Clicky

The Six Five at Google Cloud Next ’22 with Phil Venables, VP and CISO, Google Cloud
by Daniel Newman | October 12, 2022

The Six Five is “On The Road” at Google Cloud Next 2022. Hosts Daniel Newman and Patrick Moorhead are joined by Phil Venables, Google Cloud’s VP and Chief Information & Security Officer. Their conversation centers on Google Cloud’s mission to provide enterprises with the industry’s most trusted cloud with security solutions for their on-prem, hybrid, and multi-cloud environments.

Be sure to subscribe to The Six Five Webcast so you never miss an episode.

Watch the episode here:

Listen to the episode on your favorite streaming platform:

Disclaimer: The Six Five Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.

Transcript:

Patrick Moorhead: Hi. This is Pat Moorhead. And we are live and on the road in New York City here at Google’s incredible event, Google Cloud Next 2022, in their new building, Pier 57. I’m here with my Six Five co-host, Daniel Newman. How are you?

Daniel Newman: Pat, very exciting. Lot of energy here, here live at Pier 57. A very Google-y experience, I’ve got to say from the get-go. Great facility, great energy. Google Cloud Next. And we’re in the first interview just ahead of Thomas Kurian’s keynote that you and I will be attending.

Patrick Moorhead: That’s right. Very exciting, but more exciting is our guest, Phil Venables, CISO for Google Cloud. Phil, how are you?

Phil Venables: Yes. It’s great. Great to be here. It’s a fantastic facility. It’s new to us as well. So really enjoying it.

Patrick Moorhead: That’s great.

Daniel Newman: It feels so normal to kind of be back and be walking the place and just seeing the people, the movement, the energy. But security is what’s on our mind right now. And so, Phil, over the last year, you’ve been doing a lot of acquisitions. I want to kind of two part the question. First part is how is that all coming together? And now that you’re here at Google Cloud Next, kind of how are you telling that story? And what are you most excited about?

Phil Venables: Yeah. Well, so there’s some fantastic things. And I’m bound to say the best announcements today are the security announcements. The other stuff is… It’s kind of uninteresting. It’s like all of the security stuff’s crucial. I mean, the interesting thing is we’ve spent a long time as Google building a platform where security’s built in, not bolted on. It’s designed into the platform. But we know customers need security tools. And so we’ve invested a lot. We have Chronicle. We acquired a company Siemplify, which is a really great second generation SOAR product. It’s differentiate from the things that got acquired in the past few years by other companies. And then what we’ve done now clearly with the flagship acquisition of Mandiant, we’re able to piece this stuff together.

And so some of the announcements today, like Chronicle Security Operations Suite, which bring Chronicle as a really great SIEM technology with Siemplify as the SOAR technology plus Mandiant Threat Intelligence and Mandiant incident response capability, it’s going to be a great security suite for companies and that kind of next generation that gives people that scale, that ability to do key off to threat intelligence that we can provide in a unique way now, I think is just going to be… It’s going to be transformational for security operations teams.

Daniel Newman: All right.

Patrick Moorhead: Yeah. Two things in our analysis that we’ve seen that really fulfill the trend is first of all, end customers are looking for less security companies to deal with because they found was that the integration of pulling all these security best of breeds together, they were never able to get there on the new revision. So they’re actually being less secure about having to integrate all of this. The other thing I like about your strategy too it’s this is security not just inside of Google Cloud. It’s even security outside of Google Cloud. And as we’re in this multi-cloud environment, which I know Google supports, that’s super, super important. I’ve heard Google call itself the most trusted cloud. And listen, I did a lot of product management. Maybe I did a little marketing too. And it sounds like a marketing term, but security folks are not big on marketing. It’s more about reality. How does Google justify the moniker the most trusted cloud?

