Cybersecurity is a tough game. With a bleak economic outlook for 2023, security teams are under increasing pressure to secure complex cloud environments against financially and politically motivated threat actors looking to capitalize on any small mistake. 

However, despite economic pressures, Google Cloud CISO Phil Venables suggested in a recent Q&A that investing in new security capabilities is still key to maintaining business transformation in 2023. 

Venables also shared his thoughts on how generative AI will impact security teams; what CISOs should be doing to secure the cloud; and why zero trust is “essential” for protecting workloads in the cloud. 

Below is an edited transcript of the interview.

VentureBeat: How do you think the economic outlook will impact the cybersecurity landscape this year? 

Phil Venables: I’m not an expert on the economy — and I can’t make predictions about what will happen — but what we’re hearing from customers is that our cloud solutions are helping them navigate their digital transformations, solve business issues and innovate in new areas. 

As we head into 2023, I’m optimistic that security will continue to be a priority — for Google, our customers and the industry at large. In fact, investing in new security capabilities enables business transformation and the innovations that are essential at the moment.

VB: What are your thoughts on advances in AI from a security standpoint, and the offensive vs defensive AI war we’re starting to see unfold?? 

Venables: As the use of AI continues to increase — both for defenders and malicious actors — we as an industry must work together to develop a common approach to ensure that these technologies are used responsibly in the security space. 

I anticipate that AI will continue to be a game changer for defenders, but we need to deploy it smartly and responsibly. As new and more powerful AI models are developed and released, adhering to responsible AI practices will be paramount. 

At Google, we’ve been working on security issues for over two decades and have been thinking about the intersection between AI and security for some time. In 2018, Google was the first major hyperscaler to publish our Google AI Principles to ensure we are bold and responsible. 

We’re continuing to evolve our own work in this space and are committed to driving continued progress in this area. Several of our products already make use of our leading edge AI capabilities, including many of our security products that customers can use today. 

Q: What are the top three factors CISOs should consider when looking to secure the cloud? (identity management, posture management configurations?) 

Venables:

1. Identity and access management (IAM) and the power of zero trust
   
   Of all the domains that look different in the cloud, IAM may be the most important to get right.
   
   With IAM tools, you’re able to grant access to cloud resources at a granular level, creating more access control policies for attributes such as device security status, IP address, resource type and date and time, to better ensure appropriate access controls are in place.
   
   Implementing a zero trust framework, where there is zero implicit trust, means that it has to be established via multiple mechanisms and continuously verified. This is essential to protect an organization’s workforce and workloads in the cloud.
   
   By shifting access controls from the network perimeter to individual processes, devices and users, zero trust enables employees to work more securely from any location and any device without traditional remote-gateway VPNs.
   
   Google has applied a zero-trust approach to most aspects of our operations. We believe it is certainly a framework that CISOs should consider when securing their cloud infrastructure.
2. Threat intelligence
   
   Successful CISOs keep a close [watch] on incidents that have occurred in other organizations that would signal changes in malicious activity or provide other lessons that could potentially alter an organization’s defensive cloud posture.
   
   Detecting, investigating and responding to threats is only part of better cyber-risk management — it’s also critical to understand what an organization looks like from an attacker’s perspective and if an organization’s cybersecurity controls are as effective as expected.
   
   Likewise, when it comes to securing the cloud, paying attention to threat intelligence trends — and selecting cloud providers that view threat intelligence as a priority — is a must.
3. Multicloud management
   
   It’s not uncommon for organizations to have data in multiple clouds, not just one. One of the bigger challenges for CISOs is not just ensuring that each individual service is appropriately secured, but that the collection of those services that make up a business or mission process is secure.
   
   It’s an even bigger challenge to assure the mitigation of other risks across resilience, compliance, privacy, data governance and other domains. As a result, CISOs should think comprehensively about their cloud security strategy and look at their cloud architecture as a whole versus in silos.

VB: Any comments on Google’s role in helping to secure the software supply chain and open source projects? 

Venables: Collectively securing open source and the software supply chain remains a priority for the private and public sectors. The supply chain is made up of a variety of different types of vendors — connected services, software providers, outsourced IT and other types of business process outsourcing. 

Any reasonably sized organization could have hundreds to thousands of vendors — and some Fortune 100 companies even have tens of thousands.

