 Hello everyone, welcome to theCUBE's special presentation of the AWS startup showcase on cybersecurity. This is season three, episode three of the ongoing series, covering the exciting startups from the ADOS ecosystem. I'm your host, John Furrier, here at theCUBE. And today we're excited to be joined by Brian Lozada, CISO for a prime video, part of Amazon, Amazon Studios. Brian, great to see you, CUBE alumni, great to have you come on, headlining the keynote for the showcase. Thank you, John, appreciate the opportunity to look forward to being here. You know, as these startups kind of come out and tell their story about cloud security, data's huge, right? Data's a big part of it. We're living in the biggest hype market of all time since the web, in terms of new, net new things happening, building on existing capabilities, really perfectly positioned for what security needs because budgets aren't really increasing radically. But data is, and threats are. So this is a big topic, having automation, having data available for potentially doing new things. And this is the whole topic of the security startups in the cloud these days, is data-driven. This is a huge market. Totally agree. I think data is what allows businesses to actually move forward, make decisions, help improve the product, improve features, improve that customer engagement. So the responsibility of organizations to secure that data is where, I think a lot of organizations are either heavily investing and looking for that partnership with either startups or those trusted third parties that can help align, especially in the build cycle. When you think about it, like leveraging data to drive those innovations, there's a lot of risk that comes with it. So really, leaning in there is important for organizations. Brian, one of the things I want to talk to you about is the pace of play in the security business has increased, obviously with the tsunami of data and more faster action cloud scale. Obviously, before we get into that, pace of play reminds me of what Prime Video does with the NFL. You got a lot of sports on there. Well known consumer service. You're the CISO. So take a little bit of time to explain what's going on at Prime Video these days. What's the hot things? And as a CISO, what are you protecting? So we have a lot of exciting things going on at Prime Video with a lot of customer engagement, like things happening this week. We're excited about Thursday night football starting. So we have a lot of customers coming in to enjoy that content. So from a security perspective, our focus is to ensure that that stream stays available and stays ready for our customers and that the customer's going to enjoy the content. We have a lot of interesting features that are going to drive a lot of engagement with Prime Vision and bringing the customer closer to the game. So they could really enjoy the different aspects of the game that you've probably never seen before and only being offered on Prime Video. So it's pretty exciting. I had a chance to talk to some NFL CISOs and one of the things they all worry about is hacking the scoreboard in a little things like that. But that's what it is. Everything is surface area digitally now. So this is something you got to watch out for even on the Prime side, broadcast, the digital piece, anything you guys are putting out there has to be protected. Absolutely. The broadcast itself, anything that we're doing with our partners, the game itself, like you said, like altering the scoreboard or something like that, it impacts how customers are enjoying that content or it can impact what customers are doing with that content as well. So things that we just optimize for and ensure that we're taking care of that from camera all the way to the consumer. Okay, back to the pace of play. I've mentioned that earlier. One of the things we observed at our SuperCloud 3 event we just had last quarter on security and data AI is that it was unanimous amongst the practitioners and the industry experts that the pace of the industry is at an all-time high. The velocity of data, the velocity of change and the velocity of skill sets are all kind of the perfect storm is happening at once. And yet the tech is available too. You got some enabling platforms, you got the platforms versus tool argument. This is now part of the landscape. And so the conversations around architecture, how does an organization want to roll out their security strategy from an architecture standpoint when you got, okay, all kinds of configuration, telemetry, devices, tools, you got operations and you got talent. All these things are matched up into one melting pot. What's the current state of this market given the pace of play is so high and the new things that need to get done are now potentially available? So I think from an architecture perspective, it's something that the organizations need to look at as how they are servicing their customer, what offering they're giving their customers and look at the architecture from that point. Looking at from the customer back and saying how can we look at securing that infrastructure or that critical path of that customer coming into the service or coming into the product and then whatever that product or service is that's being delivered back to the customer. Those two critical paths need to be really focused on from a security perspective. And then you talk about talent and how security talent is to enable the business is to really look at those critical paths and say, this