Straight from Las Vegas, theCUBE sits down with Clarke Rodgers of AWS Security for an exclusive Fal.Con 2025 interview. Hosted by Dave Vellante and Rebecca Knight, this conversation tackles how security leaders can flip the script: turning compliance and governance from blockers into accelerators. Rodgers breaks down the mindset shift from “department of no” to enabler, showing how risk-based thinking, automated guardrails and developer-focused security unlock faster innovation. He shares how Guardrails for Amazon Bedrock help organizations mitigate hallucinations and protect PII while experimenting with AI, along with how new offerings like AgentCore, Kiro IDE, and Amazon Q empower developers, analysts and business users alike.
The discussion also explores the rise of AI agents in the enterprise, why least privilege and strong entitlement reviews still apply and how ISO 42001 certification underpins AWS’s disciplined governance approach. Rodgers emphasizes the need for intellectual curiosity in building strong security teams and explains why junior roles paired with AI assistance remain vital. Finally, he highlights the AWS–CrowdStrike partnership: AWS delivers secure cloud infrastructure and services like GuardDuty and Security Hub while CrowdStrike extends endpoint and threat defense for shared customers.
Clarke Rodgers, AWS Security
Rebecca Knight
>> Welcome back everyone, and welcome back to theCUBE's live coverage of Fal.Con 2025 here in Las Vegas. I'm your host, Rebecca Knight. Alongside my co-host Dave Vellante, I would like to welcome back to the show, Clarke Rodgers, office of the CISO at AWS. Thank you so much for returning to the show, Clarke.
Clarke Rodgers
>> Thank you so much for having me. I think this is just an annual tradition at this point, right?
Rebecca Knight
>> Indeed. Indeed. A good one. A good one. So, one of the things that you've talked about before is moving security from the department of no to becoming an enabler. How does that transformation look in terms of moving from this cautious, risk-averse approach to a more innovative, creative, and collaborative?
Clarke Rodgers
>> Well, I really think it comes down to a mindset for the CISO and their security team, right? Once they realize that they are an integral part of the business and not just the people there to say no and put the walls up, then they realize they have a shared goal of we want increased revenue, we want more customers, we want to do all these things. We want to experiment with new technology. How do we do that? We have to take a risk-based approach to what line of business we're in, what industry we're in, knowing our threat models, all that good stuff, but then be a reasonable human being and say, here's what we have to do, right? Let's all work together to make sure we do that. And then let's give a little bit of reins, controlled reins, right? For people to experiment and do what they need to do for the business.
Dave Vellante
>> Clarke, when you think about security, you think about things like compliance. The business case generally is around risk reduction. And a lot of times we'll hear folks in the industry, marketing folks in particular say, Hey, we want to turn this, whatever it is, security compliance, let's use the case of security into a business accelerant. You say, "Okay, well how do you do that?" And I've heard examples where, look, the security team has a strong voice. They can block stuff. So, if you're compliant and you're following sort of the frameworks, stuff can get to market faster. So, that's one example. Are there others that the audience should know about? How valid is that where security can be actually an accelerant for the business? And do you have any sort of proof points either inside Amazon or customers that you know?
Clarke Rodgers
>> Certainly. So, security is a broad realm, right? From the development side to the network protection, all that sort of thing. If we focus on the sort of developer community, right? So, they're building and releasing code every day and they're going through their CI/CD pipelines, et cetera. If the security team can make that developer more effective, meaning automate some of the checks, give them hardened images, do all these things to reduce the burden on that developer so that he or she can focus on the functionality of what they're building, over time, all of a sudden they're going to be able to release more features more quickly, more securely. So, the business leader can now say, let's put this function in place first versus that one, here's a new opportunity in the market. I want to build this product. I want to experiment with AI. Whatever the case may be, they can move faster because those guardrails are in place. We recently announced Bedrock Guardrails or Guardrails for Bedrock, which on top of our Bedrock platform where customers love being able to experiment with all of the LLMs that they can access with all of the AWS security controls that they know and love. Now they add that level of Bedrock guardrails for now with AI hallucinations. They can put in checks for that. They can make sure that PII is redacted, all those sorts of things. It's a security and functionality combo that allows the business to actually move faster and make the business leaders to make quicker decisions.
Dave Vellante
>> So, it's classic AWS taking away all that heavy lifting of making those things secure, dealing with all the multitude of LLMs that you have to deal with. Bedrock has come a long way, and it's pretty fundamental, your three layer cake. Can you discuss how that's evolved and how it specifically fits into your security strategy?
