Tuesday, December 9, 2025

Amazon Takes Own Approach To Cybersecurity

 

“Many generally accepted cybersecurity benchmarks don't mean much to Amazon.com.

 

Amazon is so big, it has had to come up with its own methods to understand its cyber risk, said Stephen Schmidt, chief security officer.

 

Basic metrics, such as cyber spending as a percentage of the overall technology budget, might be useful for a business to compare itself with a direct rival but they don't reveal essential security weak spots, he said.

 

Instead, Schmidt wants to know, for example, when any employee adds a new phone, laptop or any other device to the corporate network. He also wants to identify the oldest technology in use at the company, which might be unpatched or otherwise not secure. These two chores are notoriously difficult but they are among the best pointers to where cybersecurity threats may gather against the second-biggest company in the U.S.

 

"If you don't have inventory right, you don't know how big the threat landscape is," he said.

 

With a combination of commercial and homegrown tools, Schmidt's team works with Amazon's tech group on these efforts, which are continuing, in real time. Each team in the cybersecurity group meets weekly to discuss metrics and new findings. Periodic scans -- the typical way companies inventory their technology -- age quickly, he said.

 

All companies should push for continuous tech inventory, he said. "Our adversaries are not going to get slower at exploiting things. We have to evolve," he said.

 

Schmidt, a former section chief at the Federal Bureau of Investigation, is an engineer by training and by heart. He joined Amazon in 2008 as director of software engineering and has carried an exacting approach to data from position to position, running cybersecurity at Amazon Web Services for 12 years before taking over as Amazon security chief in 2022.

 

Amazon, like many companies, runs dashboards that track various security metrics. But Amazon's are more granular than most. No green, yellow, red indicators or formulas that repackage raw data.

 

"I have actively resisted such a thing. It obscures the real detail necessary to understand [risk] and it allows practitioners to game things," he said.

 

He also dislikes averages, such as the average time it takes a team to patch a vulnerability. Instead, he wants to know, for example, the longest period it took and why. "When you're operating a large-scale distributed system, the outliers really matter," he said.

 

Amazon is the rare company whose board runs a committee dedicated to security. Just 15 firms in the S&P 500 have a cyber committee, according to MyLogiq, a public-company research provider.

 

The three-director security committee at Amazon met twice in 2024, according to the company's latest proxy report, and discussed ongoing investments in security infrastructure and internal audit findings related to cybersecurity, among other issues. "We present metrics to them every time we meet. They are interested. They care," Schmidt said.

 

---

 

Kim S. Nash writes for WSJ Pro Cybersecurity” [1]

 

1. Amazon Takes Own Approach To Cybersecurity. Nash, Kim S. Wall Street Journal, Eastern edition; New York, N.Y. 09 Dec 2025: B4.
