2022

The good, bad, ugly and

thoughts for the future.
TIME OVER THE LAST 14 MONTHS

OLAONIPEKUN, MARIE
Table of contents

INTRODUCTION 2

OVERALL OBSERVATIONS & THOUGHTS 2

JOB LEVEL 3

THOUGHTS 3

TOXIC WORK CULTURE 4

THOUGHTS 5
EVENTS 6
THOUGHTS 7

RACISM AND BIAS 8

EVENTS 8
THOUGHTS 9

POOR MANAGEMENT BEHAVIOURS 10

THOUGHTS 12
Introduction
This document is an account of my time over the last ~1-year, documenting, the good,
bad & ugly. Thoughts in general and for the future. It also talks through some of my
contributions as summarised here: Marie O Contributions

Readers may agree or disagree; however, this was my experience, my truth and for the
sake of posterity and continuous improvement, I hope as Leaders/Managers take some
learnings from it.

Overall Observations & Thoughts

Amazon’s (AWS) drive and principle of build and launch fast may become a disadvantage,
as the they continue to compete in complex environments and industries.

The heavy reliance on pen-testing at the end of the build cycle is a concern, AWS should
seek to if not already build a DevSecOps team to interact further upstream on executing
investments within the value generation cycle i.e. developing AWS features. Build with
security in mind, it may slow the build down but would ensure there is a diverse security
thought perspective. I suppose for this to happen a shift in mindset and culture will be
required.

AWS currently have the largest market share in the cloud market as pioneers in industry;
however, year on year growth has slowed down as competitors in industry such as
Microsoft Azure establish themselves as market leaders with AWS losing its clear-cut lead
as innovators in this space especially as buyer power and their attitudes towards cloud
services evolve.

I have advised many such organisations previously; companies that compete against itself
only gives opportunity to its industry competitors to take advantage. Internal competition
and the current culture may have been beneficial to Amazon in the past and AWS
(Amazon) being a cash rich organisation can adopt this principle of 2>0. Although multiple
ideas leading to innovation is greater than zero, it also this leads to duplication, wasted
efforts and low morale for the losing teams. It is also not cost effective. 1 > 2 > 0 is
definitely better as it allows for investments to have a varied perspective and fosters
communication and collaboration cross functionally to resolve a common problem or
solution an idea, a very important principle in DevOps. The current culture of competing
within itself may no longer be a viable option clearly indicated by the toxic culture and
decline in YoY growth. If AWS (Amazon) are to remain competitive in industry as
competitors, it is recommended that the company and its resources adopt a culture of
value driven outcomes over high performance and collaboration over internal competition

AWS (Amazon) must become very strong advocates against bias including optimising their
DE&I initiatives i.e. racial, gender, sociology bias etc

Without a culture shift at Amazon (AWS) Day 2 is coming! As buyers seek end to end cloud
solutions that offer security, are cost effective and integrate well with their company’s
eco/operating system (an edge Microsoft, AWS’s competitor has over Amazon).
Job Level
In March 2021 I received an invite on LinkedIn to apply for a role at AWS. In June 2021 I
joined AWS having turned down two other offers paying considerably more; however,
financial compensation wasn’t my motivator the opportunity to work at AWS and the
work to be done was truly what enticed me.

During compensation negotiations I did wonder why there was such a compensation
variance, it was later that I understood the reason why. As a consultant, intricacies such as
Job levels aren’t something that you pay particular attention to; however, I have wondered
how my almost 20 years’ experience landed me in an L5 role and how that compares to a
colleague with 5.5 years’ experience also landing an L5 role. A lesson I have now learned
and will pay particular attention to in the future regarding permanent roles.

When I spoke to peers at the same level but with considerably shorter years of experience
they often didn’t understand or have an appreciation for what I was conveying. This isn’t
a problem, in strategy or operations development you would often be misunderstood as
your foresight is something others may not understand yet especially if there isn’t direct
or immediate impact; however, at AWS if something isn’t understood it is viewed as
incorrect since everyone is right a lot. This behaviour once led a frustrated colleague who
had just joined to link “xxx for dummies” to a slack channel as they were accused of being
wrong instead of being asked to explain. I understood their frustration all too well as I too
was so frustrated prior that it led me to writing what I call ‘angry quip’: Pen-testing a
month following my arrival. Although a messy quip most of what is mentioned is still of
relevance and has either been applied, in the process of being applied or should be
applied.

