Why AWS Security is the Middleman, which is what Regulators Need
Posted: Wednesday, Dec 17
Karissa Breen, crowned a LinkedIn ‘Top Voice in Technology’, is more commonly known as KB, and widely known across the cybersecurity industry. She is a serial entrepreneur and co-founder of the TMFE Group, a holding company and consortium of several businesses all relating to cybersecurity. These include an industry-leading media platform, a marketing agency, a content production studio, and the executive headhunting firm, MercSec. She is also the former Producer and Host of the streaming show, 2Fa.tv. Our flagship arm, KBI.Media, is an independent and agnostic global cyber security media company led by KB at the helm of the journalism division. As a Cybersecurity Investigative Journalist, KB hosts her renowned podcast, KBKast, interviewing cybersecurity practitioners around the globe on security and the problems business executives face. It has been downloaded in 65 countries with more than 300K downloads globally, influencing billions of dollars in cyber budgets. KB is known for asking the hard questions and getting real answers from her guests, providing a unique, uncoloured position on the always evolving landscape of cybersecurity. She sits down with the top experts to demystify the world of cybersecurity, and provide genuine insight to executives on the downstream impacts cybersecurity advancement and events have on our wider world.


Regulators want certainty. Engineers want velocity. Cloud providers are expected to satisfy both simultaneously, globally, and at scale. Tough job, but not for Mark Ryland, Director of Security at AWS.

Ryland’s day-to-day role is to be the intermediary between all parties and to make sure things get done. The function is underpinned by how cloud security decisions are negotiated in practice between policymakers, customers, and the teams building the infrastructure many companies depend on.

“My role is really about understanding the stakeholders,” Ryland explains.

“We may not agree on everything,” he says, “but the relative interests and priorities are understood.”

Product teams may be moving quickly to deliver new capabilities, while security teams raise concerns that require redesigns or delays. It is a conundrum the industry has been in for years, but thankfully both teams are united by the same goal. Engineers aren’t indifferent to security in terms of the outcome, but they don’t always view risk through a regulatory lens. Ryland’s job is to make sure that perspective is present early, not retrofitted later and at the eleventh hour.

“When talking about regulators, they’re often looking through one particular keyhole,” says Ryland.

Policymakers, he adds, are typically ‘very by the book’. The challenge is understanding what problem a requirement is actually trying to solve and whether the proposed solution actually addresses it.

Ryland points to recent policy interest in ‘memory-safe languages’ as an example. Rather than simply endorsing the idea, AWS engaged with policymakers to introduce nuance. Not all implementations are equal, and some approaches create a false sense of security. Instead, AWS advocates for automated reasoning and formal methods, which can detect a broader class of vulnerabilities.

Questions of regulation inevitably lead to data sovereignty. Customers want clarity around where their data and associated metadata reside and who ultimately controls them. Australian and American businesses are again focusing heavily on the sovereignty component, a concern that was present in previous years and has recently made a resurgence.

“That’s coming up much more than it did in the past,” Ryland notes.

In response, AWS has invested in region-specific infrastructure, including its European Sovereign Cloud, designed to meet both legal and operational expectations for that part of the world.

Sovereign capability isn’t just about the legalities but about engendering trust that commitments will hold under political, legal and technical pressure. Infrastructure can support that trust, but it can’t just manufacture it.

Artificial intelligence has introduced a new kind of urgency. Organisations that once took a year to assess risks are now compressing timelines to avoid falling behind their competition.

“There’s definitely pressure to move fast,” Ryland acknowledges.

But speed, in AWS’s model, doesn’t mean irreversibility. The cloud provider has a major focus on ‘two-way doors’, which means decisions that can be tested, adjusted, or reversed if assumptions prove wrong.

In turn, architectures become more modular, switching costs decline. Vendor loyalty becomes less durable and not the way the market is responding. Trust is earned continuously through performance, security, and transparency, not long-term lock-in contracts.

Despite advanced innovation, legacy technology remains one of the hardest constraints on progress, particularly in sectors like banking and government.

Ryland is frank about the limits of past modernisation efforts. Tools that promised seamless migration often delivered partial success… “Eighty percent was easy. Twenty percent was extremely hard.” The twenty percent is the critical part, too.

AWS is now applying AI to close that gap, automating some of the most stubborn aspects of legacy transformation. But technology alone doesn’t solve the problem. Migration still requires organisational change, confidence, risk tolerance and leadership willing to move systems that have worked for literally decades. The saying ‘if it ain’t broke, don’t fix it’ is very much a reality for most businesses, which are cognisant of potential downtime and of moving away from what they know.
