Digital transformation projects and the growing availability of technologies like AI and cloud services are improving business operations. However, they also create significant security headaches for CISOs – expanding the attack surface in ways that are often difficult to track and manage.
Google Cloud established its Office of the CISO to help security leaders counteract this issue, providing specialist advice and support on implementing strong cybersecurity across an expanding digital estate.
During the Google Cloud Next 2025 event in April, Infosecurity spoke to Senior Director and Head of the Office of the CISO, Nick Godfrey, about some of the biggest challenges facing security teams today.
Godfrey explained why the cloud offers a chance for organizations to become more secure, and discussed overcoming alert fatigue in security operations centers and how AI is impacting the industry today.

Infosecurity Magazine: Could you tell us about the setup and work of Google’s Office of the CISO?
Nick Godfrey: Five years ago I was hired as one of a number of people to help Google Cloud have CISO to CISO type conversations around the adoption of cloud. Then around four years ago, Phil Venables, CISO of Google Cloud, asked me to build a broader bench called the Office of the CISO. This is a team of people that have experience of being a CISO or another senior security role.
We have specialists in various sectors, including from financial services like myself, healthcare, life sciences and pharma and the public sector.
The rationale for that cross-sector expertise is that in addition to strong cybersecurity knowledge and understanding of digital transformations and cloud adoptions, in most of these industries we have a working knowledge of the specific regulations and the standard approaches to large-scale technologies.
At the Office of the CISO, we focus on the adoption of Google Cloud and helping security teams change the way they think about security to be cloud native.
As part of that, we explicitly focus on security transformation because we feel strongly that as part of the cloud you can move yourself to a far better security posture. Cloud is not a risk or a problem to solve, it’s an opportunity to rethink how you do security.
There are certain inherent properties of cloud that make it possible to be more secure as long as you take the right steps and transform your organization and reskill your teams. If you do that you are more likely to get better security outcomes than you are with traditional technologies.
IM: What feedback have you received from customers of the Office of the CISO, and how have you adapted your approaches as a result?
NG: The biggest purpose for our existence is capturing feedback and using it. We have relationships with a very large number of CISOs from the world’s largest companies, so that’s an amazing signal to tune into to understand what’s causing their pain and challenge how we can help with that through our products and solutions.
As an example, a lot of CISOs historically have struggled with how to think about the security operations center (SOC) and what technology to use underneath that, what processes to use.
Having been in that seat myself it is a difficult space because we have security products sprawled all over the place and there’s a high human toil associated with all that work.
It’s also expensive because we’re continuously buying more security products, and it’s very hard for the SOC and CISO to have a good end-to-end understanding of what actually is going on.
Taking all that feedback and working with the Google product teams, you start seeing things come along like Google SecOps. It removed the challenge of managing large amounts of data because it’s a cloud-based SaaS solution.
There are a number of good things about the original concept of Google SecOps, but where we’re focused now is how we take those capabilities to the next level, leaning into this problem that CISOs have of millions of alerts, inconsistent visibility across siloed security tools and a heavy demand on employees.
We look at that in the round and have announced some things within the Google SecOps platform that are going to help. We call our vision Google Unified Security, which is a set of AI-powered capabilities that aim to reduce the complexity to give the CISO and the SOC visibility end-to-end with everything that is going on.
IM: What are the main challenges for CISOs in cloud environments?
NG: As I mentioned earlier, cloud comes with a number of inherent properties which lend themselves to being more secure. As an example, you can deploy and manage your cloud environments using cloud operations and platform enablement (COPE) – it’s a great big software environment. If you do it well, you can build security into that code and logic that are managing your cloud environments.
Every time a new workload is moved into cloud, it can include security policy and configurations that you’re required to have. It takes in effect some of the manual and human element of deploying IT out of the equation and makes everything structured. If something’s in code you can add other things to the code, such as security.
