Kitecast

Chad Lorenc: Security as a Practice in the Cloud

Tim Freestone and Patrick Spencer Season 3 Episode 40

With over two decades of experience in the cybersecurity domain, Chad Lorenc stands as a prominent voice in cloud security and enterprise security strategy. Currently serving as a security leader at Amazon Web Services (AWS), Chad has contributed significantly to advancing cloud architecture best practices and building robust security frameworks for some of the world’s most dynamic organizations. In this insightful Kitecast episode, Chad shares his expertise on cloud security, the evolving role of CISOs, and the integration of artificial intelligence (AI) into enterprise security strategies.

Evolution of Cloud Security: From Apprehension to Opportunity

In the early days of cloud adoption, organizations often hesitated to migrate their operations due to concerns over security and control. Chad reflects on this initial apprehension and explains how the cloud security paradigm has matured over the years. Many companies attempted to replicate on-premises security models in the cloud, often facing challenges with patching, incident management, and compliance. Cloud environments require unique security approaches, with a focus on building specific controls and aligning them with broader security operations and compliance requirements.

CISOs: Leading the Charge in Cloud and AI Adoption

A recurring theme in the podcast is the critical role of CISOs in driving cloud and AI strategies. Chad offers valuable advice to CISOs, encouraging them to lead cloud adoption initiatives rather than being pulled into projects at the last minute. He highlights the tangible security benefits of cloud environments, such as the ease of implementing encryption and other advanced security controls. By taking a proactive approach, CISOs can not only enhance security but also achieve cost savings and operational efficiencies.

Embracing AI and Navigating Regulatory Challenges

As organizations increasingly integrate AI into their operations, compliance and security become critical considerations. Chad discusses how the shift to data lakes and the acceleration of AI adoption have transformed cloud security conversations from traditional security measures to compliance and audit readiness. The conversation also touches on the complexities of shadow AI—where unsanctioned AI tools are used within companies—and how security leaders can address these challenges by aligning internal strategies with business demands. In addition, Chad sheds light on the regulatory landscape, including the growing importance of FedRAMP compliance for federal clients and the balance between rapid cloud innovation and regulatory adherence.

Charting the Future of Cloud Security with Chad Lorenc

The podcast concludes with Chad’s forward-looking perspective on the evolving cybersecurity landscape. He believes that while AI remains a dominant topic, true innovation lies in optimizing security operations and embracing technologies that drive business outcomes. Chad sees an emerging trend where CISOs are not only security experts but also strategic business leaders who contribute to overall organizational success. His parting advice to security professionals is clear: embrace new technologies like AI and cloud solutions with a strategic mindset to remain relevant and impactful.

LinkedIn: https://www.linkedin.com/in/chadlorenc/

Amazon Web Services: https://www.linkedin.com/company/amazon-web-services/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Patrick Spencer (01:05.04)
This is going to be an interesting foray into something that we normally don't talk too much about. So Chad, thanks for joining me today.

Chad Lorenc (01:40.76)
Thanks for having me.

Patrick Spencer (01:42.413)
Looking forward to it. Let's start by talking about your role over at AWS. You're sort of an evangelist. You're an advisory. You're a consultant. You wear a lot of hats, I suspect.

Chad Lorenc (01:53.228)
I do. I wear a lot of hats. I think security in the cloud started out as there was a lot of apprehension on the side of security: do we want to move to the cloud? We don't have control. What does that look like? Even in the last four years, we've seen that continue to mature. And then the questions start to be, OK, how do we manage our security operations in a way that moves to the cloud? And I think

companies struggle with that. They try to put on-site stuff into the cloud and it doesn't work. And you kind of slowly move towards this paradigm where you realize that cloud is its own security paradigm, but it still has to come back into your operations. So patching, incident management, those kinds of things. And so a lot of the work I do is helping build out the controls in the cloud, but then how do you pull that back into your security operations? How do you pull that back into your audits? How do you pull that into your compliance?

and really helping companies wrap their head around the dynamic new environment and how that affects controls like IAM or data protection.

Patrick Spencer (03:00.6)
Interesting. Now, are you working with clients that you're onboarding, existing clients, a mixture of the two?

