The Business of Security

Clarke Rodgers (00:07):
Chris Betz, AWS Chief Information Security Officer. Thanks for joining me today.

Chris Betz (00:11):
It's great to be here. Thanks. Thanks for having me today.

Clarke Rodgers (00:13):
So as AWS CISO, what brought you to AWS from Capital One? With your vast experience that you had as an executive, you could have gone anywhere. What brought you to AWS?

Chris Betz (00:25):
One of the things, as I spent a number of years there, that I kept on realizing was how much our work relied on the security of AWS. As you know, Capital One is all in in the cloud and closed their data centers. And so that journey at Capital One, the security work at Capital One with AWS, really led me to appreciate how incredibly important the technology that we bring is to that trust, to that security of so many businesses.

And so frankly, given the opportunity to move from relying and trusting AWS to be able to be part of that system that so many companies, so many people around the world trust to do security well — man, that's just incredibly exciting. I appreciate the way you phrased that question, “Hey, I could go anywhere.” I think of it the other way around. This is one of those jobs that is the absolute pinnacle of a security career, the ability to be part of the security team at AWS.

Clarke Rodgers (01:31):
That’s fantastic. So now that you've been here a while, what are some of your observations that may not have been as clear as a customer? And now since you're inside the wall and you're responsible for the security at this point, what has changed for you? What have you learned as being an employee now?

Chris Betz (01:49):
It's one thing to hear the conversations. I've heard a number of times the story about how security is job zero, is the top priority at AWS. I've heard conversations about the weekly security meeting. It’s one of my predecessor’s most frequently told stories is about how every week the CEO of AWS sits down with all of the leaders in AWS, and they talk through some of the major security things that we need to be focusing on, areas that we need to get better.

It's one thing to hear about those. It is another thing to live it, to have those conversations, to be challenged by my business partners, my technology partners, about “Are we moving fast enough? Are we raising the bar enough? Are we staying ahead of the threats? Where are we going to see attackers?” And have them be leaders to the same degree in terms of driving security forward that me and my team are. And that's just a fun experience and somewhat unique.

Clarke Rodgers (02:55):
That’s fantastic. And then of course you're absorbing the security culture. You talked about the mechanism of the CEO/CISO meeting, but it just permeates everywhere.

Chris Betz (03:05):
It does. I'm in security, so every conversation I have is going to have that to some degree, but it's amazing just to be in meetings that are even not on security topics. As a senior leader, one of the things I do appreciate about AWS is that they involve security in non-security-specific meetings. I mean, I get to be part of those conversations and to have other people bring up, ask about security, think about, “How do we do that better?” Just like you said, that culture that is everywhere really, really matters.

Clarke Rodgers (03:36):
Exactly. So, let's shift gears a little bit to sort of running a security program. What are some key indicators or measurements that you use to demonstrate the effectiveness of your security program? And this could be here at AWS or in past lives.

Chris Betz (03:56):
It’s a really good question. And often when I'm asked that question, people are expecting me to jump to metrics or measurements and those kinds of things. And there's certainly a slew of metrics and measurements that we can use to help describe what's going on in security. But one of the things that I think is truly a leading indicator is the degree to which the business and the technology organizations see security as an enabler of them achieving their programs, and the degree to which the security programs see their job as making the secure way the easy way for the business and for technology providers.

When you get the two of those mixed together, the business and technology providers feeling like security is an enabler and an essential part, and the security team looking at their role as not eliminating risk or not being responsible for risk, but enabling the business to take on their business objectives in a secure way, it very much changes the organization. And so to me, that kind of chemistry, that kind of attitude, those approaches are the most important indicators for the success of a business in making security an effective part of how they operate.

► Listen to the podcast: CISO or CSO? Which Role Defines Today’s Security Leaders Best?

Clarke Rodgers (05:21):
And earlier you mentioned you are now in meetings that maybe security is not the focus, but you're at least exposed to it, which is a demonstration of that, “Security is important and we want to have a seat at the table.”

Chris Betz (05:32):
Yep. And that's part of the challenge is that, you know, you and I grew up in a world where security grew out of technology and yet these days we're asking security leaders to be business leaders, to sit alongside the business and to be part of those conversations, to understand what risk means to the business, what are all the risks to the business and how they help make sure that people are secure, and while also managing those other risks, while managing business success. And so, I think that's something that's increasingly important for so many security leaders.

Clarke Rodgers (06:07):
And that's a great segue to my next question. A lot of customers, in my conversations with them and I imagine with you as well, they want to know how to most effectively report risk to the board of directors. Do you have any tips or guidance on how you do it or how you think about it when reporting cyber risk to the board?

Chris Betz (06:30):
That is a great question and, honestly, I have never seen two companies who do it the same way. Part of that is because it's important to talk about risk within the context of the business. When you're talking to the board, it's incredibly important to understand who your board is, what kinds of leaders they are, where their expertise is.

When I'm talking to a board here at AWS, I'm surrounded by board members who are incredibly deep in many aspects of technology as well as other aspects of business. And so, the conversations that I have are very different than when I'm at a board where I've got experts in a particular type of business, in retail or in something else — those experts bring a different approach, a different knowledge.

And one of the most important things, and this goes back to that conversation we just had about a CISO as a business leader, is to understand security within the context of the business.

Clarke Rodgers (07:32):
And reporting it that way.

Chris Betz (07:33):
And reporting it that way in terms of how it affects the business. We do a lot of things as security leaders, but I tend to think about it in, I guess four major buckets. It's our job with the business to establish the bar of what we think “good” looks like for our business. What is our risk tolerance? What do we want to achieve? It's my job, it's our job as security leaders to be a source of truth and transparency. “Here's how we're performing today.” And that's where you get to those metric conversations.

Clarke Rodgers (08:08):
We earn trust with customers, but you need to earn trust with your business partners.

Chris Betz (08:11):
We need to earn trust with the business. Which leads me to point three, which is almost more important, is we can't just be that source of transparency. We can't just point at a problem. We as security leaders need to be a solution provider that provides ways for the business to be effective and efficient at reducing that security risk, and so, it’s our job to provide those solutions, to think about how we do that.

"We can't just point at a problem. We as security leaders need to be a solution provider that provides ways for the business to be effective and efficient at reducing that security risk."

And then the last, the fourth bucket, is it's also our job to be a source of accountability, to hold ourselves in security, to be transparent to the board, to hold the business accountable for how we're meeting that bar that we set. And so, we’ve got so many different roles, but the businesses that I think are most successful in this space, the security leaders, are the ones that don’t just stop at the, "Here's the goal to achieve and here's how close we are to it," but they focus on enabling the business to get there in really, really thoughtful ways.

Clarke Rodgers (09:13):
Chris, thank you so much for joining me today.

Chris Betz (09:15):
It's been great. Thank you for having me.