
03 Jun 2024

3 themes to watch at AWS re:Inforce 2024

Glenn Mulvaney, VP, CloudOps & Security

I’ve been looking forward to AWS re:Inforce 2024 for a while now. For one thing, it’s in my hometown this year. For another, this year has been an inflection point in the information security landscape for a few reasons.


The ubiquity of AI

The explosion of generative AI technology and usage is never far from anyone’s thoughts these days. The agenda promises a security learning event for the generative AI era. When I think of AI in the context of information security, I think about 3 topics:

  1. How might bad actors leverage AI to increase the effectiveness of their efforts?
  2. How might security practitioners leverage AI to augment their security team’s kill chain for cyberattacks?
  3. How do organizations responsibly embrace the internal use of AI to innovate while ensuring security and governance, risk management, and compliance (GRC) controls protect themselves, their employees, and their customers?

A glance at the agenda shows workshops, lightning talks, and hands-on labs galore. There doesn’t seem to be a lack of AI-related sessions this year, unsurprisingly. I expect to find a lot of sessions touching on #1 and #2.

Topic #3 leads me to think about how many organizations will be developing AI technology and find themselves maintaining huge amounts of raw data for training. Are we facing yet another storage explosion driven by AI? A short time ago, petabyte-range data sets were relatively rare; today, a lot more companies are maintaining data sets in the petabyte range. Will the AI bonanza shift cloud storage needs into overdrive?

Of course, “securing AI workloads” is now on everyone’s mind. Bad actors will have new targets of opportunity if they penetrate an organization. The raw data required for training could be a rich target. Data flowing into training or inference could be “poisoned” to damage or skew how an AI might respond. How do we begin thinking about systematically learning to prevent, respond to, and recover from potential threats like this?

Adapting to changes in the GRC and legal landscape

Regulators at both the federal and state level continue to propose and enact stricter requirements on companies in various industries that require evidence of incident response planning, recovery planning, sufficient information security controls, risk assessment, and risk mitigation. Financial services and healthcare receive the brunt of the burden, but there are always downstream burdens to organizations that provide services to these industries. (For more on this, see Data compliance in 2024: Getting ahead of new requirements.)

GRC in the cloud has come a long way in a short period. I’m looking forward to attending several sessions in this area of focus, including:

  • GRC322 | Continuous resilience: Managing your application risks
  • GRC302 | Accelerating auditing and compliance for generative AI on AWS
  • GRC252 | Automate assurance evidence for generative AI with AWS
  • GRC351 | Best practices for using generative AI to manage cloud compliance

The burden of maintaining controls, detecting exceptions, and managing compliance programs continues to increase with emerging risks and new requirements. I’ve been pleased to see that AWS and AWS Partners continue to innovate to help their customers keep up with increasing GRC requirements via new services, better automation, and (you guessed it) AI technology.

Culture of security

I feel gratified that, year over year, more organizations are embracing the idea that information security isn’t just a department or team in a company. It’s a core component of a company’s organizational culture. It needs to be integrated in a way that doesn’t prevent innovation, but enables safe and responsible innovation that protects the org, the customers, and the employees.

I’m fond of talking about the PPT framework when it comes to an organization’s information security function. It’s the people, the processes, and the technology that are foundational to a successful culture of efficient operation and continuous improvement. What I’m looking forward to most at re:Inforce is the first component – people.

This conference is a stimulating environment. There are a ton of folks across many industries all coming together in one place. Partners and vendors will be showing their solutions; lecturers will be speaking. Security practitioners, researchers, executive management – all will spend a few days in close proximity because of interest in cloud security. Conversations will happen, thinking will be stimulated, and folks will return to their jobs with more knowledge, more ability to plan, and hopefully some strategies for improving their security postures at their organizations.

Have those conversations! Attend the sessions. Go through the expo hall and talk to the folks there, both at the booths and those wandering about like yourself. Go to a happy hour or two and chat with your industry colleagues! Stop by the Clumio booth #1503 and say hello to me, our Field CISO, and other security professionals. And don’t forget to register for the Clumio happy hour to unwind after the first day. I’m looking forward to chatting!

About the author

Glenn is an experienced technology leader with a 20+ year history in the Bay Area. He has established, scaled, and managed organizations at startups in both consumer and enterprise software markets, and is an experienced consultant and advisor with a focus in information security, compliance programs, and DevOps methodologies.