Thoughts
Not being at the right level with right accountability and authority has resulted in
initiatives’ that required implementation and could have led to growth just didn’t happen
due to political agendas, self-preservation over business needs and the inability/authority
to overrule certain decisions.

The LP “Are right a lot” is one that should be reviewed it really just encourages tone
deafness even though the third sentence states “They seek diverse perspectives and work to
disconfirm their beliefs” most abide by “Leaders are right a lot” notion therefore, are
unwilling to learn or listen even when they truly do not understand, impacting growth,
limiting perspectives and diversity of thought. The LP title should change to “Seek
Diverse Perspectives” with the below sentences: Leaders seek diverse perspectives and
work to disconfirm their beliefs, enabling them to make smart insightful decisions. They
have strong judgement and good instincts.

Amazon seeks to hire and develop the best; however, they go out and hire very smart
people who are highly capable but then tell them what to do or have them doing non-
value add work.

Relevant Steve Jobs Quote: “It doesn't make sense to hire smart people and tell them
what to do. We hire smart people so they can tell us what to do.”
Toxic Work Culture
A culture of;

 Results and impact driven over value add

 Siloed working impacting innovation & growth
 Competition and hostility over of collaboration and support
 Shame and blame over learning and encouragement
 Command and control over open dialogue

I have had colleagues;

- Try to throw me under the bus i.e. give incorrect advice and then set up a meeting
with others to try catch me out.
- Withhold vital information that is required to complete work. When asked
privately they don’t have the information but when a manger or if raised publicly it
miraculously appears.
- Paint me in such bad light that random folks are hostile without knowing who I am
- Verbally attacked or rather as they said “freaked out at”, for trying to do my job;
however, against their command. We are all peers, so had to ask; are you my boss?
Even then should you speak to me in such a way?
- Publicly e.g. in Slack channels, reprimanded, harassed and accused regarding others
development or rather lack thereof, for coming up with ideas that didn’t conform
to their status quo and then privately send apologies.
- Mini campaigns with request to others to bear false testimonies about me and my
character, with requests asking them to say I am controlling and aggressive.
- Doc reviews become a way to be antagonistic as opposed to give critical feedback
delaying implementation of processes that would add value to the business and
team which doesn’t conform the Deliver results LP.
I escalated poor behaviour of an individual to management last year. I was told off for
causing anxiety/stress to that person with no regard in the world for my stress which led
to the escalation and frustrated email in the first place. The same individual then went on
to cause two members of the team distress at a team meeting leaving them wondering if
management condoned/encouraged such behaviour.

I once challenged a member of management about naming and shaming a colleague to

make a learning point in a slack channel. The learning point could have been made
without naming and shaming. The member of management told me, it’s how we learn
here and there is no shame in blame. I asked “did you check with the person being named?
Did you talk to them and do they understand what they did wrong? Are they okay with
being used publicly as a bad example? Do they know it is purely for learning and they are not
in any particular trouble?” The individual who made the error had only been in the
company for around a month. When challenged the member of management quoted LP
“Earn trust”, and that the individual must be vocally self-critical. I mentioned the key
there is “Self-Critical” so you can raise the learning without naming but you give them a
chance to hold their hand up and admit their failing by being self-critical and therefore
earning trust of their peers. Besides they are relatively new and may not understand being
used publicly as a bad example is the culture, an assumption has been made that they do.
For those of us watching as bystanders and are relatively new too it makes us feel
cautiously concerned that we could be publicly shamed too for the sake of learning.

At this point the member of management then threatened me by saying “I will give you
some unsolicited advice; they were watching me, everyone is watching me and I punted on
my first run of the QBRs (scorecard)”. To which I said, you just proved my point it is not a
safe space to fail and there is always shame in blame. Maybe I should name that particular
member of management as there is no shame in naming or blaming, right?! Or rather give
them the opportunity to be vocally self-critical as they should have done the individual who
made the error.

