Cloud CISO Perspectives: July 2022

Welcome to this month’s Cloud CISO Perspectives. Starting with this issue, we’re going to add even more top-of-mind content based on the hot topics we see emerge across the industry and with our customers, globally. 

Today, we're focusing on the evolving relationship between an organization's boardroom and its cybersecurity practice, especially in the context of digital transformation to the cloud. This has been a regular dialogue of late, driven in part by corporate risk processes, potential regulations, and ongoing drum beats to improve cybersecurity risk mitigation, all while managing the enterprise's strategic, competitive, and defensive risks.

As with all Cloud CISO Perspectives, the contents of this newsletter will continue to be posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

Cybersecurity from the boardroom

In our conversations with Google Cloud enterprise customers, both prospective and current, we see three main types of relationship patterns emerge between boards of directors and their organizations related to digital transformation to the cloud.

• In a best-case scenario, there is close dialogue and collaboration between the board, business, risk, IT, and security teams that leads to organizational alignment. It’s the result of hard work, and of practices and patterns that Nick Godfrey, director in the Office of the CISO at Google Cloud, and I have previously documented in our research paper, “Board of Directors Handbook for Cloud Risk Governance.”

• Sometimes, an organization’s board is more cautious than its IT and security leadership teams. This is a common pattern where business leaders, IT, and security are fully onboard using cloud as a means to drive the modernization of their infrastructure, applications, and data environments. They recognize the cloud is about reducing risk, as opposed to being a risk to manage in and of itself. However, the board might not be in agreement yet, so there is work to be done to educate the board, listen to their concerns, and demonstrate that appropriate control frameworks exist to safely manage the organization through its transformation. 

• In other instances, it’s the board—not IT or security leaders—that calls for more urgency and more agility for an organization's digital transformation. This type of situation also requires continued collaboration and education with the board, and likely specific key board members, to ensure alignment between business, IT, security, risk, and the board. However, this pattern also highlights the need for more prioritization for IT and security teams, so they can put in place the right guardrails to move transformation quicker while ensuring the appropriate degree of risk mitigation.

Regardless of where any single organization falls within these patterns, there needs to be broader engagement between boards and enterprise-wide cybersecurity practices. Cybersecurity leaders need to have organizational buy-in and engagement to truly reduce risk and improve performance. That includes management, of course, but also boards of directors, yet the challenge remains a significant one for many organizations. 

There are many detailed checklists of cybersecurity goals that boards should expect to see from management, and many of those are good places for cybersecurity leaders to start. As I’ve noted on my personal blog, the National Association of Corporate Directors (NACD) in the U.S. and the Institute of Directors (IoD) in the U.K. have partnered with practitioners to produce some excellent leadership in this regard. There is also plenty of regular commentary from those who work closely with boards. 

However, the level of detail in all this guidance can sometimes be counter-productive. Board members can be beguiled into thinking that if they get what could be good answers to these questions then all shall be well. In working with and sitting on boards, I have found that board members actually may be best served by applying their considerable experience and judgment of strategic and corporate risk to instead ask more basic and fundamental questions. While these questions ostensibly appear basic, answering them would, in fact, challenge most management teams at most companies.

From my perspective, there are far more tips I can offer than just the four below, but they are a good place to start. Overall, the most important consideration is developing an effective approach for your organization—for completeness and alignment with your mission and culture. 

 1. Focus on risk. Questions that can help in understanding the risks an organization faces include: What are the most significant risks to our most critical assets and business services? What controls mitigate those risks? Who is continuously assessing whether those controls are in place and effective? What residual risks remain? Who deemed those risks to be acceptable, and with what compensating factors or risk transference? What executive management group regularly monitors the measured outcome of this process?

Notice that these questions never mention the words “cybersecurity” or “technology.” By focusing on risk, you’re making it clear what you mean, and what an organization is facing. Of course, it’s easy to ask these questions but it can be difficult to answer them well. It requires a significant amount of work to develop risk taxonomies, asset and service inventories, risk and continuous control monitoring, and an evolving apparatus of risk governance. 

2. Think beyond cyber. Cybersecurity is just one of many technology and information risks and shouldn’t be discussed in isolation. Many of the best mitigations for cybersecurity risk are great technology platforms which offer controls such as software and service lifecycle management, identity and access management, data governance, Zero Trust architectures, and highly resilient and monitored production services.