Clarke Rodgers
>> Well, as you know, we are a customer first company. We listen to our customers. We get ideas from them. How are they using our products and services? So, then how do we make them better? One of the things I really enjoy about working in AWS security in the office of the CISO is I get to listen to those customers and I get to influence AWS at scale and how we serve them. So, specifically to Bedrock, as it's evolved, we realized, hey, the customer enjoys the security controls that they can apply to Bedrock. What else will delight them? Well, lots of customers' hands were raised up saying, "Well, I'm really confused about responsible AI. I'm really confused, or I need guidance on how to make sure that when I'm using these LLMs, the PII that I'm putting in there is redacted so it doesn't escape." So, there's a security component to that. The next evolution of that were AI agents. A, what are they? How do I use them? How would I think about using them inside of my enterprise? And then how do I secure them? Don't hold me to this. This was a couple of months ago. We announced AgentCore for Bedrock, which again fulfills that objective for our customers. On the development side, we released Kiro, which is a native IDE for developers that is AI assisted. It allows them to vibe code, which is all the rage these days, in a secure enterprise-ready fashion, they can leverage Q Developer, they can leverage Q for business to again act as that assistant to make them that much more effective in whatever job they do. We typically pick on developers, infrastructure folks, security analysts, but all of those professions can benefit from this sort of assistant methodology.
Dave Vellante
>> And I think that was around the July timeframe at AWS NYC Summit. It was kind of like-
Clarke Rodgers
>> Yes, yes, thank you.
Dave Vellante
>> The mid-year review. And by the way, Kiro, because I remember I wrote about it and I was like exactly how you describe it, but it's more than even vibe coding. It's vibe coding plus, I mean, if you want to be hardcore, if you're a hardcore developer, there's assistants there as well. Which brings me to AgentCore, brings me to agents. So, Marc Benioff famously wrote in the Wall Street Journal that we'll be the last set of managers to manage only humans. So, you think about that. How do you manage agents differently than humans? What does that mean in terms of hierarchies, organizational structures, but specifically what does it mean for security?
Clarke Rodgers
>> Well, the conversations I've had with my customers, primarily CISOs from every industry that you can think of, the way they're looking at it, and the way we look at it is when you think about an agent, it's really no different than a human account or a system account, right? We've been using system and server accounts for years. We've put controls around them, we give them access to what they need and block what they don't need to have access to. An agent is really no different once you define the lanes in which it operates. So, least privilege does not go away. The basics of security, eat your vegetables type of activities, doesn't go away. Entitlement reviews don't go away. If you are a regulated business, you're having to do regular entitlement reviews anyway. Why not also, you should be reviewing the system accounts within your line of business as well as your humans. The agents are going to be the same way. I think as we see them evolve in the enterprise, you're going to see agents doing very specific things at first with very narrow sets of permissions, and as it demonstrates that they're actually doing what you think that they're doing, because you have the backend controls to monitor that. Then they're going to be given more permissions and to act more interactively with the systems that -
Dave Vellante
>> So, let me push on that if I could.
Clarke Rodgers
>> Sure.
Dave Vellante
>> I know you want to jump in. So, agents are kind of similar to humans, but the difference is, well, maybe it's not different. The humans can get down the hallway and say, Hey, I don't know how to do this. So, I've heard experts, whether it's Elon Musk or other AI gurus talk about at some point, the whole sum of human knowledge is going to be encapsulated in AI. Should we make that assumption?
Clarke Rodgers
>> .
Dave Vellante
>> Right. It makes your brain go.
Rebecca Knight
>> Yeah.
Dave Vellante
>> Should we make that assumption for agentic? In other words, they're not going to have to run down the hallway and ask a human because they're going to have that knowledge, or is there always going to be a human in the loop? And isn't that where agents are different from humans?
Clarke Rodgers
>> It's early days, and if I had the crystal ball to give you the direct answer on that, I would be doing all right for myself. I think if we look as technology is involved, we had a very similar conversation with cloud 15 years ago. What is this thing? It's mysterious. It's somebody else's data center. Can I secure it? Where is my data? All of these same types of questions. I'll agree that agents take it one step further, but if we look at the basic building blocks of security, they have to operate in that world as well. So, it's upon us with whatever governance controls we decide to put in place to determine what the agent can do and what they can't do. The discipline to have the law of reviews afterwards. Well, the agent went and did these things that we thought it would do, and it did these three other things that we had no idea. What kind of discipline do we have to then go back, revisit our governance models? AWS was the first to achieve ISO 42001, and so glad all the other providers have come along as well. But these things are going to evolve. It's such early days. As long as we are disciplined and we have those strong governance controls, we will be able to keep a handle on this and do it responsibly.
