As senior director of Google Cloud and global head of the Office of the Chief Information Security Officer (CISO), Nick Godfrey is responsible for educating employees on cybersecurity and handling threat detection and mitigation. We spoke with Godfrey via video call to learn how CISOs and other technology-focused business leaders allocate limited resources, gain buy-in for security from other stakeholders, and learn about the new challenges and opportunities presented by generative AI. As Godfrey lives in the UK, we also asked him for his views on UK-specific considerations.
How CISOs allocate resources based on the most likely cybersecurity threats
Megan Krause: How do CISOs assess the most likely cybersecurity threats their organizations may face, taking into account budget and resources?
Nick Godfrey: One of the most important things to consider when determining how best to allocate the limited resources any CISO, or any organization, has is the balance between purchasing pure security products and security services versus considering the types of potential technology risks. Organizations have. In particular, for organizations with legacy technologies, it becomes increasingly difficult to make legacy technologies defendable, even on top of security products.
So the challenge and trade-off is to consider: Do we buy more security products? Do we invest in more security personnel? Do we buy more security services? Contrast: Are we investing in modern infrastructure that is more defensive in nature?
Response and recovery are key to dealing with cyber threats
Megan Krause: Ransomware and data theft are often discussed when it comes to prioritizing IT budget spending. Do you think it’s good to focus on those, or that CISOs should be looking elsewhere, or does that depend a lot on what you’re seeing in your own organization?
Nick Godfrey: Data theft and ransomware attacks are very common; therefore, as a CISO, security team, and CPO, you must pay attention to these things. Ransomware in particular is an interesting risk to try and manage, and is actually very helpful in the way you think about building an end-to-end security program. It requires you to consider a comprehensive approach to the response and recovery aspects of your security plan, specifically the ability to rebuild critical infrastructure to restore data and ultimately services.
Focusing on these things will not only improve your ability to respond specifically to these things, but it will actually improve your ability to manage your IT and infrastructure because you move to a place where you don’t understand your IT and how you work. To rebuild it, you have the power to rebuild it. If you have the ability to regularly rebuild your IT and restore your data, it’s actually easier for you to proactively manage vulnerabilities and patch the underlying infrastructure.
Why? Because if you patch it and it breaks, you don’t have to restore it and make it work. Therefore, focusing on the specific nature of ransomware and the factors it causes you to consider can actually have a positive impact beyond your ability to manage ransomware.
See: Botnet threats in the U.S. target critical infrastructure. (Technology Republic)
CISOs need support from other budget decision makers
Megan Krause: How should technology professionals and technology executives educate other budget decision-makers on security priorities?
Nick Godfrey: First, you have to find a way to do it overall. If there is a disconnect between the conversation between your security budget and your technology budget, you could be missing out on a huge opportunity to have a joint conversation. You can create conditions where security is considered part of the technology budget, which I don’t think is necessarily very helpful.
Having the CISO and CPO work together to demonstrate to the board how the combination of technology initiatives and security can ultimately improve the technology risk profile, as well as achieve other business objectives and business objectives, is the right approach. They should not think of security spending just as security spending; They should treat a considerable amount of their technology spending as security spending.
The more we can embed conversations around security, cybersecurity and technology risk into other conversations that occur regularly in the boardroom, the more we can make it a mainstream risk and consideration in the same way that boards think about financial and technology risk. Operational risk. Yes, the CFO regularly discusses financial health and risk management across the organization, but you’ll also see the CIO on the IT side and the CISO on the security side talking about the financial side of their business.
Security considerations surrounding generating artificial intelligence
Megan Krause: One of the major technological changes in the world is generative artificial intelligence. What security considerations for generative AI should companies pay particular attention to today?
Nick Godfrey: At a high level, the way we think about the intersection of security and artificial intelligence is to break it down into three parts.
The first is to use AI for defense. How do we build artificial intelligence into cybersecurity tools and services to increase the fidelity of analysis or the speed of analysis?
The second aspect is attackers using artificial intelligence to improve their ability to do things that previously required a lot of human input or manual processes.
The third bucket is: How do organizations think about protecting artificial intelligence?
When we talk to customers, the first target is what problems they think security product providers should solve. We are, and so are others.
The second area, in terms of the use of artificial intelligence by threat actors, our customers are watching closely, but this is not a new area. We always have to improve our threat profile to react to whatever happens in cyberspace. This may be a slightly different version of what evolution required, but it’s still fundamentally what we have to do. You must expand and modify your threat intelligence capabilities to understand this type of threat, and in particular, you must adjust your controls.
The third topic—how to think about using generative AI within your company—spurred quite a bit of in-depth conversation. This bucket touches on many different areas. In fact, one of them is shadow IT. The use of consumer-grade generative AI is a shadow IT problem because it creates a situation where organizations try to do things with artificial intelligence and consumer-grade technology. We strongly argue that CISOs should not always hold back on consumer AI; they should do so. In some cases you may need to do this, but it’s better to try to find out what your organization wants to achieve and try to achieve it in the right way rather than trying to prevent it all.
But commercial AI gets into some interesting areas, including data lineage and where data comes from in an organization, how that data is used to train models, and who is responsible for the quality of the data—not the security of the data…the quality of the data.
Companies should also ask questions about the overall governance of their AI projects. Which parts of the business are ultimately responsible for artificial intelligence? For example, a red team for an artificial intelligence platform is very different from a red team for a purely technical system. In addition to the technical red team, you also need to think about the red team that actually interacts with LLM (big language). model) and generative AI and how to break it at that level. In fact, ensuring the safe use of artificial intelligence appears to be the most challenging thing in the industry.
International and UK cyber threats and trends
Megan Krause: In terms of the UK, what are the most likely security threats that UK organizations face? Do you have any specific advice you can give them about budgeting and planning for security?
Nick Godfrey: I think this is probably very consistent with other similar countries. Obviously there’s a degree of political affiliation to certain types of cyberattacks and certain threat actors, but I think if you compare the UK to the US and Western European countries, I think they all see similar threats.
Some of the threats are targeted along political lines, but many of them are opportunistic and based on the infrastructure that any particular organization or country is running. I think in many cases threat actors who are commercially or financially motivated aren’t necessarily too worried about the particular country they’re targeting. I think they’re motivated primarily by the size of the potential reward and the ease with which they can achieve that outcome.