Chad Lorenc (03:07.726)
That's a great question. So I've had a couple of roles. One, I was over ProServe security for the West for all our commercial accounts. In the West, very dynamic, lots of, if you look at your cell phone, a lot of my customers are those icons you see on your cell phone. And there's a lot of fast moving, a lot of cloud native. I've now shifted to an industry. So I do about, I have about 60% of the portfolio

for Americas for commercial. So we're talking to manufacturing and what does security for IoT look like? And obviously IoT at scale is hard to do without the cloud. So how do you do that? How do you do that securely? But also looking at Greenfield, customers either who thought maybe there was a shorter path through another cloud and realized maybe that doesn't have all the functionality I want or

have been late adopters or new startup companies and really trying to figure out that dynamic of, you know, how do I start in the cloud and how much of my infrastructure do I want to be in the cloud? So security quickly bleeds into those strategic CTO, CIO, CEO conversations of, you know, what do we want our company to be? What are the strengths and where does cloud play into that? And what level of investment should I have in the cloud?

Patrick Spencer (04:34.724)
Hmm, makes sense. Now, when you're talking to these CISOs about cloud security and their architecture, the board and the C-suite obviously is probably pushing them to go towards the cloud. There's a lot of business initiatives on that front. Is security part of that conversation at that level when they're given the edict that you need to move to the cloud, but make sure that it's secure at the same time as it moves to the cloud, and is security in it and after?

Chad Lorenc (05:04.61)
A lot of it depends on the CISO. And one of my encouragements to CISOs is be the leader to the cloud and manage and control the narrative versus being the resistance that gets pulled in at the last second. So I see a mix. More and more, I'm seeing CISOs engaged at the front end, but they're being pushed top down into it. There is a lot of security benefit of the cloud.

on just like a high level, you can encrypt anything. And I know most of us CISOs would love to encrypt an Oracle database or some of these key repositories. And that's not a thing on site, right? There's no risk scenario that justifies the cost and the delay. That all goes away in the cloud. So you have a whole other set of mitigation controls. There's a whole lot of little nuances like that that actually make

security in the cloud faster, easier, simpler, if it wasn't kind of an add-on to everything you were doing, right? And that's where the tension comes in and really helping CISOs recognize, hey, I could show some leadership, some cost savings and some security improvements by getting on the front end.

It's pretty hard to do that on the backend when you're bolting your security on, right? And so getting CISOs to be leaders and drive towards cloud and say, yeah, I can do cloud, but this is how we're going to do it. And these are the things I need as a CISO to be successful.

Patrick Spencer (06:35.038)
Is it more of a checklist, or, I suspect, is it customized based on their environment and what apps they're using and, you know, whether they're dealing with the federal sector, a lot of different factors?

Chad Lorenc (06:44.792)
Yeah, I think about 80% of it is pretty standardized, right? And then that last 20% is a little bit of the magic with the customization. But at the end of the day, there's not that many ways to do IT, right? Apps tend to fall into certain development groups and architectures. The way you do it, we're less unique than we think we are a lot of times. And there is an unusual amount of flexibility in the cloud

that you don't have on site that you don't expect that you're going to have as a CISO coming in where you can put mitigations in places with a click of a button, you know, versus I think it took me two and a half years to deploy IPS worldwide when I was a CISO, right? Like that in the cloud, that's, that's you write the code and you deploy it, right? You can do that in two weeks, four weeks, depending on how good your developers are. So understanding that dynamic and the ability to, and

Patrick Spencer (07:27.738)
Yeah.

Chad Lorenc (07:43.404)
I don't like where my IPS is or I want to break my WAF out. Now I'm just going to apply my WAF over here to the gateway, leave my IPS over here. There's a lot of two-way doors in the cloud where you can shift and make those decisions on the fly, whether it be cost, whether it be security, whether it be just change of business that you just couldn't do on site or it was really slow and painful.

Patrick Spencer (08:07.556)
Now, you in your role, you deal with a lot of different industries, and, you know, you've been in a lot of different industries as well prior to coming to AWS. Do you find when it comes to the cloud that there's different conversations that need to take place with a retailer versus a manufacturer versus someone who's in financial services? Does that conversation differ at all?

