Cloud CISO Perspectives: The high value of cross-industry communication

Welcome to the first Cloud CISO Perspectives for September 2024. Today I’m taking a look at how our initiatives to drive cybersecurity collaboration across industries, regulators and governments, IT consortia, and researchers and universities can help make everyone safer online.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

--Phil Venables, VP, TI Security & CISO, Google Cloud

The high value of cross-industry communication

By Phil Venables, VP, TI Security & CISO, Google Cloud

Ensuring effective cyber-defense in today’s complex, multifaceted threat landscape has meant a shift in cybersecurity goals from making IT infrastructure impervious to making it more resilient. Fortifying the resiliency of our critical infrastructure, focusing development on technologies that can enhance defenses, and helping to guide policy to support a more cyber-secure world requires substantive, deep partnerships.

That need for collaboration and cross-sector communication drives our interest and investment in engaging with industry. Collaboration is critical to foster true resilience when it comes to the systems and networks we rely on every day.

To succeed at creating a more resilient future where the whole internet has been made safer, our investments must be more than just monetary. We’re working on solving problems that many other individuals and organizations are devoted to solving, and we stand a better chance of success when we work together.

Broadly, our commitment to collaboration encompasses four areas: industry organizations; nonprofits and other consortia; the research and development community; and governments and policy organizations. We encourage CISOs to consider how they may plug into these communities to learn and to contribute, so that we all may advance towards a more cybersecure world.

Partnerships with Information Security and Analysis Centers (ISACs)
As I wrote in a previous newsletter, ISACs represent an opportunity to connect with other entities in your sector to share and receive information on emerging cyber threats, technical mitigations strategies, and to connect with resources available from federal agencies to advance network resilience.

At Google Cloud, we are committed to building relationships with ISACs in the interest of cyber defense. Some of our work with ISACs includes:

• Partnering with the Multi-State ISAC to share cyber threat information.
• Collaborating with the Health-ISAC to better secure rural healthcare organizations and to deliver threat briefings and share information on their threat intelligence-sharing platform.
• Joining the Financial Services ISAC to enhance supply chain security and provide resources to defenders in the community.
• Joining with the Energy ISAC as a Vendor Affiliate to contribute subject matter expertise on critical vulnerabilities and security solutions.

CISOs should consider participating in their relevant ISAC and other information-sharing organizations to access resources and information in support of network resilience beyond what any one entity can engender alone.

Assisting industry consortia and non-profit organizations

Industry consortia and security-relevant non-profits provide tremendous potential as force multipliers for critical security efforts broadly. CISOs should consider whether their organization may benefit by plugging in with such organizations directly, or whether there are additional resources available that would be beneficial to their organization’s overall cyber posture.

For example, earlier this year we joined with other industry representatives to launch the Coalition for Secure AI (CoSAI), which advances comprehensive security measures to address the unique risks that come with AI. Google is actively participating in the PQC Alliance to help with developments in the post-quantum cryptography world, too. Similarly, we remain committed to advancing the work of Open Source Security Foundation to advance security in the open-source ecosystem.

We’ve contributed to various efforts in this venue, including advancing the SLSA framework for software supply-chain security. With the Confidential Compute Consortium we partner with other companies to support collaborative projects advancing Trusted Execution Environment (TEE) standards and technologies. Google has also partnered with the Open Compute Project (OCP) to raise the bar for security for chips using the Caliptra standard.

Supporting research and development at educational institutions

Collaboration is the cornerstone of our investments in research and development, especially at universities, where we recognize the importance of independent, creative thinking to solve the complex problems facing cybersecurity today. We’re supporting these projects around the world. These efforts include:

• A new engineering office and Google Security office on the campus of University of São Paulo;
• Funding for seven new sponsored research projects at the Technical University of Munich to investigate critical questions at the intersection of cybersecurity and AI.
• A $12 million investment in cybersecurity programs at local universities, including New York University, as part of the $10 billion pledge I mentioned earlier.
• Cybersecurity grants for 11 professors at nine City University of New York campuses.

Collaborations with governments and regulators

At Google, we are also committed to contributing to the development of sound security requirements that are fit for purpose without damaging innovation.

For example, we have submitted public comments to rulemaking on Infrastructure-as-a-Service requirements and cyber-incident reporting in the U.S. We have also weighed in on cybersecurity measures for critical infrastructure providers in the Asia Pacific region. In Europe, Google’s public policy team advocates for smart, well-scoped risk management rules with NIS2 and DORA that strengthen collective cyber defense.

In addition to providing feedback on regulatory issues, we contribute to other efforts in partnership with governments. Google Cloud is a flagship member of the U.S. Joint Cyber Defense Collaborative (JCDC), which is a public-private partnership aimed at advancing operational collaboration for shared resilience. We also participate in the IT Sector Coordinating Council, which is the principal entity for engaging with the U.S. government on a wide range of cybersecurity policies and topics.

