Episode Notes
With over 20 years of experience as a CISO, Phil Venables, Chief Information Security Officer at Google Cloud, talks about creating an AI framework, key use cases for AI in cyber, Google Cloud joining FS-ISAC's Critical Providers Program, how he approaches operational resilience, and gives advice on how CISOs can maintain work-life balance.
Notes from our Discussion with Phil
Google Cloud’s Security AI Framework
AI has presented new risks and very specific types of threats. The objective is to create a foundational framework on a basic set of control principles that can be replicated in other processes. It’s important to extend detection and response capabilities to include AI systems. This is particularly important when deploying large language models (LLMs). AI is the best defense against AI. There’s a need to embed AI in tooling, so that everyone doesn’t need to be an AI expert. The framework also needs to consider end-to-end business risks, including compliance, legal risks, reputation, trust, etc.
Expectations from the Framework
Google Cloud is looking to partner with organizations to develop the framework. This may not become “the” framework, as there are others like the NIST AI Risk Management Framework. The aim is to build on the framework to include other, more detailed recommendations and tooling. It should have a broader use, beyond Google and the customer’s use of Google’s AI.
Key Use Cases of AI in Cybersecurity
There are 3 areas – Threats, Toil and Talent.
Threats: Google is using LLMs, AI and GenAI to analyze, monitor and manage threats, like analyzing new malware discovered via Google’s VirusTotal service and using Sec-PaLM 2 LLM to decode and provide threat advice. LLMs need to be trained using a large corpus of security and threat data.
Toil: Security operational jobs have a lot of overhead and ineffective tools. Google Cloud is focusing on using Sec-PaLM 2 to help organizations automate security operations.
Talent: AI will be the great democratizer of talent. Giving people AI assistance to develop, expand and extend their skills can increase security talent.
AI Risks for Financial Services Organizations
AI as a democratizer of talent and a tool for enhancing people’s skills can also extend the capabilities of threat actors. Organizations will need to bolster their current defenses. For example, deepfakes across voice video and images are being used to confound authentication systems and organizations are strengthening their traditional authentication systems, like using hardware tokens. Using AI is also an option.
Impact of AI and Strategies to Secure the Cloud Environment
AI is driving an accelerated cloud adoption. Even the largest companies will need to migrate to the cloud for the processing capability to deploy the new LLMs. There will not only be a drive to the cloud to get access to AI, but also the use of AI tools to securely manage cloud configurations. Google has a bunch of tools like Duet AI powered by PaLM 2, which helps people define and deploy secured cloud configurations that is easier than many clouds.
Google Cloud Joins FS-ISAC's Critical Providers Program
As a cloud provider, Google provides support for many critical infrastructures and the financial services sector is among the most critical infrastructures in the world. With more banks moving to the cloud, it makes sense for Google to stay in touch with the community and make sure we’re meeting customers where they are. By joining FS-ISAC, Google Cloud wanted to be part of an organization that is promulgating best practices and sharing information and intelligence.
Supply Chain Risks in the Financial Sector
Google launched slsa.dev (SLSA stands for Supply-chain Levels for Software Artifacts) because it’s necessary to understand what is in software and how the software was built and protected, beyond looking at just the SBOMs (software bill of materials). SLSA is an open-source framework, and now FINOS (Fintech Open Source Foundation) is looking at how that plays into financial services projects. Supply chain risk should not be addressed in a third-party assessment way. Firms that build software on the Google Cloud Platform get inherently a high level of control, not only with the SBOM, but also SLSA, which includes different security requirements on the software supply chain.
Fundamental Forces of Information Security Risk
When you look behind all the threats, risks and controls, everything boils down to the fundamental forces. An example of a fundamental force is that information wants to be free, that is information flows everywhere. This means data governance and data controls are required. At the same time, information is the lifeblood of businesses and cannot be in silos. Data governance and data controls are increasingly coming together to manage integrity, privacy, and compliance, while maximizing an organization's value from the information.
Another example of a fundamental force is that code wants to be wrong, that is all codes have bugs and errors. Similarly, entropy is king, which means if you do nothing, things will degrade to an uncontrolled state. If you implement a control and walk away, at some point it will break. You need to continuously monitor and ensure the controls remain effective.
CISOs Taking a Leadership Role
Many security issues are symptoms of bigger issues. CISOs need to take a step back from dealing with security challenges and think about positioning their organization to better manage and mitigate all the symptoms. In many organizations, CISOs take the lead on the strategies of data management, tracking the use of data in different business applications and what data is fed into AI.
CISOs are also partnering with different executives to modernize their technology platforms, where security is not bolted on after the fact. CISOs need to partner with CTOs for technology transformation, not just security transformation.
Investing in System-Wide Resilience
Organizations need to be capable of operating even in the presence of attacks. The financial sector has been leading the way with its operational resilience concept. Planning is needed to operate when your defense fails. Earlier in the year, the US FAA (Federal Aviation Administration) system had an outage. Although this wasn’t a cyberattack, the result was that all North American planes were grounded for a few hours. The focus became on ensuring that the system never goes down again, while the main issue is the dependency on only one system.
Another concept is Cold Start Recovery Time. This considers how feasible it is to not just think of recovery time objectives for resilience in the conventional sense, but rather as the time it takes to restart a business function from nothing. This is a more rigorous approach than the conventional disaster recovery process.
Role of Sheltered Harbor in Recovery
Companies need to think about operating in degraded states, which is why the concept of operational resilience is broader in the financial sector. You don’t need to be perfectly recoverable as long as you’re able to run the critical aspects of your services to keep going while you do the longer recovery in parallel. This gives more flexibility to deal with attacks. Sheltered Harbor is a data store if you need to keep things going.
Maintaining Work-Life Balance
Two big lessons. Work-life balance is not about achieving the balance every day. You can think of it on a weekly or monthly basis. If you’re aiming for a balance every day, it may add to your stress during weeks when there’s a crazy amount of work. It’s best to look at work-life balance over longer periods of time. Secondly, maintaining work-life balance requires discipline. The answer is to talk to your future self. Often you say yes to meetings that don’t add much value. Talk to your future self to judge your decision about attending the meeting.
Final Thoughts
People working in security are defending the ideas and capital that is essential for human progress and, in many respects, defending lives and livelihoods.