is where the talent needs to be to help those builders build that critical path with security in mind and make sure security is part of that journey, part of that story. So that's where organizations should be shifting a lot of their focus Look, security practitioners, it's we're still a field with negative unemployment. So there's not a lot of security practitioners to go around. So using them in those critical paths of the business is crucial to ensure that we're protecting that data coming in or any of the service or product that's going out. I want to get your thoughts on the trends that are out there. So we saw cloud, gen one come in, kick ass, take names, SAS enabled, market, Amazon number one in the world, change the world, right? Cloud turns IT into DevOps. Now you have next gen cloud coming, which is more scale, Amazon's partners now have ecosystems of their own. Their platform's on top of Amazon. So you have the rise of application services within the stack. So once an IT stack is now an application stack. So all those things are in there, configuration, you got vulnerabilities. And so you got the dev piece comes down into the IT world, okay? And now you have a developer centric market. So you have developers shifting left. Okay, that's been discussed. But now you got the role of data. AI is here, right? AI has some risks. For example, LLMs are not always secure and integrating data amongst other things is a data supply chain potential problem. So you start to see the role of a data developer. What's your reaction to that? Do you see that same thing? And if there's a data developer, then they might be AI native app services or is AI native application? Again, this is kind of part of the hype market, but people are talking about how the stack is impacted by data and scale. I think data definitely does dictate a lot of what an architecture could be because you are learning from that data and actually how you use that data to change features or change how your response should be to the product or to the customer. So having a data driven developer, I think we've been there for years. I think we're just kind of like talking about it now as a core function, but I think that that's been available for a while. LLMs are definitely changing the way that we look at problem sets and we're definitely changing the way how we're looking at using data to solve a problem or looking at data for opportunities. So I think organizations need to look at how using LLMs within their work or within their work streams, it's going to be a risk-based approach. Are you going to use a public one or are you going to create your own, the data that goes into the LLMs? Do you have any insight onto how those models are being trained? Because if the data that's coming out of it and your developers or your organization is making decisions off of that, you need to do that diligence, right? So I think there's a huge, huge market, huge opportunity for really leveraging LLMs to enable business responsibly. And I think there's an opportunity for innovation to be driven there on the technical side, more so on the opportunity side of business side as well. Awesome, how is AI and machine learning being integrated into an organization's strategy? Obviously, AI is going to change the security landscape because it has advantages, but also it brings a double-edged sword. For the good side, there's a bad side, right? So talk about AI from the op standpoint to the threat detection and response and remediation. So I think like LLMs are being used, like we're using them as technologists, but threat actors are using them as well. They're innovating as well on their attacks, right? And LLMs don't really change, well, they change a lot, but I think what they give is the opportunity for threat actors to have higher scale of their attack and more sophistication to their attack. And it actually shrinks the cost of an attack when a threat actor is using it as a tool. So I think as security practitioners, we need to look at how threat actors are using LLMs and what our response could be to that. Also, how our internal employees are using LLMs and introducing risks to the organization unknowingly. So what can we do to help, again, maybe enable some of that responsibly within the organization? Then I think a third area that security practitioners need to look at is, how can we use LLMs responsibly internally for our employees and offer it as a business enabler? I think there needs to be guardrails that need to be built. I think there needs to be technology that helps drive that responsible use or that responsible use and enablement across the organization. Again, those are going to be a lot of areas of opportunity for innovation over the next few years around LLM and security alone. You may not be able to talk about it publicly, but I have to ask, because Amazon Prime is, I'm a customer, love the service, you guys are multimodal. You got video, you got images, you got computer vision, you got metadata, you got audio, you got text. As a company that's doing media, honestly, we love that. You're also an opportunity with all the AI foundation models emerging. So you got computer vision. How do you think about that? Obviously, from a hacking perspective, I'd love to take over the stream if I'm a hacker or maybe and want to or inject a mid-journey image in there. Or it could be a positive thing, could be advertising could be completely driven by AI, another cool thing. As a CISO, how do you look at that? Because you're