Login

Promote Your Company       |     Contact

Independent Cyber News.

The Voice of Cyber®

KBKAST
From AWS re:Invent 2025 – KB On The Go | CJ Moses, Hart Rossman, and Mark Ryland
Artificial Intelligence | Government & Policy | Security Awareness | Security Operations | Threat Intelligence
First Aired: December 17, 2025
Click Here
Click Here
Click Here
Click Here
Click Here
Click Here
Click Here
Click Here
Click Here

In this bonus episode, KB sits down with CJ Moses, CISO at Amazon, Hart Rossman, VP of Global Security Services at AWS, and Mark Ryland, Director, AWS Security. Together they discuss the realities of “planetary scale security,” AI-powered defenses, and the shifting mindset that’s driving organizations to adopt automation and agentic technologies faster than ever before.

CJ Moses, CISO, Amazon

CJ Moses, CISO at Amazon, leads security engineering and operations across the company. His mission is to enable Amazon businesses by making the benefits of security the path of least resistance. CJ joined Amazon in December 2007, holding various roles including Consumer CISO and AWS CISO, before becoming CISO of Amazon in September 2023.

Before Amazon, CJ led the technical analysis of computer and network intrusion efforts at the Federal Bureau of Investigation’s Cyber Division and served as a Special Agent with the Air Force Office of Special Investigations (AFOSI). CJ led several computer intrusion investigations seen as foundational to the security industry today.

CJ holds degrees in Computer Science and Criminal Justice and is an active SRO GT America GT2 Race car driver.

Hart Rossman, VP of Global Security Services, AWS

Hart Rossman is the VP of Global Security Services at AWS. He leads a team of geographically distributed AWS builders who help customers realise the benefits of planetary-scale security solutions in the cloud, with a focus on innovating with internal teams and partners. Prior to AWS, he was VP & CTO of Cyber Security Services & Solutions at SAIC.

Mark Ryland, Director, AWS Security

Mark Ryland is a Director, AWS Security, reporting to the CISO of AWS, and engaging with a variety of external and internal stakeholders on behalf of the AWS Security leadership team. Externally, he focuses on public policy initiatives and public sector regulators and customers on issues related to cloud and AI security. Internally, he works with AWS service teams by channelling the perspectives of external stakeholders to influence their plans and priorities. In addition, Ryland works with industry partners to enhance the security of the broader information technology ecosystem as Amazon’s representative on the governing board of the Open Source Security Foundation (OpenSSF), as well as in industry groups focusing on the security and reliability of cutting-edge artificial intelligence systems such as the Frontier Model Forum (FMF) and the Coalition for Secure AI (CoSAI.

Ryland has more than 34 years of experience in the technology industry across a wide range of leadership roles in information security, software engineering, distributed systems, technical standardisation, and public policy. Most recently he founded and ran AWS’s Office of the CISO from 2018 to 2023, a team with which he still collaborates closely on a variety of matters. Prior to that, he was the Director of Solutions Architecture and Professional Services for the AWS Worldwide Public Sector team, founding the team in 2011 and growing it to a large global organisation through early 2018. Before joining AWS, Ryland worked for Microsoft for 13 years in two different stints (1991-2000 and 2008-2011) in multiple roles including Lead Program Manager for COM/DCOM, and founder and Director, Standards Strategy Group. In between work at Microsoft, he was co-founder and CTO of two start-ups, and served as vice president and director of the Washington DC office of a public policy think tank.

Vanta’s Trust Management Platform takes the manual work out of your security and compliance process and replaces it with continuous automation—whether you’re pursuing your first framework or managing a complex program.
Visit Vanta

Help Us Improve

Please take two minutes to write a quick and honest review on your perception of KBKast, and what value it brings to you professionally. The button below will open a new tab, and allow you to add your thoughts to either (or both!) of the two podcast review aggregators, Apple Podcasts or Podchaser.

Rate KBKast

Other Recent Podcasts

No results found.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Karissa Breen [00:00:10]:
What’s up, everyone? It’s KB and I’m on the go in Las Vegas for AWS re:Invent 2025. Innovation is accelerating, threats are compounding, and security isn’t a feature anymore. It’s the foundation. From planetary scale architectures to AI driven defense, we’re officially in a day and age where resilience isn’t an option. It’s just part of the furniture. And I’m here talking directly to the people defining that future. CJ Moses, CISO of Amazon, the man steering security at a scale most companies can’t even conceptualize. And Hart Rossman, Vice President of Global Security Services at aws, the leader behind the teams helping customers build and defend at planetary scale.

Karissa Breen [00:00:56]:
Stay with me as we’re diving into the conversations that actually matter, the off script insights you won’t hear on stage, and the real talk on where cloud security goes Next. This is KB on the go from AWS Reinvent 2025. Let’s get into it. Joining me now in person is C.J. moses, Chief Information Security Officer and VP of Security Engineering, but also known as a sizer at Amazon. And today we’re discussing the path of least resistance with Amazon. So, C CJ thanks for joining me and welcome.

CJ Moses [00:01:32]:
Oh, thank you. Thank you very much.

Karissa Breen [00:01:34]:
Now, C.J. before we sort of got on the recording today, I mentioned that I’ve been watching a few of your YouTube and a lot of your team have spoken very highly of you and say you’re, you know, very charismatic, you’re very animated. So maybe I want to start with getting, getting into your mind and understanding that you’ve spoken about making security the path of least resistance. Now this is interesting because I’ve come from a security background myself. Traditionally and historically we haven’t made security easy. So perhaps I’d like to explore that with you first.

CJ Moses [00:02:01]:
Yeah, absolutely. Well, it really goes back to, dare I say this, and I’m a human as well, but humans are inherently lazy and you don’t necessarily want to do extra work. None of us do. That’s an honest thing. And what we’ve realized is that if you make security, or anything hard for that matter, people aren’t going to do it or they’re not going to adopt it as quickly, that’s for sure. Unless they’re forced. The path of least resistance goes back to if you make someone’s job easier and also more secure, they will do it. They’re not worried about the more secure, they’re worried about it being easier.

CJ Moses [00:02:36]:
Examples being is rather than telling people to patch stuff, to create a system that allows them to have things patched automatically and providing that capability out for them to use. And at the same time, there might be a little bit of work they have to do in order to implement that capability. And at the same time, it’s a lot less work in the long run. And that’s the kind of mentality is these paved paths, the path of least resistance is great. And if you can create paved paths to that path of least resistance, even better, because you’ve now created a systemic way for these things to occur going forward. And it really just goes back to human psychology. You know, you don’t want to do extra work and you can only only have so much time in the day. If you can make things easier, people will do it.

CJ Moses [00:03:20]:
In using systems rather than mandates is a way to do so.

