Jump to Content
Security & Identity

Cloud CISO Perspectives: Easing the psychological burden of leadership

March 15, 2024
https://storage.googleapis.com/gweb-cloudblog-publish/images/2024_Cloud_CISO_Perspectives_header_no_tit.max-2500x2500.jpg
Phil Venables

VP, TI Security & CISO, Google Cloud

Hear monthly from our Cloud CISO in your inbox

Get the latest on security from Cloud CISO Phil Venables.

Subscribe

Welcome to the first Cloud CISO Perspectives for March 2024. Today I’ll be highlighting a section from our newest Perspectives on Security for the Board report, focusing on the importance of developing psychological resilience in cybersecurity leadership.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

--Phil Venables, VP, TI Security & CISO, Google Cloud

Easing the psychological burden of leadership

By Phil Venables, VP, TI Security & CISO, Google Cloud

In our fourth Perspectives on Security for the Board report, we focused on three key topics: AI and security, cyber risk management, and why organizations should care about the psychological burdens that CISOs and their teams face. While I strongly encourage you to read the full report, I’d like to talk about that third topic today.

https://storage.googleapis.com/gweb-cloudblog-publish/images/Phil_Venables_small.max-2200x2200.jpg

The role of chief information security officer has never been an easy one. CISOs are the public face of an organization’s security team, and they sit at the nexus of the security experts, engineers, and developers who report to them, the organization’s security policies, and the executives and board of directors who they report to. They often are blamed for security breaches that occur on their watch, and yet CISOs are not fleeing their jobs — recent data suggests that, despite the stress of the role, they stay at their employer for more than four and a half years at a time.

While a CISO who has stayed with one company for five years has clearly demonstrated their dedication to defending their organization’s data and supporting its security teams, it doesn’t mean that they’re happy. High-profile data breaches are on the rise, and government agencies are imposing stricter regulatory requirements including increasing levels of legal accountability (and even personal liability) for their organization’s cybersecurity posture.

The stresses CISOs contend with can take a psychological toll, lead to poor decision-making, and even burnout. The constant stream of new threats, the knowledge that even the strongest defenses can be breached, the impacts of tight budgets and staffing on security decisions, and communicating crucial security risks with senior executives, all can create immense psychological pressure.

We recommend that boards assign a high priority to their CISOs psychological resiliency and security team ‘as a core component of their overall business strategy.’

While these burdens can make CISOs feel isolated and unsupported, they do not exist in a vacuum. An organization’s CISO is “part of a team, part of a department, part of an organization, part of a society; and all of these systems interact to create healthy or unhealthy patterns,” we wrote in the report. We recommend that boards and executives assign a high priority to their CISOs psychological resiliency and security team “as a core component of their overall business strategy.”

In practical terms, there are several ways that boards and executives can do more to lighten the CISOs burden and achieve better business outcomes for it.

  • Ask open-ended questions: They can better foster meaningful dialogue and deeper insights. Instead of asking if the security team has the right budget, we suggest reframing the question: “How can we ensure our security budget aligns with our current risk assessment and business priorities?”
  • Prioritize cybersecurity investment: Cybersecurity should be considered a core business risk, so appropriately funding an adequate budget, engaging with the CISO on budget and risk discussions at least quarterly, and investing in every level of security leadership can help address budgetary and staffing concerns.
  • Make it broader than just the CISO: Boards and executive leaders should spread accountability among business units and other control functions, and expect as much from the chief information officer and chief technology officer as they do from the CISO, to promote strong security and resiliency investments.
  • Invest in people: A good security posture can be strengthened with strong interpersonal development, supporting diverse personalities, and encouraging unique problem-solving skills ranging from analytical to intuitive to risk-averse. Be careful when mandating physically and psychologically taxing 24/7 on-call services, and support work-life balance for employees.
  • Collaborate on risk management: Focus on raising risk awareness throughout your organization to foster a security mindset. Boards can challenge management to design processes and training that acknowledge human tendencies and use behavioral design nudges to make secure choices simpler.

