Ami Luttwak of Wiz wants to change the culture around security

Ami Luttwak, the CTO and co-founder of the cloud security startup Wiz, thinks the culture of security in tech is making it harder for developers to fend off attacks. The era of isolated security teams laboring to chase down threats is over, he says. It’s critical for every software engineer to have the tools they need to proactively address the most pressing issues, particularly as cloud technologies and AI accelerate the pace of development.

“The cloud gives you power,” says Luttwak. “You can create anything you like.” But, he adds, that power comes with a mandate to own and proactively address the security requirements for those new tools. At Wiz, Luttwak hopes to democratize security by breaking down information silos and extending responsibility for vulnerabilities across entire companies and teams.

Luttwak co-founded Wiz after serving as the CTO of the Cloud Security Group at Microsoft. Prior to that, he was the CTO for Adallom, a cloud access security broker, which Microsoft acquired in 2015. While at Microsoft, Luttwak was instrumental in the company’s R&D group, launching several projects such as Azure Security Center, Azure Sentinel, and Azure Advanced Threat Protection.

Following Wiz’s launch in January 2020, the company quickly rose to prominence. Today, it supports 45 percent of the Fortune 500. Just four years old, the startup made headlines earlier this year when it rebuffed a $23 billion acquisition offer from Google.

Luttwak joined Caroline Hyde, host of Bloomberg Television’s flagship technology show, at Bloomberg’s Park Avenue office in New York City on Thursday, December 12, 2024, for a conversation as part of the Cornell Tech @ Bloomberg Speaker Series. He spoke about the cultural challenges facing the security community, the importance of shared responsibility, and how best to address the fact that security professionals are outnumbered and outgunned in an AI-powered world.

Reimagining security’s role in a complex landscape

Luttwak suggests that the challenge for security teams is maintaining ownership, while contending with finite resources and ensuring that risk reduction does not impede the rate of innovation. In fact, most developers want to create new features and work with their customers, not moonlight as a security practitioner when their workload is already sky high. “Do you wake up in the morning and want to do security? No,” says Luttwak. “You want to build stuff.”

It’s a problem that’s compounded over the last decade, as the sector has become more complex. Advancements in cloud and AI have accelerated to the point where thousands of new services appear every day – and all of those services and apps need to be protected against attacks.

“What we’re trying to do is change the core way people feel about security. And that starts with trust,” says Luttwak. With Wiz, he and his team are hoping to ensure every engineer trusts their security system and feels ownership over that project. The best way to achieve this, he says, is to “take the complexity of security and attacks and simplify it into a single thing so that I, as an engineer who owns an application, understand exactly what I need to do.” Providing developers with the tools they need to find clarity, he says, will enable them to focus their efforts on the most important tasks.

Democratizing security by contextualizing threats

When Wiz launched, it had raised a significant amount of capital, but it was a difficult time for a new business. COVID-era restrictions changed the nature of the work quickly. “No one wants to address something futuristic when they’re worried about today,” Luttwak says. But, he had learned at Microsoft that “innovation comes from stress.”

Luttwak uses the metaphor of a building’s security system to explain what his team invented. For instance, in an office building, there might be a team securing the doors, a team securing the windows, and a team securing the elevator. But securing the windows on the highest floors isn’t quite as important as securing the lower doors or the elevator, based on the probable threat.

“We’ve built a tool that actually understands the context, that understands that this is the 22nd floor, and probably no one is going to come up there.” By making contextual threats incredibly clear to development engineers, he hopes to democratize security.

Changing the culture around security

Ten years ago, says Luttwak, a security specialist would have likely focused on firewalls. Today, the industry has transformed so much that security is an entirely different profession.

“When everyone moved to the cloud, everything about security changed,” he says. The goal now is to understand the cloud in partnership with developers.

AI has added additional strain. With AI, “security is outnumbered,” says Luttwak. It’s impossible for a security team to chase after every threat, so Luttwak favors giving entire teams visibility into a project’s security apparatus. “You cannot continue to work manually, because it just doesn’t make any sense. If you don’t change the way you operate, you will become irrelevant,” he says.

When it comes to this proactive security approach, “everything is about culture,” says Luttwak. “You need to have a culture where people take ownership, and a culture of actually sharing information across teams.”

As Wiz’s CTO, he sees himself as a necessary corrective to traditional organizational structures. “If everyone cares about org structures, then, by definition, you start seeing silos,” he says. Luttwak believes Wiz should be connecting the dots between different parts of a company, because, after all, “The attacker doesn’t care about your org structure.”

You can watch the entire discussion below:

This article was originally published by Tech at Bloomberg.

Related Articles