In August, Google Cloud pledged to invest $10 billion over five years in cybersecurity — a target that looks like it will be easily achieved, thanks to the $5.4 billion deal to acquire Mandiant and the reported $500 million acquisition of Siemplify in the first few months of 2022 alone.
But the moves raise questions about Google Cloud’s main goal for its security operation. Does Google want to offer the most secure cloud platform in order to inspire more businesses to run on it — or build a major enterprise cybersecurity products and services business, in whatever environment it’s chosen?
According to the cloud provider’s chief information security officer, Phil Venables, Google doesn’t need to pick just one of those goals to focus on.
“To just focus on Google Cloud, we wouldn't be serving our customers. Our customers' reality is a hybrid, multicloud environment,” Venables said in an interview with Protocol. “But as part of serving them there, and working with them, they inevitably move more things to Google Cloud for all of the advantages that we have.”
On Tuesday, Google Cloud announced the newest addition to its menu of security offerings that are available to customers. The Assured Open Source Software service will curate secure open source software packages on behalf of customers.
Ahead of that announcement, Protocol spoke to Venables about open-source security, enterprise security concerns and the talent shortage.
This interview has been edited and condensed for clarity.
With the Assured Open Source Software, I gather that this is about more than just securing customers that are running on Google Cloud?
It is a Google Cloud-delivered product. But we're not just going to do this for things that run on Google Cloud. It could be for any software that enterprises consume into their on-premises systems, or in fact, other clouds.
What we've done at Google for a long time is we don't automatically consume open-source software into our critical systems. We take this open-source software and then we do a whole series of tests, and we find and fix security vulnerabilities before those open-source packages are consumed into our software builds.
So as we saw more organizations, over the past year or so, become increasingly concerned about [the security of] open source, we came up with the idea that we should probably commercialize what we do for ourselves. And thus was born the Assured Open Source Service.
Beyond offering services like this one, how is your security strategy accounting for the talent shortage in cybersecurity?
We recognize the big challenges customers have around cybersecurity skills, and the fact that we need to somehow create a lot more cybersecurity professionals. That's true — but we also need to spend a lot of time thinking about how we 10x the productivity of the cybersecurity professionals we've already got.
A big part of what we're doing with Chronicle and Siemplify and the Security Command Center and VirusTotal, and other things that are coming, is to arrange all those together so that when customers buy and use those services, they're 10x-ing the capability they've got without 10x-ing the number of cybersecurity people they've got. We're very focused on enabling customers to run their security more effectively with the resources they've got.
How would you summarize the security strategy for Google Cloud overall?
We think the fact that we've got this built-in security capability for Google Cloud, rather than something that's been bolted on after the fact, is one of our key strengths. Our whole approach to default security across the platform is important. Secondly, we're very focused on how we can bring all of these tools together to enable customers to manage all of their security — not just on Google Cloud. It helps customers across all of their environments.
This is driving a lot of the investments you see us doing with things like Chronicle, Siemplify, VirusTotal, BeyondCorp Enterprise. You can see how Mandiant, assuming that acquisition closes, will be a key part of that story about how we help customers manage all their security, not just their security on Google Cloud.
If your goal is to grow the use of Google Cloud, why provide security that enables customers to run elsewhere?
We recognize that while we have some customers that run everything on Google Cloud, there are lots of customers that still run on-premises, and run in multiple clouds. Modern businesses have been built up over many years, and have quite complex IT environments. For us to not recognize and not help them with that reality, I think, is not the greatest thing for the customers. So a lot of our security tooling is capable of ingesting content from on-premise environments and other clouds. We're very focused on the reality that our big customers have.
We think if we keep doing that, customers will be better off. And ultimately, they'll want to run things more on Google Cloud. But we're certainly going to support them everywhere.
So you think that the fact that you’re working to serve customers wherever they are on security, that could be an entry point for them with Google Cloud?
I think that's right. I think when customers have the experience of not just the security products we provide, but the base level of security and capability of the platform, they see a lot of advantage in moving across to us. But to get going with that, we have to work with them where they are.