AWS Executive Insights / Security / ...
Security-First Leadership
Adam Selipsky on Security Culture, Gen AI, and Customer-Obsessed Decision Making
Generative AI is top of mind for most CEOs today. In fact, it's one of the most common discussion topics AWS CEO Adam Selipsky hears in conversations with his peers. In this Security Leaders interview, get Adam’s perspective on Gen AI and hear his advice for how business leaders should be thinking about security in the age of AI.
Part of this interview is also available in an audio format. Listen to the podcast by clicking your favorite player icon below, and subscribe to AWS Conversations with Leaders podcast to never miss an episode.
Join Clarke Rodgers, Director of AWS Enterprise Strategy, as he sits down with Adam to discuss the topic of generative AI, including how business leaders should approach security in this new era and why it's important to develop a gen AI strategy that matches the needs of your customers and workforce. If you enjoy the conversation, make sure to check out Adam's other video, The CEO’s Role in Security Leadership.
Security foundations for emerging technologies
Clarke Rodgers (00:10):
When you have those sort of private meetings with customer CEOs and effectively your peers, what are they asking you? What are they talking to you about in terms of security and privacy and compliance and sort of the regulatory regime that we see out there? Can you give us sort of a little peek into those conversations?
Adam Selipsky (00:28):
Those are really important conversations, which a lot of CEOs really do care about, and these topics resonate with many of them, as they should. I guess I'd point to a few things, one of which is, well, generative AI of course is on everybody's mind. And we get a lot of questions around "How do I think about security in a generative AI world " and "Things are moving so quickly" and "What types of applications or technologies should I be using?” and “How do I know they're secure and how do I think about being secure inside of my company as well?" And the first part of the answer is,
You should expect from generative AI exactly the same level of security that you expect from any other service that you consume."
Somehow there's been this schism where people talk about enterprise security for all these services over here and then, “Oh, now let's talk about generative AI.” And it was actually quite astounding to me how some of the first generative AI chatbots or consumer-grade assistants came out really without a security model. And the data literally did go out over the internet and any improvements to the model literally would be shared by everybody using the models. That's why so many CIOs, CISOs and CEOs literally banned some of these assistants from their company for a good amount of time.
But it kind of amazes me because I think about going to a security-minded CEO or a CIO or a CISO and saying, "Hey, I've got this amazing new database service. There's nothing like it. You're going to love it. I really think you should adopt it. By the way, it's got no security model attached to it, but don't worry about it because I'll come around with v2 and it'll be secure then." I mean, I'd get thrown out on my you-know-what!
Clarke Rodgers (02:20):
Sure.
Adam Selipsky (02:21)
At least I hope I would, I would deserve to. And so, I think other companies in this space for some reason, I can't tell you why, are taking a different approach to security and somehow deemed it less important. And we're very predictable here. Our generative AI services like Amazon Bedrock, which is a managed service for operating foundation models, is no more secure and no less secure than any other AWS service.
So that's the first conversation around generative AI. And then there's some other topics as well and the topic of "How do I get a security mindset into my company?" And I think that gets back to culture. It gets back to some of the things you and I discussed today around really top-down leadership and sending signals from senior leaders that this matters. And the bar, the standards are incredibly high. And I often counsel my peers, a lot of it's about insisting on the highest standards and people need to see how high the standards are in security and what your lack of tolerance are for anything except those highest standards.
Investing in the right level of security for your organization
Clarke Rodgers (03:30):
What advice would you give your peer CEOs who maybe are not leaning in as much to security risk and compliance issues within their organization to get more involved in them?
Adam Selipsky (03:43)
I think the first thing would be to understand, how important is security to your business and in what ways is security important to your business? I think it's easy to say, "Oh, security is security, it always has to be the top thing that anybody is always worried about." And I already said for AWS it is, that's the statement about us and the type of business we run and the trust that our customers place in us to run their mission-critical workloads. But there are other businesses for which different aspects of their business probably have a different security set of risks and opportunities.