Doc reviews are meant to be mechanisms that allow for informed decisions to be made in
a timely and fashionable manner, they are also used tacitly to evaluate contributions
made. In a toxic work environment; however, they have become a way to demean and
disparage people’s efforts i.e. individuals being unnecessarily aggressive and combatant
with feedback, antagonise and delay launching initiatives i.e. a political weapon

- A colleague had an idea to use sim labels to help understand pentesting churn, this
led to 5 meetings ~3-4 hours of wasted resource time because certain individuals
were being difficult and incompatible not for valid business reasons or that they
had any constructive feedback to provide but because they could.
These negative behaviours cause myself and others to be hesitant of raising ideas or
sharing them through doc reviews, as it became a way to lower morale and be a blocker to
progress when certain individuals were around.

Doc reviews have become counterproductive!

Individuals flat out lying about results to get noticed/promoted or for approvals. In
project/program management you may do a little budget padding and a minor
embellishing to drive home certain points to get approvals but flat out lying causes those
who need to make it a reality further work in backend which tends to be within limited
perspectives.

These are all indicators of a toxic culture.

Thoughts
I am purposely not being explicit i.e. use of weasel words because it isn’t my
colleagues/managers (workforce) that are entirely the problem. What I am trying to
highlight is they too are victims of a culture/system that forces them (in most cases) to
behave in such a way, most are operating from a place of anxiety and survival of the
fittest in an environment where it is not (in most cases) a safe place to fail, be vulnerable
or show empathy. Realising this, I try to treat even the worst of them with compassion
and empathy.

You can speak to a multitude of people and they will tell horror stories of how senior
members of management have tried to get them fired, placed them on focus/PIPs, how
colleagues set them up and threw them under the bus etc. Toxic individuals twisting and
weaponising the LPs to suit their agendas/points.

In many cases Individuals who display poor behaviour, are non-collaborators, literarily
bullies get promoted and rewarded as they understand that as long as they can be seen
to be high performers (result & impact driven) it doesn’t matter if they leave a trail of
dead bodies behind. It doesn't matter if what they delivered lacked perspective or would
cause others rework down the line, they delivered, results were seen and there was
impact. Based on that they are high performers which is what Amazon (AWS) strives for.

Events
Below is an example of where high performance over value add can be detrimental to
business and growth

In October 2021, ~3 months after my arrival, I had to run the Q3’ 2021 vendor scorecards
in preparation for that quarter’s QBRs whilst it was also re:invent and I was heavily
involved on Primary. Following a run of the pentesting operation report, the results
produced clearly indicated that there was a problem. I told my predecessor in role and
they said “Marie just use it as it is and manually plug in the missing data.” In hindsight I
realise why they said that but for the life of me I couldn’t understand why we wouldn’t
seek to fix our data especially if this impacts vendor renewals, millions of dollars but most
importantly, ensuring that the security of AWS products are indeed safe and secure as the
last line of defence. AWS is a company that prides itself on data driven insights, surely an
accurate representation of vendor pentesting performance should take precedence over
when a meeting (QBRs) takes place? I mentioned then that manual plugins only deal with
what we see and are prone to errors.

The QBR meeting was pushed back by a month to fix these data integrity issues and
coding errors with Management approval; however, I was attacked for failing or rather the
word used was “punted” i.e. you punted your first attempt at the QBRs (scorecards)
everyone is watching!

I will say this again; pushback a meeting over providing data with integrity issues. Upon
looking into, data erosion had been occurring since Q1’21 and truly failed in Q3’21, -85%
of data missing with gross code errors highlighting the issues with manual plugins and
that scorecards previously delivered were not an accurate reflection of pentesting
delivery.

I fixed the problem where -85% of data was missing in Q3’21, the QBRs took place with
Vendors commenting on level of detail and accuracy of information in a positive way.

I continued to be vilified for pushing the QBRs back and not delivering, instead of
recognising the value outcome realised. The meeting still went ahead, processes broken
were fixed and there wasn’t negative impact to service.

What is the problem? Is it that the meeting didn’t take place on a certain date? Irrespective
of the fact that the data used to make decisions would’ve been utter drivel and truly
misleading, with indirect negative impact to quality of pentesting delivery? If I had gone
ahead and used data that was missing 85% of information with code errors, I would have
been seen as a high performer? That to me, doesn’t show customer obsession, ownership
or insisting on the highest standards! Make it make sense, please?!

