Google Cloud CISO Phil Venables: ‘I’m short-term pessimistic, long-term optimistic’

This following is the (lightly edited) transcript of a fireside chat from the SecurityWeek Cloud and Data Security Summit 2024 with Editor-at-Large Ryan Naraine and Google Cloud Chief Information Security Officer Phil Venables.  

Venables, who leads the risk, security, compliance and privacy teams at Google Cloud, offers some frank thoughts on CISA’s secure-by-design secure-by-default initiative, buyers holding software vendors accountable, the murky world of cybersecurity regulations, and how security leaders should view transformational change.

Ryan Naraine: What does the CISO at Google Cloud do? How would you describe the mission of your organization?

Phil Venables: Our mission is easily stated, but quite complex. We look at our mission as really three things. One, secure the cloud. And interestingly, not just Google Cloud but all the bigger providers of multi-cloud solutions. My team spends a lot of time looking at not only how do we secure Google Cloud, but how do we secure what we deploy in other clouds, and how do we help look at the security of all cloud infrastructure.

Secondly, we’re also very focused on securing the customer. Not just provide a base infrastructure, but how do we provide products and services and defaults and other things that help customers run securely, not just in the cloud, but across all of their environments. 

And finally, we think a lot about how we secure the planet. And that sounds like a lofty goal, but it’s really about engaging in the standards community, investing in innovation, doing work across the public-private partnership to generally improve the security of the ecosystem. We’ve led multiple industry initiatives, we’ve open sourced a lot of our tooling. 

We take that mission of securing the planet just as seriously as the secure-the-cloud and secure-the-customer mission.

You’ve had a long career in cyber and you’ve seen a lot over the years. Have things gotten worse with all the headlines about malware infections and ransomware attacks? Or are we too focused on all the negative stories? Help us with the state of cybersecurity, if you will…

I think it’s a little bit of a lot of things. I tend to be quite optimistic about things and it seems ironic, you know, because every day you wake up and read the news and there’s yet another security breach and yet another ransomware event.

It’s interesting, if you go back even just five years and you look at the rate at which we’ve digitized society, all of our lives, all of our critical infrastructure, we sometimes forget the focus that every day many organizations are adequately defending against many attacks. So there’s lots of positives to look at.

But where we do have incidents and repeated events like malware and ransomware and other types of issues, I think we still have a lot to learn as an industry because the interesting thing is we know how to mitigate those risks. The question is, why do certain organizations find it harder to put in place controls to mitigate that than others?

I think this points to the fact that security is much more than just a technical discipline, although clearly at its core it’s a technical discipline. Security is a broader range of incentives, of policies, of societal consequences. And I think we know how to get these things done, but it’s still challenging to actually get them done.

For a lot of defenders, it feels unmanageable. Is that a fair assessment of how bad things are? 

I’m short-term pessimistic because I think there’s a lot of pain we’ve still got to go through in the next few years. I’m also long-term optimistic because I think the combination of many organizations, including organizations like mine, we’ve invested a lot in building more defensible architectures where security is built-in, not bolted-on after the fact.

As more and more organizations move themselves to a more modern technical architecture where security is built-in, you gradually see them getting better and better defended. But the reality is most organizations around the world have still got decades worth of technology that was built on older architectures where security wasn’t of primary importance. As every year goes by, more and more organizations are upgrading their technologies to be more defendable and that will gradually improve everything. 

We’re also getting better as a profession, as a set of industries, about imposing more costs on attackers and making life harder for attackers. Sometimes those benefits just accrue but are not dramatic. We always see the big headline incident, but we don’t see that many types of security incidents are just not happening as much as they used to because of defenses companies have put in place and you look at the investments in just mobile device security or security in certain types of cloud services or investments in operating system and other types of security. 

The fact that encryption is much more pervasive than it used to be. We don’t often look back and say, wow, [all that good stuff] happened in the last few years because we’re still dealing with a lot of incidents. 

So I’m definitely short-term pessimistic, long-term optimistic.

Are you worried that we are also imposing a significant cost on businesses to implement all of these new security technologies? I mean, the reason we have a ransomware epidemic in hospitals is because a lot of these small healthcare services don’t have security teams, don’t have the budget to do any of this.

Yes, I worry that our approach to security has been that problem of it’s bolted-on, not built-in. One of the things that I’ve always been very, very focused on is how we think about creating secure products, not just security products.

When we think about the incentives for building security in, when you look at businesses and organizations that have been successful on security, they’ve not just solved for security, they’ve solved for running technology better in a way that also delivers security. You look at organizations that are good at security, the one thing they’re also good at is being able to reproducibly build and manage all of their software in reliable ways and deploy that to infrastructure in reliable and repeatable ways. 

When you do that, you do it for business agility, the ability to be able to innovate, push changes, create new products, get to market quicker. When you do that well, you also get these massive security benefits in how you manage software and infrastructure, you get resilience and reliability benefits. If you approach security as ‘just deploy security products to mitigate security risk’, that’s where it gets to be problematic. But if you approach it as how do I deliver end-to-end reliable, effective, modern technology with security and resilience as a key property alongside the business productivity, agility, and efficiency goals, then you actually get better security outcomes.