And so deciding, “Where does security really matter in my business?” And that's going to help me decide where to invest. Because I think it can be pretty daunting if the concept is, “Well, I have to invest a massive amount of money everywhere in security, irrespective of whether I manufacture farm equipment or whether I have a large social media website or whether I'm a startup in the data space.”
Clarke Rodgers (04:44):
Got it.
Adam Selipsky (04:45)
And I think the security priorities are going to be different. All of those types of companies are going to have security needs and the security will be important in one way or another. But I really encourage people to dive down deeper than that and figure out what the true priorities are. And that usually actually makes it a lot easier to invest because you say, "Hey, I'm going to start by investing more there and then we'll decide what the next spots are to invest." So that's probably the first thing I counsel folks.
How to communicate more effectively with your CEO
Clarke Rodgers (05:14):
So what advice would you give to CISOs who are trying to report security and compliance in a meaningful way up to the CEO, the board of directors, that kind of thing?
Adam Selipsky (05:26)
I'll tell you the advice I give my CISO and the requests that I have of my CISO, which I think
is probably very similar to what makes sense for other CISOs, which is to put a customer lens, a customer filter on your work, your job and the advice and the counsel that you're giving. The CISO's job is to enable the business to do what it needs to do and what it wants to do to delight customers and to provide value to customers, comma, securely.
So be innovative, be creative, find ways to say yes to the idea that the business wants to do, while at the same time being the champion of your customers in terms of operating securely."
And I think that creates great credibility because then the CISO becomes viewed as a valuable business partner, who is driving and enabling the business, as opposed to somebody you need to get a checkbox from.
And I think it totally changes the relationship and it also really helps with prioritizing the resources. So you can really then tell when viewing it through the customer lens of, “Where do we truly create customer risk if we do X?” Or “Where do we really create a great customer opportunity and security if we do Y?” If you think about it in that way.
And then by the way, I think also the CISO gains an enormous amount of credibility on those occasions where he or she does say, "I need to pull the Andon cord. We cannot, we should not do this. We need to fix something before we do." And if that is a rare occasion, then if you're smart, you will take that very, very seriously.
Clarke Rodgers (07:06)
That's fantastic advice. Adam, thank you so much for taking time out of your busy day to meet with me today.
Adam Selipsky (07:10)
It's a pleasure. Thank you.
About the leaders
Adam Selipsky
Chief Executive Officer, Amazon Web Services
Adam Selipsky is the CEO of Amazon Web Services (AWS), the world’s most comprehensive and broadly adopted cloud. He also leads Worldwide Sustainability for Amazon, overseeing efforts to scale and drive Amazon’s adoption of renewable energy, path to net-zero carbon emissions, and other company-wide initiatives. Having previously led AWS Marketing, Sales, and Support from its infancy, Selipsky was instrumental in launching and growing AWS from a startup into a multibillion-dollar business. In 2016, Selipsky left to become president and CEO of data visualization pioneer Tableau Software, where he led the company through its acquisition by Salesforce in what was the third-largest software industry acquisition at the time, before returning to AWS in 2021. Selipsky is the chair of the World Economic Forum Information, Technology, and Communications ICT governors community, serves on the Harvard Business School Dean’s Advisory Board, and is a minority owner of the Seattle Sounders soccer team.
Clarke Rodgers
AWS Enterprise Strategist
As a Director of AWS Enterprise Strategy with deep security expertise, Clarke is passionate about helping executives explore how the cloud can transform security and working with them to find the right enterprise solutions. Clarke joined AWS in 2016, but his experience with the advantages of AWS Security started well before he became part of the team. In his role as CISO for a multinational life reinsurance provider, he oversaw a strategic division’s all-in migration to AWS.
Take the next step
Innovation
Learn how industry leaders sustain continual innovation that grows their business and delivers differentiated customer experiences.
Listen and Learn
Listen to executive leaders and AWS Enterprise Strategists, all former C-Suite, discuss their digital transformation journeys.
Stay Connected
AWS Executive Connection is a digital destination for business and technology leaders where we share information, best practices, and event invitations.
Unlocking the Value of Generative AI for Business Leaders
Learn how to integrate generative AI/ML into your organization.