3. Take a business perspective. Contextualize all cybersecurity and technology risks in a business context that also takes into consideration the potential impact on customers. This is a good place to think about how the implications of the Risk = Hazard + Outrage formula can affect your organization. It’s vital to factor in reputational risk and brand impact, as well as the potential for direct losses. 

4.  Embed cyber in business initiatives. Discussions among boards are widely varied, and can cover topics as disparate as business initiatives, risk and control reviews, strategic discussions, financial reviews, and attestations, among others. Work with your peer executives across business lines and control functions to make sure that relevant content on cybersecurity and technology risk appears in their board content. Work to educate those leaders and prepare them for questions that come from your experiences of talking to the board. 

This creates what you really desire, the shared fate to mitigate these risks across the enterprise. It can be transformational if the board is asking everyone they encounter about how cybersecurity is managed in that activity or business process, as opposed to only asking the CISO.

Working with your board to manage cybersecurity risk is about more than getting the right presentation materials and metrics. Rather, it is about having a broader enterprise-wide risk management and business view that contextualizes cybersecurity risk and enables organizations to better establish risk tolerances. 

The cybersecurity challenges facing boardrooms are non-trivial, but working through them can lead to healthier relationships between boards and their organizations, and a healthier organization overall. To further your understanding of these critical issues, we have published guidebooks for CISO’s Guide to Cloud Security Transformation and Risk Governance of Digital Transformation in the Cloud. Along with the research we published in our aforementioned cybersecurity in the boardroom guide, these serve as a family of guides that can help sustain agility and speed in digital transformation while also managing risk and ensuring appropriate governance.

Google Cybersecurity Action Team highlights

Here are the latest updates, products, services and resources from our security teams this month: 

Security

• How to think about threat detection in the cloud: As organizations transition from on-premises to hybrid cloud or pure cloud, how they think about threat detection must evolve as well—especially when confronting threats across many cloud environments. Here, we proposed a new foundational framework to better secure digital transformations. Read more. 

• Why shifting security left helps your bottom line: The concept of "shifting left" has been widely promoted in the software development lifecycle. By reducing software-related security defects and identifying potential misconfigurations earlier (“to the left”) in the development cycle, we can reduce post-production defects. Here's how.

• How Google is preparing for a post-quantum world: Following NIST’s announcement in July that the third round of the Post-Quantum Cryptography standardization process has been completed, and a submission with Google’s involvement was selected for standardization, we highlight the four areas that Google’s PQC work has been focusing on. Learn more.

• Mind your metrics to achieve better Autonomic Security Operations: Security Operations Centers can learn a lot from what IT operations discovered during the Site Reliability Engineering revolution. How those lessons apply to SOCs, and are related to Service Level Objectives, is an important step in keeping SOCs ahead of threats. Read more.

• How (and why) empathy plays a critical role in security operations: Within SecOps, challenges often boil down to alert fatigue, skills shortages, and lack of visibility. But another hurdle is just as important: ensuring the extension of humility and compassion—to users, customers, third parties, colleagues, and even adversaries. Fortunately, this struggle can be met without the need for technology, and result in more productivity, effective relationships, diverse thinking, and more resilient security postures. Read more. 

• Apigee Advanced API Security comes to Google Cloud: To help customers more easily address their growing API security needs, we have introduced Advanced API Security in Preview, a comprehensive set of API security capabilities built on Apigee, our API management platform. Here’s a closer look at the two key functionalities included in this launch: identifying API misconfigurations and detecting bots. Read more.

• How Google Cloud SecOps can help untangle key MSSP conundrums: Security teams at organizations driven to the cloud during the Covid-19 pandemic face many key challenges, such as an overload of alerts, the need for more detection tools, and security skill shortages. Here's 6 common problems, and how to solve them.

• Overcoming familiar SecOps challenges: SecOps can be professionally rewarding—and professionally exhausting. To keep turnover down, it can be helpful to think about old SecOps challenges that never seem to budge in new ways. Here's 5 better strategies for SecOps burdens.