Karissa Breen [00:03:24]:
Yeah. So today in the session you announced the security AWS security agent, which is probably getting to a point around patching automatically. Right. And removing people to have to do it and think through it. So I’m keen. How does that sit with you? In traditionally security people are very concerned about relinquishing the control. Right. So what, what do you think about that?

CJ Moses [00:03:44]:
That’s the thing is, is that our model around security isn’t so much that we have to have the control. Quite honestly, it is our job at Insecurity to enable others to be able to be secure. It’s not necessarily to force or to coerce them into doing so. And I think that is a different mentality than some may see. But security isn’t about us having control, it’s about the right things happening as quickly as possible. In the case of using an agent to do things, humans aren’t good at doing repetitive tasks or extra work. And the reality is, is that if you can have an agent, that actually that is what it does. It will.

CJ Moses [00:04:22]:
You know, when I say agent, it may be an agent, it may be other types of automation that just makes sure the right things are happening and the humans can oversee that. Because that’s the thing is, is that AI is still non deterministic. So you still need security engineers or engineers in general to be looking at those things. But the one thing I enjoy about Amazon is, is that the ownership model is one that those that are creating or running a system or own a product, own that product from the beginning to the end. They own the profit and loss, the success and failure, the security of that product. And if we have a means through various different tooling, whether, you know, through the new security agent to be able to go ahead and take care of those things that can be done in an automated fashion. It frees up their engineers to look at other things that they can do, potentially providing more value and traditionally providing more value to the customers rather than, you know, AWS was built on taking care of the muck, the things, the undifferentiated heavy lifting. This is a new version of the undifferentiated heavy lifting that making sure that the security patching or otherwise is taken care of, such that you can focus on the things that really matter for your business.

Karissa Breen [00:05:33]:
And just for a moment, C.J. now, I know we’re obviously here at Re Invent and there’s a lot of announcements going on, et cetera, and also releases and the vision for the next year. And I get a sense you’re a bit of a mission person given your background. So really when you zoom out and I asked you that question, what sort of comes up for the mission for Amazon?

CJ Moses [00:05:51]:
Yeah, I mean, the mission from an AWS perspective is, you know, to allow our customers to be able to delight their customers without having to do the heavy lifting of a lot of security functions. There’s no doubt that operating on today’s Internet is one that has lots of threats and risks that go along with that. As much as we can provide capabilities in order to mitigate those risks and threats, such that our customers can focus on their customers and doing the things that delight them, the better off we’ll be. And that’s what our focus has been through the many years of AWS. Now I’ve been here coming up on 18 years myself, and the focus has always been towards that end. And we now have technology from a security perspective to be able to take out, you know, a good percentage of that, just by way of example, some of those same types of tools and agents that we’re actually releasing. My team has actually been using and if you look at a normal security engineer in a security operations type of space, we’re looking at a 30 and 40% of the what they used to do, they don’t have to do anymore. That allows them to free up, to actually do more strategic, more meaningful types of work and effort while still making sure that actually the computers are actually doing the things that need to be done by doing the patching, which is really not seen as fun work by any engineer.

CJ Moses [00:07:11]:
You ask any engineer, do they like patching anything? The answer is going to be no, because it’s, it’s rather boring, time consuming and has some risk in it is sometimes it causes issues that then you have to roll back and try over again. So it’s one of those things that we’re still on the mission that we’ve had long ago and that is to, to remove as much of the undifferentiated heavy lifting and do that on behalf of humans such that they can, you know, our customers can delight their customers.

Karissa Breen [00:07:36]:
So going back to the 30 to 40%, which I agree with in terms of eliminating banal tasks or repetitive etc. You’d be familiar with the whole alert fatigue of just thousands of things every day in our mind. Why do you think that people still seem a little bit rattled by oh, but now automating these things and to your point, you want to get your engineers and doing more strategic vision value adding work rather than repetitive mundane tasks that we should have moved on as a society from. So when you’re talking to people, given your role, what sort of comes up, what do you think sort of the inertia is?

CJ Moses [00:08:09]:
Well, I think there are those just like with any change, people are reticent to see change or to actually accept the change. So there are those that would rather continuing to do it the way that we’re doing it now. We don’t have that option, quite honestly, because the threat actors that we’re going against are using the technology and embracing it. Because I think change is a part of that natural space when you’re a threat actor is to be able to take advantage of weaknesses around you or that you’re targeting. In this case, you can see a bit of that from the standpoint that you don’t like to see the change because this is human psychology. Again, it may all be computers, but the reality is there’s humans that are involved. Those humans sometimes need a little bit more of a push in order to make the changes. But quite honestly, in our case, we know whether we’ve seen it or not, and we have seen it, where threat actors are utilizing the technology that not only do we need to utilize the technology, we need to be better at utilizing that technology than they are.

CJ Moses [00:09:07]:
And that’s one of the advantages to having the resources that an AWS and subsequently Amazon has, is to be able to use those resources for the betterment of all of our customers and they can then level up using that. That’s the example of our security operations or application security space being able to do things, you know, to take the things that have been runbooked and when I say runbooked, a lot of the processes and Procedures that we all use the, you know, sops, if you will, standard operating procedures of different parts of the business. We have those in all of our different security disciplines, whether it’s application security reviews or security operations. From the standpoint of doing incident response, all of these things, many of these things have been well documented over the years. And what better to train an LLM on or an agent based upon all of these things that we actually use, the humans use in order to do their job? Once you’ve done that, in many cases those humans don’t need to do those things because you can have the agents that are doing that and subsequently up level to actually be looking at other things and at the same time in that process doing so in a manner that because we have created, created those SOPs and things, that is where we can get the upper hand, if you will, on threat actors is because traditionally threat actors aren’t as strategic from that standpoint or don’t keep as good record keeping on all of the different tactics. They jump from tactic to tactic trying to find their way obviously. But for a few nation state based actors that are very methodical, that’s one of the things that we found that’s given us, dare I say, an advantage or all of these things are fleeting. So it’s always a cat and mouse game that we continue to battle, but in the space that we’re in now, we’re taking advantage of any kind of technology we can in order to keep up the good fight.

Karissa Breen [00:10:54]:
So there’s a couple of things in there CJ that you mentioned I want to get into. So you said before, like obviously people, you know, creatures of habit, they don’t want to do change, all those sort of things. But would you say a company is now having to make these decisions faster? We’re not going to do the 12, 18 months because they’re going to fall behind in their competitiveness. They don’t have time because they’ve got threat actors coming at them at each angle. So would you say given your level that you’re operating at, that companies now are having their backs against the wall, they just need to make decisions faster than traditionally speaking.

