Exclusive Interview: Google Cloud CISO Phil Venables Talks Ethical Hackers

KEY TAKEAWAYS

Google Cloud's CISO, Phil Venables, discusses 2023 and 2024 global security, new trends, and technologies. Venables assures that automation will play a vital role but advocates for the important role that ethical hackers have in securing modern digital environments.

If there is one tech issue that stood out throughout 2023 — besides generative AI — that is undoubtedly cybersecurity. Attacks are not just skyrocketing, impacting every industry and sector, they are diversifying.

The 2023 Official Cybercrime Report by Cybersecurity Ventures reveals that the global annual cost of cybercrime is predicted to reach $9.5 trillion in 2024. The number is but a reflection of a global threat landscape that is constantly challenging cybersecurity experts. Cybersecurity Ventures concludes that “there is no end to cyber risk.”

Techopedia talked to Phil Venables, Chief Information Security Officer (CISO) of Google Cloud, part of the U.S. President’s Council of Advisors on Science and Technology (PCAST), and a Board Member of HackerOne to get his view on the global threat landscape and what the industry should be looking into.

AI and Automation vs. Humans-in–the-Loop

The Splunk CISO report reveals that 35% of CISOs are already using AI for security, and more than half (61%) will likely use it in the next 12 months. More importantly, 86% of CISOs surveyed believe generative AI will alleviate security skills gaps and talent shortages.

As security teams, government, international law enforcement agencies, and organizations rush to find solutions that can mitigate ransomware, zero-day exploits, file-less attacks, backdoor malware, and the influence of the dark web, the grand solution is often presented as AI.

Google CISO Phil Venables
Google Cloud CISO Phil Venables

But Venables advocates for another solution: ethical hackers.

Advertisements

Venables told Techopedia:

“Automation is vital to assure security – whether it is producing secure code and configurations or discovering and mitigating vulnerabilities.

“Automation has always been important and will be increasingly so, especially with the more advanced generative AI capabilities. But, there is always scope for human creativity, and skilled penetration testers, ethical hackers, red teamers, or others can develop new ways of exploiting systems directly or at their seams.”

Venables said that ethical hackers’ talent will be enhanced with automation, and “the duet of AI and humans will always be vital.”

The State of Global Security and Cyberwarfare

Google’s Cybersecurity Forecast 2024 highlights the increased use of AI in cybercrime, warning that nation-state-supported cybergangs from China, Russia, North Korea, and Iran will continue to escalate their operations.

The report calls on leaders to focus on zero-day vulnerabilities (and edge devices), U.S. elections security, the rise of hacktivism, wipers, space-based infrastructure, hybrid cloud environments, extortion techniques, espionage, and “sleeper botnets” as 2024 draws closer.

We asked Venables why ethical hackers are critical under this specific global threat scenario.

“To keep up with threat actors, organizations must grow the sophistication of their own cybersecurity strategies. However, this can be challenging when many CISOs have limited resources at their disposal.”

He added:

“The global ethical hacker community solves this by extending resources and improving the scalability of security teams. This community is made up of thousands of experts with outsider knowledge that scales with the complexity of the threat landscape.

 

“Organizations that engage ethical hackers gain access to an economy of scale and skill that is almost impossible to replicate using their own internal resources.”

The CISO Budget-Risk-Cost Dilemma: Getting Buy-In for Ethical Hackers

The use and adoption of programs that deploy ethical hackers has always been challenged by the same dilemma: cybersecurity budgets. With many organizations believing that ethical hackers are not an essential solution but a bonus, penetration tests, bug bounty programs, and human-driven vulnerability searches are often left out of strategies due to cost concerns or priorities.

And this budget-security issues is only getting worse. Gartner’s Predictions for 2024 and Beyond suggests that by 2028, the cost of battling cybersecurity and compliance risks will not only go over the $30 billion mark but “cannibalize” 10% of marketing and cybersecurity budgets.

CISOs around the world, whether working with a medium or large private corporation or even in the public space or government space, deal with this issue daily.

Techopdia asked Venables what he would say to those CISOs who are struggling to get buy-in from boards and executives, are constantly balancing out risk costs versus mitigation capacities, and often barely get away with basic expenses to cover the most serious threats. How should they be approaching ethical hackers as valuable resources?

“Vulnerability reporting and reward programs indeed require upfront investment and resources to launch. But that investment is made back when the risk of cybersecurity incidents, which can wreak significant monetary and reputational damage, is reduced. HackerOne’s Hacker-Powered Security Report found nearly three-quarters (70%) of its customers avoided a significant cybersecurity incident thanks to the work of ethical hackers.”

Venables added that if CISOs don’t get the budget, even after sharing the potential cost-saving and risk-reduction benefits of hacker-driven engagements, they still have some cards to play out.

“In this case, they should work with leadership and other key internal stakeholders to build trust, collaborate, and address objections head-on,” Venables said.

Venables explained that, for example, IT may have concerns over the volume of new vulnerability reports from a bug bounty program, and leadership may worry about the cost of program rewards outgrowing budgets.