Chad Lorenc (08:13.582)
Thank

Chad Lorenc (08:28.3)
Yeah, and I came out of financial services, and they've been ahead in security, but they've also been frontline adopters of the cloud. When you look at speed of transactions, when you look at scale, when you look at a lot of things that are important to a cloud or to financial services, that aligns well with cloud. So their conversations tend to be very mature. A lot of our newer entries are manufacturing.

and realizing, I could gain a competitive advantage by moving to the cloud. How do I do that? Especially with GenAI, it has some huge benefits for manufacturing. So yeah, we kind of get the whole spectrum. The other big thing is startups. Like if I was a native cloud company, how much faster could I gain on people that are locked into on-premise and slow growth, right? And so there's some of that dynamic too.

Yeah, it's interesting. Some things like life sciences. So I came out of life sciences, the ability to do massive compute that you have to do with life sciences, hugely beneficial in the cloud. So some of the data lake and stuff is also dragging some of those other organizations into the cloud where it doesn't make sense to try to manage those compute resources on site.

Patrick Spencer (09:49.678)
Yeah, yeah, makes sense. Now with the advent of AI, is that changing the cloud at all? Obviously there's more data going in there with AI and you have the concept of public AIs. Now you probably have a lot of your clients here saying, wait, we can't put all this data in a public LLM. We got to build our own. So they're coming to AWS to build out their own private LLM.

What are you hearing from clients on that front?

Chad Lorenc (10:20.844)
Yeah, it's interesting because that migration started with data lakes, right? So we saw a mass amount of data either moving to the cloud or wanting to be in the cloud, which really shifted a lot of our cloud conversations from being security to being more compliance and audit. 'Cause now you're moving protected data into the cloud, which, that movement had been a lot slower before. Then AI and GenAI just...

put that on an accelerator, right? And so now it's happening quickly. We're, it's not that complicated to secure AI. In the end, it's still an application. You're looking at inputs and outputs. A lot of the attacks look very similar to what we might've done when we were trying to attack SQL, right? A lot of the elements are the same.

The problem is not everyone got to the cloud and got those security structures and those IT and audit compliance structures in place. And now they're trying to jump straight to AI. And so you're trying to get all that together at once. And that's where my professional services team gets really popular because it's pretty hard to do all that at once without bringing in kind of a host of experts to accelerate that and to ramp up your team and stuff. I do spend a lot of time.

with companies that hadn't matured their cloud, but all of a sudden they're trying to jump from one to eight on the maturity scale and we're trying to make that acceleration happen in three months.

Patrick Spencer (11:50.852)
Yeah, makes a lot of sense. Are you finding, like you had the White House executive order on AI, I think it was in late 2023 that was issued, and there's been some permutations take place around it. Then you have the EU AI Act that was passed. Do you see regulations having an impact in terms of how organizations are approaching AI, and specifically when it comes to the cloud, at all?

Chad Lorenc (12:17.644)
You know, I'm not sure that the compliance teams have digested and pushed out feedback in all cases to their businesses. So we're actually having to go up and reach the compliance teams and saying, how do you interpret this compliance? What do you think we should be doing here? A lot of those teams can deal with that by piloting tools internally.

So right, there's a, I would say a huge portion of customers are in that early pilot phase of GenAI especially. And so it's the switch to external where a lot of those compliance pieces come into play. So that's how a lot of companies are dealing with it. The security side of AI, at least on AWS's side, we were building early on.

So our security is more advanced than the compliance requirements in many cases. So when you look at some of the responsible AI, if you go to, we have a foundation that you just plug foundation models into called Bedrock. Well, for our Bedrock, it's a checkbox. And so now it doesn't matter if you grab Anthropic or Llama or any of the other cheaper models like the AWS Titan model, throw it in there. Those guardrails stay the same.

Patrick Spencer (13:11.523)
Interesting.

Patrick Spencer (13:22.756)
Mm-hmm.

Chad Lorenc (13:35.958)
And it's literally a check button, but that check button actually meets a huge amount of those requirements. So it's knowing and understanding some of those things, because there's a lot of fear around GenAI, I think, in the security space, and it's very sensationalized. And there's real threats to it. But I remember in the early days when we were scared to put virtual machines on the internet, right? I remember when the iPhone came out, no one would put it in their corporate network, right? Like these.

These emerging technologies come and then we figure out how to secure them and they're going to get implemented. So really understanding them upfront is going to be key.

Patrick Spencer (14:14.552)
And then employees, it's, you know, you have this shadow IT that you and I know well about from our days in IT going back a number of years. You have shadow AI as well. When clients are coming to you and talking to you about, you know, here's our AI strategy, how do we get it into a private cloud on AWS? Is that a concern for them?

