Profiles

How one person is securing all of Amazon from front door to firewall

Ron Miller

Ron Miller

3 min read
Head shot of Amazon CISO CJ Moses wearing a dark suit jacket with blue shirt opened at throat.
CJ Moses, CISO of Amazon Integrated Security. Photo courtesy of Amazon.

When you think about a company the size of Amazon, the idea of one person being responsible for everything from the locks on the doors to cybersecurity and employee safety might seem absurd. Yet that's exactly what the company decided to do.

That person is CJ Moses, who is CISO of Amazon Integrated Security. That means he is responsible for security across the entire company, while working with embedded security teams at subsidiaries like Whole Foods, MGM Studios and Amazon Pharmacy.

The company began by looking outside the organization to fill the role, but soon realized an outsider didn't have the requisite organizational knowledge and ultimately zeroed in on Moses. "We were interviewing, doing the normal search to find somebody to do it, and realized we're not going to find somebody from the outside who knows where all the bodies are buried, what things need to be done, or has the influence across the entirety of Amazon," he said.

Moses did. He combined deep internal knowledge with valuable external experience. Before joining Amazon in 2007, he served in the Air Force, where he worked on computer security. That experience led him to the FBI, where he investigated computer crimes. With almost two decades at Amazon, he grew with the company and developed a strong understanding of how things worked.

It was one thing to talk about putting all of Amazon's security apparatus under one roof, but another to actually put it into practice, especially in a company with 1.6 million employees spread out across the world. It required an entirely new approach to enterprise security.

A single security thread

When Moses took on the role, he had a big ambitious plan to bring together the entire security apparatus rather than using the fragmented approach most organizations take. "I had been pushing for us to have a single-thread leader that was closer to the work and owned all of security," he said.

In the majority of companies physical, personnel and digital security are divided up among different teams with HR or IT looking at personnel security, facilities management looking at the doors, locks and badges and one or more CISOs handling cybersecurity. While all those roles exist, they now report to one person, an approach Moses believes will lead to a more secure organization overall.

From a data collection and management perspective, Moses' boss Steve Schmidt and Amazon CEO Andy Jassy thought that the piecemeal approach was leaving gaps. "The idea is that we brought all the [data] together so that indicators from physical and personnel events within the company become pieces of intelligence we can act on across the board," Moses said. That could include signals like unusual badge activity at a facility, suspicious system access patterns or personnel activity that could suggest elevated security risk.

Putting the single approach to work

The company relies on AI to manage the vast amount of information and make sense of all the signals coming in. Like most large companies, Amazon has to balance employee privacy with the need to protect company systems and customer data.

The majority of the monitoring activity is automated where AI sifts through 80% of the information automatically. An incident only gets kicked out for further review when something unusual warrants additional investigation. "When I talk about all the automation and all of the things that happen without our involvement, a lot of that is AI‑enabled to handle large data sets that are flowing in, in order to identify which users are doing things that are indicative of something that could be detrimental, or rule out that they aren't," he said.

As they scan vast amounts of data, they are looking for signals such as unusual data access, for example someone accessing a GitHub repository that doesn’t match their role, or copying a large customer list to a USB drive. They may also be watching for signs of harmful behavior such as sexual harassment or a disgruntled employee.

Amazon spheres in Seattle Washington. Home of Amazon.
Amazon headquarters in Seattle. Image courtesy of Amazon.

When the system encounters suspicious activity, it doesn't necessarily mean that someone from Moses's security team would confront or fire the individual. Instead, Moses says the automated controls could “turn the knobs” on that person’s access. For example, it could automatically disable USB access and add extra monitoring, only escalating to a human reviewer if the pattern of suspicious behavior continues.

That risk‑based model depends on fine‑grained controls and constant adjustment, which can clash with how some regulators think about security. Despite the heavy reliance on monitoring and automation, Moses says regulators sometimes push for a blunter approach, such as blocking certain tools like Gmail or ChatGPT outright to prevent data leaks. To him, those kinds of blanket restrictions can lead to missing the real problems.

"I'm really not interested in taking a colander, blocking a few of the holes and calling it a bucket, which I know is just going to let water through anyway. That's called security theater," he said.

Read more