“These very legitimate concerns can be mitigated by closely controlling the program scope and offering visibility into the program structure, plans for hacker rewards, and the triage process.

“CISOs can also encourage leadership buy-in by identifying success stories of other programs within the same industry — or from organizations the board already advises.”

What Ethical Hackers Bring to the Table

The Hacker-Powered Security Report of HackerOne suggests that it is riskier for companies not to work with hackers. The study highlights 2023 research that shows that one-third of companies have already slashed security budgets in the past 12 months and are planning for bigger cuts for the year ahead.

Naturally, security teams will be reduced, and their ability to mitigate threats will be impacted. HackerOne stresses the importance of ethical hackers in the report.

“In this climate, you’re more at risk if you’re ignoring the benefits a huge community of talented tenacious ethical hackers can bring to your organization’s security.”

But what do ethical hackers bring to the table? Why have they become the go-to solution for thousands of leading brands around the world? We asked Venables what makes an ethical hacker good at their work.

“Top hackers match cybercriminals in their ingenuity, technical skill, and deep curiosity — they’re on an eternal search for knowledge. The best hackers are also highly collaborative and recognize the power of community: hearing the techniques and perspectives of one another, particularly for emerging threats and technologies, is often one of the best ways to learn and hone skills.”

Where Organizations Should Start

From vulnerability reporting, bug bounty programs, and penetration testing, ethical hackers drive a wide range of solutions and programs, each program with its strengths and challenges. For companies that are new to ethical hackers, knowing where to start may be an overwhelming task.

Venables explained that the type of hacker-driven program an organization should prioritize depends on its security priorities.

“Vulnerability reporting and reward programs are not time-bound and are better for organizations seeking to reduce risk continuously across a broad scope of digital assets.”

Venables added that the most basic of these programs, vulnerability disclosure programs (VDPs), are simply a public process for anyone to report a security flaw in an organization’s products or services.

“VDPs are a stepping stone to vulnerability reward and bug bounty programs, which incentivize ethical hackers with monetary rewards. These can be either public or private and are a better fit for more security-mature organizations that can handle a higher volume of vulnerability reports.”

READ MORE:

In contrast, penetration tests (pentests) are focused, point-in-time security assessments. The scope for these engagements is narrower than ongoing rewards programs and typically used for in-depth testing on a particular product or system.

“Organizations under more regulatory scrutiny can also use pentesting results to help assure security compliance against some cybersecurity standards. As they’re smaller in scope, pentesting can be an option to explore hacker-driven engagements without the full commitment of an ongoing bug bounty program.”

Think Big, Take Small Wins

There are several best practices, tips, and approaches that leaders can consider before starting their ethical hacker journey.

“It’s always better to start with a small, focused scope and a manageable number of vulnerability reports so internal teams can adapt and build upon program success incrementally. Bug bounty companies like HackerOne can also provide pro-forma programs and policies that get organizations up and running — saving them a ton of work in the process.”

Venables advised organizations to evaluate their security maturity and readiness to receive and manage external vulnerability reports launching a program.

“They must have established guidance and clear plans for hackers and internal teams to follow throughout the vulnerability reporting and management process.”

Venables added that this includes plans for reporting and triage logistics, policies for disclosure, guidance on ethical conduct for hackers and security teams, and rigorous checks and balances for evaluating security issues.

“Organizations should also have a clear understanding of the capacity of their internal team and the resources they can dedicate to the new program.”

Organizations that want to launch programs involving bounties should define what services fall within the program’s scope, what qualifies (and does not qualify) as a rewarded vulnerability, reward amounts, and clear guidance for hackers on program engagement and vulnerability reporting.

The End of All Cyberattack Loops

The international cybersecurity industry seems to be trapped in a loop where DevOps builds new cybersecurity software for organizations to operate while cybercriminals constantly find new and unexpected ways to breach these systems.

Later vulnerabilities and zero-day exploits are caught in the wild or reported, they are patched up and remediated, regulators and law enforcement jump in if necessary, and then the cycle starts all over again. We asked Venables how CISOs can break this loop.

“This isn’t a challenge with an immediate solution,” Venables said. “As long as there’s new technology, there will always be new zero days and threat actors seeking to exploit vulnerabilities. It will take a collective effort across everyone who touches cybersecurity to improve the security of the broader internet.”

“However, CISOs can contribute to this collective effort today by embracing cybersecurity best practices, including engaging ethical hackers as appropriate, to reduce the chances their organization plays a part in the next widespread and costly cybersecurity incident.”

Despite the level of global threat and rate of cyberattacks, which many dare to refer to as a global crisis, and despite the rise of new technologies that are expected to accelerate these criminal trends, Venables remains confident and positive.

“Ultimately, if we apply secure by design and security by default principles as well as seeking new architectural approaches to mitigate whole classes of risk then we’ll make progress.”

Advertisements

Related Reading

Related Terms

Advertisements
Ray Fernandez

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning, and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.