dealing with multimodal asset base. No, totally. I think you bring up some interesting risks when you talk about hijacking the screen or the stream and then maybe injecting some content. We think about that. We think about that constantly. So that's why we're always kind of like focusing on from camera all the way to consumer, all of those points where that could be a risk and how we are looking to optimize to secure that. But I think the more and more media and taking the media industry as a whole, the more and more media goes towards a streaming or digital distribution kind of like outlay for customers, those risks are going to come out a lot more. And how media is distributed is, threat actors are thinking about it. Is it's either to inject ads or even distribution of their own ideology or their own kind of like messaging to a broad audience, right? So as security practitioners in the media space, that is constantly something that is going to be evolving. As the technology evolves for us to distribute that content and that media, the risk also evolved. And that's just something that it's going to be constantly changing for us. You have all the same risks that enterprise does, except it may not be known that Prime has a mobile crew that goes around city to city. So the ultimate IoT device, things like ransomware could be applied. So you got to lock this down. Is it OT or IT technology? Do you put processors in those cameras? Do they multi-threaded? I mean, these are things you have to look at. All of those things get thought about. Down to the hardware level. So you have to go all the way down to the zero trust hardware, firmware level. Absolutely. I think you have to. I think in, again, when it comes to the digital distribution of content as it continues to evolve in the industry, that security practitioners need to think at that level because any opportunity where the stream or that content could be interrupted, hijacked, or misdistributed is a risk. So on the flip side, AI could be used to improve cloud security, detect phishing attacks on equipment and devices, like essentially your manufacturing video, but you're like a rolling, like a lab and like a manufacturing lab. How do you guys look at using AI to improve security? Is there a directionally correct North Star? Are you guys deploying anything? What's the current state of your view there? It could be used. It has to be used with that lens of the diligence that you put into the AI technology and where you're going to use that tech within the tech stack. It can't be something that it's a broad stroke that's just going to help me solve a problem. That just doesn't work that way. You really need to do diligence on the particular problem that you're solving across the stack, what AI solution or tool you want to throw at that problem, and then the output that comes out of it, how you're going to apply it in your build and in your remediation phases. I don't think there's going to be something that says, hey, this is going to fix it. There's not going to be an easy button or a fix it button, but I think there could be ways where AI could help solve those problems quicker and drive to a remediation phase quicker that helps builders, helps enablers, helps security practitioners reduce that risk in a shortened timeframe. From events to on-demand libraries of content and everything in between, Prime's got a lot of action. AWS talks a lot about the shared responsibility model, cross different services or clouds or environments, tooling APIs, et cetera. There's also compatibility, interoperability theme of this showcase we're doing. Does this whole shared responsibility thing working out well? Does it create seams that adversaries could exploit? How do you look at that? Because you can think, okay, maybe there could be a seam in there somewhere between working with different environments, different platforms. How do you look at that as a seesaw? How do you sleep at night knowing that there may be a seam there or not? Yeah, it does. I'm a big fan of the shared responsibility model. A few reasons why. I think the shared responsibility model puts accountability across both teams. It puts it across the cloud side. It also puts it across the consumer side or the consumer of the cloud side. It drives innovation in my opinion because it helps folks that are using the cloud build in the security that they need to into their environment the way that they need it to service their customers. And I also think it helps cloud providers and AWS really drive that enablement towards customers to build that in. So I think that the shared responsibility model is appropriate. I think it's something that could really, really push innovation across both sides. The security industry is evolving fast. We got a lot of startups here in the ecosystem presenting their stories, their fast growing. What has cloud security done to the security market? I mean, obviously it's evolving faster. We're kind of on this next gen as I've been talking about. How is security evolving and how do startups participate in the large scale enterprises? Again, because this fatigue everywhere, again, budgets aren't going up, but data isn't the threats are. So take me through your view of the security evolution now and the role startups can play and where they win and why companies should look at the startups. Yeah, great question. I love working with startups. I think it's fun to work with innovators and how they're thinking about particular problems. When it comes