GCP – Cloud CISO Perspectives: Phil Venables on CISO 2.0 and the CISO factory
Welcome to the second Cloud CISO Perspectives for November 2025. Today, Phil Venables, Google Cloud’s current strategic security advisor and former CISO, and creator of this newsletter, shares his thoughts on how the role of the CISO is evolving in the AI era, and how organizations should shift their cybersecurity approach from fire stations to flywheels.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Phil Venables on CISO 2.0 and the CISO factory
By Alicja Cade, Senior Director, Financial Services, Office of the CISO, and David Homovich, Advocacy Lead, Office of the CISO
Much has been said about the impact of AI on jobs, but one of the most crucial impacts AI is having in cybersecurity is on the role of the chief information security officer (CISO). AI is driving broad executive and board of director interest in security and governance in a way that hasn’t been seen before — and they’re turning to their CISOs for advice.
Phil Venables, Google Cloud’s current strategic security advisor and former CISO, explained why some CISOs are well-suited for their evolving role.
“A common pattern of success for organizations that breed great security and other leaders is that the existing leaders pay attention to detail. They go deep occasionally. They validate things. They understand how the organization works. They understand how technology works. They understand how the business works,” he said during his keynote address at a Google Cloud CISO Community event in New York City earlier this month.
“They pay close attention to detail, and that promulgates the same sense of detail focus in the rest of their organization, that ultimately develops more and more leaders,” he said.
Organizations that encourage these behaviors, which Venables described as “CISO Factories” because they develop a disproportionate number of successful CISOs, aren’t magical. They share 12 common traits that can be replicated.
The 12 common characteristics found at organizations that encourage and develop a culture of excellence.
Through discussions at these CISO Community events and throughout the year, Google Cloud’s Office of the CISO has seen that the role of the CISO is widely varied and often misunderstood. Nevertheless, a successful security program is one of the highest-leverage contributions an individual can make to a modern enterprise, building resilience and durable trust with customers.
As their role evolves, CISOs should drive the evolution of their organization’s approach to cybersecurity from a fire station, reacting to disasters, to a flywheel, self-sustaining and continuously enhancing the business.
The following transcript has been lightly edited.
Alicja Cade: After three decades as a CISO, can you share your thoughts on what it means to be a CISO in 2025?
Phil Venables: I’m still connected quite deeply with the CISO community and the security community around the world. I’ve been spending more time observing and thinking about how the CISO role is changing — and it seems to be changing ever-quicker.
I’ve also spent a lot of time thinking about what it means to develop and build the next generation of security leaders. One of the things I’m seeing quite a lot is the CISO role going in many different directions. At many organizations, the CISO is in effect or actually becoming the chief technology officer, where CISOs are trying to push harder and harder for their organization to upgrade and enhance their technology.
In many cases, leadership and the boards are giving them the CTO responsibility, or the CISO is forming an ever-closer partnership with the CTO or the head of infrastructure to massively upgrade their technology to be more inherently secure and defendable.
I think that’s good progress.
Alicja Cade: How is AI changing the role of the CISO?
Phil Venables: Boards of directors want to know if what their company is doing with AI is safe and compliant, if it’s respecting privacy and all the trust and safety boundaries — and they’re turning to the CISO to talk about that.
Now, that’s not all organizations. There are many large financial organizations that have got quite mature compliance and risk functions that are picking up their weight. But at other organizations, especially those not in the historically very tightly regulated industries, the CISO is becoming almost like the chief digital risk officer. The CISO is being tasked with worrying about all of these other technology risks that are coming out as a result of AI.
AI’s not the only reason, but we’re certainly seeing an evolution of the CISO role to be something you might call CISO version two, a much more evolved role.
David Homovich: This leveling-up of the CISO is not exactly new, but the circumstances that are driving it have been changed by the AI era. How do you describe the current iteration of CISO 2.0?
Phil Venables: The CISO is absolutely, undeniably becoming a peer business executive alongside all the other executives. How you secure and defend what most of our businesses are, as digital businesses, is becoming so critical that the CISO has to evolve.
The version two CISO mindset is really all about being business first. While we’ve talked about this for years, in many cases CISOs have been catching up with where the business wants to go and not leading the business where it needs to be. There are three pillars to CISO 2.0:
- CISOs should realize they’re peer business executives. They don’t just follow business initiatives to make sure they’re secure, but lead and educate the business on what opportunities may come about from the results of doing digitization in safe and secure ways.
- CISOs need to be a peer technology leader and have technical empathy. While the most successful CISOs are not primarily engineering leaders, they certainly have to be technically deep — or at least have an appreciation of technology and be able to work at a detailed level with the technology and engineering leaders and officers. CISOs should be able to suggest ways of engineering technology to help the organization create more secure by default, secure by design implementations.
- CISOs need to be long-term players. We all know many of the security activities and risk mitigation activities that we have to drive are things that just take years — even though we wish they would take quarters. This may be a little bit of selection bias, but the most successful CISOs are ones who manage to stay around for the longest time to see the results and drive the results of their change.
