Cloud CISO Perspectives: How to think about security budgets

Welcome to the first Cloud CISO Perspectives for July 2024. Today I’m addressing the important and complex issue of budgets for security teams, a topic I’ve tackled on my personal blog that I’m presenting here for the first time.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

--Phil Venables, VP, TI Security & CISO, Google Cloud

Supply + demand + risk = How to think about security budgets

By Phil Venables, VP, TI Security & CISO, Google Cloud

I’m a strong believer that building security into technology can help organizations see a higher rate of return on their security investments. In practice, this means that chief information security officers and chief information and chief technology officers (CISOs, CIOs, and CTOs) need to be coupled pretty well in vision and in strategy, especially on the subject of budgets.

While budgets and risk management may seem far apart, it can be helpful to think of both in terms of supply and demand. Demands can include anything that impacts your team’s time and projects it works on, such as reviewing and mitigating risks on business products, new projects, vulnerability management, incident response, acquisitions and divestments, and onboarding new vendors or new technologies.

On the supply side, you have your resources, including people, services, and products. Ideally, you want to balance your supply and demand. While factors ranging from business growth to IT changes to supply chain complexities to new threats often drive demand faster than supply, security and business leaders have levers at hand to slow demand and increase resource supply.

Too often, CISOs focus on getting a bigger share of the budget pie. While more money can certainly be effective at growing the supply side of the ledger, it comes with its own limitations (not the least of which is that the business has other constraints than its security budget.) There are also other ways to reduce demand and increase supply.

CISOs can work with their board of directors and executive risk committee to help their organizations redefine risk. (We have a lot of guidance on how to kickstart those conversations and mature them.) This approach can help reduce upward demand pressure by focusing on critical business assets and services. CISOs can also drive conversations around reducing risk by phasing out certain business services, products, vendors, and even whole classes of technology.

Increasing resource efficiency can be a very effective technique for getting more out of your supply. For organizations still using on-premises technology, this can mean moving to cloud-based systems with strong security designs and defaults. This is also where approaches to improve employee training, adopting more modern tools, and shifting to automation and orchestration tools can help.

Leaders can also accept that they will run a supply-side deficit, which comes with its own risk calculations and risk management techniques. Management must be on-board to operate in this way, and the risk debt should be paid down (and at the very least discussed each year) but some organizations have made this approach work for them.

This is an interesting time in cloud development. Generative AI is motivating organizations to rethink their approaches to technology and security. We have a big opportunity to change how we approach security and the building of secure products, and this extends to rethinking how we approach security budgets.

For more leadership guidance from Google Cloud experts, please see our CISO Insights hub and contact us at Ask Office of the CISO.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month:

• Want more from your threat intelligence? Learn to think like an APT: While governments and larger enterprises are regular targets of APTs, no one is immune. Learn why planning for an APT can help you become more resilient to attacks. Read more.
• How to migrate to PQC: Practical considerations from Google’s Bug Hunters on how to migrate a classical cryptographic system to post-quantum cryptography. Read more.
• Generative AI misuse: A taxonomy of tactics and insights: New research from Google DeepMind, Jigsaw, and Google.org presents a taxonomy of gen AI misuse tactics, informed by existing academic literature and a qualitative analysis of hundreds of incidents reported from January 2023 to March 2024. Read more.
• Scaling the IAM mountain: An in-depth guide to identity in Google Cloud: Identity and access management may seem like a gentle hill at first, but it gets steep fast. Here’s a guide to IAM terms and concepts to keep you on solid footing. Read more.
• Navigating the EU AI Act: Google Cloud's proactive approach: The EU AI Act is a legal framework that establishes obligations for AI systems based on their potential risks and levels of impact. Here’s Google Cloud’s proactive approach to the new law. Read more.
• Announcing expanded Sensitive Data Protection for Cloud Storage: Our Sensitive Data Protection Discovery service now supports Cloud Storage, in addition to BigQuery, BigLake, and Cloud SQL. Read more.

Please visit the Google Cloud blog for more security stories published this month.

Threat Intelligence news

• Emboldened and evolving: A snapshot of cyber threats facing NATO: In this snapshot of cyber-threat activity, we look at the barrage of malicious cyber activity that the North Atlantic Treaty Organization faces, carried out by state-sponsored actors, hacktivists, and criminals willing to take actions previously considered unlikely or inconceivable. Read more.
• Hacktivism trends require increased vigilance from defenders: Mandiant has observed the revival and intensification of threat activity from actors using hacktivist tactics and techniques since early 2022. Our hacktivism threat landscape analysis includes tools to understand and assess the risks posed by these groups. Read more.

Now hear this: Google Cloud Security and Mandiant podcasts

• SOC at a crossroads: New research from Deloitte and Google Cloud points to two futures for most SOCs. They can focus on transformation, or on optimization. Cloud Security podcast hosts Anton Chuvakin and Tim Peacock talk with Deloitte’s Mitchell Rudoll and Alex Glowacki to discuss the findings. Listen here.
• Teamwork under stress: How defenders benefit from expedition behavior: Cybersecurity incident response can benefit from a mindset and training known as expedition behavior. Join Anton and Tim as they explore the importance of modernizing cybersecurity teamwork with Google’s Robin Shostack and Jibran Ilyas. Listen here.
• Defender’s Advantage: Mandiant's approach to securely using AI solutions: When your organization is looking to implement AI workloads, you want to do it securely. Mandiant Consultants Trisha Alexander, Muhammed Muneer, and Pat McCoy join host Luke McNamara to discuss Mandiant's recently-launched services for doing just that. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.