CJ Moses [00:11:24]:
Yeah, I think that companies do need to make decisions faster and not only when it comes to security because I think the pace of innovation, whether for use for good or evil, is there a company could need to make decisions and use technology like Genai more effectively just as much for other reasons such as their competitive nature. Because if you’re going head to head with a company that is Using Genai very effectively and your company is not, that’s going to give a serious disadvantage to your company versus the other. So I think that’s one of the things that potentially you’re seeing actually across the various different industry verticals and sectors is how quickly they’re willing to adopt and different businesses within those different sectors. Because there is always, with any change, there always is risk. But when it comes to a lot of the security space that we find ourselves obviously talking about mostly today, we have to adopt. This is no different than if you think about, if you go back in history, if you just think of, well, the creation of the Internet itself and how that changed various different things, we’ll take it forward and think of the, you know, creation of cloud. We had to change how we thought and the tools and techniques and things along those lines on how we secure data, whether in the cloud or not. Now we’re looking at, you know, things from an agentic or an agent based, you know, AI perspective.

CJ Moses [00:12:54]:
And all of those things have taught us one thing is that if you stand still and don’t embrace the technology and figure out how to best use it for good, those that are intending to use it for evil will take advantage of that. And I think we’ve been very clear that we’re not going to sit idle in doing so. We help to create some of the AI technology, you know, as well, and that gives us an advantage to understanding how it’s created and what its strengths and weaknesses are. And then we’re able to use that to our advantage on behalf of all of our customers.

Karissa Breen [00:13:26]:
Do you think as well over the. You said before about history, like the creation of the Internet, I think there was an excerpt in a newspaper of people saying like, it won’t, it won’t last, it won’t exist, et cetera. And you said through cloud and even before that, we’ve seen other sort of phases and waves of technology. Right. So do you think it’s as we’re in this sort of this unusual stage at the moment where it’s like, okay, we’re going to have the front runners like Amazon and friends that are out here doing this stuff, you’re going to always have people that may be a little bit on the fence and reserved, but eventually they sort of come up to speed, like we’d be struck to find anyone that doesn’t use Internet today.

CJ Moses [00:13:57]:
I agree.

Karissa Breen [00:13:57]:
So do you believe with that statement, in five or so years, arbitrary number, the same statement would apply?

CJ Moses [00:14:04]:
Yeah. And I think you can see that Same type of thing play out in all of the major changes, if you will. You could start out even before the Internet, there was the computer itself and dating myself. But I have friends that I’ve talked to that their parents had large industries and they spent many hundreds of thousands of dollars on some of the very first computers in industry and amortized it, you know, over a 10 year period. And within a year and a half that computer was useless. And they were like, oh my God, we just spent all this money on this computer and now we have to buy a whole new one and it’s amortized into the business for 10 years. That doesn’t work. But nowadays, pretty much any computer you buy and you know, from our perspective, we’re buying them, you’re renting them, if you will, using aws.

CJ Moses [00:14:47]:
You know, we have a shorter life cycle that hardware as well. And that all goes back to just a perspective. So in a way, history is repeating itself with new technology each and every time. This one’s a little bit different. And that’s why we kind of categorize it in the same vein as major technological shifts of creating the computer, the Internet, the cloud, you know, virtualization.

Karissa Breen [00:15:11]:
That was the other one I was thinking also.

CJ Moses [00:15:12]:
Virtualization. Yeah, virtualization was a big one, that was an enabler for the cloud. Without virtualization there wouldn’t have been a cloud at all. And so those are kind of game changers. And I think we’ll see the same thing from this. And we, you know, we’re early days in AI technology right now. I mean, if you look at the different, I mean, a year ago, well, actually it was all about the LLMs. We’re all talking large language models now.

CJ Moses [00:15:38]:
It’s all agentic and there’s new terminology that’s creeping in on different parts of things that I don’t know if that’ll become the new buzzwords, but we’re definitely in the buzzword phase on a lot of this. But from a technological standpoint, there’s huge investment going into the technology and because of that it will continue to change rapidly. And again, going back to, you’ll have those that are cutting edge adopters, we will be cutting edge adopters from the standpoint of we want to know how to use the technology, create and use the technology not only for ourselves, but on behalf of our customers and how to advise them on how to use it, and in our case, how to advise them how to use it securely. So we’ll spend a lot of time and effort in that space. Just as We’ve very visibly spent a lot of money to be able to build the infrastructure to support that hundreds of billions of dollars that we spent building out AI data facilities. And that’s going to be something that we’ll continue to invest in. Only constant is change, and we have to be on the forefront of that change in this area.

Karissa Breen [00:16:41]:
But also just on that point, customers expect Amazon and friends to be on the forefront of that chain.

CJ Moses [00:16:47]:
Absolutely. And they expect us and the others to actually compete in that space. And we’re good with that. Competition actually keeps us all sharp. And in this space, the technology that’s the thing is that the multiple players that are at the forefront of AI are innovating and in some cases going in different directions in that innovation. We don’t know which one of those technologies will become the next big breakthrough, quite honestly, you know, we made bets in various parts of AI and only a few of them went in the direction that we now are seeing. That kind of came onto the forefront, I guess, about two and a half years ago now. And you’ll see that’s the thing is, is that you’ll see those companies that are, that pick the right technology and, you know, bet on it, if you will, they’ll have the first mover advantage for a short period of time.

CJ Moses [00:17:33]:
This space is innovating so quickly. The first mover advantage isn’t the end advantage because it’s iterating already so quickly. There’s going to be even more of that and we’re nowhere. We’re at the very beginning of AI. I don’t even want to say ERA because I don’t know how long it’ll be, but it’s rapidly advancing already.

Karissa Breen [00:17:51]:
So the other thing I want to talk to you about is you mentioned before that we as an industry need to utilize technology better than they, meaning the cybercriminals do. And you also talked about the cat and mouse game. Now, one of the things that I’ve often heard in my interviews talking to people like yourself is, you know, always behind. Would you agree with that, Ziri?

CJ Moses [00:18:09]:
So I think that’s a false choice. I think that if you decide that you’re always going to be behind, you will be. We don’t accept that. There is one of these things also that you can look at. It is if you have to be in a situation where you’re looking forward and taking the technology that’s here today, or that we’re seeing and looking as to how you would use it if you were an adversary, and then Getting in front of that before they think of it. Because it’s an interesting thing, is that you have all these adversaries out there that are doing these things. But if you understand motivation and the psychology as well as the technology as to how it’s been used or how it could be used, and then do it yourself and then put the protections in place ahead of time, those investments are what will pay off for you. For decades forward we’ve done this.

CJ Moses [00:18:55]:
We have many existence proofs. We’ve had other cloud service providers that have had major issues with nation state actors that we haven’t.

Hart Rossman [00:19:04]:
Why?

CJ Moses [00:19:04]:
Because we saw these things coming from years past, invested very heavily in the technology, you know, using. We have our own identity and access management system that we use that when we’re placing things out onto the Internet. It’s not just a normal active directory type of security model provided by some other company. We have our own, we invested in that more than a decade ago. And many of those threat actors that attacked other cloud service providers in the past successfully attempted with us and got nowhere. And we actually saw them knocking on the door and we knew what was up and we actually assisted other cloud service providers in saying, hey, they’re knocking on our door. They’re probably already knocking or in your door and work with them. And those types of investments are sometimes difficult to get others to buy off on.

