Failure isn’t an Option says CISO at Amazon
Posted: Monday, Dec 15
Karissa Breen, more commonly known as KB, is crowned a LinkedIn ‘Top Voice in Technology’, and widely recognised across the global cybersecurity industry. A serial entrepreneur, she is the co-founder of the TMFE Group, a portfolio of cybersecurity-focused businesses spanning an industry-leading media platform, a specialist marketing agency, a content production studio, and the executive headhunting firm, MercSec. Now based in the United States, KB oversees US editorial operations and leads the expansion of the group’s media footprint across North America, while maintaining a strong presence in Australia, and the broader global market. She is the former Producer and Host of the streaming show 2Fa.tv, and currently sits at the helm of journalism for the group’s flagship arm, KBI.Media, the independent cybersecurity media company. As a cybersecurity investigative journalist, KB hosts her globally-renowned podcast, KBKast, where she interviews leading cybersecurity practitioners, CISOs, government officials including heads-of-state, and industry pioneers from around the world. The podcast has been downloaded in over 65 countries with more than 400,000 global downloads, influencing billions of dollars in cybersecurity budgets. KB is known for asking the hard questions and extracting real, commercially relevant insights. Her approach provides an uncoloured, strategic lens on the evolving cybersecurity landscape, demystifying complex security issues and translating them into practical intelligence for executives navigating risk, regulation, and rapid technological change.


Security teams must move faster because attackers already are, according to Amazon’s CISO, CJ Moses.

His key tenet is to cut the friction, build the right systems, and make security so seamless that nobody has to think twice.

“If you make someone’s job easier AND more secure, they’ll do it,” Moses comments.

✔️ Stop begging engineers
✔️ Stop writing more policies
✔️ Build infrastructure that fixes the problem for you

Patch Tuesday? Old news. “We create a system for automatic patching,” Moses says. It’s not guidance, it’s engineering. It’s AWS removing the human bottleneck entirely.

“Security isn’t about us having control. It’s about the right things happening as quickly as possible.”

Attackers automate everything. If defenders don’t, the gap becomes irreversible. Moses talks about adversaries like competitors in a race. “Threat actors are using the technology and embracing it,” he says.

While some enterprises still wrestle with basic change management, attackers are already onto their next mission.

Automation is changing the work itself. “30 to 40% of what security engineers used to do, they don’t have to do anymore,” Moses adds.

The solution is that machines can finally handle the repetitive and banal parts of a job. Engineers get to focus on strategy and innovation, not the same monotonous tasks.

“Companies need to make decisions faster,” he warns. “If you’re going head to head with a company using GenAI effectively and you’re not, that’s a serious disadvantage.”

AWS’ mindset, according to Moses, is refusing to lose. Some companies live with the mindset of ‘we’re always behind.’ Moses calls that what it is: merely a choice.

“If you decide you’re always going to be behind, you will be. We [Amazon] don’t accept that.”

AWS built its backbone on long-game security bets others weren’t willing to make, which included custom silicon, proprietary identity, and an architecture designed for threats not yet invented. And when the nation-state campaigns started hitting cloud providers, those investments paid off in the long run.

Moses’ pedigree, having previously worked in the Air Force and the FBI, supports the mission of not failing. “In those past lives, failure is not an option,” Moses went on to say.

AWS doesn’t chase ‘good enough’. The hyperscaler is predicated on building for the worst day imaginable: it assumes that day is coming and prepares for it. This approach is the undertone of, and the explanation for, why AWS consistently builds for resilience rather than repair.

The next decade of cybersecurity will be defined by who embraces automation, not who resists it. The companies moving with speed and conviction will dominate. With any ‘wave’ of technology, there are early adopters and people who defy it. When we think back to when the internet started, the level of scrutiny and lack of confidence was the same. History really does repeat itself.

Source: Astronomer Clifford Stoll’s 1995 Newsweek article excerpt “Why the Web Won’t Be Nirvana”

AWS is trying to make security part of its DNA, so builders can build, customers can innovate, and attackers hit a wall without penetrating through it.
