticipating and preventing security issues before they occur.