Phil Venables: Well, again, it comes back to this notion that over the past two decades and more, we’ve built a global platform and a global infrastructure that many of our products run on. I mean, we have between several billion people on the planet every day trust their online experience to Google. And when you look at Google Cloud, we’ve built on that infrastructure, this platform where, as I mentioned, security’s built in. It’s not bolted on after the fact. It’s part of the platform from the cables up through the network up through the servers that we build, the Titan security chips that we have in every bit of our infrastructure, an environment where everything is encrypted by default at rest, in transit, even now all the way up to the processor with some of our confidential compute offerings.

So when you look at that and our ability to stand behind that, I think we… And a lot of people kind of agree with us, that it’s a very trusted platform. Plus we’re doing things like talking about shared fate. So everybody knows the shared responsibility model in cloud. We’re moving beyond that and moving on to the side of the customer to say, “Look. We’re going to partner with customers with our skin in the game to make sure that we’re sharing that fate with customers.” And I think customers are responding to that. But ultimately it’s all about having security built in, not bolted on.

Patrick Moorhead: I do appreciate the bold statement. I really do, because one of the biggest challenges that I found is, unless you’re a massive enterprise, it’s hard for you to… There are no benchmarks in security. I mean, there’s FIP certifications and things like that, but I like the bold claim, because in lieu of benchmarks, in addition to certifications, it makes a big difference. And I actually have chronicled Google’s security, I used to be a vendor back in 2006, and all the way through. And I know I never… You never want to say never, but I have to tell you, I can’t remember when Google was ever hacked. I mean, it’s like I don’t see it. You don’t want to put a target on your back. But anyways, I like the moniker most trusted cloud.

Phil Venables: Well, so it’s interesting. I mean, the big one back in 2010 was Operation Aurora where Google was compromised by Chinese threat actors. And the fascinating thing though is response to that is kind of foundational. So from there, we created BeyondCorp, arguably the foundation of what is now called zero trust. And so we have an environment now that strong authentication, every employee has that, a lot of customers can take advantage of that, device integrity checks, continuous checks. And so the interesting thing is from that one experience birthed zero trust industry arguably, and what we run every single day.

Daniel Newman: Yeah. We’ve definitely seen that zero trust has taken hold as a marketing narrative. Execution’s a whole ‘nother story. But we’ve seen that, because right now you kind of mentioned the benchmarks. We love that as SEMI guys, but in security, it’s a little different. The scorecard is kind of binary in this. Either you were breached or you weren’t. And if you can say, “We were never breached,” you’re probably doing pretty well with your security. So the way we keep score as analysts is going to continue to be a little bit more binary that way.

Phil Venables: Well, the interesting thing as well is it’s not just that. It’s also we’re quite transparent on our vulnerability research. The bug bounty programs we run, we actually disclose all of the findings that we have in there. We do a lot of our own offensive security testing, red team exercises in fact. And again, there’s a lot of where we believe in kind of transparency around those things. And I think that’s the way customers get to trust us, because we kind of talk about these things in an open way in partnership with customers.

Daniel Newman: Yeah. I’m glad you pointed to that too, that proactive approach. That definitely seems to be part of the winning strategy for companies that are doing the best. But we know how tough it is. Great companies with great CISOs like yourself have had vulnerabilities. And so being really active. So let’s kind of bring this all home and bring this together. Announcements aside, I know at events, we love to talk about announcements, but the acquisitions, the growth of GCP and Google Cloud, the growth of your business and security, very exciting. But what is sort of the true north that’s driving your continued strategy for security at Google Cloud into the future?

Phil Venables: Yeah. I mean, ultimately it’s about making sure our customers are successful, making sure that they’re risk managed and protected on the cloud. And again, it’s back to this shared fate approach of how do we stride across that line of shared responsibility, give them secure products, products where the security’s built in, give them blueprints of how to run securely in the cloud and then also, to your point before, how do we think about giving them the ability to run security in a multi-cloud on-premise, hybrid way, because that’s the reality for most corporations.

We of course support our customers that are full digital native on GCP, but most of our customers are operating across multiple complex environments. And how we help them secure that by default and then continue to evolve that, you mentioned that kind of staying current. We don’t take anything for granted. We test ourselves constantly. We’re always looking for vulnerabilities. We’re always upgrading those things. We’re always investing in research. We’re always figuring out how can we bake into the platform new defenses that mitigate whole classes of attacks and taking advantage of all of our global platform, not just cloud, but all of our other services collectively inform each other.

