Cybersecurity is a tough game. With a bleak economic outlook for 2023, security teams are under increasing pressure to secure complex cloud environments against financially and politically motivated threat actors looking to capitalize on any small mistake. 

However, despite economic pressures, Google Cloud CISO Phil Venables suggested in a recent Q&A that investing in new security capabilities is still key to maintaining business transformation in 2023. 

Venables also shared his thoughts on how generative AI will impact security teams; what CISOs should be doing to secure the cloud; and why zero trust is “essential” for protecting workloads in the cloud.

Below is an edited transcript of the interview.

VentureBeat: How do you think the economic outlook will impact the cybersecurity landscape this year? 

Phil Venables: I’m not an expert on the economy — and I can’t make predictions about what will happen — but what we’re hearing from customers is that our cloud solutions are helping them navigate their digital transformations, solve business issues and innovate in new areas. 

As we head into 2023, I’m optimistic that security will continue to be a priority — for Google, our customers and the industry at large. In fact, investing in new security capabilities enables business transformation and the innovations that are essential at the moment.

VB: What are your thoughts on advances in AI from a security standpoint, and the offensive vs defensive AI war we’re starting to see unfold?

Venables: As the use of AI continues to increase — both for defenders and malicious actors — we as an industry must work together to develop a common approach to ensure that these technologies are used responsibly in the security space. 

I anticipate that AI will continue to be a game changer for defenders, but we need to deploy it smartly and responsibly. As new and more powerful AI models are developed and released, adhering to responsible AI practices will be paramount. 

At Google, we’ve been working on security issues for over two decades and have been thinking about the intersection between AI and security for some time. In 2018, Google was the first major hyperscaler to publish our Google AI Principles to ensure we are bold and responsible. 

We’re continuing to evolve our own work in this space and are committed to driving continued progress in this area. Several of our products already make use of our leading edge AI capabilities, including many of our security products that customers can use today. 

VB: What are the top three factors CISOs should consider when looking to secure the cloud? (identity management, posture management configurations?)

Venables:

VB: Any comments on Google’s role in helping to secure the software supply chain and open source projects?

Venables: Collectively securing open source and the software supply chain remains a priority for the private and public sectors. The supply chain is made up of a variety of different types of vendors — connected services, software providers, outsourced IT and other types of business process outsourcing.

Any reasonably sized organization could have hundreds to thousands of vendors — and some Fortune 100 companies even have tens of thousands.

Securing the software supply chain is really going to take a combination of three things:

At Google, we’re working with industry partners, governments and the open-source community to address these exact goals. Over the past few years, we’ve announced a number of initiatives to address these threats:

The work that the public and private sectors have done to address open-source security challenges must continue if we’re going to mitigate these threats. The recent CSRB report is a perfect example: It is guidance like this that is critical to our entire ecosystem.

VB: How do you define cyber-risk, and how can CISOs determine priority risks?

Venables: Cyber-risk involves anything that could disrupt or damage a company due to a failure of its technology systems. With cybersecurity now deeply intertwined with technology and business strategies, it’s important that leaders treat cybersecurity as an overarching first-class business risk.

As any good CISO knows, you will always have more risks than you can immediately deal with — and thus, your risks require diligent management in an inventory. Strong cyber-risk programs continuously reevaluate whether certain risks need to be prioritized or deprioritized.

Cyber-risks should align with other business risk areas and should be managed as [part of] a larger portfolio.

The best mitigations for cybersecurity risk are also great mitigations for all the other risks: solid IT project management aligned to business objectives, improved software development and testing, resiliency engineering, incident learning and continuous improving, engineering for scale and capacity testing, predictable configurations, system isolation and more.

The best security programs work alongside the wider business to protect the organization from vulnerabilities.

VB: Do you have any comments on API security (particularly following the T-Mobile and Twitter API breaches)?

Venables: API traffic is dominating the internet. And, just like with any booming technology, it is becoming a prominent attack vector for malicious actors.

Case in point: In 2022, Google Cloud Apigee revealed that half of the 500 technology leaders surveyed in the United States reported that they experienced an API security incident in the past 12 months.

Attack surfaces are expanding dramatically due to API proliferation. As a result, security leaders must invest in solutions that help consolidate governance and management of APIs and holistically protect APIs along their entire life cycle.

Forward-thinking organizations will “shift left with security” and start to move controls earlier into the product workflow by bringing security teams and API owners closer. Luckily, tools like Google Cloud’s Apigee API management can support this.

VB: How do last year’s acquisitions of Mandiant and Siemplify enhance Google Cloud’s security ecosystem?

Venables: With the acquisitions of Mandiant and Siemplify, Google Cloud can now deliver even greater security capabilities to support customers’ security operations across their cloud and on-premise environments.

Google’s “reactive” SIEM (from Chronicle) and SOAR (from Siemplify) tech paired with Mandiant’s “proactive” threat intelligence and incident response capabilities has fueled an end-to-end security operations suite like no other.

Speaking to Mandiant specifically, their expertise and resources in incident response are unique to the industry and allow us to better understand the threat landscape and catch vulnerabilities across our customer base in ways we couldn’t before.

When we closed the Mandiant acquisition in September 2022, we set the expectation that we’d be investing heavily in cybersecurity offerings that can help customers mitigate risk — and in the short time since our two companies came together, we’ve acted on this vision, announcing new offerings like Mandiant Breach Analytics for Chronicle and Mandiant Attack Surface Management for Google Cloud.

We remain deeply committed to democratizing security operations and providing better security outcomes for organizations of all sizes and levels of expertise — and these acquisitions support our ability to do just that.

VB: Is there anything else that you'd like to add?

Venables: There have been plenty of cases over the last decade in which companies have invested a lot in cybersecurity and security products, but have not upgraded their overall IT infrastructure or modernized their approach to software development.

Without a continued focus on IT modernization, organizations will not be able to realize the full benefits of advances in security. Organizations can be much better prepared to defend against today’s threats by investing in modern public cloud environments.

My biggest tips for security professionals as we continue into 2023: Take advantage of what the cloud has to offer by investing in modern public cloud environments. If you haven’t already started thinking about modernizing your IT infrastructure, start now. And finally, prioritize building security and risk programs that are sustainable, comprehensive and fit your organization’s individual needs.