Changes to process without proper business impact assessments to deprecate processes

i.e. impact to backend, code/automation, meant that the AVP-ETL constantly broke and the
way pentesting data is aggregated across various systems is a major mess. I have in the
course of my time here manually updated 30k+ entries in excel, sim whilst also manually
reviewing ~ two thousand s3 buckets. A gross miss use of my time and skills impacting
the implementation of value-add work such as strategic quality and technological
initiatives I.e. pentesting governance process, Scorecard Evolution etc.

Quip, emails and slack channel (dedicated to scorecard issues) detailing issues with
escalations and request for help/resources, mostly fell on deaf ears and in Feb 2022
following my work stress crisis, management stepped in to fix what they could. It
shouldn’t have gotten to that stage, a lesson I hope management will learn and seek to
avoid in future.

Below shows a breakdown of what happened in Q3’21 Athena pull used to draw up
scorecards vs sim pull and once Athena was cleaned up what the percentage change was.
Somehow the tool (Sim) which is the original source of data’s database has less than
Dynamo DB following a clean-up of Athena and they were not duplicates indicative of
data aggregation and integrity issues!

Truly shocking and exhausting, till this day AVP-ETL is plagued with issues impacting
service deliverables, which for the life of me I cannot understand why management does
not see this as an item of priority.

Thoughts
There are fundamental issues with the culture as it means solutions produced lack
perspective, tend to be tactical as opposed to strategic solutions therefore are only meant
to function short term not long term. This is very evident with duplication of efforts, the
tools and processes that are forever failing i.e. PRT-ETL, AVP-ETL and the constant work
around of work arounds. Built in technical debt and constant refactoring due to incorrect
resources building tools in their spare time i.e. Security pentesting engineers building tools
that require a software development engineer. It’s like asking a carpenter to develop
software, yes, he is a builder but not that kind of builder! This is beyond scrappy, it is
retardant!

Racism and Bias

In my ~20 years in industry I have never faced direct Racism. In the UK it is an
undercurrent, micro aggression form but for the first time I witnessed individuals make
assumptions on my character and tried to incriminate me based on the colour of my skin.

In the first few months after my arrival certain individuals tried painting me as this
aggressive and controlling individual. Purposefully tried to aggravate me in the hopes
that I would react in a way that would confirm their notions/stereotypes. When that
didn’t occur, they approached other colleagues to bear false testimonies against to me.

Events
- Caucasian male calling two Caucasian women into a meeting to tell them that they
can say it; that I controlled them, forced them into completing an action because I
am aggressive and they were afraid of me
- A Caucasian female, telling another set of colleagues (male: Caucasian & female:
South Asian) that it was my idea, I forced a decision on them against their will.
Fortunately, I do not operate this way, so every time they tried to incriminate me as
something I am not based on preconceived racial biases, they were told that is not the
case and in one case, put in their place. i.e. informed that they would be reported to
HR. The individuals they had approached informed me about what had happened. The
irony of it all is that one of the individuals who went around trying to prove me to be
aggressive and controlling wasn’t someone I actually interacted with much or had an
altercation with from my perspective at the time, he had been influenced by another
colleague. The colleague who influenced him then apologised to me for the part they
played in influencing them. Till this day, that particular Caucasian male still exhibits
implicit (perception & Confirmation) bias and therefore treats me as a problem and
acts as though I am to be avoided as some kind of threat.

It was truly bizarre and from a racial standpoint in the UK and in Europe this is quite
brazen and appalling!

