As senior director and global head of the Google Cloud CISO, Nick Godfrey oversees employee cybersecurity education as well as managing threat detection and mitigation. We conducted an interview with Godfrey via video call about how CISOs and other technology-focused business leaders can allocate their finite resources, get security buy-in from other stakeholders, and the new challenges and opportunities introduced by AI. generative. As Godfrey resides in the UK, we also asked his perspective on UK-specific considerations.
How CISOs can allocate resources based on the most likely cybersecurity threats
Megan Crouse: How can CISOs assess the most likely cybersecurity threats facing their organization, while also considering budget and resources?
Nick Godfrey: One of the most important things to think about when determining how to best allocate the finite resources any CISO or any organization has is the balance between purchasing proprietary security products and services versus thinking about the type of underlying technology risks the organization has. Particularly for an organization that has legacy technology, the ability to make legacy technology defensible even with security products on top of it is becoming increasingly difficult.
So the challenge and trade-off is: do we buy more security products? Do we invest in more security people? Should we buy more security services? Versus: Do we invest in modern infrastructure, which is inherently more defensible?
Response and recovery are key to responding to cyber threats
Megan Crouse: In terms of prioritizing spending with an IT budget, ransomware and data theft are often discussed. Would you say it's good to focus on them, or should CISOs focus elsewhere, or does it largely depend on what you've seen in your own organization?
Nick Godfrey: Data theft and ransomware attacks are very common; therefore, as a CISO, security team, and CPO, you need to focus on those types of things. Ransomware in particular is an interesting risk to try to manage and can actually be very useful in terms of framing the way you think about your end-to-end security program. It requires you to think about a comprehensive approach to the response and recovery aspects of your security program and, in particular, your ability to rebuild critical infrastructure to restore data and ultimately restore services.
Focusing on those things will not only improve your ability to respond to those things specifically, but it will also improve your ability to manage your IT and your infrastructure because you're moving to a place where, instead of not understanding your IT and how it is, you're going to rebuild it. , you have the ability to rebuild it. If you have the ability to rebuild your IT and restore your data on a regular basis, that actually creates a situation where you will have a much easier time aggressively managing vulnerabilities and patching the underlying infrastructure.
Because? Because if you patch it and it breaks, you don't have to restore it and make it work. Therefore, focusing on the specific nature of the ransomware and what it makes you think actually has a positive effect beyond your ability to manage the ransomware.
SEE: A botnet threat in the US targeted critical infrastructure. (Technological Republic)
CISOs need buy-in from other budget decision makers
Megan Crouse: How should technology professionals and executives educate other budget decision makers about security priorities?
Nick Godfrey: The first thing is to find ways to do it comprehensively. If there is a disconnected conversation about a security budget versus a technology budget, then you can miss a huge opportunity to have that joint conversation. You can create conditions where you talk about security as a percentage of the technology budget, which I don't think is necessarily very useful.
Having the CISO and CPO working together and presenting together to the board how the combined portfolio of technology and security projects is ultimately improving the technology risk profile, in addition to achieving other business and commercial objectives, is the right approach . They shouldn't just think of security spending as security spending; They should think of a large portion of technology spending as security spending.
The more we can integrate the conversation about security, cybersecurity, and technology risk into the other conversations that always happen in the boardroom, the more we can make it an overarching risk and consideration in the same way boards think about financial and financial issues. . operational risks. Yes, the CFO will periodically talk about the organization's overall financial situation and risk management, but you will also see the CIO in the IT context and the CISO in the security context talking about the financial aspects of their business.
Security considerations around generative AI
Megan Crouse: One of those important global technological changes is generative AI. What security considerations around generative AI should companies be aware of today?
Nick Godfrey: At a high level, the way we think about the intersection of security and AI is to break it down into three categories.
The first is the use of AI to defend. How can we incorporate AI into cybersecurity tools and services that improve analysis fidelity or analysis speed?
The second group is the use of AI by attackers to improve their ability to do things that previously required a lot of human involvement or manual processes.
The third group is: How do organizations think about the problem of protecting AI?
When we talk to our customers, the first segment is something they perceive security product vendors should solve. We are and so are others.
The second segment, in terms of the use of AI by threat actors, is something our customers are keeping an eye on, but it's not exactly new territory. We have always had to evolve our threat profiles to react to what is happening in cyberspace. This is perhaps a slightly different version of that evolution requirement, but it's still fundamentally something we've had to do. You must expand and modify your threat intelligence capabilities to understand that type of threat and, in particular, you must adjust your controls.
It's the third segment (how to think about using generative AI within your company) that is sparking many in-depth conversations. This group reaches out to several different areas. One, in fact, is shadow IT. The use of consumer generative AI is a shadow IT problem as it creates a situation where the organization is trying to do things with AI and using consumer technology. We strongly advocate that CISOs should not always block consumer AI; There may be situations where it is necessary, but it is better to try to figure out what your organization is trying to achieve and try to enable it in the right way rather than trying to block everything.
But commercial AI gets into interesting areas around data lineage and where the data comes from in the organization, how it has been used to train models, and who is responsible for the quality of the data, not its security… its quality.
Companies should also ask questions about the overall governance of AI projects. What parts of the company are ultimately responsible for AI? As an example, red-teaming on an AI platform is quite different from red-teaming a purely technical system in the sense that in addition to doing technical red-teaming, you also need to think about interactional red-teaming. real with the LLM (large language). model) and generative AI and how to break it down at that level. In fact, ensuring the use of AI seems to be what challenges us the most in the industry.
UK and International Cyber Threats and Trends
Megan Crouse: In UK terms, what are the most likely security threats facing UK organizations? And is there any particular advice you would give them regarding budgeting and planning around security?
Nick Godfrey: I think it's probably pretty consistent with other similar countries. Obviously, there was some political undertone to certain types of cyber attacks and certain threat actors, but I think if you compared the UK to the US and Western European countries, I think they're all seeing similar threats.
The threats are partly directed along political lines, but many of them are also opportunistic and based on the infrastructure managed by a specific organization or country. I don't think that in many situations commercially or economically motivated threat actors are necessarily overly concerned about the particular country they're going after. I think they are primarily motivated by the size of the potential reward and the ease with which they could achieve that outcome.
