Get to Know the AWS CISO Circle Program

Clarke Rodgers (00:10):
Danielle, thanks for joining me today.

Danielle Ruderman (00:11):
Thank you for having me.

Clarke Rodgers (00:13):
So, if you'd be so kind, could you tell me a little bit about your background and what brought you to AWS?

Danielle Ruderman (00:17):
Sure. So my background is I actually started in IT as a computer programmer, and then I moved on to program and project management. And over time began working with some security clients. About three and a half years after that, I moved into a customer-facing role where I am today, with the Worldwide Security Specialist organization.

We created this program called the CISO Circles. It was an opportunity to bring together customers from all around the world to meet with each other and talk about topics that were important to them, but also meet with leaders from AWS Security.

This really gave us an opportunity to deeply lean into understanding our CISOs' concerns and what topics really resonated with them, and also develop a way to craft an event where we can encourage dialogue and encourage open sharing.

Clarke Rodgers (01:00):
What have you done to really facilitate customers meeting other customers and talking about security?

Danielle Ruderman (01:07):
One of the things we noticed is that there was an opportunity to bring our customers together to learn from and meet with each other. During the pandemic, this was a time where I think AWS and our customers were looking for ways to better interact and better share resources and information.

Some of the things that have enabled that is having NDAs in place for everyone and also following Chatham House Rule. When you bring a group of CISOs together, we really want everyone to be open. You need those things in place to facilitate a safe space for conversation.

Clarke Rodgers (01:34):
And has that worked out?

Danielle Ruderman (01:35):
It absolutely has worked out. The principle of Chatham House Rule is that you can use the information you hear in a closed-door discussion, but without attribution. That really gives everyone the freedom to share freely, speak candidly — which I think is very important in the security industry, that we can speak candidly — and then take that information and use it as you see fit.

Clarke Rodgers (01:55):
There are several popular security topics as of late. There's Zero Trust, generative AI and security — have those topics been broached in CISO Circles?
 

Chatham House Rule

Participants are free to use information gathered during the meeting, but neither the identity nor affiliation of the speaker(s), nor that of any other participant, may be revealed.
 

Danielle Ruderman (02:06):
We have seen Zero Trust especially be an enduring area of interest for our CISOs. They're getting asked a lot of questions by their boards, by their peer executives. It's an industry trend, and so we have really leaned in and offered some sessions and panel discussions around Zero Trust. Like how are we solving for Zero Trust?

Then of course, recently we've definitely seen the rise in interest for security and artificial intelligence come up in our surveys and our discussions, and so we've just started leaning in with that topic as well. Some other things that have come up is an interest in “What is AWS seeing in the emerging threat landscape? What can we share back to help our customers make actionable decisions about how to protect their environments?”

Some of the most candid discussions have been around the impact of ransomware, Log4j and incidents that customers have experienced, and giving CISOs a safe place to really talk about the impact to their business, how their executives dealt with some of these issues, how their boards responded. You know, talk about what really happened behind closed doors and give each other advice. We all know at some point we find ourselves in unfortunate situations, and knowing that you have the support of your peer community is very, very important.

Danielle Ruderman (03:18):
For every event that we do, we have two things. We have a written survey — so we actually have topics listed out that we ask CISOs to respond to and add to if they need to — but we also make this a part of every discussion, where we wrap up the meeting with an open discussion about topics. This gives us an opportunity to really dig in and find out what topics our CISOs are interested in and why, and then also tell us what we might not be thinking about, which has been very helpful.

So, we try to create an environment where our customers can learn from each other, but it is also an opportunity for AWS to learn from our customers, and we take that very seriously. Anytime we hear feedback about our services, about the way we do business, anything to do with AWS, we do surface that back to our leadership. Again, under Chatham House Rule, we don't attribute where it came from, but we do keep track of the rough edges where we need to lean in, and then we can turn around and make AWS, our services, better for all customers based on this feedback, and that's really the primary goal of this program.

And so, once we take that data back, we can see across the entire program globally what topics are resonating with our customers, but it also gives us a better understanding of what topics resonate within different verticals or within different geographies. Then we take that information and, when we build out a schedule for virtual events, we stick to one topic, right, because we know folks don't want to be online looking at a screen for longer than about an hour or 90 minutes.