There are other issues that occurred;

- Management easily believing comments made about my character, instead of

getting to know me approached me with hostility, tone deafness i.e. telling them
the AVP-ETL is failing and being told it wasn’t broken before I took over the
program, informing them that the Scorecard (as an immediate action) needs to
focus more on technical quality (misses and audits) carrying more weight over
operations section. I was told to respect what came before and then sent my Job
description with a comment that I had questioned my role. This truly made the
work experience hell.
- Negative assumptions made about my intelligence based not only on the colour of
my skin but also my gender. This was mostly from male colleagues and wasn’t
 unique to me as other female colleagues expressed bias faced based on their
gender.
- Female colleagues passed up opportunities that they were clearly more than
capable of running or had been running in favour of their male counterparts who
don’t hold a candle to their capabilities, displaying explicit bias.
- Female colleagues told because they went on maternity leave are not capable or
eligible for promotions. Their experience, skills, education and capabilities doesn’t
just disappear and become void because they had a baby. This is discrimination!
An Explicit bias that should not occur or be tolerated!

Thoughts
A truly appalling and once again shocking experience. I was subjected to individuals who
would be contradictory for the sake of it, making it very difficult to implement any
initiatives or do my job. Two of such individuals have gotten promotions and/or given
opportunities that in some cases they are not qualified for.

Although AWS and the wider Amazon is an American company, allowances were given
around American and Amazonian peculiarities regarding the culture on my part and I see
that being done by other non-Americans as the American culture is the dominant one but
the same principle/allowances aren’t given by most Americans for other cultures. I am not
American certain things fly completely over my head, culturally even though we are
speaking a common language i.e. English. Something as simple as West Coast for an
American, I had to ask “what Timezone is that please?” Assumptions were made that I
should know what it is.

Approaching my manager when a colleague is being difficult and all actions to try to fix
myself have failed. Asking the manager to step in as a servant leader/people manager and
fix our issue is them doing their job, so we (colleagues) can move forward in an amicable
professional fashion. This doesn’t seem to translate to American managers as I guess the
culture doesn’t allow for it. Rather than explain or seek to resolve I am treated as the
problem and perceived a certain way for reporting a colleague without explaining these
tacit cultural nuances that is lost to a non-American.

I am not American and the only thing in common between a black American and myself
would most likely be the colour of skin. The way I speak, dress, how I was brought up, life
experiences including how I would react to certain situations would differ immensely. In
the DE&I Amazon global HR awareness training, it lacked a varied perspective as it was
based on American narrative sociology, therefore difficult to relate if not an American. I
suppose now that I have been subjected to racial bias from an American sociological
perspective I can relate somewhat. Yikes! there’s a morbid silver lining if you ever needed
one!

Assumptions were made about a person’s character and capabilities based on racial and
gender specific implicit and explicit bias which influenced behaviours and continue to do
so in a detrimental way to the recipients of such bias in the work place. It is truly sad to
realise people are subjected to this based purely on the colour of their skin or gender. It
also impacts getting on with work.
Amazon (AWS) the institution and its individuals have a role to play by ceasing to
perpetuate stereotypes. HR/organisation culture makers must identify risk areas where
implicit and Explicit biases may affect behaviours and judgments. Instituting specific
procedures of decision making and encouraging people to be mindful of the risks of
implicit/explicit bias can help to avoid acting according to biases that are contrary to (I
should hope) Amazon’s (AWS) values and beliefs.

Poor Management behaviours

I suppose this was the most painful of all, looking towards management and leadership
for support and guidance only to find the same bias but also;

a. Tone deaf leadership

b. Hypocrisy and Condescending attitudes
c. Favouritism/Nepotism
d. Political leadership

In my ~1-year (14 months) at amazon I have had four (4) managers, with a 5 th arriving this
week. All having different leadership styles driving varying agendas.

Timeline

I. Luke Potter: Q2-3’2021 (Step in Manager)

II. Chris Davis & Craig Gonzales Q3’2021 (Interim support Managers)
III. Lisa Dreznes Q4’2021 – Q2’2022 (Manager)
IV. Wes Snell Q3’2022 (Step in Manager)
V. Rama Chikkam Q3’2022 (Just arrived)

Luke Potter (Q2’21) was interim manager whilst Lisa was on mat leave upon my arrival at
AWS, such a wonderful individual. At the time Risk dashboard violations and ASA training
noncompliance was priority I was asked to fix it. I built a process to fix which saw this
issue fade into the background with Risk dashboard violations drastically reduced with
semi-autonomous actions making it a non-issue. The same applied for ASA mandatory
training, whilst training most of POM on primary. i.e. training 4 people i whilst on primary
for the first time! I was criticized and attacked for adjusting the process to allow for a
better i.e. less stressed experience with delivering and reduce errors and service
delinquency. The negative behaviours got out of control; however, Luke mediated to
facilitate a better professional working relationship with longer existing members of the
team and newer members including myself.

