First principle strategies with CJ Moses.
Rick Howard: For most of you, you probably didn't notice anything out of the ordinary for this season of CSO Perspectives, but for the astute listeners out there, you may have noticed a slight break this season between Episode 2 and this episode, Episode 3. Guilty. You caught me. But it's for a good reason. You all know that we published my book, "Cybersecurity First Principles: A Reboot of Strategy and Tactics," this past spring. You can get a Kindle version or a hardback version at Amazon.com (a link is in the show notes), and the audio book should be published any week now. But since publication, I've been getting asked to talk about the book at various venues. I spoke at the Google Sales Engineering Conference, I keynoted the Denver Rocky Mountain Information Insurance Conference, and I hosted a security vendor dinner with about 10 CISOs talking about first principles strategies. But the best part was, because the CyberWire is an Amazon Web Services media partner, AWS leadership asked Jen Eiben, the CyberWire's senior producer, and me to come out to the magical world of Disneyland in Anaheim, California, to attend their AWS Reinforce Conference, essentially their standalone security conference. Jen, a rabid Disney fan by the way, guided me for one evening of Disneyland adventure, riding the, relatively new for me anyway, Star Wars attractions, and the older Pirates of the Caribbean, Haunted Mansion, and the Jungle Cruise, and generally having a blast. We also got to sit down with CJ Moses, the chief information security officer at AWS. But because of all that, I've been a little late in getting the next episode of CSO Perspectives out the door.
But, hold onto your butts, butts, butts--
Rick Howard: We're about to get caught up.
My name is Rick Howard, and I'm broadcasting from the N2K Cyber Secret Sanctum Sanctorum Studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old US of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.
CJ Moses: I'm CJ Moses, I am the AWS chief information security officer, or CISO as many people refer to it, and I've been with AWS 15 and 1/2 years now.
Rick Howard: CJ got his start in the U.S. Air Force back in the late 1990s, working for the Office of Special Investigations as a computer crime investigator chasing hackers around the world back when the internet was still the wild, wild west. He had a stint working for the FBI and the Air Force as the interagency coordination cell chief, de-conflicting cyber law enforcement and counterintelligence investigations, and then he moved over to MITRE for a couple of years, providing case support for the FBI, and then joined the FBI proper for four years, running the 450-person team of technical investigative analysts. In 2010 he joined Amazon and worked his way up the ladder and became the AWS CISO two years ago. By the way, if AWS was its own company and not owned by Amazon, it would be a Fortune 500 company in its own right, with 58.7 billion dollars in revenue in 2022, slightly below Morgan Stanley and slightly above Tesla. So CJ has a huge job, and of course he spends a lot of time thinking about strategy and tactics.
CJ Moses: So the number one thing that I've conveyed to the team is to be strategically patient and tactically impatient for those things that we know we need to do when we know the path, and especially if they are two-way door decisions, meaning that you can easily revert them without major calls or issues.
Rick Howard: You mean to back out of it if something catches fire.
CJ Moses: And try again a different way. In those circumstances, given the speed of the internet and the speed of the adversaries, it's time to go. Once you have that, you have enough to move out, and from a tactical perspective, that's how we think and how we work. The strategically patient means that you may be facing a one-way door decision, meaning that if you make the decision, the ship has sailed. It's either exceptionally hard to revert or impossible. So in those circumstances we spend a little bit more time, we make sure that we're thinking long-term and, you know, focusing on what is best for the customers, working back from them in order to derive that, and make sure that we have all the diverse perspectives that we can have in order to get to the right decision. We have lots of strategic planning, as you might imagine. Operational planning is done many times a year because strategic planning in a fast-moving environment, you can do, you know, one-, three-, five-year plans, we have all of the above. The reality is that a one-year plan turns into you have to revalidate within six months because things are changing so quickly. Some of the discussions on generative AI are a good example. Out of nowhere, in six months it became like one of the biggest, hottest things that everybody's talking about, whereas, you know, go a few months earlier and you might have been talking about AI but it's not gen AI specifically, and so that may change a bit of the vectoring. So, you have a combination of tactical and strategic tied into one because 90 percent of the things that we do come directly from customers. The other 10 percent are us still coming from the customer, but we need to be playing chess. We can't play checkers and just give the customers what they want.
We actually have to be thinking far in advance of what they really, what they're going to need and that's a lot of the work that we've been doing in more traditional AI, and I look at gen AI as essentially the large language model that allows easier access, or democratized access to AI, because you can do the same things with regular AI, and I air quote that, you know, for all the listeners, they can see that of course.
Rick Howard: I'm sure, yeah, because it's you know, audio really helps that out.
CJ Moses: Audio lets you see the vision. But they, but you know, from that perspective, you have to, I mean, large language models just make easier access, democratizing that access to AI. In our case, obviously, Amazon's a very technical company. We have lots of software development engineers, techies everywhere, so the focus hadn't been towards large language models per se. And actually, if you look at most of the tech companies, I mean, that wasn't the focus in a lot of the cases, and where it really started to get its roots was in a startup that went all in and, God bless them, it's working out, right?
Rick Howard: Well I mean, but large language models are, it's a technology right? It's not a strategy, right? It's--
CJ Moses: Oh no, yeah, I took a left turn on you.
Rick Howard: Thank you, yeah. So you know, you and I have both been doing this for a long time, right? There's a number of strategies that we could deploy, and what I mean by strategy, just so our listeners know what we're talking about, these are what we want to do, not how we're going to do it. These are big ideas about how we want to get there and there's been a number of strategies that we could choose, and some organizations choose one, maybe two, but you know, AWS is big, you might be able to do a bunch of different strategies.