CJ Moses [00:19:53]:
At AWS and Amazon. It’s not, you know, if the threat actors are after you, it’s how many and how aggressive they’re going to be. So we made that investment, if you look at how we do, you know, you talked about virtualization a little bit real quick earlier and the idea that virtualization enabled the cloud. One of the things that virtualization also brought with it is the possibility for side channel attacks and other types of threats to those different instance types or virtual machines. And we from the very early days created very strong software to protect our instances and then took it further from, you know, just being software. As we then moved that idea of separation of these different pieces into the silicon and created the nitro stack that we have today that actually provides, rather than having software virtualization that’s just separating things using ones and zeros. We’re to the point where we’ve invested billions of dollars, literally billions of dollars in technology in order to be able to make sure that the isolation between the various parts of our data infrastructure for each customer is done in the silicon itself. That’s an investment that we’ve been making.

CJ Moses [00:21:01]:
We’re on our fifth Generation of it, which means we’ve been doing it for a while where others are just trying to figure out how to do so. These are investments that we were willing to make knowing they were out to get us. It wasn’t a if or when they were. And make the investment in the technology early on makes it a lot easier to say how do I know that my engineers aren’t looking into your data? Within a nitro instance we could have a policy, we could have all kinds of stuff. We have all of those things as well. I could say that they don’t have access, like physically, like technologically don’t have access into that data. That’s a different type of answer than saying, oh I have good policy. And we’ve reviewed with audits and all of that stuff.

CJ Moses [00:21:45]:
And that’s where it kind of goes back to, is that in order to operate at our scale and to ensure security and data privacy and all of these types of things, the different types of technology that we invest in are, I’ll say long term strategic views on how to implement the infrastructure incrementally created over time as the technology, as we create the technology to be able to do so. And that’s the whole idea of having the virtualization is no longer just software running on a normal system. It’s actually the silicon itself that’s doing things and providing those isolation boundaries where you don’t have the side channel attacks because there’s no side channel to be had because it’s silicon, it’s actually in the chip. So there’s a lot of different technology. We’ve made those bets on. We’re doing the same thing in the AI space.

Karissa Breen [00:22:32]:
So I’d like to just close on this last question. So you mentioned before, and you said it very sternly, which I appreciate given you’re a leader. You said like we don’t accept that. Do you think a lot of that mentality, mindset, vision is attributed to your background? Obviously working the FBI, the Air Force, it just comes across a lot stronger perhaps than someone who’s come from just industry background.

CJ Moses [00:22:51]:
Yeah, I think it does. In those past lives, failure is not an option. So you don’t predetermine. If there’s a 1% chance that you’re going to be successful, go for it, because you got to do it. There’s life and death in those circumstances are part of the equation. So you make it happen. That’s the mentality at Amazon that we have, is that, you know, if it was easy, others would do it. We’ll take on the hard challenges and be successful in doing so.

CJ Moses [00:23:14]:
And we have the track record to prove that we can.

Karissa Breen [00:23:20]:
Joining me now in person is Hart Rossman, Vice President, Global security services at AWS. And today we’re discussing AWS’s view towards planetary scale security and how to leverage AI to, to counter today’s threat. So, Hart, thanks for joining me and welcome.

Hart Rossman [00:23:34]:
Cool, thanks for having me.

Karissa Breen [00:23:35]:
Now, I know we’re in a bit of a rapid fire interview today, so want to get into it. You talk a lot about planetary scale security, but customers still struggle with basic sort of incident response. And I know it’s really your area and your background. Where’s the real sort of disconnect between the scale of AWS can operate at and the reality of the customer site now with the adoption of AI and cyber criminals that are attacking us with AI and everything like that. So I’m keen to sort of get a bit of your view to start off with.

Hart Rossman [00:24:01]:
Yeah, sure. You know, actually, I think the scale at which we operate helps the individual customer. Right. There’s a number of things that we see at the scale we are on the Internet that allows us to proactively identify and resolve security issues before it ever gets anywhere near the customer. Right. It also enables us to really have, have very strong roadmaps that deliver features and services that give customers the ability to take actions themselves, however it aligns with whatever their risk posture is.

Karissa Breen [00:24:34]:
And so you said before scale, and I was just listening to a couple of your sessions here throughout the week. How do you think sort of customers are adopting, like AI, for example? And what I mean by that is, do you find having a security background that people are still a little bit hesitant to adopt and relinquish that control, would you say? Where is that sort of sitting with you?

Hart Rossman [00:24:53]:
You know, I guess I’m not seeing it from that perspective. There’s a lot of curiosity in the security community on how best to use agentic AI, generative AI and these other technologies, but they’re hungry for it, right? And so as I talk to security teams, public sector and commercial organizations around the world, right, they’re finding these use cases where they’re getting a ton of leverage out of their existing security professionals, right? That’s a challenge we’ve had for decades. There’s not enough security professionals in the world to meet the needs of an organization. And so I talked to CISO after ciso who tells me stories that they’ve got SOC analysts and then they’ve got SOC engineers, security engineers, and by giving them some of these agentic tools, those analysts are now performing the function of an engineer and tremendous leverage out of these talented people. I think there’s a lot of hunger and interest there. There’s also the ability to just allow the human to move up the value chain. And so as these agents are doing a lot of the pre work and analysis, it’s leaving the high judgment, higher value work to the trained professional. Right.

Hart Rossman [00:25:58]:
Which is, I think, where we all want to be. Right where we can have the most impact.

Karissa Breen [00:26:02]:
And I was speaking to CJ yesterday about this. So do you think as well that, you know, people always worry about change and we’re creatures of habit and all these sort of things that you’ve sort of seen, and we did touch on yesterday around like alert fatigue. And as you said, we of course want employees and the people who are now front line of defense to actually not be fatigued through numerous alerts and stuff like that. So do you think it’s just we’re coming into this space where we don’t have a crystal ball in front of us. We don’t really know exactly how this is going to go. And but with history repeating itself, it’s like, well, people start to ease into this is the way we do things anymore. Like people aren’t upset that blacksmiths don’t exist anymore. So do you think it’ll just become a time where we’ll look back on this point and say, well, actually we, we were slightly concerned, but more calculated in our approach moving forward.

Hart Rossman [00:26:48]:
The behavior I’m seeing is that a year or so ago, I buy your premise, right? There was hesitancy. People weren’t sure. They were all familiar with kind of the chatbot modality. And so a lot of people, particularly in security, were thinking, what do I need a chatbot for? But a lot has happened in the last 24 months, right? The security practitioners I talk to, the security executives I talk to really see the value in investing in agentic AI. It’s a natural extension of the automation they’ve already been doing in their socks. It brings tremendous efficiency. It gives you that leverage we were talking about earlier. And it opens up the opportunity to address threat actors in a way that just wasn’t possible before.

