Solving security problems for customers of cloud giant Amazon Web Services (AWS) is Principal Security Specialist Clayton Smith's primary mission. But sometimes it can feel like playing cops and robbers in the cyber realm.
That’s not to say Clayton doesn’t take his job seriously. He does. With AI moving at breakneck speeds—and companies from every industry rushing to implement it—security may be more serious than ever.
“We’ve seen the consequences when data gets out. It hurts organizations, it hurts your customers,” Clayton said. “Identity theft is real. There’s a whole list of things that can go wrong.”
How can an enterprise stay competitive while staying safe? Clayton, who sees security as a strategic differentiator for businesses, offers a few edicts. “Get your security professionals engaged because they really do want to be a part of this AI journey. And frankly, it’s a customer-focused way of looking at it.”
“Get your security professionals engaged because they really do want to be a part of this AI journey. And frankly, it’s a customer-focused way of looking at it.”
It’s also important to realize, Clayton said, that “there’s no such thing as perfect security. It doesn’t exist. The question becomes, ‘what is an acceptable risk profile?’ and that varies for every organization.”
‘Taking it up yet another notch’
There’s a lot to worry about in cybersecurity. A hallucination, a poison pill, a particularly astute group of threat actors—any of it, Clayton said, can put an organization at risk.
There’s also a lot to celebrate in cybersecurity. Consortiums and agreements that share threat intelligence among corporations and across competitive lines, for one. A foundation of data security well-laid by security professionals of yore, for another.
“The guardrails have been put in place,” Clayton said. “The security practices put in place to protect data—those still exist. At AWS, we haven’t circumvented those models. If anything, we’ve embraced those models and pulled them into the AI world.”
Clayton feels encouraged by all of this, and he is especially enthusiastic about the use of AI applications to help safeguard other AI applications.
“You’re going to see AI on both sides of the equation,” Clayton said. “The threat actors, obviously, are going to be using it as a way to try to break through our defenses in a more rapid fashion. Instead of having someone sitting at a keyboard, now they can train an AI model.”
“But the part I’m most interested in, of course, is the defensive side,” he continued. “We can use AI to look for the needle in a haystack of threat intelligence. I’m talking about taking it up yet another notch, looking for correlations in the data. We, as humans, just can’t look at that much data at one given time.”
“We can use AI to look for the needle in a haystack of threat intelligence. I’m talking about taking it up yet another notch, looking for correlations in the data. We, as humans, just can’t look at that much data at one given time.”
Can AI protect us from AI?
At the time of this interview, Clayton speculated that one day AI would be able to automate responses and block threats in real time. One month later, AWS unveiled its new large-scale security system, Mithra, that uses AI to spot and rank the trustworthiness of domains and identify potential threats—detecting up to 182,000 new malicious domains per day.
Since the 2010s, AWS had been using another threat disruption system recently revealed as MadPot. It combines data analytics with intelligence extraction to produce the insights needed to neutralize threats. Going back to the cops-and-robbers analogy, Clayton compared MadPot to “that bait car that police leave in a particularly crime-plagued area.”
“We want to see who breaks in there so we know who they are, and then we can use that information to stop them from breaking into the stuff we really want them to not get into,” he said.
It’s the kind of innovation that’s par for the course at major companies like AWS and Cisco where the goal is to stay relevant and move as fast as any startup.
Other security tools that excite Clayton are those that use natural language models making it easier to search big datasets of security logs.
“Now I can just say, ‘hey, show me all the connections from this IP address,’ because I’ve determined that IP address is bad,” Clayton said. “It makes the security operator’s job faster and easier. But I also think it opens up the door for more security professionals which we desperately, desperately need.”
Other security tools that excite Clayton are those that use natural language models making it easier to search big datasets of security logs. “It makes the security operator’s job faster and easier. But I also think it opens up the door for more security professionals which we desperately, desperately need.”
In the world of cybersecurity, Clayton sees automation and natural language tools breaking down career silos and ushering in artists, linguists, and others of diverse educational backgrounds. As Clayton said, the field is now open to “people who are just really good critical thinkers but don’t necessarily need to know exactly how to write lines of code.” (In a recent interview, People.ai CEO Oleg Rogynskyy similarly talked about the future of AI automation, comparing it to self-driving technology.)
Raised on a culture of security
In a way, Clayton has had a security mindset since college. He grew up in Albuquerque and studied marketing at the University of New Mexico. His college job at an IT help desk put him on a technology track. After graduation, that track led Clayton to an early career in IT consulting and sales, a Master of Business Administration from Colorado State University, and a graduate certificate in cybersecurity from Harvard Extension School. Along the way, Clayton landed a role as a cybersecurity specialist in Austin, Texas for global tech leader, Cisco, where he worked for seven years. In 2022, he joined AWS.
At AWS, Clayton has seen firsthand the value of “a culture of security.” This means security matters to everyone within the organization. It’s pervasive across the AWS value chain—from products to customers to staff in every department.
In his work with AWS customers, Clayton often leads workshops and guides the creation of programs, “essentially training non-security people to think with a security mindset.”
By giving people throughout the organization basic security training, AWS has seen its internal security reviews sail through 20+ percent faster.
“Our executives all the way through the organization talk about security all the time,” Clayton said. By positioning security as a shared responsibility, AWS has “built a culture that really emboldens people to report situations when they see them … even if it means stopping a project to address a security concern.”
On Embracing Change and Loving Life
Clayton’s division at AWS is known as the Worldwide Specialist Organization, a group AWS CEO Matt Garman called “the glue that connects our service teams to our customers.” Clayton wouldn’t have it any other way. He thrives on working collaboratively with AWS account teams and directly with customers.
“The only way to understand the trends is to actually be in the trenches with the customers,” Clayton said. “I get to solve problems all the time. Who wouldn’t like that?”
In moments of introspection, Clayton said he realizes two things: how much he loves his job, and how proud he is of his family. Clayton is the father of two sons, ages 23 and 9. After long days combating cyberthreats, Clayton unwinds by watching sports with his boys and his wife, Monica, who is a successful entrepreneur.
If a fellow security professional asks Clayton for advice, his number one answer relates to adaptability.
“You have to accept that change is constant,” he said. “It happens on the threat landscape—threat actors are coming up with new tactics. On the other side, the business is becoming more competitive and more receptive with their customers.”
As AI continues to drive even more change, the role of a security professional must evolve. The best strategy, Clayton said, is to “lean into that change, but still question everything.”
“Take a step back, take a deep breath, and embrace the fact that this is happening,” Clayton said. “As security professionals, how do we make sure it’s the best, most secure experience for our customers and our organization?”