Security is in Our DNA

A conversation with AWS CEO Matt Garman

In this episode...

In this Executive Insights podcast, Clarke Rodgers, Director of AWS Enterprise Strategy, interviews Matt Garman, CEO of AWS, exploring the company’s deeply rooted security culture. Garman, who was also AWS’s first product manager, discusses how security has been "priority zero" since the company's inception. From upholding cloud security best practices to navigating AI security challenges, he explains how AWS embeds security into every aspect of its operations. (March 2025)

Transcript of the conversation

Featuring Clarke Rodgers, Director of AWS Enterprise Strategy, and Matt Garman, CEO of AWS

Clarke Rodgers:
Welcome to the Executive Insights Podcast, brought to you by AWS. I'm Clarke Rodgers, Director of Enterprise Strategy, and I'll be your guide through a series of conversations with security leaders.

Today I'm joined by Matt Garman, CEO of HAQM Web Services. Listen in as we discuss more about HAQM's security culture, how we think about security investments and how customers can leverage the AWS cloud to secure their environment. Enjoy.

Matt Garman, CEO of HAQM Web Services. Thank you so much for joining me today.

Matt Garman:
Yeah, absolutely. Thanks for having me.

Clarke Rodgers:
So you were AWS' first product manager. Can you take me back to that time and how security was reinforced as part of your job?

Matt Garman:
My first job actually, I interned at a business school for AWS before we ever launched in 2005. And from the very first day I started, Andy Jassy drilled it into our head that security was priority zero. It was the first thing that we got to think about no matter what. And so when we were thinking about the early days of AWS, we were constantly thinking about what does it mean? How do we think about security? How do we think about isolation? At the time, in particular, there were a lot of concerns about trusting your data to someone else. And I think it was the right bias for us to be very focused on security, the right bias to be extra diligent on isolation, on isolation of customer workloads, but also our own security and how we think about accessing customer data and how we think about protecting customer data. And so that was a huge focus for us very early on. It was a big area of investment for us and it remains that way today of course.

And we've only continued to scale as the security threats get bigger. We think more and more and more about how we both protect the security of the cloud, like our own security and protecting customer workloads in that way, but also giving tools to customers so they can protect their own workloads in that shared responsibility model. So everything that we do, it's the first thing that we ask our developers to think about. It's the first thing that we ask our data center folks to think about it from a physical security, from a logical security, from software security, from maintenance of our software and services, from operations of our services. It's front and center of everything we do.

Clarke Rodgers:
As your journey progressed through AWS and especially now as CEO, how have you held business leaders inside of AWS accountable for the security of their operations and their actual lines of business?

Matt Garman:
Yeah, look, number one is it is the biggest leverage, the lever that I think we have is that focus on culture. And it is a focus on making sure that the leaders know that security is their responsibility and that they should be thinking about it. And so we have a couple of mechanisms that we use to enforce that and make sure that they're learning because I think when people come from other environments in particular, they don't actually have that same bias and other places don't necessarily start with security first. They kind of do it afterwards or it's someone else's problem or maybe the security team will take care of security. And you're on the security team. We don't rely on you for security. Everyone is responsible for security. You're an excellent partner in that journey to help us build best practices and enhance security.

But we really have to build that as part of the culture. And so it's definitely part of the learning when engineering leaders come in, when product leaders come in. They have to think about that responsibility as something that they take seriously for their products. And we have several mechanisms where we review, we try to encourage leaders to think about how they're improving security, where they think about their products are secure, but that's why there's belts and suspenders and extra belts and where else can we find ways to keep getting better? Because our job and the promise that we make customers is: “We keep getting better,” right? The security landscape out there keeps getting more challenging but the bad guys keep getting more skilled and we've got to keep having more layers of protection. Finding those mechanisms where you can reinforce that with your leaders, where you don't punish people, where it's not a punishment of that, but it's understanding that we won't ship a product if it doesn't have the right bar in security.