For your example of small and medium sized organizations that don’t have large security teams, and many of them don’t even have large IT teams, they’re going to have to be more dependent on service providers, whether it’s SaaS providers, managed service providers, cloud providers. That’s why it puts even more of the onus on the big technology vendors and service providers to build security in by default and make good secure default choices.

Making sure products are shipped with full safety-belts that can protect those customers without assuming they’re going to have to have the expertise to then securely configure the products. I think a lot more expectations should be made of the large tech companies. 

Are you bullish on the government’s attempt to get secure-by-design, secure-by-default principles embedded in tech? What’s your take on this CISA initiative?

That’s been a great initiative from CISA. I think we’re getting the common message now that it’s important to do secure-by-design and secure-by-default. We signed the CISA pledge. We happen to have done a lot of it already because it heavily coincides with our mission of wanting to protect users and our customers. Whether it’s pushing default multi-factor authentication, pushing default secure configurations, providing tooling and frameworks, embedding security into products, I think you’ll see more cloud providers, SaaS providers, technology providers build on that.

You mentioned the CISA Secure by Design Pledge. The pledge is entirely voluntary with no real consequences for breaking it. Is there a pessimistic take here that the pledge doesn’t really hold anyone accountable?

PV: There’s an expectation that those who sign the pledge will continually provide evidence that they’re meeting the spirit and the letter of the pledge. But I think the real onus is on everybody, it’s on all of us and all companies when they’re making purchasing decisions or selecting vendors to not just do their regular vendor risk assessment questionnaire, but to look more deeply. Ask them the question of those eight things in the pledge. Do the products you’re selling me conform to that? If not, what’s the roadmap? When am I going to get that?

Sure, we can look to governments and from regulators around the world to drive what are expected security properties but it’s on all of us — and actually not just us as CISOs or CIOs or CTOs — but on boards and executives of all levels in companies to be able to demand as part of their procurement of products and services that all of those secure-by-design and secure-by-default properties are in place.

Ultimately, if we create this transparency and market pressure, then things get better.

What’s the biggest friction point to getting secure-by-design done right? Is it expensive? Is it a resource issue? Is it a question of leadership? Why aren’t more companies here yet?

It’s a little bit of all of that. When you’re an organization that’s starting out on building new things, it’s relatively straightforward to build things well from scratch and to bring in all of these good architectural practices and these frameworks and these design patterns and adopt the latest controls.

Then there are many, many large companies in the fortune 500 and beyond, companies with 30, 40, perhaps even 50 years of technology that’s been built up from many different types of systems. Sometimes we call these legacy systems. I prefer to think of them as systems that might be stagnant and unmaintained and hard to change. In many cases, when you think about upgrading security, all of the interdependencies between those decades of layered systems, it becomes hard to change. 

Companies need to focus on not just doing security for the sake of security but doing a bunch of IT modernization activities that deliver them business benefits and doing them in a way that then delivers the security. I think that’s easier to rationalize how you’re going to invest even more.

They have to make that investment, right? I mean, if you can’t modernize and get to a base level of security, it’ll affect your business. It becomes an existential issue…

Yes, exactly. I think we’ve been looking at security incentives wrong. When you look at security incentives, the incentives for doing security as just loss avoidance, brand protection, and conforming to regulations. If you’re in a regulated industry, I think if you do it for that, you can get so far. 

But if you flip the script and think about doing security, because doing that broader modernization gives you business agility, gives you much more flexibility, and by the way, you then get security. That becomes a much deeper incentive. And I think that compels this closer partnership between the CISO, the CIO, the business technology teams and the overall business executives to frame security as not just loss avoidance, but something that is part of a means of digitally transforming your company. I think that makes it more palatable.

You mentioned regulations. You spent 17 years at Goldman Sachs in heavily regulated financial services before joining the Google Cloud leadership. Is it easier to manage security in heavily regulated places? I know CISOs grumble about regulations a lot, but in many ways it gives them budget and resources, it gives a framework for building a security program…

I think you’re right. People do kind of grumble about regulations, but actually in a highly regulated organization, you just don’t have to spend so much time justifying why you’re going to do certain things because it’s compelled by the regulation. 

Now there is a little bit of overhead in regulated environments because you have to invest a lot more time in demonstrating the effectiveness of your control and being subject to examinations and other types of scrutiny. But you can do that in fairly efficient ways if you apply yourself to it. 

Generally speaking, the appropriate regulation does drive companies to have better security. The thing I think we have to caution ourselves on though is that just because you’re a regulated organization doesn’t mean you’ve got good security. I’ve seen plenty of organizations that have approached it where they comply with the regulation, checking the box, doing nothing more, nothing less. That doesn’t necessarily mean they have great security. 

I’ve also seen unregulated organizations that prioritize security because they realize the need for it and have invested in deeper levels of control, whether they’ve been regulated or not. There’s not always a perfect correlation between regulated and good security, but certainly for organizations that are regulated probably spend less time justifying why they need to do security. 