Hart Rossman [00:27:32]:
So I think people are really excited. The thing about AI in my personal experience is that it’s like a non transferable experience. You can’t learn about it from a PowerPoint or a blog post or listening to a podcast. You have to have some first person experience building an agent Working with an agent, interacting with an agent to get that light bulb to switch on and understanding how best to deploy it for whatever your use case is. It’s a little bit different than previous automation where it was easy to read about it and kind of quickly connect the dots. This is very much, I think like it’s this kind of step function. You need that hands on experience and it’s easy to get. Right.

Hart Rossman [00:28:10]:
Super easy to get, particularly with aws. Right. But there’s lots of avenues these days.

Karissa Breen [00:28:15]:
So can I just ask more of a rudimentary question and so easy to get. So now obviously, you know, I was looking to a podcast this morning of if you’re not a DJ now you can become one because of AI and you can do all these sort of things that you had to be talented before and you can be less sort of talented nowadays. So how does that sort of sit with like, is this lowering the bar for security practitioners and analysts? Because historically you had to be pretty smart to do this type of work.

Hart Rossman [00:28:39]:
Now I wouldn’t say it’s lowering the bar. I think what it’s doing is it’s taking people who have expertise and allowing them to go further faster. Right. Because you have to be able to have the background knowledge first of all, the underlying system, you can’t protect what you don’t understand. So you kind of have to know how the systems or the business that you’re working within behaves and then you’ve got to have some security risk knowledge and then you want to channel that towards some outcome. What we’re doing though, with things, for example, like the new security agent we just launched is we’re giving a developer, for example, in this case an opportunity to have access to that security expertise and sort of symbiotically, right. Develop that outcome together. They’ve got, in the case of developer, they understand the technology, they understand the mission of the business, they have some understanding of secure coding and all the things that are pretty modern and typical today.

Hart Rossman [00:29:35]:
Now they have access to this security agent which is going to do the assessments, which is going to do the pen test. It’s going to provide sophisticated courses of action and allow them not only work together but also bring in a security engineer. Right. When they realize they need to even go to that level of collaboration.

Karissa Breen [00:29:55]:
And so are you ever worried about people perhaps being slightly on autopilot? And what I mean by that is like now people are quite happy to ask for. I mean this is a very basic example of like ChatGPT to outsource a lot of their thinking, especially for maybe the newer folks that are coming up through the ranks, where that is ingrained into how they learn things nowadays. Whereas before we had to go to university and read and research and do all those things. And that’s fundamentally changed how people are understanding more about technology.

Hart Rossman [00:30:22]:
I don’t agree with that. I just, like, academically, there’s a lot to learn in this world, and there’s, I think, a strong role for formal education, particularly in science and technology. And I think it will allow people to learn maybe in new and different ways. And I think, again, it might get some people further, faster. Our cto, Werner, likes to say there’s no compression algorithm for experience. And so there’s some level of having to go through that education cycle and having the right tools, right? And so today we’ve got this amazing tool, AI. In some ways, it’s no different than a hundred years ago when you could have a calculator in class instead of an abacus. It’s not like we didn’t have to learn math anymore, right? But now we have this phenomenal tool that we could use to learn more faster.

Karissa Breen [00:31:05]:
And so you said, obviously things have changed in the last 12, 24 months. What do you think? If you and I have this conversation in the next 12, 24 months, where do you sort of think the industry will be at?

Hart Rossman [00:31:14]:
I think a couple of things. For me, as a security practitioner, one of the things that we’re going to is more personalization for that security experience, right? So today, for example, if you think of like a web application firewall console, everybody who uses it has the exact same experience. But if you look at what we’re doing with Security Hub, if you look at what we’re doing with Security Incident Response Service, right, We’re making security personal, which is something we’ve done in other areas of it, by the way, for quite some time. But now we’re bringing that home, and that unlocks a lot of opportunity and potential. The other thing I think we’re going to see is that these autonomous agents are going to have more flexibility in the courses of action they can take so that they can make more impact in terms of protecting customers, protecting content, and allowing humans to move even further up the value chain, right? And that’s going to require, I think, people to learn some different skills, right, in terms of having. Having that new scope of role and.

Karissa Breen [00:32:10]:
Just to build out a little bit more. Do you think as well? And I was interviewing CIO of an education company around leveraging AI in schools and just people learn differently. Right. So like I learn through voice and that’s probably why I run a podcast. But do you think as well what you talked about the personalization of that so people can understand and interpret like what’s happening and then to relay it to an executive so they can get more money for their security team, for example?

Hart Rossman [00:32:33]:
Yeah, I think it’s going to help a lot talk about not just education, but again it feels like we’re a very writing oriented culture at Amazon. And so if English isn’t your first language or if business English very specifically is not something you’re comfortable with, it takes a lot of work to build those skills in a very writing oriented culture. Well now with the availability of some of these AIs that can take your thought and craft a point of view in writing and then you can then further iterate on it. It’s a game changer for really, really bright folks. Right. Who in the past had to learn this whole other skill set to be able to get their idea across. And I think that’s just awesome for humanity quite frankly.

Karissa Breen [00:33:18]:
And we’re gonna just to close because I know we’re rapid fire interview, we’re coming towards the end of the year. What do you think’s the vision for next year?

Hart Rossman [00:33:26]:
First of all, more self service, greater variety of tooling and access to telemetry. The whole game and incident response as it were, is to go from a bump in the night to everything’s all right as fast as possible. Right. And to do that either automagically or in a self service manner that meets a customer’s needs. So more data, more automation, more speed. And then the other part is more collaboration. Right. Security response as a team sport we’ve got I think a very strong service that invites collaboration amongst the various parties responding to an incident or an issue.

Hart Rossman [00:34:02]:
There’s always opportunity to do better there. And so I see us coming out with far more collaborative features going forward as well. Another thing that I’m super excited about future is building on the launch that we just had of the incident response security agent. So what that does is it takes the inbound alerts that we triage and use to create cases for investigation and it goes out and it collects all the relevant evidence from log files from other telemetry and it pre analyzes the security issue that’s being escalated and provides some summary analysis and courses of action that the customer or a trained security responder can then go ahead and select the best course of action. So it’s takes something that historically took hours to get to that sort of first blush review of the case now down to seconds or minutes. So it’s cool stuff and it’s literally day one on that. So I see many more incident response agent capabilities coming in the future.

Karissa Breen [00:35:07]:
Joining me now in person is Mark Ryland, director at AWS Security. And today we’re discussing regulators versus reality and the way ahead. So, Mark, thanks for joining me and welcome.

Mark Ryland [00:35:17]:
Thank you.

