Amazon’s chief security officer says these are the 6 questions every board should ask its CISO

By Lila MacLellan, Senior Writer

Lila MacLellan is a senior writer at Fortune, where she covers topics in leadership.

Amazon CSO Steve Schmidt explains how boards can stress-test companies' security plans and examine the thinking that went into them.
Courtesy of Amazon

Good morning,

Like the SEC, Steve Schmidt, chief security officer at Amazon, doesn’t think that all corporate boards need to have a director with deep cyber expertise. 

The former FBI section chief, who also spent 15 years at AWS, believes that rather than understanding how a security plan works on a technical level the way a CISO does, it’s more important that leaders know how to examine the thinking that went into it.

“The world of espionage has changed from an implementation perspective over time, but the goals have remained the same since the Middle Ages,” Schmidt explains. That means that even though board members may not have tech chops, they can still be “asking the right questions.” 

Does a company’s plan demonstrate that security leaders are trying to predict their adversary’s next move—not just today, but several years out? Does it show an understanding of a bad actor’s psychology, their tolerance for risk, and how their comfort level might change over time or in response to world events?

“One of the reasons that [Amazon is] as good as we are at security is because security reports to the CEO and reports to the board regularly,” he says. Amazon’s board also has its own committee dedicated to security. 

For leaders to think about how robust their cybersecurity preparation is, Schmidt suggests that boards ask CISOs these questions:

Who owns security? The correct answer, in Schmidt’s view, is business line and division leaders who report to the CEO. If they aren’t invested in the safety of their department’s data, their staff won’t see security as their top responsibility. 

What kind of visibility do we have over all of our property? Adversaries are always looking for entry points into corporate systems, yet many companies do not have a catalog of their entire collection of data and hardware, including employee devices, servers, and software. Without that information, they can’t see where doors have been left unlocked and won’t know what to do when a breach occurs.

Boards also ought to ask how often said catalog is updated and how the security team is alerted when something has changed. “It’s often those little changes that occur over time that give adversaries opportunities,” Schmidt warns.

Who has access to what data? Why do they need it and for how long? Cyberattacks usually begin with someone stealing an employee’s identity, bribing an employee, or tricking them into handing over a password. Having legitimate credentials makes crimes easy to commit and difficult to detect, says Schmidt, so companies need to minimize each employee’s reach. He suggests boards ask their CISOs who can see what, why, and for how long, across the entire company. Also ask: How often are these parameters updated? At Amazon, the rule is that “you have access to no data,” says Schmidt, “unless it’s required to do your job at that particular point in time.”
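One way to make that question answerable is to keep every grant as a record of who, what, why, and until when, and then review the records mechanically against the rule Schmidt describes. The following script is an added example for this piece, not code from Amazon or from the article; the grant records, names, dates and the quarterly review interval are all constructed for illustration.

```python
"""Least-privilege access review over a constructed list of data grants.

Added example (not from the article or from Amazon): each grant records who,
what, why and for how long, and the review flags anything that does not meet
the "only what the job needs, only while it needs it" rule.  People, datasets,
dates and the 90-day review interval are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumption (not from the article): every grant must be re-confirmed at least quarterly.
REVIEW_INTERVAL = timedelta(days=90)


@dataclass(frozen=True)
class Grant:
    principal: str                 # who has the access
    dataset: str                   # what they can reach
    justification: str             # why; empty string means nothing was recorded
    granted_on: date
    expires_on: Optional[date]     # None means standing, open-ended access
    last_reviewed: date            # when an owner last confirmed the grant is still needed


def review_grant(g: Grant, today: date) -> List[str]:
    """Return the policy findings for one grant; an empty list means it is compliant."""
    findings: List[str] = []
    if not g.justification.strip():
        findings.append("no business justification recorded")
    if g.expires_on is None:
        findings.append("open-ended grant with no expiry")
    elif g.expires_on < today:
        findings.append(f"expired on {g.expires_on.isoformat()} but still active")
    stale = today - g.last_reviewed
    if stale > REVIEW_INTERVAL:
        findings.append(f"not reviewed in {stale.days} days")
    return findings


def review_all(grants: List[Grant], today: date) -> Dict[Tuple[str, str], List[str]]:
    """Map (principal, dataset) to its findings, keeping only non-compliant grants."""
    report: Dict[Tuple[str, str], List[str]] = {}
    for g in grants:
        findings = review_grant(g, today)
        if findings:
            report[(g.principal, g.dataset)] = findings
    return report


def is_active(g: Grant, today: date) -> bool:
    """A grant is active if it has no expiry or its expiry has not yet passed."""
    return g.expires_on is None or g.expires_on >= today


def who_can_see(grants: List[Grant], today: date) -> Dict[str, Set[str]]:
    """Answer the 'who can see what' question: dataset -> principals with active access."""
    reach: Dict[str, Set[str]] = {}
    for g in grants:
        if is_active(g, today):
            reach.setdefault(g.dataset, set()).add(g.principal)
    return reach


# Constructed sample grants; the people, datasets and dates are made up for this example.
TODAY = date(2023, 10, 20)
SAMPLE_GRANTS = [
    Grant("alice", "customer-pii", "handles support tickets", date(2023, 1, 10), date(2023, 12, 31), date(2023, 9, 1)),
    Grant("bob", "trade-secrets", "", date(2022, 3, 1), None, date(2022, 3, 1)),
    Grant("carol", "finance-ledger", "quarter close", date(2023, 6, 1), date(2023, 7, 15), date(2023, 6, 1)),
    Grant("dave", "customer-pii", "on-call rotation", date(2023, 10, 1), date(2023, 10, 8), date(2023, 10, 1)),
]

if __name__ == "__main__":
    for key, findings in review_all(SAMPLE_GRANTS, TODAY).items():
        print(key, "->", "; ".join(findings))
    for dataset, people in who_can_see(SAMPLE_GRANTS, TODAY).items():
        print(dataset, "is readable by", sorted(people))
```

Run against the sample, the review clears Alice's time-boxed, recently reviewed grant, and flags Bob's standing grant to trade secrets on three counts at once (no justification, no expiry, never re-reviewed), which is exactly the kind of quietly accumulated reach the question is meant to surface. Expired grants that are still provisioned (Carol, Dave) show up separately from grants that are merely overdue for review, so the owner sees which to revoke now and which to re-justify.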

How do we rank our assets, such as client data or trade secrets, by importance? The answer doesn’t matter as much as the fact that companies do the evaluation. Ask: “What are the things that I really care about? Where are they located? How are they protected?”

How many layers of protection do we have? No single layer of defense is 100% dependable, says Schmidt. Boards need to ask their CISOs: “Do you have a secondary line of protection, and can you respond quickly to that failure? Are we testing all the layers? What are the results?” 

How will we respond to an attack? Using simulation exercises, boards and management teams should design—and test—post-breach contingency plans tailored to each precious asset. “Plans which aren’t tested decay over time,” says Schmidt. “The world changes around us and businesses evolve.”

Lila MacLellan
lila.maclellan@fortune.com
@lilamaclellan

Noted

"This evidence is sufficient to support the SEC’s determination that regardless of whether investors think that board diversity is good or bad for companies, disclosure of information about board diversity would inform how investors behave in the market."

—In an opinion published last week, a federal appellate court in New Orleans explained why it supported the SEC’s approval of Nasdaq’s diversity rule, which requires Nasdaq-listed companies to disclose their board diversity metrics and have at least two directors from underrepresented groups on their boards. The court rejected arguments made by an anti-DEI activist group that had sought to have Nasdaq’s efforts blocked. 

In Brief

—Jeffrey Sonnenfeld, a professor at Yale’s School of Management and president of its Chief Executive Leadership Institute, has begun tracking companies that have made public statements condemning Hamas' attack on Israel that began on Oct. 7. Taking a public stance on the Israel-Hamas conflict is particularly fraught for multinational companies, but employees at Meta, Alphabet, Amazon, and others still expect their management to do so, the Washington Post reports. 

—Around 64% of CEOs foresee a complete return to the office, five days per week, by 2026, according to a new report from KPMG. The consulting firm surveyed more than 1,300 chief executives in 11 countries. 

—A Skechers shareholder is suing the company’s board for failing to stop senior leaders at the sneaker maker from booking corporate jets for private vacations. Specifically, the investor claims that Skechers’ directors neglected their fiduciary duties by allowing Robert Greenberg, the company’s CEO, founder, and chair, and his two sons—who are also Skechers directors and executives—to take Bombardier jets reserved for business use to places like Hawaii, Bora Bora, and Fiji.

—After running a successful proxy battle with Illumina this year, activist investor Carl Icahn is now suing several members of the biotech’s corporate board, alleging that the directors neglected to protect shareholders when they allowed the company to acquire Grail, maker of an early detection cancer test, over the objection of regulators in the U.S. and Europe. The complaint argues that the purchase tanked the company’s share price.

Editor's Pick

Sending and receiving personalized Cameo video messages from celebrities was fun for a while but—gasp!—it turned out to be a pandemic-era fad, according to a gripping new feature in the New York Times. 

Like many startups that have exploded into unicorns out of seemingly nowhere, Cameo’s growth—and eventual $1 billion valuation just four years after launching in 2017—was fueled by investments from overly exuberant venture capital firms, including Softbank. A few such early-stage firms “go on to become the next Facebook. But countless others blitzscale themselves off a cliff,” the story argues. Apparently, not even the star power of folks like Snoop Dogg, Alyssa Milano, and Brian Baumgartner (a.k.a. Kevin from TV’s The Office) was enough to prevent Cameo’s descent into the latter category. The company once employed nearly 400 people; now it has 33 workers and “operates as a husk of its former self.” 

This is the web version of The Modern Board, a newsletter focusing on mastering the new rules of corporate leadership.