Security - eBook (EN)

Traits of highly successful security organizations

Issue link: https://read.uberflip.com/i/1472540


Senior leaders discuss security quickly and often

Security operates well when not siloed or relegated to a cost center. In fact, senior leadership investment and participation is a key quality in highly successful security organizations. These organizations and leaders understand well that security is everyone's top priority, all of the time. Leaders from across these organizations—across all lines of business and including the CEO—are deeply curious about security, and encourage regular and frequent meetings, updates, and check-ins.

At AWS, our security engineers have daily standups, standard in the DevOps and Agile development world. For example, our CEO is deeply engaged with the security team and joins our leadership every week to review and discuss key security metrics. It's understood that security is a key enabler of the business.

Seek two-way doors

At AWS, we think of decisions as doorways. A one-way door is a decision that results in something difficult or impossible to change once we've gone through it. And if we don't like what we see on the other side, it's really hard and often expensive to get back. In contrast, with two-way doors, we can walk through and see what we find. If we don't like it, we can walk back through the door, effectively reversing the decision.

Successful security organizations do everything in their power to avoid one-way doors and seek out two-way doors. It's about keeping any changes to security small and frequent in order to iterate rapidly along the way. Iteration is the key to success rather than perfection. Trying to be perfect out of the gate prevents us from ever getting out of the gate.

At AWS, one of our leadership principles is, "Bias for action." It states that speed matters in business (and, in this case, security), so decisions and actions should be reversible, and not require extensive study. We find that risk taking in security can be healthy, if it is calculated.
Practicing agile decision making: Emilio Escobar, former VP & Head of Information Security, Hulu

As a celebrated entertainment provider that serves millions of viewers through thousands of pieces of video content—and a live TV offering—things move fast at Hulu, and decisions need to be made quickly. For Emilio Escobar, in order to enable his teams to be creative while remaining secure, it's about building the right guardrails into the process from the beginning. That way, decisions can be made within certain parameters by the team members themselves to avoid bottlenecks; they then present their ideas and plans on a biweekly basis. This system promotes a sense of creative freedom, as well as a profound sense of pride.

Also, to keep the cadence high around decisions, Emilio meets with his directs every week, as well as his executive peers. In the times in between, they are active and vocal in their collaboration tools. Finally, Emilio believes there can be no fear in escalating any potential issues if everyone has a sense of solving the same problems. They're always seeking to find the right balance between security and velocity, which requires a certain measure of transparency and visibility.

Emilio and his teams have a close working relationship with AWS—Emilio himself is active at AWS conferences and participates in the CISO council to help drive AWS security products. Working with AWS has ratified his thinking about the importance of closely embedding security within engineering.
