Serverless/ Lambda CyberSecurity: Unhinged realities and magnitude impacts

These past six months I have had the privilege of developing and building the cybersecurity strategy for the global digital products of an industry leader. We are working with traditional end-client products, serverless architecture (i.e., Amazon Lambda), IoT, and our own firmware, which is used by millions every day. While I cannot share the successes, technology, and methods in full, I aim to share what I can with our community.

One aspect of this experience has been exploring and discovering the most suitable strategy and practical safeguards to ensure the best customer experience across these extreme environments. My intention in sharing these insights is to encourage debate and development. As with any discovery, perspectives from multiple individuals create the greatest utility.

Strategy unhinged

Having crafted digital strategies over the past decade, I was surprised how easily classic concepts and assumptions were challenged. Here are a few that top my Moleskine notebook:

  • Roles and classic ownership disappear
  • Third parties are the product now
  • Permanency doesn’t exist, so don’t look for it

I will share greater detail on each of these observations in a future reflection, as they deserve their own deep dive given their complexity. To offer some leads for improving your own environment, here is what I have seen for each of these components.

Roles

— The RACI in the classic sense needs to be rebuilt. A solid first step is to reframe the areas of concern (the left column) to match your cybersecurity policy and app strategy elements. The roles should drill into the product principals and their authority chain.

Third Parties

— Build a dependency inventory of the libraries, services, managed services, integrators, shims, and digital elements of your product. This requires patience and following the rabbit hole. Start with a spreadsheet (XLS) and move to something more dynamic and automated to be sustainable in the long term.

Permanency

— Flux is the nature of digital products, and the honeymoon of web apps or smartphone apps built on a single platform and set of standards is over. Adjusting the safeguard concepts and risk analysis flows, and honestly finding ways to accelerate product innovation and architecture discussions, is the key to success here.


In a serverless environment, calls and services can grow exponentially; in fact, they grow magnitudes faster and become more complex than most expect. As a result, innovation and buildout of these environments must be matched by similar innovation and responsiveness from across the organization. Those who have proven to be successful partners in this process include:

  • technical engineers actually writing the code of the product
  • team members who wrote the shims / interfaces between product and these serverless environments
  • hosting providers (Amazon in many cases) and their services, to unearth the data necessary for performance improvement, forensics, and analytics

How have you changed your risk management analysis with serverless architecture?

What new goals have been set with regard to these new digital solutions?

What is the tolerance level for impact to your customer’s experience with regard to quality and faults?

How are you using patterns and anti-patterns to discover faults in the transaction and performance of these REST end-points?

Just a few questions to consider…

Set goals, diagnose challenges, and build your cybersecurity strategy with heavy contemplation of 1st, 2nd, and 3rd order consequences (such as exponential cost curves on team members and $$)

Building a cybersecurity strategy requires a full appreciation of the business direction, current technical assets, and the technology being developed and supported. Many organizations began with a strategy — a basic one built on fundamental elements, such as having good availability and ensuring our operations execute as expected. Simple.

Today, though, we as leaders are being sought out for a strategy around our digital assets, technology solutions, and customer experience. These require a rebirth of your strategy and are an awesome opportunity for everyone involved. My experiences here have seen the great and the bad. Great where teams collaborate, innovate, and customer feedback is fantastic. Bad, well, usually these are just false starts — where isolated ideas never become operational realities, or, in other cases, where textbook ideas don’t fit the reality of a business.

Having been at the center of reboots and uniquely blessed to build such programs (generally around digital products, IoT, and currently serverless / Lambda), I have found a principle that has benefited me repeatedly. It is a first principle of sorts on how to approach strategy development and activation (the initiation of a new strategy within an operating organization, whether 10 teams or 5,000 teams), and it is best approached by asking how your strategy answers this question:

How much do you respond to 1st order consequences at the expense of 2nd and 3rd order consequences?

With this question answered, your strategy analysis can be accomplished, in my experience, by structuring the approach in the following process: one that creates laser focus on achieving your goals without rushing into activities before the 2nd and 3rd order consequences above are considered.

