KEYNOTE: Amazon Web Services -- Move Fast and Don’t Break Things: Security at Scale


Merritt Baer
Amazon Web Services, Principal, AWS OCISO

Merritt (Twitter: @MerrittBaer) is a Principal in the Office of the CISO at Amazon Web Services. Merritt provides technical cloud security guidance to complex, regulated organizations like the Fortune 100, and advises the leadership of AWS’ largest customers on security as a bottom-line proposition. She also helps build strategic initiatives for how AWS secures itself, running on AWS, and how we externalize security services.

Merritt has experience in all three branches of government and the private sector. Before Amazon, Merritt served as Lead Cyber Advisor to the Federal Communications Commission. She has also served at the US Department of Homeland Security, the Office of US Senator Michael Bennet, and the US Court of Appeals for the Armed Forces. Before joining the government, Merritt started a business advisory for emerging tech companies.

Merritt speaks regularly on infosec, including cloud computing, AI/ML, quantum computing, and the future of the Internet. Her insights on business strategy and tech have been published in Forbes, The Baltimore Sun, The Daily Beast, LawFare, Talking Points Memo, and ThinkProgress. Her academic work has appeared in the journals of Temple, Georgetown, Santa Clara, UPenn, and UVA.

Merritt is a graduate of Harvard Law School and Harvard College. She is admitted to the Bars of New York, the United States Court of Appeals for the Armed Forces, and the United States Supreme Court. Based in Miami, FL, she has been a member of the Council on Foreign Relations, a National Security Fellow at the Center for New American Security, and a Cyber Fellow at the East-West Institute. She is founder of women’s tech expert network Tech & Roses; has served as Adjunct Professor of Cybersecurity at the University of Maryland and Penn State Law School; is a mother; and was an amateur boxer.


Ada Lovelace was one of the first to recognize the ability of a computer to do higher-order reasoning. Now, with the move to cloud, you too interact with infrastructure as code, and security as code.

It’s a new security reality: from the moment you start to build, you configure governance and security controls, identity and access management; you make choices around services and resources; you store data and backups and architect for redundancy and high availability; and so on. To do security at scale, you must embrace the reality that security engineers are developers, and developers are architecting for security. Making the secure thing to do the easy thing to do is hard, but it is the only way to do security at scale.