Industry updates

• Building a resilient healthcare ecosystem with Health-ISAC: Last August, Google announced its commitment to invest at least $10 billion over the next 5 years to advance cybersecurity. As part of this initiative, Google Cloud is the first major cloud provider to partner with the Health Information Sharing and Analysis Center (Health-ISAC) to bring experts and resources, including our Threat Horizon Report and Google Cybersecurity Action Team, to partner with the healthcare community and its leadership. Read more.

• Google supports CSRB call for open source security improvements: The results of the first report from the U.S. Cyber Safety Review Board on the log4j software library vulnerabilities are in, and Google welcomed the opportunity to participate in the development of the CSRB report. Here’s our approach to address the log4j report’s recommendations. Read more.

Compliance & Controls

• Google Workspace earns DOD IL4 authorization: Google Workspace has achieved the U.S. Department of Defense’s Impact Level 4 (IL4) authorization, an important milestone in our ongoing commitment to serving the needs of federal, state, local, and education entities, through our recently launched Google subsidiary, Google Public Sector. Read more.

• Using Cloud Bigtable with IAM conditions and tags: Exposing data securely is one of the core functions of Cloud Bigtable, our low-latency, high-throughput NoSQL database. Here’s how IT and security teams can configure access control options for Bigtable resources. Read more.

• What GKE users need to know about Kubernetes' new service account tokens: When you deploy an application on Kubernetes, it runs as a service account—a system user understood by the Kubernetes control plane. Kubernetes service account tokens are the keys to the kingdom and can help configure Kubernetes clusters securely. Here's how it works.

Tips for security teams to share

We also published in July a series of four helpful guides on Google Cloud’s security architecture. These explainers by our lead developer advocate Priyanka Vergadia are ready-made to share with IT colleagues, and come with colorful illustrations that break down how our security works. 

• Network and Application Security: This primer details how we structure network and application security.

• Data Security: This guide focuses on data security architectures at Google Cloud and how you can use them to better secure your organization.

• Security Monitoring: Moving to the cloud comes with the fundamental question of how to effectively manage security and risk posture. This Security Command Center guide shows how our native security and risk management platform can help you to do just that. 

• Cloud Data Loss Prevention: Cloud Data Loss Prevention is a fully managed service designed to discover, classify, and protect your sensitive data, where it resides from databases, text-based content, or even images. Here’s how Google Cloud DLP works.

• Cloud Identity and Access Management: This guide details how organizations can use Identity and Access Management to define what resources their human users and service accounts can access. Here’s a closer look at Cloud IAM.
  

Customer Innovation

• How Ocado Technology delivers secure online grocery shopping with Google Cloud: Grocery shopping has changed for good in part thanks to the Ocado Smart Platform, which powers the online operations of some of the world's most forward-thinking grocery retailers. To proactively identify and tackle security vulnerabilities, Ocado uses Google Cloud’s Security Command Center Premium to centralize its vulnerability and threat reporting. Read more.  

• How Nordic Choice Hotels used ChromeOS Flex to recover from ransomware: Kari Anna Fiskvik, VP of Technology at Nordic Choice Hotels, explains how her team used ChromeOS Flex to bounce back from a ransomware attack so devastating it even disabled digital room key cards. Read more.

• How Exabeam delivers a petabyte-scale cybersecurity solution: SIEM and XDR company Exabeam partnered with Google Cloud so it could use BigQuery, Dataflow, Looker, Spanner, and Bigtable to better ingest data from more than 500 security vendors, convert unstructured data into security events, and create a common platform to store them in a cost-effective way. Here's why.

Google Cloud Security Podcasts

We launched in February 2021 a new podcast focusing on Cloud Security. If you haven’t checked it out, we publish four or five podcasts a month where hosts Anton Chuvakin and Timothy Peacock chat with cybersecurity experts about the most important and challenging topics facing the industry today. This month, they discussed:

• How Google scales detection and response, with our own Tim Nguyen, director of detection and response. Listen here. 

• How to evolve your SOC to output-driven detection and response, with Erik Bloch,  senior director of detection and response at Sprinklr. Listen here.

• The role that investment plays in improving cloud security, with James Luo, partner at CapitalG. Listen here.

• Powering secure SaaS (but not with cloud-access security brokers) with Ben Johnson, the CTO and co-founder of Obsidian Security. Listen here.

To have our Cloud CISO Perspectives post delivered every month to your inbox, sign up for our newsletter. We’ll be back next month with more security-related updates.