We participate regularly in formal advisory committee studies on cybersecurity topics of concern to key government stakeholders, such as the National Security Telecommunications and Advisory Committee. We have also contributed subject matter expertise to government investigations of specific cyber incidents (such as CSRB investigations) to inform future policy approaches and improve domestic preparedness efforts.

Google representatives participated in Cyber Storm, CISA’s biennial cyber crisis-response exercise, as part of efforts to support cloud customers and help the federal government identify and address gaps in its incident-response planning. We are also a proud signatory of CISA’s Secure by Design Pledge.

CISOs may consider joining entities focused on operational collaboration, like JCDC. CISOs may also consider whether joining a Sector Coordinating Council would be beneficial for plugging into federal efforts to promote resilience in their sector. Additionally, many trade associations can also offer helpful opportunities to provide feedback into policy development processes, including on emerging technical compliance requirements.

Learn more about how you can support collaboration
It’s very likely that your organization already collaborates in some or all of these areas, but if it doesn’t, we encourage CISOs and other security leaders to reach out and begin the conversations now. For more leadership guidance from Google Cloud experts, please see our CISO Insights hub and contact us at Ask Office of the CISO.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month:

• mWISE Conference 2024: Your front-row seat to the future of cybersecurity: Experts from Mandiant, Google Cloud, and the wider cybersecurity community will come together September 18-19 at mWISE in Denver, Colo. This is your chance to immerse yourself in the latest threat intelligence, cutting-edge tools, and engage with the strategic minds that are shaping the future of cybersecurity. Register today.
• AI in the workplace: Adoption and impact in this DORA report preview: How has AI affected DevOps? Check out this sneak peak of our annual DevOps report. Read more.
• Moving shields into position: How you can organize security to boost digital transformation: Want to react quickly and successfully to changes like customer preferences and security threats? That’s a vital skill you can build with transformation. Here’s how to get started. Read more.
• Automate access control with Sensitive Data Protection and conditional IAM: The first step towards protecting sensitive data begins with knowing where it exists. Our Sensitive Data Protection solution can help. Read more.
• Backup and DR service adds immutable, indelible backups: Protect your data with Google Cloud's enhanced Backup and DR service, featuring immutable backup vaults and streamlined management for data protection. Read more.
• How Electronic Arts protects their game servers with Cloud Armor: DDoS attacks can have a devastating impact on gaming companies. Here’s why EA Sports chose Google Cloud Armor. Read more.

Please visit the Google Cloud blog for more security stories published this month.

Threat Intelligence news

• Protecting multicloud resources in the era of modern cloud-based cyberattacks: New Mandiant research delves into the intricacies of managing disparate cloud identities, roles, and access control models, highlighting the vulnerabilities that arise from misconfigurations and fragmented security practices. Read more.
• Insights on cyber threats targeting users and enterprises in Mexico: Google's Threat Analysis Group (TAG) and Mandiant's frontline intelligence team up for this look at the threat actors, with an array of motivations, who seek opportunities to exploit the digital infrastructure that Mexicans rely on. Read more.
• DeFied expectations: Examining Web3 heists: The rapid growth of Web3 has presented new opportunities for threat actors, especially in decentralized finance (DeFi), where the heists are larger and more numerous than anything seen in the traditional finance sector. Read more.
• How attackers weaponize digital analytics tools: Mandiant and Google Cloud researchers have witnessed threat actors repurposing digital analytics and advertising tools to evade detection and amplify the effectiveness of their malicious campaigns. Read more.
• Uncovering an Iranian counterintelligence operation: Mandiant has released details of a suspected Iran-nexus counterintelligence operation aimed at collecting data on Iranians and domestic threats, who may be collaborating with intelligence and security agencies abroad, particularly in Israel. Read more.

Please visit the Google Cloud blog for more threat intelligence stories published this month.

Now hear this: Google Cloud Security and Mandiant podcasts

• CISO insights on how Google does security programs at scale: Royal Hansen, CISO, Alphabet, joins host Anton Chuvakin to discuss how security happens at a company like Google, with vast, complex, and yet modern infrastructure. Listen here.
• Beyond the buzzwords: Identity's true role in cloud and SaaS security: Wrangling identity is a critical function of security teams, and Dor Fledel, formerly of Spera Security, now Okta’s senior director of product management, explores myriad identity challenges that face modern organizations with Anton. Listen here.
• How TAG tracks commercial surveillance vendors: On this episode of the Defender’s Advantage podcast, host Luke McNamara is joined by Clement Lecigne, security researcher at Google's Threat Analysis Group, to discuss his work tracking commercial surveillance vendors. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.