Chad Lorenc (14:39.906)
Yeah, so shadow, shadow AI is complicated because of the compute power. So the risk is, is that people are taking that data and dumping it out externally into some kind of AI, you know, like, and so that, that ends up getting into some of the, the CASB controls and other things that start moving a little bit further away from the cloud.

Patrick Spencer (14:52.503)
I see.

Chad Lorenc (15:03.906)
Customers, what more I would say is they recognize the demand. And I think this has always been a good CIO play. If there's shadow IT demand, that's demand that you're somehow not meeting as a CIO or a CTO, right? And so look at that demand and say, okay, what's driving this demand? And then figure out how to build it correctly, securely so that there's no longer that desire to do it.

And we're not always great at security, but the easy path should always be the right one. And the hard path should be the wrong one. Sometimes we forget that, I think, but that's another key is, you know, make, it as easy as possible to use the services you can control. Even if you don't have every control you want, you're going to have more control than you do if you're allowing demand to drive things.

Patrick Spencer (15:52.507)
Now you're on the commercial side, so maybe this isn't as applicable for you, but I suspect you probably have some insights on this front. You have federal regulations like FedRAMP. We're finding with our customer base in the federal sector that that's becoming more and more a mandate. Are you seeing the same thing, that FedRAMP comes into play, particularly with some of these AI large language models where you have a lot of data that's being transacted, where FedRAMP is something that they want to

ensure is in place, and, you know, you're FedRAMP moderate, I believe maybe even high, I'm not sure.

Chad Lorenc (16:29.078)
Yeah, FedRAMP is definitely gaining traction. It's getting easier to implement. Its challenge is waiting for services and solutions to get approved, which sometimes includes your security protections. Where finally FedRAMP, I think, is getting adoption, we're seeing that where you're not as limited by region or services that you can use. But that does become

That's been the complication of FedRAMP, the delay. Cloud moves really fast. FedRAMP doesn't necessarily. And I think they're working to change that dynamic a little bit, but that is, that's probably the biggest pain I see with FedRAMP is, you know, you look at re:Invent coming up, we're going to make hundreds of announcements. None of those will apply to FedRAMP customers, right? 'Cause they're going to have to wait for that to get digested and approved and everything through. So that's...

That's the biggest, hardest pain point. And, you know, when we make those hundred announcements, those are a hundred features that everybody's waiting for, including FedRAMP customers, but they just have that extra, extra delay. So we really help customers look at why are you doing FedRAMP? What are the benefits? Is it possible to achieve that other ways, or is FedRAMP the best option, and really going through that? Because there is, you do create that lag that has

an impact on your ability to move quickly and innovate.

Patrick Spencer (17:57.956)
Now, speaking of disruptive technologies, your team deals with a lot of customers, obviously, who are thinking in disruptive ways. Some aren't, some are, obviously. What are you seeing? AI, obviously, is out there on the horizon. What other things are they wanting to tackle, and what types of security challenges are associated with those?

Chad Lorenc (18:21.006)
Yeah, you know, I would say AI has dominated the conversation for sure. On the security side, we work a lot with, I think, what is the typical pain point right now, which is too much information, too many vulnerabilities, you know, just not enough ability to handle it. I think there's a generic promise on the horizon that GenAI is somehow going to solve that.

I don't know if that is the total solution of the problem. I would say the companies that are being a little bit more innovative are looking at more and more serverless solutions. You know, if I can completely eliminate everything under the database, so I don't have to manage that, how many vulnerabilities, how much time did I save? If I can build something on Lambda and not have to even patch the application layer, how much time and energy did I save? How much did I reduce my noise?

Those strategies I think are the more effective short-term ones and probably even long-term. I do see a lot of possibility with AI. I also see a lot of, you know, everybody loves to say silly things like SIEM is dead, but SIEM has been painful for a long time for us security professionals, right? You know, when you look at how many MSSPs are out there, you look at the

Patrick Spencer (19:27.664)
You're

Patrick Spencer (19:42.222)
Yeah, definitely.

