Advice to CISOs: Don't shoulder everything

IT World Canada, July 27, 2022

With an increasing number of cyber threats aimed at their organizations, and having to deal with tight budgets, chief information security officers (CISOs) can feel an oppressive weight on their shoulders.

There's a solution, says Phil Venables, currently vice-president and chief information security officer of Google Cloud, and the former CISO at U.S. financial giant Goldman Sachs: Don't take everything on yourself.

"This is all about a partnership with their colleagues in IT and the CIO," he said in a recent interview.

"It's about making sure their executive leadership is accountable for overseeing the risks so it all doesn't fall on the CISO. In many cases, the CISO's job is stressful because they feel like they're accountable for everything, yet [the security team] may not have enough resources and prioritization to do all the things the CISO is recommending. So putting in place the right risk governance structure, connecting the board and the CEO to the CIO or the CTO plus the CSO to make it a team effort in managing the risks, not all falling on the CISO, is the best stress reliever.

"That's not dissimilar to any other critical aspect of how to run an enterprise. Any other critical risk role in a major corporation or government entity is going to be stressful if you feel like it's just you and it's all falling on you. The best antidote to that is [for the board] to create some governance structure where management collectively is on the hook for the risk, not one particular role."

For example, he said, Google Cloud has a Cloud Risk Council that Venables chairs — but the co-chairs are the CEO and the person who runs all the technical infrastructure that underpins all Google services. "So when I find a risk I'm not just taking it on for me. There's me and Thomas and Irv and all of the cloud and infrastructure leadership. We get to decide the prioritization and the resources to find and close particular risks. In some cases in our large and complex environment, things take longer than I would like. But the fact that we have reviewed things with the CEO and the global head of all our infrastructure takes a load off my shoulders."

Venables, whose responsibilities include risk, security, compliance, resiliency, and privacy on the Google Cloud platform, was interviewed while he was here meeting with Canadian business and government customers.

Google has two of what it calls regions in Canada, each of which is separate. Each has a number of zones, or data centres, and customers can store data in more than one zone, so if one goes down, it doesn't affect data in the other.

Asked what a CISO's strategy should be for moving workloads to the cloud, he said "there's no one right approach because it's so highly dependent on the technology and services that are already operating."

Google helps create what it calls "secure landing zones" for customers, which Venables described as places in the cloud where organizations can create new technology, or move existing technology, into a secure environment while staff develop the skills for taking advantage of the rest of the cloud services. There's also a Cybersecurity Action Team of consultants.

"One of the biggest mistakes that have been made, and continue to be made, in cybersecurity is organizations buying too many security products without modernizing their technology environment," he added.

A cloud provider should have security built into its platform, not bolted on after the fact, he said. "You should have a more defendable technology platform that reduces the need for you to drop in security products after the fact to try and secure that."

The cloud should be seen as a way of efficiently, quickly, and cost-effectively driving that modernization through a more defendable platform, he said.

Another problem infosec leaders have is trying to bring their traditional on-premises data centre mentality to the cloud, he said. "The cloud offers so much more security capabilities than have existed in traditional environments. If companies bring that traditional data centre mindset to the cloud they're not taking advantage of all the security features that are available."

For example, he said, Google "pervasively" encrypts all customers' storage and communications, and every instance of every device has a firewall built into it by default. Google engineers can't go into a customer's environment without their permission.

It also offers a service developed with AMD called "confidential computing", where customers can take encryption all the way up to the processor, where data is only decrypted within a secure enclave in the processor.

However, he acknowledged that even in the cloud, some data security matters are in the hands of infosec leaders, and mistakes can be made. These include not managing data access effectively, not implementing strong forms of authentication, not securing mobile devices, and not keeping equipment and software up to date.

Experts cite the need to have cybersecurity defence in depth to fight cyber attacks, Venables said. The same is needed elsewhere. "We also talk about defence in depth from configuration errors. A lot of the well-known security breaches that have happened with customers who have cloud providers have mostly not been a case of the cloud provider being compromised. It's more the customer misconfigured access on some storage, or, on one of the other platforms that don't do encryption by default, has failed to turn on encryption for some reason."

One solution is to look for cloud providers whose products come with all safety controls turned on, as well as having layered controls. For example, Google Cloud offers an optional layer of controls that can be put around a subset of customer services to lower the odds of configuration errors. These controls can be managed by the security team rather than the IT team.

In his blog (https://www.philvenables.com/) Venables has said 30 per cent of his success has been due to "flat out luck."

"Anybody that would say otherwise is probably lying. When I talk about luck it's not luck as in 'lucky to avoid security incidents,' it's luck in terms of getting the right opportunities, finding the right people, figuring how to get people connected in the right ways. If any of us were to not acknowledge good fortune … If someone were to say all of their success is down to them as an individual, we should view them with suspicion."

The post Advice to CISOs: Don't shoulder everything (https://www.itworldcanada.com/article/advice-to-cisos-dont-shoulder-everything/494854) first appeared on IT World Canada (https://www.itworldcanada.com/).