EP189 How Google Does Security Programs at Scale: CISO Insights

Guest: Royal Hansen, CISO, Alphabet Topics: What were you thinking before you took that “Google CISO” job? Google's infrastructure is vast and complex, yet also modern. How does this influence the design and implementation of your security programs compared to other organizations? Are there any specific challenges or advantages that arise from operating at such a massive scale? What has been most surprising about Google’s internal security culture that you wish you could export to the world at large?  What have you learned about scaling teams in the Google context? How do you design effective metrics for your teams and programs? So, yes, AI. Every organization is trying to weigh the risks and benefits of generative AI–do you have advice for the world at large based on how we’ve done this here? Resources: EP75 How We Scale Detection and Response at Google: Automation, Metrics, Toil CISA Secure by Design EP20 Security Operations, Reliability, and Securing Google with Heather Adkins EP91 “Hacking Google”, Op Aurora and Insider Threat at Google “Delivering Security at Scale: From Artisanal to Industrial” SRE book: CHapter 5: Toil Elimination SRS book: Security as an Emergent Property What are Security Invariants? EP185 SAIF-powered Collaboration to Secure AI: CoSAI and Why It Matters to You “Against the Gods - Remarkable Story of Risk” book

Om Podcasten

Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure. We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit. We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.