Chad Lorenc (19:47.362)
the churn in the SIEM space, and there's always a new provider promising more than they can deliver. And it's pain. I think I've used every SIEM out there and they're all painful, right? It's a painful, heavy investment. So the question is, can you get around some of that pain? What we are seeing is more and more customers, you know, the disadvantage of cloud is if you grab all your logs,

you pay to get those logs, then you pay to export them out of your cloud, then you pay to import them into your really expensive SIEM, you're paying a lot of times for that cost. Another move we're seeing is more and more pre-processing cloud stuff in the cloud and just sending the critical stuff, after pre-processing, to the SIEM, and doing some of that with Security Lake,

Patrick Spencer (20:21.358)
in Fort Wreck.

Chad Lorenc (20:44.034)
which you can already overlay some AI on, you can already overlay some advanced reporting on. So I would expect that trend to continue. It's a great way to drive down costs, maybe be a little bit more efficient. It'll be interesting to see. Obviously Splunk is one of our customer favorites, but Splunk has built a connector so that they can query our Security Lake in the cloud.

Patrick Spencer (20:55.467)
Yeah.

Chad Lorenc (21:13.408)
So they've accepted that that paradigm doesn't make sense anymore and are working on solutions for that as well. So, you know, those kind of things are, I think we're going to continue to see how do we optimize security? I don't know that AI is always the solution, but optimizing security is definitely the lead thing with CISOs I'm talking to. And figuring out how to tie the other...

piece we're seeing is, we kind of had traditional compliance CISOs or technical CISOs or risk-based CISOs. We're seeing a new kind of CISO CTO mix that is more about business outcomes and figuring out how security plays into overall business and being that tech leader, not just the security leader. And I think, I think that is the future for the CISO role.

And so I think that's another, as we see that change, it'll be interesting to see how that plays out. But I would say that might be the most disruptive change, even though it's not a direct technological change.

Patrick Spencer (22:24.848)
Interesting. Yeah, I remember the SIEM days. I was at Sun Microsystems when we bought some SIEM, and Symantec when we bought some SIEM technologies. And like you said, none of it ever seemed to work quite the way that it was promised, to your point. So that's an interesting approach that you described, which actually brings up an interesting point when you talk about logs. You have all this log data that's related to your network and your data,

Chad Lorenc (22:28.002)
Thank

Patrick Spencer (22:53.072)
you know, your incident response. I mean, you can go down the list. There's a long end point and so forth. Aggregating that into something that's actionable, I suspect, is something that organizations are looking to do. We find that a lot of our customers come to us and realize that their file sharing versus their managed file transfer versus their email versus their web form, all that's, you know, in different silos. And with our solution, they're able to get it all into one stream.

And then they can actually feed that into their SIEM, into something like Splunk, for example, and they get actual intelligence from it. And then you can become more proactive, even with the advent and the introduction of AI, obviously, then you can start to proactively do anomaly detection. When you have anomalies on the network, you have anomalies on your endpoints and so forth. What do you see happening there? The consolidation of data, I suspect, enables organizations to become much more proactive with their security posture.

Chad Lorenc (23:51.04)
Yeah, I think that is going to be the expectation going forward. So AWS is playing kind of a facilitator role in that with Security Lake, where everybody can dump all their data and then you can look at it holistically. But that is clearly the silo problem in security, and it is still a huge problem.

The promise of big vendors that they're going to buy everybody up and bring it all together hasn't really panned out either, right? So we're going to have to learn how to play across companies in security to be successful. And so it's interesting. There's definitely a broad range in the security community, but we are seeing a lot of different security vendors coming together to kind of experiment and play in that Security Lake space. It's kind of a safe space.

You know, they don't feel like they're up everything, but you know, can we all collaborate in the cloud to dump it in a single place, be able to leverage each other's data with our oversight? I remember that was the old promise of Cortex way back in the day from Palo Alto, right? and it never really played out that way, but I, I do think that's that vision is probably the solution to the future where it's a data lake where we all agree to dump data, but we all process it in our own.

IP way, right? That benefits a customer specific to, you know, whatever challenges we're trying to help them solve.

Patrick Spencer (25:20.312)
Yeah. Here's a change of subject a little bit when someone, although it's related, someone engages your security practice and your team. You know, what's the size of engagement look like? You know, I was in professional services at Sun Microsystems way back in the day and I've dealt with PS organizations and some of the larger companies I've been at. Is it really short engagements or are these, it depends, I guess, probably on the customer, but what do those look like?

