Advice to CISOs: Don’t shoulder everything
With an increasing number of cyber threats aimed at their organizations, and having to deal with tight budgets, chief information security officers (CISOs) can feel an oppressive weight on their shoulders.
There’s a solution, says Phil Venables, currently vice-president and chief information security officer of Google Cloud, and the former CISO at U.S. financial giant Goldman Sachs: Don’t take everything on yourself.
“This is all about a partnership with their colleagues in IT and the CIO,” he said in a recent interview.
“It’s about making sure their executive leadership is accountable for overseeing the risks so it all doesn’t fall on the CISO. In many cases, the CISO’s job is stressful because they feel like they’re accountable for everything, yet [the security team] may not have enough resources and prioritization to do all the things the CISO is recommending. So putting in place the right risk governance structure, connecting the board and the CEO to the CIO or the CTO plus the CSO to make it a team effort in managing the risks, not all falling on the CISO, is the best stress reliever.
“That’s not dissimilar to any other critical aspect of how to run an enterprise. Any other critical risk role in a major corporation or government entity is going to be stressful if you feel like it’s just you and it’s all falling on you. The best antidote to that is [for the board] to create some governance structure where management collectively is on the hook for the risk, not one particular role.”
For example, he said, Google Cloud has a Cloud Risk Council that Venables chairs — but the co-chairs are the CEO and the person who runs all the technical infrastructure that underpins all Google services. “So when I find a risk I’m not just taking it on for me. There’s me and Thomas and Irv and all of the cloud and infrastructure leadership. We get to decide the prioritization and the resources to find and close particular risks. In some cases in our large and complex environment, things take longer than I would like. But the fact that we have reviewed things with the CEO and the global head of all our infrastructure takes a load off my shoulders.”
Venables, whose responsibilities include risk, security, compliance, resiliency, and privacy on the Google Cloud platform, was interviewed while he was here meeting with Canadian business and government customers.
Google has two of what it calls regions in Canada, each of which is separate. Each has a number of zones, or data centres, and customers can store data in more than one zone, so if one goes down, it doesn’t affect data in the other.
Asked what a CISO’s strategy should be for moving workloads to the cloud, he said “there’s no one right approach because it’s so highly dependent on the technology and services that are already operating.”
Google helps create what it calls “secure landing zones” for customers, which Venables described as places in the cloud where organizations can create new technology, or move existing technology, into a secure environment while staff develop the skills for taking advantage of the rest of the cloud services. There’s also a Cybersecurity Action Team of consultants.
“One of the biggest mistakes that has been made, and continues to be made, in cybersecurity is organizations buying too many security products without modernizing their technology environment,” he added.
A cloud provider should have security built into its platform, not bolted on after the fact, he said. “You should have a more defendable technology platform that reduces the need for you to drop in security products after the fact to try and secure that.”
The cloud should be seen as a way of efficiently, quickly, and cost-effectively driving that modernization through a more defendable platform, he said.
Another problem infosec leaders have is trying to bring their traditional on-premises data centre mentality to the cloud, he said. “The cloud offers so many more security capabilities than have existed in traditional environments. If companies bring that traditional data centre mindset to the cloud they’re not taking advantage of all the security features that are available.”
For example, he said, Google “pervasively” encrypts all customers’ storage and communications, and every instance of every device has a firewall built into it by default. Google engineers can’t go into a customer’s environment without their permission.
It also offers a service developed with AMD called “confidential computing”, where customers can take encryption all the way up to the processor, where data is only decrypted within a secure enclave in the processor.
However, he acknowledged that even in the cloud, some data security matters are in the hands of infosec leaders, and mistakes can be made. These include not managing data access effectively, not implementing strong forms of authentication, not securing mobile devices, and not keeping equipment and software up to date.
Experts cite the need to have cybersecurity defence in depth to fight cyber attacks, Venables said. The same is needed elsewhere. “We also talk about defence in depth from configuration errors. A lot of the well-known security breaches that have happened with customers who have cloud providers have mostly not been a case of the cloud provider being compromised. It’s more the customer misconfigured access on some storage, or, on one of the other platforms that don’t do encryption by default, has failed to turn on encryption for some reason.”
One solution is to look for cloud providers whose products come with all safety controls turned on, as well as having layered controls. For example, Google Cloud offers an optional layer of controls that can be put around a subset of customer services to lower the odds of configuration errors. These controls can be managed by the security team rather than the IT team.
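The two configuration errors Venables names (storage opened to the public, and encryption never switched on where the platform does not enable it by default) are the kind of thing a security team can audit mechanically, and the "layered controls" he describes change how serious a given finding is. The following is an added example, not code from the article or from Google Cloud: it audits a set of constructed bucket configurations against those two checks and shows how an organisation-level guardrail owned by the security team downgrades a bucket-level mistake from a live exposure to a caught one. The bucket schema, the `Guardrails` class and the sample buckets are all assumptions made up for the example, not a real provider's API.

```python
"""Audit constructed storage-bucket configurations for two misconfiguration
classes: public access grants, and encryption left off on a platform that
does not encrypt by default. Org-level guardrails (security-team owned)
reduce the severity of bucket-level mistakes they would have blocked."""
from dataclasses import dataclass, field
from typing import Dict, List

# Principals that make a binding world-readable/writable (constructed names,
# modelled on the common "everyone" / "any signed-in account" identities).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


@dataclass
class BucketConfig:
    """Constructed view of one bucket's settings (hypothetical schema)."""
    name: str
    bindings: List[dict] = field(default_factory=list)  # {"role": str, "members": [str]}
    encryption_default: bool = True   # platform encrypts at rest without customer action
    encryption_enabled: bool = True   # customer explicitly turned encryption on


@dataclass
class Guardrails:
    """Hypothetical organisation-wide controls managed by the security team,
    layered above whatever the IT team sets on individual buckets."""
    block_public_access: bool = False
    require_encryption: bool = False


def audit_bucket(bucket: BucketConfig, guardrails: Guardrails) -> List[dict]:
    """Return one finding per misconfiguration found on a single bucket."""
    findings = []

    # Check 1: any IAM binding that grants a role to a public principal.
    public_roles = sorted(
        b["role"] for b in bucket.bindings
        if PUBLIC_PRINCIPALS.intersection(b.get("members", []))
    )
    if public_roles:
        blocked = guardrails.block_public_access
        findings.append({
            "check": "public_access",
            "detail": "public principal holds: " + ", ".join(public_roles),
            # Still worth fixing, but not an exposure if the org layer blocks it.
            "severity": "low" if blocked else "high",
            "mitigated_by": "org guardrail" if blocked else None,
        })

    # Check 2: no encryption at rest, because the platform does not default to
    # it and nobody switched it on for this bucket.
    if not (bucket.encryption_default or bucket.encryption_enabled):
        enforced = guardrails.require_encryption
        findings.append({
            "check": "encryption_off",
            "detail": "platform does not encrypt by default and bucket has not enabled it",
            "severity": "low" if enforced else "high",
            "mitigated_by": "org guardrail" if enforced else None,
        })

    return findings


def audit_all(buckets: List[BucketConfig], guardrails: Guardrails) -> Dict[str, List[dict]]:
    """Audit every bucket; result maps bucket name to its findings."""
    return {b.name: audit_bucket(b, guardrails) for b in buckets}


def count_by_severity(report: Dict[str, List[dict]]) -> Dict[str, int]:
    """Roll a report up into severity counts for a dashboard or ticket."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample inventory: one public bucket, one unencrypted bucket on a
# no-default-encryption platform, and one correctly scoped bucket.
SAMPLE_BUCKETS = [
    BucketConfig("public-marketing-assets",
                 bindings=[{"role": "objectViewer", "members": ["allUsers"]}]),
    BucketConfig("legacy-backups",
                 encryption_default=False, encryption_enabled=False),
    BucketConfig("payroll-exports",
                 bindings=[{"role": "objectAdmin",
                            "members": ["group:finance@example.com"]}]),
]

if __name__ == "__main__":
    for label, g in (("no guardrails", Guardrails()),
                     ("guardrails on", Guardrails(block_public_access=True,
                                                  require_encryption=True))):
        report = audit_all(SAMPLE_BUCKETS, g)
        print(label, count_by_severity(report))
        for name, findings in report.items():
            for f in findings:
                print(f"  {name}: {f['check']} [{f['severity']}] {f['detail']}")
```

Run as-is it prints the same three buckets audited twice: first with no organisation-level controls, where the public bucket and the unencrypted bucket are both high-severity exposures, then with the guardrails switched on, where the same bucket-level mistakes remain as low-severity hygiene findings because the org layer would have stopped them taking effect. That second pass is the "defence in depth from configuration errors" point in practice: the bucket setting is still wrong, but a control the IT team cannot disable sits above it.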
In his blog Venables has said 30 per cent of his success has been due to “flat out luck.”
“Anybody that would say otherwise is probably lying. When I talk about luck it’s not luck as in ‘lucky to avoid security incidents,’ it’s luck in terms of getting the right opportunities, finding the right people, figuring how to get people connected in the right ways. If any of us were to not acknowledge good fortune … If someone were to say all of their success is down to them as an individual, we should view them with suspicion.”