to cloud security, I think startups can help organizations drive their cloud adoption or drive their cloud migration quicker and with security built in or enable them to build that security in. I think there's a huge market still for a lot of organizations to move to the cloud or continue innovating with the cloud and they need startups to kind of like help get them there and jumpstart them into that phase. Now, there's areas where I think startups can help look at where a lot of cloud migrations have failures or have issues and focusing on their product in that area. You're going to get a lot more adoption from the industry to consume that product and really come onto that startups in that startups view. So I think those are areas that I think startups could really look at is like what are the pain points that organizations have when they're either moving to the cloud, building in the cloud and shorten that time up. That's where there's a huge, huge market for cloud security startups. And if you're watching this, the 10 startups presenting, check out their sessions. Definitely good, great companies. I think that, and to your other point too, about data and like everything matters about like the data that you're putting in the cloud, how it actually is being stored, how it's actually being used, all of the security around the lifecycle of that data is incredibly important. And again, when organizations are either migrating to the cloud or they're building in the cloud, coming up to speed on actually doing that, it's costly. It costs on the engineering side, it costs on the infrastructure side. So if startups can help drive that in a more effective way, they're really going to get the attention of the organizations. One thing I wanted to bring up that came out of the startup interviews we've been doing is that you got kind of a consumer vibe with AI. Obviously people see some of the consumer aspects and they go, oh my God, it's magic. All the insiders have seen, okay, we know machine learning does, okay, great. Generative AI is generating stuff, okay, cool. Now, if you look at the markets, really an enterprise market, security and where AI is going to win is going to be in the enterprise. So enterprise is not as easy as just saying, hey, it's a new startup and it's just rockets. You got to do a lot of thinking around integration, security. And so we're expecting to see a bolt on with AI and machine learning instantly, but also use cases that need to be thought out that are net new. So start building in use cases for either natural language or AI native, like use cases that are further downstream. This seems to be the general consensus of most of the experts in the companies. Okay, do you first, do you agree with that? And then two, how does an enterprise get ready? Because you have a lot going on at Prime. You got the entire franchise at Prime and you also work with other companies that aren't Amazon. You got relationship, you got APIs, you got to cross different platforms. So it's not easy, it's not trivial. Yeah, it's not trivial, I agree. I think it's a great point. I do agree to a certain extent that organizations need to start looking about building their future products or evolving their current products or their current infrastructure with LLMs, AIs, how it's going to enable. That's a big statement and that's a long journey. That is not something that's going to happen overnight. I think a lot of diligence needs to get into that process, into that vision on how it's actually going to happen with effectiveness so that it doesn't become something that introduces risk to the organization. It's just, you can't just say AI is going to solve your problem. You have to be particular on what you're going to do. I think organizations that are building in the cloud native or building a product from scratch, there is an opportunity to start saying we're going to build it with AI or LLMs from the start. That'll help it evolve over time. It doesn't absolve it of risk. It doesn't absolve the diligence that you need to do to get there, but I think it'll help shorten a lot of the integration points that you were talking about because you're building from the start with it. Brian, that's a great point. And by the way, I would agree with that statement 100% because if you look at the cloud, one data or Amazon was the only game in town at that point in late 2000s. Basically the SaaS cloud native born in the cloud, they were the ones that rose right out of the gate. Wasn't the enterprises adopting cloud? Yep, they didn't come until even today, some enterprises are still moving over. So to your point, similar trend line, right? The SaaS startups come out of the woodwork, Airbnb, no one's ever heard of them. Twitter started in the cloud, AWS. I mean, Amazon ran the table every single startup born after 2006, probably used AWS, almost. Totally agree. Yeah, totally agree. And I think, again, there's an opportunity for that same type of trend to happen with AI and LLMs now. Yeah, and I think what's interesting now is AI enterprises can do that AI native because cloud does exist for them. You know what I'm saying? So they're like the startup, you know. They are like the startup and they can ideate within their own environment, within their own cloud environment. So they absolutely an opportunity, but again, from a risk perspective, just that diligence. And also from a leadership perspective, like the organization needs to know that they're going to be using a technology that is