Welcome to the first Cloud CISO Perspectives for April 2023. This is our first month moving to a twice-monthly cadence, with a guest column at the end of April from my friend and colleague, Kevin Mandia.
Today, I’d like to talk about the newest report from the Google Cybersecurity Action Team (GCAT), the first edition of our Perspectives on Security for the Board – a vital topic for cybersecurity and cyber risk.
Before we get to the report, I’d like to encourage everyone to consider joining Google Cloud and Mandiant together for the first time at the RSA Conference in San Francisco, April 24 to April 27. We’re excited to bring our capabilities, products, and expertise together, so you can better defend your organization against today’s threats. You can check out our full RSA schedule here.
I also recommend reading the new CISA report on security by default and by design. At Google, security by default and design is rooted deeply in our DNA and the way we build our products. This report is not only encouraging, but evidence of a shared goal to improve the security of the broader tech ecosystem.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Why cybersecurity needs better-informed boards
At GCAT, we frequently meet with and assist leaders from organizations across many sectors on cybersecurity and technology risk. In these engagements, it is clear that cyber is top of mind for every organization – and therefore, has become a board-level conversation.
Board awareness and subsequent guidance in this area is absolutely critical to every organization’s long-term success. Boards need to do more than just review indicators of cybersecurity performance, which are often lagging.
Generally speaking, boards face two interconnected challenges that this report can help them begin to tackle. First, board members don’t necessarily know what questions to ask or what answers to expect from their organization’s leaders. Second, as cybersecurity threats and potential costs to business increase, the questions that boards ask should be probing and helpful so they can stay as informed as possible.
We developed this report to help boards understand their role and responsibility in cyber risk oversight, provide guidance on how boards should navigate the cyber threat landscape, and explain how boards can best engage on emerging issues such as the intersection of artificial intelligence (AI) and cybersecurity.
Cyber risk oversight and the board
Addressing cyber risk can be a complex challenge. Governments around the world are implementing regulatory measures to raise mandatory minimum cybersecurity standards, including requirements to report cyber incidents to the relevant government authorities. In recent weeks, we’ve seen two such initiatives from the U.S. Securities and Exchange Commission, which contain hundreds of pages of proposed rules on cybersecurity, incident reporting, and systems integrity.
Cyber risk is everyone’s responsibility — not just the CISO’s. To be effective, boards should view cyber risk through the lens of overall business risk. To do so requires effort to integrate cybersecurity and resiliency into business strategy, risk management practices, budgeting, and resource allocation.
One way to achieve this goal is to think about cybersecurity as modeled by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The CSF gauges needs and capabilities across five functions: Identify, Protect, Detect, Respond, and Recover. When considered together, they provide a high-level, strategic view of an organization’s management of cyber risk.
How boards can navigate the global threat landscape
Last year, Mandiant, now part of Google Cloud, helped more than 1,800 customers prepare for or recover from cybersecurity incidents. Our experts saw more of everything: more zero-day vulnerabilities, more threat actor groups, more supply chain compromises, and more extortion tactics designed to hurt company reputations. We also observed unprecedented developments including the first time cyber operations played a prominent role in war. The threat landscape remains dynamic and complex, and we expect these trends to continue in 2023 and beyond.
We’ve also seen positive trends emerge. Cybersecurity leaders believe that cloud modernization presents more opportunities to improve security, including a step change in detection and response capabilities. Additionally, frontline defenders are getting better at shortening the cybersecurity gap (the time it takes to discover a compromise and push out protections to organizations). When we shorten that timeframe as a community, we raise the cybersecurity bar for everyone.
There is a clear connection between threat intelligence and risk mitigation, yet organization leaders often experience a gap between recognizing the need for better intelligence on threat actors and understanding why threat actors are targeting them in the first place. Boards can work to bridge these intelligence gaps and ensure this information plays a leading role in risk management decisions by asking three key questions every quarter:
How good are we at cybersecurity? Boards should learn more about the people and expertise on the cybersecurity team, and their experiences.
How resilient are we? Boards should ask the CISO how prepared the organization is to keep the business running during an event like a ransomware attack.
What is our risk? At a minimum, boards should ensure that the CISO’s risk management framework addresses five areas:
an assessment of current threats to your organization;
an explanation of what the cybersecurity leadership is doing to mitigate against those threats;
examples of how the CISO is testing whether mitigations are working;
an assessment of the consequences if those threats actually happen;
and an assessment of risks that you aren’t going to mitigate, but will otherwise accept.