I was then asked in my second month to build a process (as priority) that would allow
POM to operate successfully through re-invent and to give visibility to escalations a Gap
that came up in the 2020 re:invent post mortem. I asked Luke at the time, what about the
KPI’s and governance initiative? I was told these were priority and I was doing fine, not to
worry about that. Luke left and managers were between Chris Davis & Craig Gonzales
whilst Wes Snell onboarded in Q3’21. I built the re:invent operations model utilising
process enabled by people i.e. individuals doing primary roles in scheduling, escalations and
operations with cover and technology e.g. PRT, reports from Quick sight with business
monitoring via Quip escalation tracker to allow for insight and optimisation in real-time &
thereafter especially for manual processes.

The process allowed us to pivot in real time to handle service Team and delivery gaps. E.g.
changing messaging to manage customer expectations and minimise the number of
escalations around “what is the status of my pentest?”

Created a decision tree around prioritising certain activities during re:invent, daily stand
ups to align with all involved from POM, workarounds to cope with MVP PRT tool step out
with multiple work around etc.

This saw us through a successful run of re:invent, even ST commended efforts, POM
members reported able to complete other programs whist on primary, something that
wasn’t possible previously due to burnout, etc. There was also information that would
allow us to learn and optimise in readiness for the following year. My efforts were
minimised due to racial and gender bias.

Q4’21 Lisa Dreznes returns. On Lisa’s first week back in an SVVT All meeting, the
substantially reduced risk dashboard violations were brought up and Lisa was commended
for the major reduction in violations, in all fairness Lisa said she had nothing to do with
and highlighted that it was through my effort and Sophie Fowles this has happened. One
of the VAPT managers at the time even messaged me jokingly saying, “Marie I can’t hide
behind Lisa’s violations any more”. Three weeks following Lisa’s phased return, I am told
by Lisa;

a. That was not the reason for hiring me and my efforts in said areas were not
required and therefore wasted. Made it a point to exclude me from activities
relating to optimising the Escalation/primary process Insinuated that I didn’t do
anything regarding Risk dashboard violations etc. all laced with implicit bias.
b. There were no data issues with AVP-ETL prior to my taking over, therefore I had
failed in my delivery by punting the QBRs. I mentioned that the data doesn’t lie,
there were problems prior to me taking over and it was unfortunate that it failed
massively when I took over and tried to run for the first time.
c. Nothing was wrong with the scorecard. Immediate Scorecard improvement
suggestions were met with resistance and that I hadn’t done what was required of
me. Ironically whilst on was on leave, a VP expressed his discontent with the
current scorecard and expressed what I had previously expressed as optimisation
opportunities, therefore upon my return things I had said previously were now
being met with open ears
d. Lazy and didn’t know how to prioritise. Requests for support/help on my program
were boiled down to me being unable to prioritise, showed lack of ownership on
my part, even though I had built semi automations, guidance, templates etc to
help with the amount of scaling that had occurred since taking over in Q3’21.
There were 11 vendors in Q3’21, 13 in Q4’21 and currently (Q3’22) 19 vendors,
number of tests performed per qtr has gone up. Upon return from leave, it had
become apparent that there truly was too much for a single person to try to do, so
a colleague (Julie Villegas) was assigned to help going forward.
 Overall, I was criticised for items that I did and for the ones I didn’t do.
Prior to Lisa’s departure, she had realised I wasn’t who certain individuals had
painted me to be prior and shortly after her return from mat leave and she
recognised all my efforts and we moved forward to build a better working
relationship based on openness, honesty leading to improved trust.

