Failure isn’t an Option says CISO at Amazon
Posted: Monday, Dec 15
Karissa Breen, crowned a LinkedIn ‘Top Voice in Technology’, is more commonly known as KB, and widely known across the cybersecurity industry. She is a serial entrepreneur and co-founder of the TMFE Group, a holding company and consortium of several businesses all relating to cybersecurity. These include an industry-leading media platform, a marketing agency, a content production studio, and the executive headhunting firm, MercSec. She is also the former Producer and Host of the streaming show, 2Fa.tv. Our flagship arm, KBI.Media, is an independent and agnostic global cyber security media company led by KB at the helm of the journalism division. As a Cybersecurity Investigative Journalist, KB hosts her renowned podcast, KBKast, interviewing cybersecurity practitioners around the globe on security and the problems business executives face. It has been downloaded in 65 countries with more than 300K downloads globally, influencing billions of dollars in cyber budgets. KB is known for asking the hard questions and getting real answers from her guests, providing a unique, uncoloured position on the always evolving landscape of cybersecurity. She sits down with the top experts to demystify the world of cybersecurity, and provide genuine insight to executives on the downstream impacts cybersecurity advancement and events have on our wider world.


Security teams must move faster because attackers already are, according to Amazon’s CISO, CJ Moses.

His key tenet is to cut the friction, build the right systems, and make security so seamless that nobody has to think twice.

“If you make someone’s job easier AND more secure, they’ll do it,” Moses comments.

✔️ Stop begging engineers
✔️ Stop writing more policies
✔️ Build infrastructure that fixes the problem for you

Patch Tuesday? Old news. “We create a system for automatic patching,” Moses says. It’s not guidance, it’s engineering. It’s AWS removing the human bottleneck entirely.

“Security isn’t about us having control. It’s about the right things happening as quickly as possible.”

Attackers automate everything. If defenders don’t, the gap becomes irreversible. Moses talks about adversaries like competitors in a race. “Threat actors are using the technology and embracing it,” he says.

While some enterprises still wrestle with basic change management, attackers are already onto their next mission.

Automation is changing the work itself. “30 to 40% of what security engineers used to do, they don’t have to do anymore,” Moses adds.

The solution is that machines can finally handle the repetitive and banal parts of a job. Engineers get to focus on strategy and innovation, not the same monotonous tasks.

“Companies need to make decisions faster,” he warns. “If you’re going head to head with a company using GenAI effectively and you’re not, that’s a serious disadvantage.”

AWS’ mindset, according to Moses, is refusing to lose. Some companies live with the mindset of ‘we’re always behind.’ Moses calls that what it is: merely a choice.

“If you decide you’re always going to be behind, you will be. We [Amazon] don’t accept that.”

AWS built its backbone on long-game security bets others weren’t willing to make, which included custom silicon, proprietary identity, and an architecture designed for threats not yet invented. And when the nation-state campaigns started hitting cloud providers, those investments paid off in the long run.

Moses’ pedigree, having previously worked in the Air Force and the FBI, supports the mission of not failing. “In those past lives, failure is not an option,” Moses went on to say.

AWS doesn’t chase ‘good enough’. The hyperscaler is predicated on building for the worst day imaginable; it assumes that day is coming and prepares for it. This approach is the undertone and the explanation as to why AWS consistently builds for resilience rather than repair.

The next decade of cybersecurity will be defined by who embraces automation, not who resists it. The companies moving with speed and conviction will dominate. With any ‘wave’ of technology, there are early adopters and people who defy it. When we think back to when the internet started, the level of scrutiny and lack of confidence was the same. History really does repeat itself.

Source: Astronomer Clifford Stoll’s 1995 Newsweek article excerpt “Why the Web Won’t Be Nirvana”

AWS is trying to make security part of their DNA, so builders can build, customers can innovate, and attackers hit a wall without penetrating through it.