And again, the great thing about the Mandiant acquisition is we’re bringing 1000s of world-class security professionals alongside our existing 1000s of world-class security professionals, bringing that other different threat intelligence perspective into the machine. It’s like we’re building a digital immune system that’s constantly upgrading itself in the face of the attacks. And Mandiant’s a big part of that. And how we build that with Chronicle Security Operations Suite, it’s going to be the ability for customers to tap into that as well.

Daniel Newman: What a great analogy, digital immune system. I mean, in the world we’re in right now.

Patrick Moorhead: No. I like it. He’s a CISO and not a marketing guy too. Can you believe that? That’s wonderful.

Daniel Newman: Maybe a little bit of both.

Phil Venables: We think about that all the time.

Patrick Moorhead: Yeah. So Phil, one of the biggest changes that I’ve seen over the last 10 years in security is that we have nation states, nation state budgets and there’s AI and machine learning, which is a force multiplier for intrusions. And if nothing else, my big takeaway is scale matters. I mean, it used to be probably 15 years ago, there was this question of, “Hey. Gosh. Is it unsafe to be in the cloud?” And now based on scale and the need for scale and the fact that you’re literally competing with nation states now, scale matters, I wouldn’t say more than anything, but it is a top three attribute. And listen, I know you were a CISO, I won’t use their name here, but a very successful financial institution that everybody would know. You probably saw that scale mattered too. Is that right?

Phil Venables: Yeah. No. Absolutely. So we wrote this thing a few months ago, what we call the kind of cloud security mega trends, which are these driving unstoppable forces that propel cloud forward. And number one on that was economy of scale. And certainly as you mentioned in my last role as a CISO, even for one of the world’s biggest banks, we couldn’t scale to compete against attackers. So you move to the cloud to tap into this scale, because again, what we can do is we can invest as a hyperscale provider. We can invest large amounts in security because we can amortize it over a large fleet. And it becomes a kind of flywheel effect of the more you invest, the more you’re able to invest in security. And again, it becomes the epitome of raising the baseline of control by reducing the unit cost of control. And ultimately this is an economics game, is you want your feedback loop of responding, your economy of scale to outpace the attacker’s. And ultimately cloud is a machine for that.

Daniel Newman: Well, Phil, it’s been a lot of fun having you here. We got to head off. We’re heading into the keynote from Thomas Kurian here at Google Cloud Next. I do want to say though, security has to be one of the mega trends. I just published my top digital transformation trends on Forbes just this week. And it was funny. I got to the very end and I said, “The one thing that probably needed to be in this list more than anything is going to be security.” And in a tough market and in a tough economy, companies are going to have to tie up their efforts more, protect their customer data, and it’s going to be really at the epicenter of everything every company does. So your role is going to be more important than ever. And I think this is going to be a really big year for you and for Google Cloud.

Phil Venables: Well, and balancing security with business agility and figuring out how to do that. And the reason I’m at a cloud provider, and especially Google Cloud, is we just think the cloud gives you the ability to balance security and agility, as well as resilience and reliability. It’s good all round.

Patrick Moorhead: Yeah. So Phil, we want to thank you for coming on the show. And we’d love to see you again, talk about some announcements, some key trends. I would say probably 15, 20% of our show is talking about security. And we really, really appreciate the time. Thank you.

Phil Venables: Yep. Always happy to help. Thanks, guys.

Patrick Moorhead: Excellent. So this is Pat Moorhead with the Six Five on the road at Google Cloud Next 2022 here at beautiful Google Pier 57. And we are out of here. We’re going to go hit the keynote. Thanks, and take care.

About the Author

Daniel Newman is the Principal Analyst of Futurum Research and the CEO of Broadsuite Media Group. Living his life at the intersection of people and technology, Daniel works with the world’s largest technology brands exploring Digital Transformation and how it is influencing the enterprise. Read Full Bio