CJ Moses: So we have a lot of different strategies but we route, or we essentially have a lot of our security model based in our culture. You know, I'm not sure how much the listeners understand our culture, so I'll explain it.
Rick Howard: Yeah, please.
CJ Moses: And essentially, you know, telling a little bit of a story, I'm a bit of a storyteller, when I started at Amazon, one of the things that was clear is that they had a very strong ownership culture, meaning that you own, builders owned and they built and off they went. There wasn't a, you know, a hang out and wait for approvals. Military days and my background in the government, it was kind of weird to, you know, bias for action was one of the core leadership principles at Amazon. In the military, if they didn't tell you you needed to do it or you should be doing it and didn't get approval to do it, it's a little different environment, and I learned early on that we really needed to take the initiative and go do the things. Thus my little quip about tactically impatient, that was a lesson learned. So, going back to the ownership culture is that that essentially comes down to how does that play to security is a single-threaded leader, owners in the company in general, own the success and failure of the profit and loss and the security of their business. Meaning that, we're talking about say, EC2, the leader of EC2 owns the security of EC2.
Rick Howard: But does that mean like the business leader of EC2 has a, might have a different strategy to protect his business, versus--
CJ Moses: So he'll have a micro strategy that is part of our larger strategy that we put forth.
Rick Howard: Mm hmm.
CJ Moses: We establish, and this is part of the strategic, kind of getting to your question, have these multi-year security expectations, and we set forth the goals essentially, and these expectations will be around access control, vulnerability management, least privileging, kind of go down the normal list, and actually, if you look at how we've prioritized them, they're pretty close to, if you look at where the big challenges in security have been over the last few years, making sure that we're actually paying attention to the things that are most likely to cause us pain, and those security expectations are then, you know, implemented by each individual team. We set the bar, we audit against that bar, we create tools and pathways, services in many cases, to make the path to security the easiest path. That's where we actually see the biggest adoption in the ability to meet those requirements is when we're able to deploy actual internal services that are, you know, natively patching as part of the CI/CD pipeline, or, you know, things of that nature, rather than saying, sending a ticket and saying oh, thou shalt patch, across an organization as large as ours can take a long time to--
Rick Howard: I'm sure.
CJ Moses: And that's where, you know, thinking a little bit differently.
Rick Howard: I would look at, you know, the things you listed there, vulnerability management, and the other things, those are tactics, right? To accomplish some goal. So what's the goal? I'm trying to get you to tell me what the AWS strategy is.
CJ Moses: I don't want to tell you my strategy.
Rick Howard: I know, I was going, I get that, it's coming through clearly.
CJ Moses: No, it's really one of those things that we actually, you know, the goal in vulnerability management, very clearly, patch it all within the SLAs established, SLAs are different based upon the severity of the risk. And it's all risk based analysis in that. We also have to make sure that we're meeting industry compliance requirements, and in our case, 143 different [inaudible], regulatory requirements, you know, all of the above, and that means that we have to align to those, as well as anything that you know, from our own risk perspective. Traditionally what we'll do and this has just come out of our, you know, kind of being paranoid, and it's not really being paranoid if they're out to get you.
Rick Howard: Which they are.
CJ Moses: And we know they are. Which they are, we know.
Rick Howard: We know.
CJ Moses: Yes, so we traditionally take the high bar, and that is, is whatever the shortest period of time for, in the case of that. So, as part of our major strategy, some of the things that we focused on is, you know, obviously our number one goal is to make sure that we keep our customers' data safe, our customers', you know, secure is probably a better term than safe even. And our best way to do that, and the things that we've annually started off our annual planning with, is that we need to continue to invest in our ability to scale, and that scaling is done through various types of automation. Automation, although it is not a strategic thing, it's a means by which to meet our strategic goals. We've laid those strategic goals out and those expectations as part of the pre-work to all of the planning across the totality of Amazon.
Rick Howard: I would definitely say automation is a strategy, the what we want to do to help this, right? And then there's some tactics we can do to, you know, integrating in the CI/CD pipeline and automating a bunch of stuff. I totally agree with that.
CJ Moses: And our best way to do that, and the things that we've annually started off our annual planning with, is that we need to continue to invest in our ability to scale, and that scaling is done through various types of automation.
Rick Howard: What you guys, it's a unique thing to you as a, of course in my little startup that I'm working at, right, that when we talk about scale, it's a completely different thing than when you talk about scale, yeah.
CJ Moses: Yeah, and that's why I kind of started off with the whole ownership thing. Because ownership is a means for, by which for us to scale, because if I have to create a security team that's directly embedded, and we do have means to do that and we can talk about that later, but that are, you know, responsible for the security of each and every service and every last detail, my team is going to be many more thousands than it already is. And that's not a good use of resources when you can actually have people that are trained in security and have the tooling and the capabilities built into the IDE, the CI/CD pipelines that they're already using. This is much more efficient and, oh yeah, by the way, when you find something in that process that has created a vulnerability or is, you know, caught in the software, we can immediately look back to where it was created and then fix that class of error, not just the one, fix the class of error going forward for the entire, not only that pipeline, but our entire environment. And this is where, you know, you don't, you know, it's bad enough if you whack yourself in the foot one time, but if you keep doing it, it's not a, you know, not a good look and it's kind of stupid.
Rick Howard: In my book, I devote an entire chapter to automation as a key and essential strategy to cybersecurity first principles thinking.