Chad Lorenc (25:50.594)
Well, we're really not positioned to price to be like staff aug. So we are really, can we help you build a security program or make massive jumps? So we're really business outcome based. And we're trying to deliver, you know, in 18 weeks, a massive change in your security paradigm in the cloud. Right. So that's

That's our main strategy, our main, you we have other offerings, but that's kind of the big thing we're looking to do is can we come in and help you measure your maturity and then help you make a significant gain both in your security maturity, but then we try to do that next, that CTO layer too of what business outcomes, like how can we help your IAM speed up your delivery? How can we help your compliance speed up your delivery? Right? Cause a lot of those things are built as

as blockers for provisioning or for software release. And security has to figure out how to be as fast as the cloud. Otherwise we end up being the blocker. The benefit of that is as a CTO, as a CISO, you can come in and make huge gains and keep the security in place if you understand the technology. But, you know, IAM is a great example. You kind of have to break that least privilege thought and say, okay,

What are the guardrails, right? Because I can't say this box, this IP, this address, like we used to think of a firewall, because that's going to change every day, right? It's going to move all around. But what if I could say everything in this space does this, and I'm going to put guardrails around that. I'm going to let the developers do these five things in there, but I'm going to give them their space to be dynamic in. And so shifting that all of a sudden

dramatically changes how quickly you can onboard, how quickly you can develop, how quickly you can launch new projects. So learning to kind of understand how the cloud protections offer you the same level of protections but give you the flexibility, that's the mind shift. But the business outcomes can be pretty astounding as you figure out how to move security to the speed of the cloud.

Patrick Spencer (28:01.422)
Interesting, interesting. Well, you have a really interesting background from a security standpoint. You've worked in a lot of different industries. You've been a security leader. You've been a security architect. Now you're managing the security practice over at AWS, which is different. It's got to be interesting. Talk a bit about that career transformation or evolution or however you want to describe it, you know, and how you're able to orchestrate it. And then what does that mean to you? Because you're

sort of on the flip side of the equation now where you're serving the folks that you formerly held their role in many organizations.

Chad Lorenc (28:40.684)
Well, I would say this AI, whatever you want to call it, or you want to call it a bubble or interruption or disruption, I haven't seen one this big since dot-com. And so there's a huge opportunity. So my big start started in the dot-com days. I was an IT manager for retail space.

And dot-com came and I jumped in, got sucked up into the Cisco Systems machine, went out and installed networks and got everybody online. And then all my customers called me and said, help, we're getting attacked. And I called Cisco and said, what do we do? And they said, we just bought this firewall company. We went and put a firewall in. They called me back and said, help, we can't get into our environment anymore. And I called Cisco, and Cisco had just bought this VPN company. We went and put a VPN in. And so.

Before I knew it, I kind of moved from the Cisco network guy to the security guy and did that in the VAR space. So consulting, value-added resellers, those kinds of companies are huge career accelerators because you get this broad exposure to all kinds of different companies and ways of thinking and ways of doing things.

And how to talk to executives and all those kinds of things. So that was a huge accelerator, working for a VAR, working with Cisco. I eventually kind of started handpicking. What are my favorite companies? You know, I was like, ooh, I really like Compassion International. I really like Ent Federal Credit Union. I really like Agilent, who I actually helped HP spin out. So I had some emotional connection there. And so.

Patrick Spencer (30:31.76)
Good rest.

Chad Lorenc (30:33.012)
I was like, I like these, I like the feel of these companies, you know, out of the hundreds of customers I worked for. And I ended up working for all three of those companies. So I went in with some of my other networking skills, like wireless, I used to tune wireless, believe it or not, and some of my network management and stuff. All those things became kind of commoditized. In fact, I was an IP telephony specialist, but

that was really big and then it wasn't, right. So all those things got commoditized, but security just kept on growing. So that path was not picked for me. I enjoyed it. It was kind of one of my four enjoyment areas, but it was definitely the one that didn't get commoditized. I ran towards security. I went to work for the financial services company. I was a CISO there. And it was pretty big, 4 billion in assets at the time, but

I was ready for something a little bit more. Actually, right before that, I did a startup. So I did a startup and ran my own ISP telecom, built my own cloud, but quickly kind of said, you know, hardware was commoditized at that point, and I really wanted to get into a company. So I went there. So I went from startup to financial services. Then I said, I kind of want something bigger, right? And so once I

Patrick Spencer (31:37.904)
Yeah.