Hart Rossman [00:35:17]:
It’s great to be here.

Karissa Breen [00:35:18]:
Okay, so Mark, I. There’s a lot of questions I do have for you and I really want to get into it considering we’ve got a shorter amount of time. But I’m really interested in this space. So I want to probably start with your position, which is between regulators, policymakers, customers, AWS engineering, et cetera. What I’m really curious to know more is the tension point. You’re having to sort of mediate a lot of people with personalities and different agendas. What does that sort of look like in your eyes? How do you, how do you manage that day to day?

Mark Ryland [00:35:49]:
So I have the benefit of working with the experts who facilitate the conversation, understand the stakeholders that we’re dealing with, and then I provide to them an expertise in terms of the technology, you know, product direction, industry trends and so forth through collaboration with experts in different domains that, that I find that I can react to the different, you know, different perspectives, different interests and reach a good point where we understand each other. We may not always agree on everything, but the relative interests and priorities are understood. And you know, even working internally, we have teams that we work with all the time who they may have different priorities, they’ve got different stakeholders in their customer base. We represent sort of that CISO Persona to, even to our own engineering teams, they’re never going to release, you know, features that are insecure or whatever, but they might prioritize features for one part of their customer base over another. And for us, we want to make sure that they’re conscious and very aware of, hey, the security team would really love it if you would build X rather than Y. And that helps them to understand and balance the different requirements that they’re getting. So, like, if you’re running a storage service, your primary constituent is going to be the storage manager, whatever, a customer. But we bring that security voice into those conversations as well.

Mark Ryland [00:36:56]:
So they understand that you could build a feature this way or that way, and if you do it that way, then the security team will love that. And so that’s how we’re able to Help guide and direct the part priorities of the platform as we develop it together.

Karissa Breen [00:37:08]:
Yeah, because I think your role’s quite interesting because when I’ve come from a security backer myself, historically in a regulated industry, and when you’re talking about like regulators, they’re looking through one particular little keyhole. Right. And then you’ve got policymakers, they’re very by the book and how they do things. And then also you’ve got customers. So how do you sort of digest all of that, that you’re still keeping everyone happy at the same time, but you’re sort of not compromising on your vision, your goal, what you’re sort of set out here to do day to day?

Mark Ryland [00:37:34]:
Well, often it’s kind of understanding what’s behind a question or what’s behind a policy or a requirement. Someone may, there’s a, we all have a tendency to sort of over specify like I really want X. And you say, well why do you want X? Well, because of Y. It’s like, oh, okay, well I think I can get you Y. I won’t get it in the X way, but there’s another way to get it that will make it so we can, we can agree that solves the real concern that you have. So I think a lot of what’s always helpful in these scenarios is to kind of go behind the immediate question or the immediate ask, look for the kind of underlying reasons and then find a way that can satisfy that without necessarily doing it in a way that would be more difficult to do if we just answer the question directly. So that’s, I think part of kind of the art of navigating a job like the one I have and then.

Karissa Breen [00:38:21]:
Just to maybe focus a little bit more. Mark. So we look at like regulators, policymakers. Would you say, given your experience, tenure and you know, your background in this space, that they are historically a little bit more regimented than, and perhaps like some customers. Sure, perhaps can be, they sort of look at things maybe a little bit two dimensionally sometimes. Like, well, it’s in the policy and we need to adhere to the policy. But one thing that you raised which was quite interesting is going beyond that. Well, why do you want that? Do you think that not enough people are asking that question and they’ll just say, well, it’s in the policy and I’m not going to ask why or.

Mark Ryland [00:38:51]:
How does that sometimes how we get to those places. But I can give you a very concrete example. The US Government a couple of years ago, they got very interested in the notion of Memory safe languages, they said to themselves, hey, a ton of the classic, you know, severe CVEs of the industry over the last 10 or 20 years are typically, you know, C language or some language that automatically handle memory properly and programmers have a bug and the bug results in memory leakage or you know, pointers that point to memory that this process doesn’t own, or you know, classic buffer overruns, et cetera, et cetera. So they became very interested in like, what can we do to reduce dependency on languages that are not memory safe. And pretty much that means C and C, because most memory languages today, Java, Python and so forth are generally speaking, they’re memory safe. So when we responded to an RFI that they brought up that topic, we made a couple of points to try to really add a bunch of nuance to their interest. You know, we said, first of all, even a Rust language has an unsafe mode and people have to use that sometimes because when you’re like exchanging memory blocks with a C library, you have to do that in an unsafe way because the compiler can’t manage the other side of that, you know, of that interface between say a C library and a Rust executable right there, there’s no panacea. On the other hand, we really began pushing and promoting something we spend a lot of time on, which we call automated reasoning.

Mark Ryland [00:40:10]:
So using what are called formal methods in computer science, logical proofs of correctness of code. If you use those kinds of techniques, then you can not only catch memory bugs, but there’s a whole wider range of bugs that you can catch if you employ automated reasoning. So they were very receptive to that. And in the end, the bug, the paper that they put out and the policy they began to push was much broader and included formal methods as well as memory safe languages. And they also nuanced their position on memory safe languages. You know, recognizing that in any given language you can always like, and there’s always this escape where you can mark something and say, don’t, don’t handle a memory. I’m going to do it myself as a programmer. So anyway, I guess my point is that when we, when we engage with them and explain like a more deep nuanced view and alternative views, the response was super positive in that case.

Mark Ryland [00:40:59]:
I’m not saying that would always happen, but I think it’s, it’s a very good concrete example of, of how we’ve been able to be successful in, in kind of expanding minds on certain topics, getting them to think more broadly. But ultimately, you know, with approaching things in a better way, more realistic way.

Karissa Breen [00:41:14]:
So just to build out a little bit more, you’ve used that example. What do you think regulators, policymakers are really sort of focused on today and sometimes going back to regulators, and I don’t know if this is Australian phraseology, they get a bit of a bee in their bonnet and they’re very focus that one thing. Anything you can share.

Mark Ryland [00:41:28]:
Well, we hear a lot about digital sovereignty today. That’s a very common topic that comes up more than probably did in the past. The good news for us is we’ve always had a very strong commitment in our platform to like, hey, wherever you choose to process your data, we never automatically migrate to other locations. So you have, you know, very strong choices around, you know, and ability to control data in that respect, as well as a lot of other features to make sure that even an engineer on your team might not accidentally export data in a place that they shouldn’t, et cetera, et cetera. But still, that is, that is a topic that has become more prevalent, especially in Europe, as I’m sure you realize. Partly in response to that, we’ve added even more features recently. We’ve launched this, about to launch this thing we call European Sovereign Cloud, where we take it even to a much greater degree, to make sure that the entire lifecycle of your engagement with aws, from account creation all the way to the billing and the whole life cycle takes place in Europe, where historically all your data processing and all your code and all your data was wherever you wanted it to be. But we would take metadata, like, you know, your billing information, process that in the US and send it back to you.