Danielle Ruderman (04:41):
For our in-person events we have the opportunity to really expand, so we can do anything from a half day to a full day of content, and we'll look at the topics that have resonated for our customers and we can pick several of those topics. What we do is we ensure that we have a minimum of one hour per topic to talk about.

So typically what we'll do is bring in an AWS expert on the particular topic for the beginning of the hour, just to set the stage, and then open it up to discussion with the attendees. We have had some very lively and very engaged discussions in this format. Another thing that's been very popular is to do panel discussions. Sometimes we'll have a mixed panel with AWS leaders and customer leaders.

Clarke Rodgers (05:19):
Oh, cool.

Danielle Ruderman (05:20):
Or we'll do an entire customer panel on a particular topic. This really, again, allows our CISOs to hear directly from their peers, challenge them, ask questions, and again, provoke that very open dialogue.

Clarke Rodgers (05:30):
How are these CISO Circles divided up? Is it like all financial services CISOs together, retail CISOs together, or do you mix it up by global region?

Danielle Ruderman (05:20):
We actually do all of the above. And so over time we've started to specialize in different verticals. So we've actually done several CISO Circles for the energy sector, for example. We're leaning into the automotive industry, financial services, and so there'll be more like that coming.

Many of the problems are very similar across the industries, and that is one reason why we've had success with these mixed-cohort groups. However, there are in some industries, for example, I'll give you the energy sector. We've done some energy CISO Circles recently, and of course the topic of critical infrastructure comes up. And so, making sure we have speakers who can speak to how AWS is solving for some of these challenges and other experts to really lean into those particular problems has been very helpful. So, while the general themes are the same — we're all concerned about ransomware, we're all concerned about identity — there are these very specific nuances to some of the industries that we're able to cover.

I think it's good to have that mix, because sometimes it's good for different industries to learn from each other or they want to talk to someone who does the same thing that they do, but we've also seen great cross-pollination between different industries, smaller customers with larger customers. It's a real opportunity for everyone to learn something new or something unexpected.

Clarke Rodgers (06:54):
What, if anything, are you doing for other parts of the security organization, so security engineering, security developers, that sort of thing?

Do you have to be a CISO to attend a CISO Circle?

Danielle Ruderman (07:02):
That's a great question. Our CISOs enjoyed the program so much, they actually said, "Wow, I would love my team to be able to experience something like this," and thus was born the sister program, the Security Builders Circle, and we created it with a very similar format. Again, we want to be under NDA and follow Chatham House Rule, to give the security leaders under our CISOs the same opportunity to come together, lean in and discuss these topics with each other.

For those circles, we tend to go more deeply into the tech, go more deeply into the services. This has really given us an opportunity to understand how our security leaders are implementing our services and solving for their challenges, and where the rough edges are for AWS and how we can do better. So, again, it's another opportunity for our customers to learn from each other, but also for us to learn from them and make sure that we are really meeting them where they are.

Clarke Rodgers (07:49):
Anything else coming down the way for other security or compliance practitioners?

Danielle Ruderman (07:54):
Yes, so based on the success of the program, we're looking at some other ways to support our customers. One thing we're going to be doing is expanding into the risk and compliance space.

So, we'll be creating circles specifically focused on governance, risk and compliance, so we can get those subject matter experts and those executives together, again, to focus on those issues that are really important to them. Something else we're leaning into is the emerging leaders, so aspiring CISOs.

We have deputy CISOs or other senior leaders on the CISO's team who are looking to, "How can I move into that role?" There's a lot that we can do to support them and bring them together as a cohort. How are they learning and preparing for those future roles? It's very important in security. We need to be constantly building our future leaders.

Then we've also had some discussions about women in security circles, so the women CISOs, women aspiring leaders, so something like that, again, to bring together these cohorts in this kind of environment.

Clarke Rodgers (08:47):
So, if I'm a customer and I'm interested in learning more about the CISO Circles, how do I go about it?

Danielle Ruderman (08:54):
We recommend you reach out to your account manager and they can find out if there's a cohort in your area, in your industry, let you know the schedule when one's going to happen. If we don't have a cohort near you, then we'd love to talk about creating one.

► Request more info