Join your hosts, Anton Chuvakin and Timothy Peacock, as they talk with industry experts about some of the most interesting areas of cloud security. If you like having threat models questioned and a few bad puns, please tune in!
What were you thinking before you took that “Google CISO” job?
Google's infrastructure is vast and complex, yet also modern. How does this influence the design and implementation of your security programs compared to other organizations?
Are there any specific challenges or advantages that arise from operating at such a massive scale?
What has been most surprising about Google’s internal security culture that you wish you could export to the world at large?
What have you learned about scaling teams in the Google context?
How do you design effective metrics for your teams and programs?
So, yes, AI. Every organization is trying to weigh the risks and benefits of generative AI–do you have advice for the world at large based on how we’ve done this here?
We say “identity is the new perimeter,” but I think there’s a lof of nuance to it. Why and how does it matter specifically in cloud and SaaS security?
How do you do IAM right in the cloud?
Help us with the acronym soup - ITDR, CIEM also ISPM (ITSPM?), why are new products needed?
What were the most important challenges you found users were struggling with when it comes to identity management?
What advice do you have for organizations with considerable identity management debt? How should they start paying that down and get to a better place? Also: what is “identity management debt”?
Can you answer this from both a technical and organizational change management perspective?
It’s one thing to monitor how User identities, Service accounts and API keys are used, it’s another to monitor how they’re set up. When you were designing your startup, how did you pick which side of that coin to focus on first?
What’s your advice for other founders thinking about the journey from zero to 1 and the journey from independent to acquisition?
The universe of AI risks is broad and deep. We’ve made a lot of headway with our SAIF framework: can you give us a) a 90 second tour of SAIF and b) share how it’s gotten so much traction and c) talk about where we go next with it?
The Coalition for Secure AI (CoSAI) is a collaborative effort to address AI security challenges. What are Google's specific goals and expectations for CoSAI, and how will its success be measured in the long term?
Something we love about CoSAI is that we involved some unexpected folks, notably Microsoft and OpenAI. How did that come about?
AI is moving quickly. How do we intend to keep up with the pace of change when it comes to emerging threat techniques and actors in the landscape?
What do we expect to see out of CoSAI work and when? What should people be looking forward to and what are you most looking forward to releasing from the group?
We have proposed projects for CoSAI, including developing a defender's framework and addressing software supply chain security for AI systems. How can others use them? In other words, if I am a mid-sized bank CISO, do I care? How do I benefit from it?
An off-the-cuff question, how to do AI governance well?
In your experience, what are the biggest challenges organizations face when migrating to a new SIEM platform? How did you solve them?
Many SIEM projects have problems, but a decent chunk of these problems are not about the tool being broken. How did you decide to migrate? When is it time to go?
Specifically, how to avoid constant change from product to product, each time blaming the tool for what are essentially process failures?
How did you handle detection content during migration? Was AI involved?
How did you test for this: “Which platform will best enable our engineering team to build what we need?”
Tell us more about the Detection as Code pipeline you use?
“Completed SIEM migration in a single week!” Is this for real?
Security transformation is hard, do you have any secret tricks or methods that actually make it happen?
Can you share a story about a time when you helped a customer transform their cloud security posture? Not just improve, but actually transform!
What is your process for understanding their needs and developing a security solution that is tailored to them? What to do if a customer does not want to share what is necessary or does not know themselves?
What are some of the most common security mistakes that you see organizations make when they move to the cloud?
What about the customers who insist on practicing in the cloud the same way they did on-premise? What do you tell the organizations that insist that “cloud is just somebody else’s computer” and they insist on doing security the old-fashioned way?
What advice would you give to organizations that are just starting out on their cloud security journey?
What are the first three cloud security steps you recommend that work for a cloud environment they inherited?