Mark Ryland [00:42:27]:
So we’re giving people more options there in response to increased interest in that, in that topic. I think that’s one example. And of course, AI security and safety is a huge topic, responsible AI. And that’s something that again, we as a company and I think as an industry, we’ve got some very good responses and we’re building the capabilities to make sure that we can carry out the responsible AI as we develop the technology.

Karissa Breen [00:42:50]:
So then, one thing I’m curious to understand, and last few days I’ve been speaking to a lot of your colleagues, and everyone’s come with a different perspective and a different lens. So perhaps you’re going to share something different with me today. Where do you think this sort of industry sits with AI? And you’ve made a bunch of announcements over the last few days. Do you think that people are still holding back? Where do you think that they Are at. Are they still a bit afraid? And I know that, you know, heart sort of spoke the other way, but I’m keen, like, do you still see resistance, or are people just accepting that this is the new reality?

Mark Ryland [00:43:21]:
As always, there’s a range, I think, of reactions in business and government, just like there was on the cloud journey.

Hart Rossman [00:43:26]:
Right.

Mark Ryland [00:43:26]:
The cloud took a while for people to get accustomed to the idea this new kind of technology could provide not only adequate, but often more secure infrastructure than what they could do on their own. But it wasn’t an overnight thing where people suddenly saw the light and there was no more friction. There was a period of time when that was an issue that we had to address. I think you can see from our keynotes that we have a lot of custom who are leaning in and really doing amazingly progressive adoption of the technology as we are ourselves. But I think it’s still relatively early in the journey in terms of the percentage of companies that are doing advanced agentic AI. It’s probably still not a high percentage. That’ll take probably a few years for that to be the case. But it does seem to be one of these more or less inevitable trends, because the benefits and the efficiencies that can be gained are so significant.

Mark Ryland [00:44:16]:
Our old CEO, Andy Jesse, used to have a saying about cloud adoption. He would say, you can’t fight gravity. Like, there’s just some fundamental benefits that it may take you a while, but you’re going to get comfortable with doing things in a different way. You’re going to understand the technology in a way where your trust is there, and then the benefits are just so great that you’ll. You’ll go that way, and I think you’ll see the same exact trends and kind of patterns with AI adoption.

Karissa Breen [00:44:39]:
So one of the things that I’ve noticed in the interviews of people that I’m interviewing at your level would be that they’re saying, we’re seeing customers make decisions a lot faster than they have historically. So it’s not like we’re going to take 12 months and do a whole, you know, risk assessment for as long as we can, because to have that competitive advantage over their competitors. So are you seeing that, that even if someone is a little bit resistant, a bit on the fence, like, I’ve just got no choice, it’s going to trust the process because if I don’t, my competitor is going to be leveraging AI and therefore we can get behind. Are you seeing that?

Mark Ryland [00:45:10]:
I think that’s definitely a factor, a big motivator to Move fast. But there’s also what we at Amazon and I think many of our customers now call. It’s two way doors. We can make decisions and then if they don’t work, we can undo them. And if we’re moving rapidly, it’s okay, he decides to do something, it’s working well, Great, keep moving, it’s not working well. Change your mind, two months later you try something a little different. So just taking a kind of more agile approach to some of these technology decisions. And to me it’s a lot in continuity with the historical adoption of cloud because cloud itself provided a lot more agility than traditional IT infrastructure.

Mark Ryland [00:45:41]:
Traditional IT infrastructure, you buy a server, you’re going to amortize it over a five year lifespan, you do a, a three year licensing deal with a large software provider, you’re not going to change software for three years. I mean all these things you would do would just have kind of this pretty long natural life cycle. And even in the process of moving to the cloud, all of our customers were like, whoa, you mean I don’t have to take sign up for any long term contracts? You mean I can just do stuff for a month and if I don’t like it I can stop? And there’s no downside to that? Absolutely. That’s what pay as you go means. So their whole mindset is already shifted towards this kind of more agile, experimental try things, see if they work just purely at the infrastructure level with cloud. And I think AI now will just be the next kind of phase of that as well, that it’s, hey, you can try it out, try the agentic technology, if it doesn’t work, try a different thing, see what benefits you can get, make some quick decisions and then just keep moving. That’s what we’re seeing pretty much across the board.

Karissa Breen [00:46:29]:
And so then with that, would you say that historically, like you said before, how customers would buy things was like, you know, we do like 30 years on stuff and this is how we’re running. But now it’s, it can change. So obviously with that there’s a benefit, but there’s also, that can be a detractor for some as well. I’m seeing this with other hyperscalers, they’re moving more towards that model because people are trying things out, they don’t know what they don’t know just yet. So they’ve got to experiment and then see. Would you say now the loyalty towards businesses, I wouldn’t say dropped, but because there’s so many options, they can get faster, cheaper, better Are we going to see a lot more people moving around or what’s that look like an aspect.

Mark Ryland [00:47:05]:
Of it as well? I mean, there’s still a human and relational side to business. And if you do business with people who have earned your trust, you’re going to tend to stick with them for those very valid kind of human reasons. But the agility is there, the technology is flexible, the experimentation is something that I think everyone is trying. So I do think there is much less of a kind of, hey, you know, through thick and thin, this vendor will be my vendor from now till whenever. That just isn’t as much present as it used to be. And I think it’s probably a very healthy thing because we have to earn our customer’s business every single day. That’s just the nature too of a pay as you go business. It’s like, hey, if you don’t like us, you can leave.

Mark Ryland [00:47:42]:
And so we’ve always had, I think, a mindset of like, how can we serve you? How can we be more effective? I actually started my career at AWS in a sales organization running a solutions architecture team. So I was a technical leader in a sales team. And all of the salespeople and the solutions architects in these early days, they were, they found it just absolutely remarkable how they felt their interests were now aligned with the customer in a totally different way than the company they had come from. And the companies where they typically came from, their goal was to get the customer to sign that big contract, you know, that $30 million database deal or that $10 million hardware deal, whatever it was. And then all this pressure, all this, all this love they would give and then boom, the contract signed and then they go, they go, they buy Ferraris and they all celebrate. And then they like wait for.

Karissa Breen [00:48:23]:
And I didn’t see the vendor again after that.

Mark Ryland [00:48:26]:
Whereas at aws, it was like, hey, we won this big deal. How much did they bill the first month? Oh, $3,000. Oh, well, that’s good. That’s a start. But we have to keep working with them because we have to grow this business. And so every day it was like, okay, what can we do to help you? That was the mindset that we as sales team, we would experience that we. No one had experienced that. So clearly before having worked in technology sales, I mean, they personally were very service oriented, but it didn’t align the interests of the provider and the, and the consumer.