We won't even embark on something if we don't think that it has the right constructs around a security isolation. And the first time people get something that doesn't get launched because we don't think it has the right bar to deliver or that we read a new product offering suggestion and we go, "I don't like how that thinks about this particular architecture in a way that doesn't work." That message gets reinforced and I think it drives a lot of the right behavior.

Clarke Rodgers:
You mentioned mechanisms. On last season, I had the opportunity to interview the AWS CISO and he described the weekly CEO CISO meeting. Could you talk a little bit about the benefits that you get out of that meeting?

Matt Garman:
Sure. Yeah, there's a couple. One is that's a great opportunity for us to help reinforce with our leaders and frankly, a great opportunity for me to learn and I think for all of us to learn. And so we have that weekly meeting where we review. Oftentimes... Actually, almost all the times, they're kind of these security issues where we're looking around corners where this could have been an issue if we hadn't caught it, or again, if we didn't have other mitigating controls in place. But it's a very good opportunity for us to dive in and understand where are the choke points that we might've missed, why something slipped through, where is it where we've identified a new type of concern that we want to roll out to a bunch of different teams. And so we do this every week where we go and look for opportunities around all the teams across AWS where we want to dive a little bit deeper to learn where we can actually build that.

I think that mechanism is powerful is number one, it's a great opportunity to teach those leaders how to really think and dive deep. And we have a whole host of leaders that are on that call or in the room that'll dive into those problems and understand what's going on. And often we'll debate back and forth on the trade-offs of doing A or B because a lot of times, these are subtle type of issues where we're trying to decide there isn't a clear, "Oh, you forgot to close a port," or it's not that, right?

It's not those type of issues. It's more subtle things like, "Oh, this could happen or this could happen." Or it's an edge case that we're looking at. And then there's that mechanism of just, "Okay, great. Now that we've done this, how do we go talk to the other 50, a hundred teams that may have a similar type of thing and make sure that we spread that learning?" And it also helps us as leaders where we hear the next week, and the next week, the next week, where we can actually build on our learning and understanding and think about where there might be other areas that we're looking around corners. And so it's a super powerful reminder for all of us about how we think about it and frankly, a good opportunity for us to learn from each other on how we keep getting better.

Clarke Rodgers:
And it makes security as a rhythm of the business.

Matt Garman:
That's right. And I think the other important part of that is… I think this is a mistake where some people think about a mechanism like that as we're going to yell at somebody for making a mistake. And I think that's a really important part is you don't want to make it a punishment to have an issue that's brought up in that meeting. In some ways, it's a good thing that you flagged it and found it and we're all learning from it. And so I think that's important too because you don't want a culture where teams want to hide that issue where they're like, "Oh, I don't want anyone to find out about this because I don't want anyone to yell at me." And so you really want to encourage a culture where people bring, bubble these things to the surface so that the broader organization can learn from them.

Clarke Rodgers:
And making sure that you're focusing on the issue and not the person.

Matt Garman:
That's right. That's right.

Clarke Rodgers:
Another sort of downstream effect of that meeting is it gets out. It gets out that the CEO is getting at least an hour a week to learn everything about security. So I believe that helps our overall security culture throughout the organization and reinforces its importance.

Matt Garman:
It could be. I think that's probably true.

Clarke Rodgers:
As you look at the next three to five years about what you want to do with AWS, how does security and broadly compliance, regulatory issues, et cetera, how does that fall into your planning?

Matt Garman:
Well, like I said, I think there is no signal anywhere in the market that security is becoming less important, nor that the bad guys are becoming less sophisticated. And so it has to be something that we continue to invest in and will invest in because I do think it's one of the things that frankly differentiates what AWS does versus everyone else, especially what you can do. But frankly, even from the other cloud providers, it really is a differentiating capability for AWS. And we want to keep it that way.

As I think over the next couple of years, there's additional surface area that we have to think about how do we secure. I think as you think about AI, there's a whole host of other attack vectors that you want to think about and escape vectors and ways in which security... AI is, I'm optimistic that it is an incredibly powerful tool and capability and technology for companies to drive a lot of value and it's probably powerful for the bad guys too and for fighting and helping find security issues. So I think it could be both something that we're leveraging to figure out how we can continue to improve our offerings and our underlying security. But I also think it's one of those things that it's going to increase the volume of surface area that we've got to protect against.