To achieve your goals:

  • Set Goals (high level, specific, prioritize)
  • Identify and mitigate problems (resources, buy-in)
  • Diagnose root problems (get to the nerve of the issue)
  • Design plan (be practical and creative, not all things need to be fixed)
  • Task and complete (tasks aren’t the goals, but require diligence to achieve goal)

Greater expansion on this idea is developed and articulated within the Management Principles of Ray Dalio of Bridgewater Capital, one of the most successful management companies in the world.

The Startup Idea Matrix – The Mission – Medium

Wow, I love this structure and brainstorming approach. This isn’t a mission to fill the voids, but an exercise I challenge all strategy, product leads, and digital executives to partake in for their customer groups.

There is something magical about laying out the ideas … talking to customers … seeing around the curve, and maybe simply creating a beautiful experience in your app, at your location, or with your teams for those long-tail (future!) clients.

Build something great – ship it and create an amazing customer experience. Full link to the above matrix on Medium.

Keep innovating – James DeLuccia

The Startup Idea Matrix

I generally think it is smart to have patience in finding an idea that pulls you in: a market or opportunity you can’t imagine not pursuing. Patience in the near-term will save you a lot of time in the long-term. However, I’ve found one way to find this idea is to gain broad exposure to different markets until a specific opportunity and mission stands out to you. Credit to Chris Dixon who showed me this format a few years ago.

Source: The Startup Idea Matrix – The Mission – Medium

This is how you make Twitter profitable and safe – results of strategic analysis


These past few years we have heard of the troubles of Twitter. Despite a brilliant founder and team, they are just not hitting the metrics and social impact possible.

I have heard plenty of banter on how to solve it, but I think the simplest solution is to practice what is already working: an approach that gains revenue, limits trolls, and raises the quality of the network in general. This has the potential to double or triple the value of Twitter. It would also improve the customer experience.

This analysis is based on a detailed financial review and an exploratory canvas of options across start-ups and established businesses. If you spend time in the start-up scene, from Atlanta to Silicon Valley, you know the passion and value of such customer experiences. There is more to be done, but let’s remove the noise.

To make Twitter Profitable and safe ….

Charge for accounts.

Imagine if web domains didn’t require you to pay for them — how could you ever manage them, let alone allow free market forces to self-correct towards quality? Charging for accounts will ensure that those (news outlets, media stars, etc.) who are making revenue off the platform pay … those who use it to draw insights and have conversations also benefit by paying for it. EVERY start-up that led with a freemium model converted elegantly to a pay model … unless they had a superior platform for advertising.

Twitter is not a platform — it is a messaging space.

Have a twist on this idea? An alternative approach? Share it! Let’s make a sustainable business out of something we have all benefited from, but maybe lost some love for due to the filth.

Source: This is how you make Twitter profitable and safe – Medium

How Google positioned its size and security as a strategic advantage

Google has published an in-depth outline of its cybersecurity initiatives around the Google Cloud Platform. While not as public as Amazon’s cloud control details, it is worth a quick review for startups and business technologists looking to expand their offerings across this platform.

One item that I thought was well described, and that aligns with my recent strategy article published here on Creating Value, is how they position their size as a benefit to the consumer.

Specifically, Google articulates, and has engineered its offerings to take advantage of, its size and scale to be MORE secure and MORE responsive to customer activities. This reinforces its position as a leader and illuminates many of the ‘Good to Great’ qualities espoused by Jim Collins.

How you design your next solutions can be a cumulative advantage, if done strategically.

A global network with unique security benefits

Google’s IP data network consists of our own fiber, public fiber, and undersea cables. This allows us to deliver highly available and low latency services across the globe.

In other cloud services and on-premises solutions, customer data must make several journeys between devices, known as “hops,” across the public Internet. The number of hops depends on the distance between the customer’s ISP and the solution’s data center. Each additional hop introduces a new opportunity for data to be attacked or intercepted. Because it’s linked to most ISPs in the world, Google’s global network improves the security of data in transit by limiting hops across the public Internet.

Source: Google Security Whitepaper  |  Documentation  |  Google Cloud Platform