How AWS and Intuit build a culture of security in their organizations

As the security landscape evolves, organizations need to keep pace with the latest threats and emerging technologies. The only way they can do that is with a culture of security and continuous learning.

At AWS re:Inforce 2024, Kurt Kufeld, VP of AWS Platforms, and Tony Gauda, Chief Architect of Security, Fraud, and Risk & VP of Technology at Intuit, explained how to build a culture of security across technical and non-technical teams. 

Missed the re:Inforce keynote with Chris Betz, CISO of AWS, and Steve Schmidt, CSO of Amazon? Catch up with the main takeaways.

• What is a culture of security?
• 3 key components of a culture of security
• Creating a culture of security is an iterative process

A culture of security is a system of beliefs, values, and behaviors that promote a security-first mindset. A culture of security isn’t limited to security teams—it encompasses the entire organization.

If you had to sum it up in three words? 

“Empathy, partnership, and collaboration,” said Tony. 

“Ownership, mechanisms, and iteration,” said Kurt.

Tony and Kurt highlighted three necessary components of a culture of security: executive support, distributed ownership, and psychological safety. 

“A deficient security culture is the root cause of many avoidable errors,” said Kurt. “Accountability of that corporate culture starts with the CEO, frankly. The CEO and board of directors should be focused on security all the time. [They] should help drive that corporate culture.”

“It has to come from the top,” agreed Tony.

But there’s often tension between security teams and business leaders. How can security professionals build buy-in? It starts by understanding business leaders’ perspectives. 

“Be empathetic to the business. Understand what their timelines are,” said Tony. “Help them accelerate the delivery of whatever thing they’re trying to deliver—in a secure way.”

This often involves shifting the business’s perspective of security from a roadblock or speed bump to an accelerator. “Understand their concerns so you can align security objectives with business objectives. So you’re in there with them to help them find a way to say yes rather than saying no,” explained Kurt.

Tony and Kurt shared their strategies for gaining executive support: 

• Speak business language. Put security into business terms like ROI and financial risk to align with executives’ goals. Tony gave this example: “If we decrease fraud rates, we can increase the profitability of our money movement business.”

• Create a risk register. This is a prioritized list of all the things your security team cares about, including the biggest issues you’re tackling. It also shows your priorities and value to the business.

• Hold regular security meetings with executives. Kurt explained that AWS holds weekly security meetings where the CEO, CISO, and engineering teams discuss security issues. Consider implementing something similar in your organization to further align business and security.

Distributed ownership means that security is everyone’s job, regardless of where they sit in the organization. 

Tony and Kurt explained how they enable distributed ownership in their organizations:

• Make ownership a performance metric. Ownership and other principles can be ignored in day-to-day work. Tying ownership to performance ensures it isn’t ignored. “We’re measured on them, they’re part of our evaluation every year,” said Kurt.

• Create paved roads. Incentivize developers to use these frameworks or paths when writing new code, rather than creating their own method (and potential new security risks). The idea is to create paths that developers want to use, reducing security vulnerabilities and increasing the speed and accuracy of delivery in the process.

• Empower Security Guardians. These early adopters are members of the product team who help their team understand the security review process. “Teams with security guardians move 20% faster through security reviews and have 22% fewer findings during AppSec reviews,” shared Kurt.

When an organization has psychological safety, people feel comfortable speaking up and know that their voice will be heard and lead to action. “See something, say something, and something will change,” Tony summarized.

Culture change takes time, and fostering psychological safety does, too. However, there are some things you can do to get started today.

First, enable visibility and transparency. Tony shared an example. If someone raises an issue at Intuit, the security team enters that risk into the risk register so there’s visibility. If the risk is high enough, they resolve it immediately. If not, they may work it into a multiyear project to resolve it. The key is seeing that issue entered in the risk register and the plan to address it if necessary.

Then make sure you reward people who report issues. ”There’s no punishment [at AWS] for reporting a security issue. In fact, to be blunt, you’re rewarded for it,” said Kurt. When the Log4j vulnerability hit in 2022, several employees went above and beyond to resolve the issue. The CEO wrote them a personalized note thanking them for their unique contribution. This recognition showed employees that their organization cares about security and created a sense of community.

That’s the last component of psychological safety that Tony and Kurt discussed: community. “We encourage cybersecurity awareness. We encourage upskilling and training. It’s about building community,” said Tony. “It’s putting several things in place that enforce that within the culture of the organization.”

Create an internal mentorship program for cybersecurity engineers or hold an internal summit on your biggest security issues to bring people together to talk about cybersecurity and learn from it.

“Culture change is iterative. It’s not a one-time project—it’s something you do continuously. It’s not a checklist,” emphasized Kurt.

Get up to speed with the rest of our AWS re:Inforce 2024 coverage:

• AWS re:Inforce: Take these generative AI and cloud security measures

And start a free trial of Pluralsight Skills to build a culture of security across your org.