Google Cloud CISO Phil Venables on the future of cloud security

In March 2021 Google Cloud announced a new offering called Risk Protection Program, which is designed to help its cloud customers reduce security risk and connect with Google’s insurer partners, Allianz Global Corporate & Specialty and Munich Re. The insurers created a specialized cyber insurance policy exclusively for Google Cloud customers, called Cloud Protection +.

The intent of the offering, which Google says is the first-of-its-kind partnership between a major cloud provider and leading cyber insurance companies, is to boost the confidence of organizations considering moving critical workloads to the cloud. The program includes a new security diagnostic tool called Risk Manager, which enables customers to measure and manage their risk on Google Cloud and obtain a report on their security posture and possibly pay less for more targeted cyber security insurance.

CSO recently spoke with Phil Venables, former CISO of Goldman Sachs and now vice president and CISO of Google Cloud, to discuss cloud security trends and the impact of services such as the new Google Cloud offering. 

How much of an issue is it for CISOs to have to spend time filling out compliance questionnaires to certify their own cloud security posture for potential partners and customers?

Responding to customer, auditor, and regulator inquiries is a necessary part of operating any critical service. There has been a lot of progress in standardization of such assessment frameworks, not least in terms of the available certifications from ISO, SOC1/2 and more.

One of the advantages of a compliance-friendly cloud service is that they have a range of available certifications and help the CISO or other teams in their response by providing all the necessary information as part of using the service.

How do new services such as what Google Cloud recently announced address this problem?

Building on what we do for security health analytics and compliance reporting, the Risk Manager tool in our Risk Protection Program enables our customers to more efficiently and accurately measure and manage their risk on Google Cloud.

The Risk Manager tool generates a report that helps enterprises understand their security risk posture on an ongoing basis and serves as an indicator of their security baseline. The impact being that enterprises can spend less time communicating their security settings and manage them more efficiently through the tool. The report can then be shared with our insurance partners Allianz and MunichRe directly, to assess eligibility for specialized cyber insurance. 

What role is telemetry playing, or can it play, in evaluating a company’s security posture in the cloud?

Increased depth, breadth, and frequency of observability of security configuration is crucial and is one of many security and control advantages of the cloud. The importance of improving security metrics and driving accuracy in risk measurement is essential. We have a unique role as a cloud vendor where we can become a bit of a digital immune system for our customers, since we see issues and can rapidly provide support to our customers. A component of this work is to develop better metrics and measurement around security.

However, I think we are in danger of becoming too obsessed with finding the perfect set of metrics for all contexts. With Risk Manager, we are kicking off the program by looking at configuration best practices for cloud resources based on the Center for Internet Security standards.

What excites me about the program today is the ability to close the loop on outcomes. Our partners, Munich Re and Allianz, will gather data on what indicators are correlated with losses and continuously improve the depth of feedback that we give customers around risk.

How much extra visibility and assurance can telemetry really provide right now, and what needs to happen for this to keep improving?

The Risk Protection Program is the first step toward enabling our insurance partners access to actionable data that can be built upon. Data from the tool helps to streamline our insurance partners underwriting processes and evolve their insurance policies with the data-driven technology that their insureds deploy.

I’m a strong believer that we can raise the security baseline by reducing the cost of controls, and as we build more controls into our platform our customers benefit. We need customers actively adopting the security technology we provide, and we have an obligation to make the business case for adoption clear and the process of adoption easy.

The best security features we provide are the ones that customers never need to think about.

Are cloud providers edging toward automating compliance reporting, and what does that mean for CISOs and their organizations?

A significant part of running in the cloud is the ability to define, declaratively, your intended configuration and thus be able to monitor your ongoing adherence to that intention. This policy, or controls as code, approach is a vital part of continuous controls monitoring. In turn, along with mapping those controls to risk and compliance goals, this is a foundation for automated reporting that reduces a large amount of the toil that is present in compliance assurance for other types of environments.

How significant is it that a cloud provider and insurance companies are collaborating on something like this?

This is a first-of-its-kind collaboration between a major cloud provider and leading cyber insurance companies. For too long, customers have been responsible for building effective cloud security programs on their own. The result is that enterprises have viewed the cloud as a risk to be managed instead of a platform for managing risk. With the Risk Protection Program, we are [enabling] customers to move beyond the legacy model of shared responsibility to a new model of shared fate, which includes detailed guidance to optimize security in the cloud, tools to manage ongoing security and compliance requirements, and now simplified access to cyber insurance with pricing directly linked to a strong security posture.

In the past you’ve mentioned “structural changes” or advances on the defending side and noted the creation of information sharing and analysis centers and the rise of the CISO role as examples. Any recent developments rise to that level?

The cloud overall is a good example of this. In particular the economy of scale of the cloud is fundamentally changing the game of security. The pace of security enhancement and extent of security feature addition to products—secure products, not security products—is accelerating. The other cloud providers have, of course, similar progress. This massive, global-scale acceleration to keep increasing security in tandem with agility and productivity is a benefit to all.

Any other promising emerging technologies or processes that you see having a big impact on cloud and security?

Organizations need real-time business context for security data. Mapping security issues to business context to determine a risk level is a time-consuming process. This delay ultimately leaves organizations at more risk for a security incident.

With the cloud, we’re trending in a positive direction because cloud technology makes risk transparency easier from well-lit security paths, to declarative approaches like configuration as code, and more precise inventories and diagnostics.