That’s the promise. The challenge is the complexity of cloud and taking your organization on that transformation journey in order to get to places where you have that advantage.
You have to change the way that the whole organization thinks about technology; there are various techniques to building technology and security that need to be bought into. That journey can take a long time and you need a common understanding to make sure that the decisions you’re making in the nearer term are consistent with where you’re trying to get to.
If you try to jump to it in one step it will cause problems and will ultimately fail.
You need that shared vision, you need the risk teams to understand why the security teams are changing how they do security. You also need the CTO and CIO to agree to technology delivery in certain ways that will ensure that we will unlock these advantages.
I think the other thing that CISOs worry about is the relentless demand for talent, and one of the things I think we haven’t got quite right as an industry is the tendency to focus on the supply side of that – how we find and train more people to feed the appetite of the industry.
We need to continue to do that and find ways of professionalizing the cybersecurity industry. This will make it more attractive and more visible to people at school and university as to what the career actually looks like and what the path is.
It’s less well understood than more traditional career paths like medicine, law and engineering, where you can see charterships and certifications.
We also need to think about demand, because if we let demand continue rising we’re never really going to address the problem.
Simplifying and standardizing your security operations platform and using AI to take some of the toil from the security analysts’ jobs is an interesting way of looking at that demand.
IM: What are your biggest concerns in cybersecurity today?
NG: I think at the moment AI is on the defenders’ side, but that is something we’re going to have to keep an eye on. We did publish research in January 2025 on how threat actors are abusing Gemini, which found APTs from 20 countries are using Gemini.
Crucially at this point we aren’t seeing any novel attacks being crafted, rather they’re using AI to improve their efficiency around existing attacks.
We’ve got to keep an eye on AI. It’s good that the industry is very focused on it and CISOs are leaning into it. We need to make sure we continue to do so and it’ll keep evolving.
Another worry is about the wider resilience implications of large cyber-attacks. There’s a lot of focus on prevent, detect and respond. Recover is a bit of an afterthought – it’s often a case of hoping we don’t get to the recovery stage.
IM: What are the biggest successes the cybersecurity industry is experiencing today?
NG: We’ve had some interesting successes in the sector over the years. This one goes back a very long way but if you think about putting encryption on mobile devices, there was a time when that was not something many organizations did or if they did it was done in targeted ways. Then, because of public awareness and organizations pivoting the way they thought about it, everyone did it.
Sometimes the industry is very good at pivoting at crucial times to do things better and collectively. I think we’re very good at collaborating and sharing information. The industry and practitioners don’t view their security posture or what they’re seeing from threat actors as competitive or proprietary, it’s for the greater good. So that’s a positive aspect to the industry.
We’re also getting better as an industry at doing what we’ve always done, which is enabling the business to do what it needs to do. There have been a few technology inflection points over the past 30 years – the internet, mobile, SaaS-based cloud and then full cloud. We’re getting better as an industry in getting inserted in those things at the right time to shape and steer them – but not in a manner that blocks them.
It’s really encouraging to see the conversation around AI within the CISO community, looking at areas like can we use AI to be more secure, how do we enable the business to use AI, and how do we understand the data aspects and governance?
That proactive stance of CISOs means that hopefully we’re going to see less shadow AI than we did with cloud. In some organizations, cloud became a big shadow IT problem.
Additionally, the technology industry is getting better at demanding security is built into products, secure by default. It shows that the tech industry is ensuring security is not something that’s bolted on anymore, it’s embedded and part of the actual core offering. That’s a strong demonstration of success.
IM: If you could give one piece of advice to fellow CISOs, what would it be?
NG: Step in and be proactive as your organization looks at new technologies. The current new one is AI.
As a principle, step in and get involved, and work to establish a joined-up understanding and vision of what you’re trying to achieve and how you would like to achieve it from a security perspective.
Also, push your technology providers to make their technologies secure by design, with the goal of reducing the number of security technologies you have to run on top of it.