Shifting security left: Advice from Amazon Prime CISO Brian Lozada

Luke Tucker
Monday, Feb 13th, 2023

It was wonderful getting the cloud security community together in New York City last Thursday. We were so thankful to have Brian Lozada, CISO of Prime Video & Studios at Amazon, join us for a brief Q&A with Panoptica CEO and Cofounder Vladi Sandler.

Here’s a quick recap of the discussion. A common theme for winning together: SecOps working seamlessly with DevOps. Let’s dive in…

Configuration Management: Is it better for DevOps / DevSecOps teams to use golden images/IAC/golden pipelines versus relying on automated remediation?

Auto-remediation depends on developers. The fewer moving parts, the better. Brian notes there is opportunity here, but it must be approached with caution and done hand in hand with developers. While it has the potential to save time and improve the efficiency of security operations, it can also be risky and cause more headaches for your DevOps teams if not implemented carefully. Read more about the Dangers of Corrective Auto Remediation in Your Public Cloud.
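The trade-off above, as an added example (not code from the talk, from Amazon, or from Panoptica): a drift check that compares a resource's observed state against the golden baseline the IaC pipeline declares, and only auto-corrects the attributes the owning developers have explicitly agreed to, reporting everything else for a human to decide. The attribute names, values and allowlist are constructed for illustration and are not any cloud provider's schema.

```python
"""
Golden-baseline drift check with a deliberately narrow auto-remediation scope.

Constructed example: a security-group-like resource with a flat attribute set.
Attribute names, values and the allowlist are illustrative assumptions.
"""
from dataclasses import dataclass

# Golden baseline: what the IaC template says the resource should look like.
GOLDEN = {
    "ingress_ports": [443],
    "ingress_cidrs": ["10.0.0.0/8"],
    "logging_enabled": True,
    "owner_tag": "payments-team",
    "instance_type": "m5.large",
}

# Constructed observed state: someone opened SSH by hand, widened the CIDR
# and switched logging off.
OBSERVED = {
    "ingress_ports": [443, 22],
    "ingress_cidrs": ["0.0.0.0/0"],
    "logging_enabled": False,
    "owner_tag": "payments-team",
    "instance_type": "m5.large",
}

# Attributes the owning developers have agreed security may correct
# automatically. Everything else is reported only; reverting a firewall
# rule or CIDR blindly could break an authorised change or an active
# incident-response session, which is the "more headaches" failure mode.
AUTO_REMEDIATE_ALLOWLIST = {"logging_enabled", "owner_tag"}


@dataclass(frozen=True)
class Drift:
    key: str
    expected: object
    actual: object
    action: str  # "auto_remediate" or "report"


def detect_drift(golden: dict, observed: dict, allowlist: set) -> list:
    """Return one Drift per attribute whose observed value differs from golden.

    Keys present on only one side count as drift (expected/actual is None);
    a key missing from golden but in the allowlist would be removed on
    remediation, so keep the allowlist to attributes golden actually declares.
    """
    drifts = []
    for key in sorted(set(golden) | set(observed)):
        expected = golden.get(key)
        actual = observed.get(key)
        if expected == actual:
            continue
        action = "auto_remediate" if key in allowlist else "report"
        drifts.append(Drift(key, expected, actual, action))
    return drifts


def plan_remediation(drifts: list) -> tuple:
    """Split drifts into the patch that may be applied and findings for review."""
    patch = {d.key: d.expected for d in drifts if d.action == "auto_remediate"}
    findings = [d for d in drifts if d.action == "report"]
    return patch, findings


def apply_patch(observed: dict, patch: dict) -> dict:
    """Return a new state with only the allowlisted attributes reverted to golden."""
    return {**observed, **patch}


def pipeline_verdict(findings: list) -> str:
    """Fail the pipeline when anything needs a human; never silently pass."""
    return "fail" if findings else "pass"


if __name__ == "__main__":
    drifts = detect_drift(GOLDEN, OBSERVED, AUTO_REMEDIATE_ALLOWLIST)
    patch, findings = plan_remediation(drifts)
    print("auto-remediation patch:", patch)
    for f in findings:
        print(f"REVIEW {f.key}: expected {f.expected!r}, found {f.actual!r}")
    print("pipeline verdict:", pipeline_verdict(findings))
```

Run as a pipeline step, this reverts only the logging flag and fails the build on the two ingress changes so the owning team looks at them; widening the allowlist is a decision made with the developers, not a unilateral security setting.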

Talent: How can you scale security when engineering responsibility is owned by a CIO or CTO organization? What skills are necessary for success on a DevSecOps team?

First is recognizing there currently isn’t enough talent. Brian notes, “Security has negative unemployment.”

Leaders should assess, “How can your talent be successful in your environment?” And the key thing is developer behavior and preferred practices. Security has to understand the developer pipeline and work streams. Make deposits before you make withdrawals. Invest in getting an intimate understanding of them and their work. Then you can collaborate and advise on how security can be a part of that.

Security must ENABLE, Brian says. Hire or train folks to think with a problem-solving approach. At Amazon, he tells his team to be engineers first, then bring security into that mindset.

How do you train and develop engineers and software developers to integrate security into their processes?

It goes back to their workflow. Especially in big organizations, bring everything back to their comfort level within the CI/CD pipeline. Since every team has its own pipeline, it is security’s role to educate itself. Security has to understand first and then take action.

Become a value add. Devs DO NOT want to be slowed down; you’ll get stiff-armed. Make it as easy as possible. Make it conceivable for developers … they need to consume it, Brian says.

Helping cloud engineers at every phase in their journey

It was great to bring 50 cloud security engineers and partners together for celebration and learning at our second New York City cloud security meetup. We are so thankful to Brian for sharing his thoughts and can’t wait to do it again soon.

Panoptica customers and team members alongside Amazon Prime CISO Brian Lozada