Chad Lorenc (31:59.426)
had that CISO experience, I said, okay, I want to get into the Fortune 500. Went down the street to my buddies at Agilent, which I spun out of HP. Got in there. And interesting from a career path standpoint: networking was hot, and then there was this space where everything was application security. So in the bank, I got into application security, built an online banking system from scratch, learned application security, used application security to get into

Patrick Spencer (32:18.384)
Hmm.

Patrick Spencer (32:23.715)
intro

Chad Lorenc (32:29.108)
Agilent. However, I wasn't at Agilent very long before I ran my first application security project, launched that, and they realized, you're really good at networking. So then I was on the big networking project, and then they realized, you've run a vulnerability management program at a bank. And so then I ran the vulnerability management risk program. So a lot of it was building on previous stuff, but also moving to what the hot technology was. So I became

the virtualization guy and the mobile guy there, because iPhones were big, right? And getting them onto the network. And so virtualization kind of led me into cloud. And then my company struggled with their cloud adoption. So I have a lot of experience with the mistakes, and making those mistakes. And I got to the point where I'm like, I'm ready to be, you know, kind of a Fortune

100, Fortune 25 CISO, and the big gap was the cloud. They were all really getting serious about cloud. So when AWS knocked on my door, I had a couple of executive positions, but I was like, I think maybe the faster path to where I want to go is AWS. And I've been there and it's been super fun, but it really challenged my previous 15, 20 years

of security thinking, really made me work through: how have our vendors, how has some of our thinking worked us into corners, and what does it look like to be that strategic CISO/CTO? How do you do both, right? Enable the business and secure the business. And really, when you take off some of the shackles, realizing how much power you have in the cloud to adapt to that

and meet some of those requirements. And so I kind of fell in love with the cloud, to be honest with you, and I've really enjoyed that. And of course, I think we got connected through LinkedIn. That's been a great opportunity for me to take that knowledge, because of my failures and experience in the cloud when I was basically in an interim CISO position, and say, OK, here's the right way. Here's some models. Here's some paths. Here's some thinking.

Chad Lorenc (34:53.966)
And really helping educate the security community so that we don't become irrelevant. Right? I mean, I think even the CIO role, the CTO role is a threat to making the CIO irrelevant. And some of it's that the CIO and CSO pushed back against the cloud and missed that level of innovation as it came around. And I think we need to not make that mistake again with AI, or I think both the CIO and the CSO,

Patrick Spencer (35:06.01)
Yeah.

Chad Lorenc (35:22.762)
our roles are at risk to the CTO.

Patrick Spencer (35:25.346)
I think that's true of any disruptive technology. Certainly AI is probably the most disruptive technology we've seen, but you just can't be like an ostrich and put your head in the sand. Employees will find ways to work around it. Organizations will bring in other folks. From a business standpoint, it was simply a demand that those technologies be adopted, to your point. So, well, you have a really interesting role where you get to work with a very diverse number of

industries and companies, and companies of different sizes that all have different types of challenges. So I suspect a lot of our listeners are thinking, gee, I'm envious, I'd like to have Chad's role at the end of the day. So Chad, for audience members who want to engage with AWS, obviously go to the AWS website and purchase solutions from AWS there. But if they're in the West, or a commercial account in the U.S., and they want to engage with you,

Chad Lorenc (36:08.43)
Yeah.

Patrick Spencer (36:24.09)
talk it up on LinkedIn, or what's the best way to get in touch with you?

Chad Lorenc (36:27.042)
Yeah, yeah, absolutely, ping me on LinkedIn. Obviously, in the end, I'm an implementer and an engineer, so they don't let me play with numbers and sell stuff. So I have teams that I engage for that, but yeah, always open for conversations and for, you know, helping the industry kind of wrap our brains around how do we embrace cloud and now AI, and what does that look like? And breaking through some of the fear factor

that we have with new technologies and unknowns in security, to help us be leaders in that space and make sure that we stay on the forefront of protecting companies. Because you don't have to read the news for very long to know that we're in desperate need of that leadership.

Patrick Spencer (37:13.474)
I completely agree. Well, Chad, thanks for your time. This has been a fascinating conversation. Our listeners are absolutely going to find it helpful. I found it very engaging and I learned a lot at the same time. So thanks.

Chad Lorenc (37:25.208)
Thank you for having me.

Patrick Spencer (37:26.746)
For our audience, make sure you check out other Kitecast episodes at Kiteworks.com slash Kitecast.
