According to Dark Reading, Sara Duffer spent three years between 2020 and 2023 in Amazon’s shadow program working directly under Andy Jassy, both before and after his promotion to Amazon CEO in 2021. As VP of compliance and security assurance at AWS, Duffer normally focuses on helping customers meet cybersecurity regulations and AWS’s 143 compliance certifications. The shadow program pulled her completely out of her security role to experience the broader business perspective, where she documented a recurring theme of “voracious curiosity” in her daily journal. Through observing executive meetings about strategic priorities, she learned the importance of persistent communication and gained new insights about customer experience that she’s now applying back in her security role.
Voracious curiosity in action
Here’s the thing about shadow programs – they’re not just about watching someone work. Duffer discovered that the most valuable skill she developed was what she calls “voracious curiosity.” She literally wrote those two words in four different places in her journal. Basically, it’s about asking questions until you can explain the concept yourself. She thought she was already good at persistence, but watching Jassy operate at scale showed her what real persistence looks like in a massive strategic business.
Security meets business reality
The most interesting shift happened when Duffer returned to her security role. She realized that compliance teams often get stuck in certification mode – always focused on the next audit, the next control. But she came back understanding that “we are in the business of trust.” That’s a fundamental mindset shift. Instead of just checking boxes, she’s now asking how effectively they’re executing controls and what the actual customer experience looks like. It’s easy to create burdensome bureaucracy for the sake of bureaucracy without realizing the friction it creates for customers trying to move workloads to AWS.
Why leadership development matters
Look, we’ve all seen companies with rotational programs, but this is different. Duffer had spent her entire career in cybersecurity, and the program forced her to see beyond that single lens. She thought she understood the full breadth of AWS’s business from her security role, but the shadow experience revealed blind spots. And that’s exactly why programs like this are so valuable – they break people out of their functional silos. When technical leaders like Duffer can bring broader business perspectives back to their teams, everyone benefits. Companies that invest in cross-functional development often find their teams make better decisions because they understand how different pieces connect.
The future of security leadership
So what does this mean for security leadership going forward? Duffer’s experience suggests we’re moving toward security executives who think more like business leaders. The days of security being a pure compliance function are ending. Security leaders need to understand customer experience, business priorities, and strategic direction – not just risk postures and control frameworks. And honestly, that’s probably a good thing. When your security team understands what actually matters to customers and the business, they can build security that works rather than security that just checks boxes. The best security solutions, whether for cloud infrastructure or industrial applications, come from understanding the full context – which is why companies that invest in cross-training their technical leaders often come out ahead.