And so I do think that that's going to be an area where we're going to have to double and triple down on our efforts and we are already. I think that over the next kind of three to five years, that'll definitely be a space that we want to think about. And the other thing I think that's important that as that space is moving fast, people will sometimes have the temptation of saying, "Yeah, we can probably squeeze by and we'll go do security later."

And for me, that is not an acceptable trade-off for us. And as you think about where is the right isolation boundary and you think about what is the right time for when you might launch a product or service or whatever, it's just not one of the... It is not an area that I'm willing to give on any sort of compromise on, but I do think there's probably some temptation to do that. And so we'll just have to keep educating our teams. And I'm sure that others out there in the market will be tempted to give on that level to move fast. And my bet is long-term, that will be the wrong choice.

Clarke Rodgers:
Yeah. Bolting on security at the end never seems to work.

Matt Garman:
Well, there's a couple of evidence pieces out there in the market right now that is much, much, much more expensive for the cloud provider as well as for the end customer to do it that way.

Clarke Rodgers:
For sure. Let's switch gears a little bit to customers. You meet with a lot of customer CEOs. What are they talking to you about in terms of security, not only what they should be doing, but how AWS is helping them?

Matt Garman:
Yeah. Look, there's the obvious kind of things. I think people are worried about takeover attacks and things like that. And I think that there's a lot that we can do to help continue to help customers on that front. I think one of the things though that increasingly customers are worried about is realizing that one of the bigger assets that they own and the most important parts of their IP is their data. And so thinking about how do they have protections around their data in a way that ensures that it doesn't leak out? It's security in a different lens, but it is important as you think about AIs, as you think about analytics, as you think about this broad set of data. It's both how do you ensure that people within your own company and external to your company, you can protect the data in the right way. And some of that's your own customer data. It's personally identifiable information. It might just be proprietary enterprise data that you have that is core to what you do.

And I think increasingly that is a super important area that people are worried about because I think if that data leaks out or it ceases to become proprietary for them, I think a lot of customers realize that that's a big chunk of what makes it valuable. And so that is an interesting area that I think folks will continue to think about. And then I do think that there is another lens, which I think we're helping customers on is just how you think about where data should live, and you think about data sovereignty and how you think about encryption and you think about who owns encryption keys. And there's a lot of... Some of that can make your system much more difficult to operate, and some of it totally makes sense to do, even if it does. And so I think it's a different level of decision where it's not a one or a zero decision. It isn't one of those decisions where there's an obvious right or wrong answer.

But I think our job is to help customers understand how they can balance some of those things where if you have data sovereignty concerns where there's increasing regulatory environment where data can't leave a country or shouldn't leave a country, but how do you operate a global company under those constraints? And thinking about that, maybe it's a close neighbor to security, but it is kind of a security control.

Clarke Rodgers:
For sure. So protecting data and actually getting it into the cloud can make it easier to protect the data in the first place. And that is also one of the most baseline requirements that people need to take advantage of, things like generative AI. If your data's not in the cloud, you can't use a lot of these awesome generative AI tools that are out there.

Matt Garman:
It's a super interesting area where I think if I look back 18 years ago, everyone was super worried. They're like, "How can I trust the cloud? How can I be more... Is the cloud secure? I'm in a multi-tenant environment that seems scary." And now I would say the vast majority of customers have flipped and actually realized that they're more secure in the cloud. We have more capabilities. We spend billions of dollars building security into that space. They don't do that in their data centers.

Clarke Rodgers:
Correct.

Matt Garman:
And that is a big difference. It's been a big shift. And so I think there still is a lot of work for many customers to do that migration and modernization and get to where they want to be in the cloud. Actually, most customers, if their data is on-prem, it is less secure, right? They're more susceptible to hackers and other attacks and things like that. And they can't take advantage of many of the greatest, the new cool technologies around generative AI, around data and analytics, around new capabilities from compute and storage and other things like that that we're rolling out. They're kind of stuck on legacy infrastructure and technology.