Lisa leaves and Wes Q3 2022 (4th Manager) takes over as interim manager. In light of my
break due to stresses from work I could understand the concern that I might be a flight
risk, following Lisa and Julie’s departure; however, immediate conversations around Julie
leaving and needing a resource and support turned into questions about my ability to
manage my program and would require a discussion about change of ownership due to
my health. I have stated what support I require from management to avoid health
implications which didn’t include requesting for change of program ownership due to my
health. It is for leadership/management to state open and honestly what they need and
why maybe I am no longer a good fit but don’t play it as ‘in interest of my health.’ When I
chose to return I chose to give it my all as was discussed with my manager at the time but
I have been treated in such a manner that shows a lack of trust and lack of support yet
again with a change of management. Week commencing 29 th August 2022, a new
manager arrives to AWS, needing time to onboard. This will come with its own set of
agenda’s, expectation and no room for me to even discuss promotions or full
understanding or appreciation for efforts and/or point points.

Blatant Favouritism/a form of nepotism by management i.e.

- assigning opportunities to a colleague who is clearly a friend outside of work in a

meeting without consulting the rest of the team to see if that person can take it on
or whether they are best suited. Leaving colleagues feeling hopeless and
demotivated.
- Taking efforts of others and giving it to another who is grossly under qualified
which could lead to the detriment service delivery issues.

Leaders/managers taking very condescending and hypocritical tones especially when told
maybe their way isn’t the only way; however, they are right a lot!

I once again endeavour to treat them with compassion because I understand it is the
nature of the best that is the Toxic culture!

Thoughts
I gave insight into the management changes timeline because it shows how chaotic it can
be for the assignee dealing with changes in leadership/management and various personal
agendas, priorities, political aspirations etc.

Amazon Toxic Culture forces people managers to become political leaders, pitching
everything from a certain limited perspective creating tunnel vision. Instead of work to be
about what is best value for the customer or business it is about; What will get me my
promotion? What will allow me to be recognised as a high performer?
This mindset and culture will only serve to stunt growth, innovation and ability to truly be
competitive in industry as an organisation.

As AWS seeks to centralise and continue to scale it is noticeable sorry to say; that there is a
fundamental lack of understanding business competitive strategy & operating model
acumen. To scale and in general an operating model cannot function on people resources
alone, investment in the right Technology to enable process will be critical long-term
requirement. Remember! People and Technology are enablers of process. This wouldn’t
be a problem if leaders weren’t suffering from Tone deafness foiled with the need to be
seen as high performers in a highly competitive and hostile environment (toxic culture).

There is a centralised Tooling team for SVVT; however, they have their priorities and POM
processes and Tools are not it even though POM is the command centre of operations as
it relates to pentesting pre-launch and even supports post launch from time to time. PRT
seems to be the only POM tool currently prioritised and this tool is riddled with
issues/bugs and therefore blocking further optimisation relating to functionality needed
to scale and other projects/tools i.e. pentesting manager that would aid with pentesting
operations quality. POM itself requires its own SDEs as currently if tools are required it is
done via borrowed resources who are not SDEs and are required to deliver in addition to
their regular jobs, therefore technical debt is built into tool, leading to work arounds and
service issues further down the line. E.g. PRT.

With the plan to centralise I see the various Amazon organisations preparing to compete
instead of collaborating to build a robust pentesting program from
vendor management (Internal & 3rd party) through to performance and accountability.

When I joined AWS I was told within the org that I sit, employee attrition occurs on
average after ~1 year, knowing this, Leadership aim should be to strengthen process
through automation/technology so as to avoid bottle necks and major impact to work
force resignations where possible.

- Increase job satisfaction; people are working too hard and not smart! Promotions
are not the only factors that impact employee attrition. Most joined AWS to do
pioneering work. i.e. find 0 days vulnerabilities, test never before tested
technology, develop processes and potentially new security products but find what
they are doing to be the opposite of their aspirations. Based on what I have insight
on as provided by management regarding operations planning, Headcount and
promotions appears to the main solution.

Amazon is still a very long way from its LP “Strive to be Earth’s best employer” If Amazon
is unable to call to caution its toxic culture, it will continue to lose value add individuals.
Every resignation within my org is a loss 1-years knowledge both tacit and explicit at the
detriment of the org and wider company.

Employee attrition will always exist and in most cases will be outside the control of the
employer therefore when workforce planning i.e. as part of org design and yearly
operations planning; it is critical to see technology as a way to guarantee process longevity
and to ensuring people resources are doing value added work.