I think consistent regulations about minimum levels of security on multi factor authentication, on access management, least privilege, supply chain oversight, collectively doing that has improved the environment. I don’t think there’s any denying that.

But, we’ve got to be careful to make sure we’re trying to harmonize some of these things so the regulations that everybody has to follow are more compatible with each other and that we actually keep the security regulations focused on security, not focused on other things bundled-in in the name of security. 

The important thing about regulation is that it’s consistently applied to create a level playing field. Nobody wants to be competing in a market where you’re one company that’s heavily regulated competing against somebody that isn’t. So I think having a level playing field for this is important as well.

Do you see all this government activity as a precursor to regulatory changes coming down the pike? Secondly, on the flip side, do you think this latest Supreme Court Chevron ruling will upend things and put things in a state of turmoil? How are you looking at cybersecurity regulations in this environment?

We operate in multiple sectors, in multiple geographies. So I have a whole team that does a fantastic job of mapping all the regulations into common controls that work across our platform. We have a whole machine that does this and we support a lot of our customers in adhering to the regulatory environments that they have to do. 

We’re seeing more and more regulations everywhere. Most of it is generally quite good when it stays focused on security. We partner with governments around the world to help educate them on what the right means of setting the standards is and we’re generally kind of open and constructive about that. 

On the other question, when you look at that Chevron ruling, it’s really hard to say. Some things are probably going to get challenged. I think it would be disappointing if some things do get challenged, but it’s certainly something that I think all of us have to watch. 

It does point to the need for a standard set of common regulations on minimum baseline controls that I think we would all accept and rather than relying on individual agencies to always push the right thing. But generally speaking, I do like the fact that individual agencies should be in charge of appropriately regulating their particular sector because they’ve got the expertise. 

You want the energy specialists to think about what the right set of standards are for the energy sector, same with finance, same with healthcare and other sectors.

I want to pick your brain on the work of the DHS Cyber Safety Review Board (CSRB). They’ve done a few investigations and issued some pretty strong reports and recommendations for cloud service providers. What’s your response to the work coming out of the CSRB and how do you view those recommendations?

On all the CSRB reports, especially on the last one, we were called to provide testimony and provided a lot of details of what we do. We (Google) and actually some other companies got called out positively in the report for some of the controls that we have around identities and keys and other processes. 

Like most good security teams, we’re just institutionally paranoid. So whenever there’s an incident, whenever there’s a government report, whenever there’s an investigation, we look at that and we just go through it line-by-line and find something to learn from.

Every time there is anything like this published, we spin up teams to do some introspection and find where we can improve internally. We’ve always got dozens of these projects on the go, taking what some people would consider good and trying to take it to the next level. We’re just very institutionally paranoid about this because ultimately the measure of success of any security program is how do you keep improving to stay ahead of the threat. 

The CSRB reports are a great body of knowledge that’s being built up over what good practices are that everybody should have. That’s why the CSRB was created so people can learn from these things. 

If anything, we’d love to see the CSRB have more staff and more authority to be able to drive more reports out. I think it’s useful. The CSRB should have a more permanent staff and have more authority, but that’s something that’s granted by Congress, not something they can do themselves.

Anecdotally, CISO tenures are becoming shorter and shorter. At a time when we were talking about long-term transformational things, when a CISO is only there for two or three years, is it possible for him to make that kind of lasting impact? 

Tenure is an interesting one. I’ve not done a study on this and I suspect it’s highly causal to see that low tenure is associated with low tenure in other leaders. Typically, if an organization hires a new CIO every two years, they’re probably going to have a new CISO every two years.

As you mentioned at the beginning, I was CISO at Goldman Sachs for 17 years. The people I worked with were around for two decades. So the CIO, the CTO, the Chief Risk Officer, all of these people were longtime Goldman Sachs partners like me. 

The great thing about everybody being long tenured is, to your point, these investments in security, you can get some quick wins in like six to 24 months, but the real long-term sustainable stuff takes years and as a leadership team, you’ve got to feel like you’re going to be around for a few years to get the benefit from that.

So I don’t really blame CISOs that have short tenure because there’s usually other extenuating circumstances, but on the flip side, I’ve seen some CISOs leave at the first sign of resistance. I’ve worked in many organizations and I’ve been very lucky to work for organizations that take security very seriously, that there’s great tone at the top. 

But even in those supportive environments, every decision to invest a lot of money and effort gets a lot of pushback, and gets a lot of debate. If you aren’t willing to drive that debate and have a bit of moral courage to keep driving things, you will struggle. As a CISO, you’ve got to be part of a kind of a vigorous process to drive things forward. Occasionally you see some people at the first sign of resistance decide to go do something else. 

Ultimately, it’s kind of clichéd, but tenure comes with tenure. The longer you’re in an organization, the more successful you can be. The more successful you are, the longer you stay. I think if people can try and get past that first couple of years, push through the friction points, you’ll start to see the fruits.