Clarke Rodgers:
Under that lens, are you having more of these migration and modernization conversations with customers?

Matt Garman:
Yeah. It's a huge tailwind to the growth of the business. And I think increasingly customers realize this and they just want to go faster. And so it's part of why we've invested in things like Q transformation that helps modernize some of those kind of legacy data stores, things like mainframe or VMware or any of those things and helps move to the cloud faster.

Clarke Rodgers:
And secure.

Matt Garman:
I think that's a big one. And so moving to the cloud and getting to a cloud world helps with security. Getting off of Windows helps with security. Getting into a more modern architecture helps with security. Those are important moves that people know are risks today. And it is, I think, helping spur people to move more quickly.

Clarke Rodgers:
Do you have any advice to the customer CEOs that you engage with on what are the types of questions they should be asking their security teams?

Matt Garman:
There's a whole host of things. I think, number one, when you're picking a cloud provider, how are you thinking about the history of security and what has been the track record? And how do you know that the things that you're moving into have that right bar? And it really is that culture of making sure that every new product and every new offering and every new thing starts with a foundation of thinking about the security of the customers. And then I think it's also from a customer perspective is how are you building up the culture?

Because it is true, it is this shared model. And so that's a super important part of us working together. And we work with all of our biggest customers to ensure that they have the right architecture, that they have the right setup, that they think about how do you think about a root account versus their account permissions and how they think about their IAM permissions and how do they think about encrypting their data and protecting their account keys and things like that. And that the customers have to do that piece too. And so CEOs, I would recommend that they should have a process similar to this, which is the one we talked about, that weekly security, just driving that best practice of there are parts of the security in AWS that you can absolutely rely on, and that is our responsibility.

Matt Garman:
And you don't have to worry about. There's a lot of parts that you just don't have to worry about. You don't have to worry about data center security. You don't have to worry about any of those things. You don't have to worry about hypervisor security, all those kind of pieces that are ours, we got. But there are a bunch of them that are in the application space that companies do have to worry about. And for that, it's just as critical that they have a similar type of mechanism where their CISO is looking every single week and is highlighting where they think they can raise the bar in their application security. And by the way, we'd love to be partners as part of that.

Clarke Rodgers:
For sure.

Clarke Rodgers:
What advice would you give customer CISOs on how to report risk to leadership? So how do you like to have risk framed to you from a security perspective?

Matt Garman:
Yeah. I think, look, the number one and most important thing is fast escalation and being transparent. If there is real risk in the enterprise, holding on to bad news is never the right answer. And so I like to know our CISO, Chris, if there's an issue that I need to know about, he lets me know right away, and two hours later is not good. I need to know about it as soon as possible and so that we can pull in all of the right people. And I would encourage that as one of the things that I would recommend is just speed matters a lot when it comes to, particularly when there's any sort of urgent security issues. And so moving fast really matters. Pulling people into a room and kind of pulling an andon cord and making sure that you drop everything and get on top of that, and whether it's messaging to your customers you need to do, whether it's actions you need to take, whether there's other things, that is incredibly important and the speed of moving is incredibly important on that front.

The other one is just... Also, it's that for less urgent issues where they're important but not necessarily urgent ones, I do think that making sure that you build that culture of not throwing people under the bus and not blaming the person, but really focusing on that issue and burning...

Clarke Rodgers:
Back to that issue.

Matt Garman:
I think that it's a subtle difference, but it really changes how transparent your teams are and how much they bury issues versus raise them up and the company and the business won't get better if you can't be transparent and learn from things that didn't go well. And security's hard. And by the way, everyone's finding new stuff every day. And so it's a hard space. It's a fast-moving space. You got to learn and you have to be willing to learn, which means everything's not going to be perfect, and you just got to learn from it and get better at it and try to figure out how you have mitigations and how your whole team can get better. But you're not going to get that if you don't encourage that transparency. So I think those are a couple of things that I'd encourage everybody to think about.

Clarke Rodgers:
Fantastic advice. Matt, thank you so much for joining me.

Matt Garman:
Yeah, sure. Thanks for having me.