One of our Office of the CISO directors, MK Palmore, has also recently addressed the psychological burden that CISOs must bear. He said, “It’s incumbent upon leaders to make sure that they understand that while the work is extremely important, the wellness of your employees is equally as important… If you’re not allowing them to balance their lives and responsibilities along with the workload, ultimately, you’re setting yourself up for some kind of potential failure along the chain.”

You can read previous Perspectives on Security for the Board reports here.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams:

  • Announcing Security Command Center Enterprise: Security Command Center Enterprise is the first multicloud risk management solution that fuses AI-powered SecOps with cloud security, built on Google’s security fabric and supercharged by Mandiant’s world-class threat intelligence. Read more.
  • Introducing Security Command Center protection for Vertex AI: Security Command Center Premium now works with organization policies to provide near real-time detection of changes to policies and to AI resource configurations. Read more.
  • How to prevent lateral movement techniques on Google Cloud: Following new research that highlights real-world lateral movement techniques in AWS, Azure, and Google Cloud, we recommend permissions settings to help protect your Google Cloud environment. Read more.
  • Take two of these: Cybersecurity lessons for 21st century healthcare professionals: Patient care is increasingly tied to technology. Taylor Lehmann and Bill Reid, from our Office of the CISO, explain why leveling up healthcare cybersecurity hygiene is an imperative. Read more.
  • Regulations, lock-in, and legacy: How CISOs can beat these manufacturing headaches: To secure critical infrastructure, we need context and clarity. Here’s how you can use your cloud transformation to help achieve that goal. Read more.
  • Google's threat model for post-quantum cryptography: Google's cryptography team shares its security thoughts and decision-making factors on migrating classical cryptographic algorithms to post-quantum cryptography. Read more.
  • Looking back at Google’s Vulnerability Reward Program in 2023: Last year, researchers from around the world helped Google identify and address thousands of vulnerabilities in our products and services, with $10 million awarded to more than 600 researchers in 68 countries. Read more.
  • Secure by design: Google’s perspective on memory safety: Memory safety vulnerabilities have been the standard for attacking software for decades. Here’s how Google wants developers to approach memory safety issues, and why we’re investing in a memory-safe ecosystem. Read more.
  • Move-in ready Kubernetes security with GKE Autopilot: GKE Autopilot uses Google Cloud’s deep Kubernetes security expertise to configure your clusters to be move-in ready for your production workloads. Read more.
  • Check out our first Security Talks of 2024: Earlier this month, our security experts shared strategies for fortifying your security posture and bolstering your resilience to cyber threats at our quarterly Security Talks. Read more.

News from Mandiant

  • Suspected Iranian threat actor targets Israeli and Middle East aerospace and defense sectors: Mandiant attributes this activity with moderate confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell — a threat actor publicly linked to Iran’s Islamic Revolutionary Guard Corps. Tortoiseshell has previously attempted to compromise supply chains by targeting defense contractors and IT providers. Read more.
  • Delving into Dalvik: A look into DEX files: Using a banking trojan sample, we examine the Dalvik executable file format, how it is constructed, and how it can be altered to make analysis easier. We’re also providing a tool to help modify DEX files. Read more.
  • Investigating Ivanti Connect Secure VPN exploitation and persistence: Our investigations into widespread Ivanti zero-day exploitation have continued across a variety of industry verticals, including the U.S. defense industrial base sector. Here’s the latest we’ve learned. Read more.

Now hear this: Google Cloud Security and Mandiant podcasts

  • Megatrend myths, realities, contentious debates, and (of course) AI: Google Cloud CISO Phil Venables joins our hosts Anton Chuvakin and Tim Peacock to talk about why AI is a late-addition ninth megatrend, which megatrends have ruffled CISO feathers, and which ones are manifesting the most. Listen here.
  • IAM in the cloud: What getting it right looks like: Despite years of trying, folks are still screwing up identity in the cloud. Why are they getting it wrong, and what can be done to popularize best IAM practices? Kat Traxler, security researcher, TrustOnCloud, goes deep on cloud’s identity issues with Anton and Tim. Listen here.
  • Director of NSA’s Cybersecurity Collaboration Center on this year’s trends: Morgan Adamski, director of the NSA's Cybersecurity Collaboration Center, joins host Luke McNamara to discuss the threat posed by Volt Typhoon and more. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.

Posted in