Mark Ryland [00:48:56]:
So clearly, as did a pay as you go business. So I think that that has, you know, really changed the industry. You know, Very considerably. Nobody I don’t think is doing the, you know, three, three year multi million dollar enterprise licensing agreements with, you know, certain vendors or whatever. They’ve got the agility that they want. I mean that’s not to say there’s still not some lock in, in the industry. People still struggle with some traditional technology that’s very hard to get off of. But in general I think everything’s much more flexible, which is good.

Karissa Breen [00:49:22]:
Yeah. And that’s interesting because that’s something that I’ve observed as well. Just the flexibility of, you know, what I’ve observed with Amazon or AWS more specifically would be it’s more that slow burn like okay, we can get you on, you try it out, see what you want. Here’s the options, here’s a smorgasbord, take what you want, take back, we’re not offended. And then that’s how you’ve. What I’ve seen over the years of, you know, being in this space for 15 years is that that’s how people have then got more and more sort of products and services from me. And that’s really, if you look back the history and the lineage, that’s what has happened along the way. So are we going to start to see, and I’m noticing, you know, you’ve got Oracle and friends that are doing much the same.

Karissa Breen [00:49:58]:
So is this just now for vendors across the board that they are becoming more competitive? Like you said, people aren’t going to ex vendor and doing the 30 year deals anymore. So is this something that we’re just going to see as more and more like agentic AI and all sort of stuff’s coming around that we’re not going to be locked in and it’s going to be a lot of different services they’re going to be plugged into.

Mark Ryland [00:50:16]:
Absolutely. That’s a big change. And the AI is also very, very beneficial and very powerful for things like legacy migration and legacy updates. You saw the announcements on Monday, I think, right. With some of the new services we have for transformation of legacy technology. And that is a great example of how AI will give you the freedom to move off of whether it’s mainframes or old style databases, whatever it may be, where you feel constrained and locked in and feel you don’t have the flexibility you want and AI will make. So you do have that flexibility, which is really, which is great. But that is great for us.

Mark Ryland [00:50:47]:
It keeps us on our toes. Right. We have to continue to deliver value every single day because we can’t just coast and say, oh, you know, they use AWS so it’s not going to be, you know, it’s going to be hard to move, blah, blah, blah, nobody can think that way anymore. Which is, which is really healthy.

Karissa Breen [00:50:59]:
And that’s the operative word you use is coast. And that’s what I’m seeing being in this media role is that now even more so than ever, the vendors are very competitive, very cognizant on price because everyone wants to do more with less money nowadays. That’s what I’m often hearing. Yes, in the us, in Australia, whoever. But also how can I optimize that cost? And if they’re not using something, why should we pay for it so we can turn it off? So it’s just more that I’m seeing that now vendors are getting more towards that path of we need to keep offering more, we need to keep innovating. And it’s, you know, it’s impressive and what you, what you’re doing is quite impressive that I’ve observed the last few days. So is this more so that. Yeah.

Karissa Breen [00:51:35]:
Curious to see that customer journey because I’ve been on the customer side as well and sometimes you would get locked into things. And I’ve worked on tel end of like core banking modernizations and what that process looked like from a migration perspective. And it’s a lot. So maybe just touching on that to sort of close would be. So with businesses today that have got some of that legacy, you know, debt that they’ve got, are we going to start to see people just doing this migration moving forward? I know some people still reserved or they have to because they’re regulated in terms of they’re doing on prem sort of stuff. What’s that going to look like in the next couple of years?

Mark Ryland [00:52:09]:
You’ll see an acceleration of transformation off of legacy systems, a big acceleration because it’s just been so hard to remove all the dependencies on a specific SQL dialect or a specific language or a specific mainframe architecture. People have tried over the years to do tools like there have been vendors that tried to do things like mainframe COBOL to Java translators. And you’ve probably seen all those and you know they work okay. But it was always like that 80, 20, like 80% was easy, 20% was super hard. So it was like hard to finish a project like that.

Karissa Breen [00:52:40]:
So you just wouldn’t do it then.

Mark Ryland [00:52:41]:
Yeah. So yeah, or you try it, you do a prototype and you’re like, oh, I don’t think this is going to go great. So you would Give up. But with the AI technology with you know, again amazing sort of extremely powerful, both pattern recognition and code generation capabilities, they can look at all those edge cases and generate the code that will get you around that thing that would have been really hard to do manually and help do that last mile like close it out and make actually a working system that you’ve now transformed from your, from your old system. So those announcements around it’s AWS transform, right? That’s the name of the, of the service that we, the agentic AI service which is specifically targeted at getting people, giving them the freedom to move off of legacy platforms and onto modern open source or open open technologies. Because like if you move to postgres you literally like every cloud provider provides a, you know, we think ours is the best, we have some special cool features but the programming interface is the same even if you’re using our multi region super high end amazing postgres. The code you write to talk to the database is the same as an on prem or on another cloud. So you can, you can build systems that are highly portable and highly flexible and yet still, you know, leverage all kinds of special capabilities from, from a vendor that invests heavily in the underlying platform.

Mark Ryland [00:53:52]:
So that’s a huge trend and I think, you know, may finally be the case that some of the old, you know, 30 year old systems will finally begin to see the end of, end of life.

Karissa Breen [00:54:01]:
Because I used to work in a bank and it’s like when you’re dealing with records for like 150 years, it’s a big risk. Like we can’t lose someone’s banking like records or that information. So it was, it’s quite stressful for these businesses that are regulated and they’re coming in, they’re doing the audit every couple of months or whatever happens. So I can understand that as a use case. I mean for like a, like a media company or like ours, if we had that, it’s a little bit easier. But for these regulated folks or even healthcare, it’s a lot more of a jump. So I do understand of working in that front line that it’s not as easy when you and I are talking about this than in reality.

Mark Ryland [00:54:34]:
That’s true. There’s always going to be challenges. But I think the tools can also help create the kind of reasonable checkpoints along the way. Like hey, we can revert this change if we need to. Like we always think in our engineering culture about rollbacks. That’s like a fundamental part of like a cloud architecture. It’s like hey, we made a change. Oh, the performance is 3% worse.

Mark Ryland [00:54:52]:
That’s not what we want. We roll it back and the customer may never even notice that. But we were able to detect that with our own, you know, detect metrics and so forth. So we can observe the behavior of the system, roll it forward, roll it back, and that checkpointing and having that fallback. Hey, this phase doesn’t go well, we can still use the previous phase is an important part of like a legacy migration as well, as well as like really great data backups, right? Like you keep all that data forever, but in a format like transform all those mainframe records into Apache iceberg format on S3 and you can do queries, you can do joins, you can do all these traditional database operations, but yet you can also store it for essentially forever for very, very cheap. So those are kind of architectural patterns, I think that can mitigate against the risk of making those kinds of changes.

Karissa Breen [00:55:39]:
And there you have it. This is KB on the go. Stay tuned for more.

Share This