Securing the software supply chain is really going to take a combination of three things:

1. Driving adoption of best practices 
2. Building a better software ecosystem
3. Making long-term investments in digital security

At Google, we’re working with industry partners, governments and the open-source community to address these exact goals. Over the past few years, we’ve announced a number of initiatives to address these threats: 

• Last year, we announced the creation of the new Open Source Security Maintenance Crew, a team of Google engineers who will work closely with upstream maintainers on improving the security of critical open-source projects.
• We provided opinionated guidance for mitigating software supply chain risks in the first edition of our Perspectives on Security series.
• We launched Software Delivery Shield, the first fully managed software supply chain security solution that equips developers and security teams with the tools they need to build secure cloud applications.
• We released new products like OSV-Scanner and Open Source Insights data in BigQuery, which aim to directly support the open-source community as they secure their projects.
• In collaboration with the Open Source Security Foundation (OpenSSF), Google proposed [a] supply-chain levels for software artifacts (SLSA) framework, which formalizes criteria around software supply chain integrity to help the industry and open-source ecosystem secure the software development lifecycle. 

The work that the public and private sectors have done to address open-source security challenges must continue if we’re going to mitigate these threats. The recent CSRB report is a perfect example: It is guidance like this that is critical to our entire ecosystem.

VB: How do you define cyber-risk, and how can CISOs determine priority risks? 

Venables: Cyber-risk involves anything that could disrupt or damage a company due to a failure of its technology systems. With cybersecurity now deeply intertwined with technology and business strategies, it’s important that leaders treat cybersecurity as an overarching first-class business risk.

As any good CISO knows, you will always have more risks than you can immediately deal with — and thus, your risks require diligent management in an inventory. Strong cyber-risk programs continuously reevaluate whether certain risks need to be prioritized or deprioritized.

Cyber-risks should align with other business risk areas and should be managed as [part of] a larger portfolio. 

The best mitigations for cybersecurity risk are also great mitigations for all the other risks: solid IT project management aligned to business objectives, improved software development and testing, resiliency engineering, incident learning and continuous improving, engineering for scale and capacity testing, predictable configurations, system isolation and more.

The best security programs work alongside the wider business to protect the organization from vulnerabilities. 

VB: Do you have any comments on API security (particularly following the T-Mobile and Twitter API breaches)?

Venables: API traffic is dominating the internet. And, just like with any booming technology, it is becoming a prominent attack vector for malicious actors. 

Case in point: In 2022, Google Cloud Apigee revealed that half of the 500 technology leaders surveyed in the United States reported that they experienced an API security incident in the past 12 months.

Attack surfaces are expanding dramatically due to API proliferation. As a result, security leaders must invest in solutions that help consolidate governance and management of APIs and holistically protect APIs along their entire life cycle.

Forward-thinking organizations will “shift left with security” and start to move controls earlier into the product workflow by bringing security teams and API owners closer. Luckily, tools like Google Cloud’s Apigee API management can support this.

VB: How do last year’s acquisitions of Mandiant and Siemplify enhance Google Cloud’s security ecosystem?

Venables: With the acquisitions of Mandiant and Siemplify, Google Cloud can now deliver even greater security capabilities to support customers’ security operations across their cloud and on-premise environments. 

Google’s “reactive” SIEM (from Chronicle) and SOAR (from Siemplify) tech paired with Mandiant’s “proactive” threat intelligence and incident response capabilities has fueled an end-to-end security operations suite like no other. 

Speaking to Mandiant specifically, their expertise and resources in incident response are unique to the industry and allow us to better understand the threat landscape and catch vulnerabilities across our customer base in ways we couldn’t before. 

When we closed the Mandiant acquisition in September 2022, we set the expectation that we’d be investing heavily in cybersecurity offerings that can help customers mitigate risk — and in the short time since our two companies came together, we’ve acted on this vision, announcing new offerings like Mandiant Breach Analytics for Chronicle and Mandiant Attack Surface Management for Google Cloud.

We remain deeply committed to democratizing security operations and providing better security outcomes for organizations of all sizes and levels of expertise — and these acquisitions support our ability to do just that. 

VB: Is there anything else that you’d like to add?

Venables: There have been plenty of cases over the last decade in which companies have invested in a lot in cybersecurity and security products, but have not upgraded their overall IT infrastructure or modernized their approach to software development. 

Without a continued focus on IT modernization, organizations will not be able to realize the full benefits of advances in security. Organizations can be much better prepared to defend against today’s threats by investing in modern public cloud environments. 

My biggest tips for security professionals as we continue into 2023: Take advantage of what the cloud has to offer by investing in modern public cloud environments. If you haven’t already started thinking about modernizing your IT infrastructure, start now. And finally, prioritize building security and risk programs that are sustainable, comprehensive and fit your organization’s individual needs.