How Amazon CISO Amy Herzog responds to cybersecurity challenges

There is no such thing as a typical career path for many CISOs, and Amy Herzog’s journey is no exception. Herzog is one of several CISOs for Amazon, she is responsible for two large pieces of the company’s business: securing hardware devices and advertising products and services.

She joined Amazon in 2023 after holding IT management positions at Travelers insurance and at Pivotal, which was acquired by VMware. She has a deep security engineering background, working as an engineer for the MITRE Corporation for more than 15 years at the start of her career. There, she was co-author of two patents relating to cybersecurity.

How Amazon deals with common challenges CISOs face

One of the biggest challenges that many CISOs and CSOs have is to develop a collaborative working environment with other departments, so that security is not an after-thought or becomes a land of saying no to project plans and features. This isn’t just some empty corporate-speak: Amazon has had some success in this area, and Herzog describes how they accomplished this.

First, “we take a working backwards approach to product development. This means that we start by understanding our customers’ needs and build our products around them. From design time forward, our security and product teams work together to ensure our products meet our customers’ expectations for security.” 

The next step is to sit with the scientists and brainstorm their priorities to figure out who does which part of the protection. “Part of our mantra is that we bring in security specialists early in this process, so that they are part of the design and product teams and are very much collaborative partners, instead of addressing security later on in the development process,” Herzog tells CSO. 

This last point is sadly all too typical for many other companies because it puts security at odds with product development. “This means a security review is doing code scanning to find and fix stuff at the last minute,” she said. “Instead, we do scans throughout the coding lifecycle. While it is harder to do this, it provides a positive feedback loop and produces better and faster results and has the added benefit of having the security team feeling part of the development process as just another builder,” rather than some control point that could set up a more adversarial position. “Our goal is to engage early and often with the product team.” Call it the Chicago voting style of security management.

“Plus, if we do this right, when we do have a pre-launch review, it doesn’t take a lot of time because everyone has done their job all the way through the development lifecycle, which means fewer things to take care of before a launch.”

She says that “this collaboration has several other benefits, both in terms of building a better customer experience and also in terms of improved operational experience.” This collaboration also changes the way products are built “because security folks tend to think about products in a different way than product developers. But part of being a CISO is building strong foundations. We know the right steps to take, and now we must build the right systems and controls accordingly.” 

Throughout her career, Herzog has seen the evolution of cloud computing and the accompanying changes in cloud native security. “Some things we as defenders have gotten better at, such as establishing and enforcing trust boundaries among different organizations. Security across these boundaries requires a lot of care and nuance and thought, but fortunately the tools have gotten more sophisticated.” And that is a good thing, especially as the sophistication of attackers has also grown to develop malware that is better at hiding from defenders. 

Amy Herzog on securing internet of things, generative AI

Being responsible for device security means coming face-to-face with IoT, which is infamous for various security exploits. But she offers an alternative point of view: “Securing IoT isn’t all that different from securing heavily networked and interactive situations. All of them have controls to protect data. We dedicate significant resources to testing and maintaining the security of our devices.” Herzog said there are examples of automated scans and ongoing verification steps to ensure that software updates are authentic and applied properly.

A CoderPad survey of more than 13,000 developers found 59% said they use AI for code assistance, more than half said they use it for learning and tutorials, and around 45% said they use it for code generation.

Amazon is heavily involved in both developing new AI models as well as using it to secure their products and services. “We have a dedicated team of generative AI and security experts that develops security testing and controls for our AI models and services. They play an integral role in developing AI systems responsibly and ensuring they work as intended.” For example, Amazon tests their models using adversarial prompts and manual and automated red team exercises to identify vulnerabilities and address them early in the product development lifecycle. “These tend to surface unexpected responses and fine tune our models to discourage unreliable responses.” Amazon also makes use of extensive customer testing on disclosed use cases, and manual and automated security testing to identify potential vulnerabilities.