still in its infancy. So there is going to be, it's not gonna be a smooth road. There's going to be areas that you're gonna have to grow as that technology is growing as well. Brian, you're a practitioner for a prime video. Your peers are out there. They're trying to prepare for the future, set the foundation now, Gen 1 cloud, prepare for this next generation wave coming. And yes, the cloud is already out there. So they're on the cloud. So they can be agile, they can move fast. They can be like a startup, okay, from a speed standpoint, whether it's business transformation, whatever project. So a lot going on for the enterprises now, unlike how hard it was to move before, as we just talked about. So what's your advice for the folks watching and for the startups out there too, we're also trying to get a position in there to navigate the landscape, to be in the right position, to take that tailwind when the gust of the wave comes, they can be on the right side of the history here. What's your advice? Yeah, that's a great question. I'd say, listen, for the enterprises that are out there that are already in the cloud and they're looking to continue to maintain their environment, to build them and IDAID on top of them is continue to look at those areas that there is opportunity to take advantage of new technology and see where you could actually push a little bit, lean a little bit more to, whether it's good for customer acquisition, customer engagement or on the security side, drive better security operations and remediation. On the startup side is again, if you really, you have a great idea and your product is really going to solve that problem. For us as practitioners, you need to help us understand where that fits into our tech stack, into our already existing tech stack, into our already existing operation, our enterprise operation and help us bring that into our organization as a sales point, right? This is how it's going to either replace an existing tool or shorten the time window for us to solve a problem. I think startups sometimes come into the environment and they, hey, we're the silver bullet, we could do this and it's, hold on, like you don't know my world, you don't know my problems, you don't know what I'm trying to accomplish. You don't know my yearly roadmap. So understand your customer first, understand your customer problems and then start talking about how your particular tool, product or solution is going to address that. That helps us, again, as CSOs or as security practitioners, get the startup in quicker and to really evaluate it. I like being design partners with startups. I think it's important to give that feedback to the startup so they can incorporate that into the product, I mean, get it firsthand from a practitioner, somebody at the ground and it just helps, it helps on both sides. That's great advice and nice bar you just raised for all the people who want to sell you something. Well done. Keep that for later. Watch the video, you'll know to get in front of you. Final question for you, you're the tech athlete out there, you're on the front lines, you're moving fast, the pace of play is high in security. You got a target in prime video, I'm sure every hacker would love to have that prize. It's well-known franchise growing. How do you keep up? I mean, how do you stay ahead? How do you stay in shape, so to speak, in terms of staying on top of things? Share your philosophy on being a CSO at the tier one. I think tier one, thank you, that's a great question. I leverage my network a lot when it comes to seeing what is the latest area to either threat actors or latest areas to actually lean into when it comes to innovation. So I think my network is something that I can leverage. It does help that working at Amazon, there is a lot of ideation, a lot of innovation going on here that really helps keep us up to pace with everything that's happening. But I also like to look at those areas that are not so much public, right? When I go to like conferences, like your big conferences, your RSAs or something like that, I don't go to the middle of the floor for the vendors. I actually like going to the outskirts, the ones that actually can't afford the marketing budget of the $25,000 per pop, right? Those are ones that could only afford like the, those are the technologies that I kind of like to lean in on. I'm like, what problem are you looking at? What threat actors are you tracking that maybe no one else is kind of like looking at? So those are the areas that kind of like keep me, I guess, in shape, if you will, from a tech security perspective, and it's the fun area, and this is why we do what we do in security. Let's find those gold nuggets, the diamond in the rough, as they say, and great strategy. And Brian, we've got 10 presenting this episode of season three here. It's on cybersecurity. I mean, it's basically everything is now something plus data, right? So. Yeah, everything's data, everything, everything's data. Great to have you on. I know you're super busy with your schedule and a lot of big things happening. You got to get to, I really appreciate taking the time, keynoting the showcase here this year, this episode three. Thanks for your time. Now, thank you very much, John. I appreciate it. Have a good one and I look forward to the showcase. Awesome. This is season three, episode three, the ongoing series covering the exciting hot startups from the Amazon Web Services ecosystem. John Furrier, your host. Thanks for watching. See you next time.