How AI and cybersecurity can affect board decisions
Smart applications of AI can enable organizations to improve, scale, and accelerate the decision-making process across many business functions. We’re committed to helping developers and organizations stay on top of these developments — that’s why we recently announced new generative AI capabilities for our Google Cloud AI portfolio and committed to launching a range of products that responsibly infuse generative AI.
To maximize the benefits of AI technologies and minimize risks, we recommend that boards work with the CISO to take a three-pronged approach. Boards should understand how their organization plans to deploy secure AI systems. They should work with their CISO to understand how best to leverage the power of AI to achieve better cybersecurity outcomes at scale. Furthermore, boards can help anticipate threats by working with their CISO to stay informed on AI developments.
Next steps for boards
Cybersecurity presents many challenges for boards, but we can summarize our report’s focus as emphasizing three principles for effective cyber risk oversight: Get educated, be engaged, and stay informed.
Working with the CISO and with technology, business, and compliance stakeholders can help foster greater collaboration between boards and company leaders. At Google Cloud, we look forward to working with boards towards that goal. We have more information in the full report and at our Board of Directors Insights Hub.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
Get ready for Google Cloud Next: Discounted early-bird registration for Google Cloud Next ‘23 is open now. This year’s Next comes at an exciting time, with the emergence of generative AI, breakthroughs in cybersecurity, and more. It’s clear that there has never been a better time to work in the cloud industry. Register now.
Google named a 2023 Strong Performer in the Gartner Peer Insights™ Voice of the Customer for SIEM: We are thrilled to announce that Google’s Chronicle SIEM has been designated as a Strong Performer in the 2023 Gartner® Peer Insights™ Voice of the Customer report for Security Information Event Management (SIEM). Read more.
Get hacked by a pro: Use red teams to expose security shortcomings: What can you expect from a red team engagement? A Mandiant red team leader explains how the process can make organizations even more secure. Read more.
Prepping a cloud migration? Center security questions to ease your burden: Next in our Security Leaders Survival Guide, we discuss how to best evaluate priorities when planning your digital transformation. Read more.
Google Cloud security tips, tricks, and updates
Assured Open Source Software service is now generally available: Assured OSS, now generally available at no cost, gives any organization that uses open source software the opportunity to leverage the security and experience Google applies to open source dependencies by incorporating the same OSS packages that Google secures and uses into their own developer workflows. Read more.
How to secure digital assets with MPC and Confidential Space: Multi-party computation (MPC) can help reduce risk from single points of compromise and can facilitate instant, policy-compliant digital asset transactions. Here’s how your organization can use our Confidential Space to implement MPC solutions. Read more.
Use Dataplex to improve data auditing, security, and access management: Managing data comes with the responsibility of preventing data misuse, especially in regulated industries. You can automate the discovery, classification, and protection of your most sensitive data using Cloud DLP, Dataplex, and the Dataplex Catalog and Attribute Store. Here’s how.
Announcing Firewall Insights support for firewall policies and trend-based analysis: Firewall Insights can help you understand and optimize your Cloud Firewall rules by providing insights, recommendations, and metrics about how your firewall rules are being used, with new capabilities now generally available. Read more.
Realize policy-as-code with Pulumi through CrossGuard on Google Cloud: When it comes to creating and deploying infrastructure on Google Cloud, more organizations are using CrossGuard from Pulumi, a policy-as-code offering that lets you set guardrails to enforce compliance for resources. Read more.
Compliance and Controls
Best Kept Security Secrets: How Assured Workloads accelerates security and compliance: Assured Workloads is a unique Google Cloud service that allows governments and organizations from regulated industries to meet stringent compliance requirements at scale on commercial cloud infrastructure. Here’s what you need to know about it. Read more.
Google Public Sector achieves CJIS compliance in Florida: Google Public Sector has completed the process with the Florida Department of Law Enforcement to ensure Google Cloud supports the requirements necessary to store, process, and support criminal justice information. Read more.
Google Cloud Security Podcasts
We launched a weekly podcast focusing on Cloud Security in February 2021. Hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. Earlier this month, they discussed:
Do all roads lead to SBOM: Why is everyone talking about software bills of materials? Security leaders are being asked to integrate SBOMs into their projects. We talk about why they matter, their relationship to software liability, and what role SLSA should play, with Google’s Isaac Hepworth, who’s focused on software supply chain security. Listen here.
The cloud is just someone else’s computer, right? Many organizations still approach the cloud as a rented data center. Why that is, and why there’s much more to the cloud that organizations aren’t taking advantage of, is the focus of our conversation with the Down the Security Rabbit Hole podcast’s Rafal Los, head of services strategy at Extrahop. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back at the end of the month with more security-related updates.