"Threat actors have a goal in mind and they'll use whatever path they see to get that goal" - AWS CISO tells us how your company can stay safe, by being more like Amazon
Being smart about AI in cybersecurity can make all the difference, AWS CISO tells us.

With AI now a common presence in businesses everywhere, the need for smarter and more intuitive cybersecurity is paramount, with defenders and attackers alike harnessing the power of the technology.
But how should your business prepare? At the recent AWS re:Invent 2025 event, I sat down with Amy Herzog, Chief Information Security Officer, to get her views and advice on staying safe in the AI age.
Gen AI for good
Like many of the top announcements at AWS re:Invent 2025, a new security agent hit the headlines for its ability to work alongside human workers to relieve some of the strain in everyday work.
Herzog notes her team has been experimenting over the past year with generative AI tools to help solve security problems at Amazon at scale, but says that using agentic AI to mimic humans wasn't the most successful way to think about agents. Instead, they found these agents should focus on doing one specific job really well, then be pulled together into a larger framework which can help with human effort.
“If our product teams aren't grounding themselves in their customer experience, and I'm not grounding myself in the builder experience inside AWS, I can't do a good job,” she notes, highlighting the need for security teams to ground themselves in actual, on-the-level information.

Perhaps surprisingly, Herzog also notes that her role has recently included an attempt to deflate the hype around AI “a little bit” for customers, looking instead at how they can pragmatically use the technology for something grander - in effect, not just adding AI to everything, but getting value from it too.
“You need to know what the agents want to do,” she says, explaining the need to demystify AI agents for customers, whilst noting that although the same basic security needs have always existed, expanding them into an agentic context is the challenge. As security is so fast-paced, “sometimes it's good to reset and realize this isn't too different to what we had yesterday.”
“I would encourage customers to think about going beyond the processes they have in place, towards focusing on the risk you're trying to eliminate, measure that as well as you can, then you're going to notice when stuff is changing and you need to adapt to,” she adds. “Sometimes security teams can get caught up in, what is my scanner producing, and ‘what am I resolving’ rather than here's how quickly I'm fixing each of the individual things that my scanner is finding, which is a more coherent view to adapt from.”