Dave Vellante
>> And don't overcomplicate it, I guess is the message. Complicated enough for a -
Rebecca Knight
>> Right, right. Well, it is. When thinking about human and AI collaboration and how they work together, we know that there is a skills gap. We know that there's a worker shortage. One of the things that you have emphasized in the past is the importance of intellectual curiosity in hiring, because it is one of those characteristics that maybe you can't teach. It's intrinsic in someone. Why is it so important? Do you think AI has intellectual curiosity?
Clarke Rodgers
>> I'll save that for the second part of my answer. To start off, I mean, when we hire at AWS, we're looking for technically competent, experienced people regardless of what the role is that they're applying for. But when you think about security, you want that level of curiosity of, well, what do you want me to do? What is this application? What do you want me to build? How can I break it? And then how can I make sure nobody else breaks it? So, it's that level of curiosity. If you look at things and you just want to be told what to do and follow sort of a rote manuscript, that's where AI's going to come in and have your lunch. But when you have that level of curiosity and that level of sophistication, you can tie business problems to technological solutions and security solutions and bring all those together and sort of think three steps ahead of things. That's the kind of person we're looking for, and that's what breeds great security teams.
Rebecca Knight
>> So, talking about that mindset shift that we first began saying that you want to move from the department of no to someone who is more empowering and innovative, what are the kinds of skills and mindsets that you would recommend for entry level workers in this industry if there even really will be entry level workers in this industry?
Clarke Rodgers
>> Well, it is funny you mentioned that. Matt Garman, our CEO, had an interview a couple months back, and I think it was reported in The Register where he was challenged with that, oh, you can replace all of your junior folks with AI, and I'm going to misquote them here. He said, "That's the dumbest idea I've ever heard." We need, in order to get your senior people, you have to start off with somebody. So, to answer your question more directly, that junior person have that intellectual curiosity about whatever you're doing, but have the AI skills, right? Because you need to be a human and a half or two humans or three humans. You pick the number of how advanced the AI is. If you know how to manipulate AI to do the workload that you need to do so then you can focus on those more human centric issues. That's what's going to set you apart as a junior person that when we look at our tier one SOC analysts at AWS, could we automate a lot of that stuff? Perhaps. But when we think about the senior SOC analysts that want to have, and the tier three and the investigators, we want them to have a path of knowing this is how you fix things manually. This is how the old school way of doing it. So, a lot of the systems that we've built are assistance in nature. Here's the type of tickets you got. Here's the five things you should probably check to make sure that has been buttoned up, so to speak from a remediation perspective, and here's the reports you need to fill out. Here's the email you need to send. Some of them are more automated than not to sort of push that analyst to learn as he or she develops through their journey.
Rebecca Knight
>> Exactly.
Dave Vellante
>> Can you talk to the audience about your relationship with CrowdStrike specifically as it relates to cloud security? So, CrowdStrike will talk about cloud security. People will hear cloud security, oh, that's AWS. So, there's a shared responsibility model between you and your customers, for sure. Similarly, presumably there's a shared responsibility model between you and your partners like CrowdStrike. What's your sandbox and where do you leave off and where do they pick up? What's that relationship like?
Clarke Rodgers
>> So, AWS has two areas that we play in. We have security of the cloud, which is everything we do at AWS to make sure it's the most secure cloud provider that customers can put their most sensitive workloads on. On top of that, we also offer services that can use to make their environments as a level of security that they need to have for their desires.
Dave Vellante
>> Like Security Lake would be an example.
Clarke Rodgers
>> Example, or GuardDuty or Security Hub, Inspector. All of these wonderful tools. Our tools don't do everything, however, and that's where there are areas for great partners like CrowdStrike to come in. They have their endpoint solutions. We don't have an endpoint solution. They can integrate with servers, and they're also building on top of AWS to deliver their solutions. So, it's a win-win for everybody. So, the most secure cloud platform supporting one of the top security vendors on the planet, again, to support our shared customer base.
Dave Vellante
>> All through an API that the developer can access.
Rebecca Knight
>> Yes, and as you said, when we were before the cameras were rolling, you were looking around feeling gratified that this is a shared responsibility.
Clarke Rodgers
>> It's absolutely fantastic. I see a lot of familiar faces in here from security partners and customers, et cetera, and we all have that one mission to make the internet a safer place to do business and live and work and play.
Rebecca Knight
>> Excellent. Well, Clarke, a pleasure having you on again, as always.
Clarke Rodgers
>> Thank you so much.
Dave Vellante
>> Yeah. Thanks for your time.
Rebecca Knight
>> I'm Rebecca Knight for Dave Vellante. Stay tuned for more of theCUBE's live coverage of Fal.Con 2025. You're watching theCUBE, the leader in enterprise tech news and analysis.