Our 4-6-3 rule for strengthening security ties to business

Etienne De Burgh
Senior Security & Compliance Specialist, Office of the CISO, Google Cloud
Odun Fadahunsi
Executive Trust Lead, Office of the CISO
For decades, business leaders have been hearing the same refrain from their security counterparts: Bring us into the conversation. Give us a seat at the table. We can help you.
The ask has merit. The desire to move rapidly to transform a business can sometimes convince leaders to de-prioritize security and resilience.
Fewer guardrails might make it seem like the transformation is happening faster, but at Google Cloud’s Office of the CISO, we find that this is a reliable way to introduce risks that need to be managed down the line. The result is increased risk and a less secure environment; ultimately, it can bog down the process and even make cloud technologies less impactful.
“I truly believe complexity is terrible for operational stability, and that equates to security stability. It's a root cause of a lot of issues: Complexity in the organization drives complexity in tooling drives complexity inside of [people issues,]” said Dave Hannigan, CISO, NuBank, in a recent episode of the Cloud Security Podcast. “People want to be on the most well-maintained image. It's not about security, it's about operational excellence.”
So how can security and risk management leadership ensure that security and resilience needs are given sufficient attention? Prioritizing security can unlock business value and help drive good outcomes not only for security and resilience, but also for quality and customer experience.
By implementing automation tools, promoting collaboration between the first and second lines of defense, and fostering a culture of security awareness, you can build a secure and resilient cloud environment. To make security-first a reality, it should be woven into the fabric of how your organization operates in the cloud, baked in from design and development to deployment and maintenance.
Security-first follows our secure-by-default approach, but goes further by actively and continuously prioritizing security measures. Your organization can grow into a security-first approach by following our 4-6-3 guidance: Adopt these four principles, put them into action with six steps, and stay the course by regularly taking three key measurements.
4 foundational principles
Security starts at the top. When leaders prioritize and champion security, it sets the tone for the entire organization.
- Lead by example: Executive leadership must champion the security-first mindset, setting clear expectations, allocating necessary resources, and holding teams accountable for their performance. This top-down approach sends a powerful message that security is a non-negotiable priority. Check out our Board of Directors Insight Hub for additional resources on risk governance.
- Prioritize security: Treat security as a core, non-negotiable requirement from the initial planning stages, and integrate it into your cloud architecture and design principles.
- Foster a culture of security: Promote a security-conscious culture where everyone shares responsibility. Security isn't just the security team's job; everyone plays a role.
- Collaboration is key: To evolve into a security-first culture, security and risk management leadership needs to draw on the strengths of both the operational teams and the security risk-control management team. Operational teams, responsible for day-to-day tasks, must embrace security as a core principle. Security teams, providing oversight and risk management, play a crucial role in guiding and supporting operational teams.
Take these 6 steps
While shifting an organization to a security-first approach is more of an art than a science, acting on these six suggestions can really help make security-first a reality.
- Empower your teams: Invest in security training and continuous learning.
- Implement strong access controls: Enforce least privilege and limit user permissions with Identity and Access Management (IAM) controls. (Here’s how to get started with IAM.)
- Automate security controls: Use Infrastructure as Code (IaC) tools to automate security controls. Together with Cloud Security Posture Management (CSPM) tools such as our Security Command Center, they help reduce human error and ensure consistent security.
- Integrate security into development: Embed security checks and tests within your Continuous Integration and Continuous Deployment (CI/CD) pipelines to catch vulnerabilities early in the development process.
- Regularly test and monitor: Conduct routine security assessments and monitoring to identify and remediate security gaps and issues such as misconfigurations before they can be exploited.
- Consider external expertise: Enhance your in-house capabilities with third-party security tools and services that can provide additional layers of protection and expertise.
3 tips on gauging improvement
The sheer number of ways to evaluate how successful a plan is may seem overwhelming, so we suggest following these three key points.
- Measure your progress: Establish metrics to track progress and identify areas for improvement. These can include tracking misconfiguration incidents, measuring the time it takes to detect and fix misconfigurations, monitoring compliance with security standards, tracking vulnerability scan results, assessing employee security awareness, and measuring the adoption of security automation.
- Incentivize and enforce: Reward secure practices, including public acknowledgement of security champions, and implement consequences for non-compliance, such as clear disciplinary actions for repeated violations.
- Regularly review and update: Stay vigilant by adapting to new threats and best practices.
Lean into security-first to become business-strong
While embracing a security-first approach can help mitigate risk, it's really about enabling innovation and seizing the full potential of the cloud. Fostering collaboration and implementing proven, effective strategies can empower organizations to confidently navigate the cloud landscape and achieve their business objectives.
To learn more about how to balance security and innovation in the cloud, you can explore Google Cloud’s Board of Directors Insights Hub.