I’m not oblivious to the fact that there are some organizations where people just have to go because they see the writing on the wall, that there’s no way they can have as much effect. But we also have to be honest with ourselves. There are also plenty of cases where security leaders decide to go get the next job at the first point of resistance, as opposed to pushing through and realizing more long-term success.
Alicja Cade: How do CISOs engage in a way that can build that long-term success?
Phil Venables: When you look at the overall CISO 2.0 strategy, it’s all about actually having a strategy. CISOs should really be brutal with themselves when they look at their strategy, and ask if their strategy is actually a strategy — or just a long-term plan that just has the word strategy written on the front.
Strategy is a theory of how to win for your organization, and it’s distinct from plans. The plans come from the strategy, but strategy could be, for example, how we want the business to be able to pull help from the security team.
That’s a deliberate strategy that amplifies the engagement of the business. Then you plan, you go do things that are necessary, to create that pull.
Another example is that a big part of the strategy is encouraging transparency and accountability for risk, so that you get more self-correction in the environment. Then you’ve got to go do things to implement that strategy.
David Homovich: The relationship between CISOs and their board of directors can often feel lacking. Can you talk about why boards and CISOs should be more important to each other?
Phil Venables: We talk a lot about interactions with the board and what the board expects. One of the great common patterns of some of the best security organizations is they just aren’t good at interacting with the board. They haven’t given the board the right metrics, or they just don’t figure out how to educate new board members.
It’s under the control of the CISO and the wider leadership team to educate the board, to build relationships with board members and equip the board with how to be an effective overseer of what the CISO needs to do. The good news is that when you actually speak to board members, they’re eager to be educated. They want to be better board members to oversee security.
CISOs can influence board members, and boards can help influence business leaders. An example of this is when organizations more consciously use their buying power to drive the right behaviors in suppliers. Take a supplier that tells a customer that they’re the only company asking for a necessary security improvement that should be there by default, whereas in reality the supplier just wants to charge everybody for it.
It only takes a few companies of reasonable scale to actually call out the CEO of those companies to start triggering better behavior. It’s important that we think about all of our roles in the security and business community more broadly.
To stay on top of CISO Community events in 2026, sign up now.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- How Google Does It: Network security in a nutshell: At Google, we consider our fundamental network security perimeters to be state-of-the-art, in part because we rely on defense in depth. Here’s how we do it. Read more.
- How to build a best-practice Cyber Threat Intelligence program: Many organizations struggle to operationalize CTI and translate it into actionable security outcomes. Check out these best-practice recommendations from Mandiant. Read more.
- Introducing the Emerging Threats Center in Google Security Operations: To help organizations learn if they’ve been affected by vulnerabilities, we’re introducing the Emerging Threats Center in Google Security Operations. Read more.
- Supporting Viksit Bharat: Announcing AI investments in India: We’re investing in powerful local tools in India to foster a diverse ecosystem and ensure our platform delivers controls for compliance and AI sovereignty. Read more.
- Announcing the Google Unified Security Recommended program: Introducing Google Unified Security Recommended, a new program that establishes strategic partnerships with market-leading security solutions. Read more.
- Secure by design in the wild: We’re announcing two new initiatives in pursuit of a Secure by Design approach: contributing to the Secure Web Application Guidelines Community Group in W3C, and introducing Auto-CSP in Angular. Read more.
- Supporting customers as a critical provider under EU DORA: The ESA have officially designated Google Cloud EMEA Limited as a critical ICT third-party service provider under EU DORA. Here’s what that means for our European customers. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
- Cybersecurity Forecast 2026: Built on real-world trends and data, our forecasts come directly from Google Cloud security leaders, and dozens of experts, analysts, researchers, and responders directly on the frontlines. Read more.
- Frontline Bulletin: Unauthenticated remote access via Triofox vulnerability: Mandiant Threat Defense has uncovered exploitation of an unauthenticated access vulnerability within Gladinet’s Triofox file-sharing and remote access platform. This now-patched n-day vulnerability allowed an attacker to bypass authentication and access the application configuration pages, enabling the upload and execution of arbitrary payloads. Read more.
- Get going with Time Travel Debugging using a .NET process hollowing case study: Unlike traditional live debugging, this technique captures a deterministic, shareable record of a program’s execution. Here’s how to start incorporating TTD into your analysis. Read more.
- Analysis of UNC1549 targeting the aerospace and defense ecosystem: Following last year’s post on suspected Iran-nexus espionage activity targeting the aerospace, aviation, and defense industries in the Middle East, we discuss additional tactics, techniques, and procedures (TTPs) observed in incidents Mandiant has responded to. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Podcasts from Google Cloud
- The agentic SOC meets reality: Governing AI agents and measuring success: Moving from traditional SIEM to an agentic SOC model, especially at a heavily regulated insurer, is a massive undertaking. Allianz’s Alexander Pabst, deputy group CISO, and Lars Koenig, global head of detection and response, discuss data fidelity, the human in the loop, the risks of agentic AI, and more with hosts Anton Chuvakin and Tim Peacock. Listen here.
- Can AI red teams find truly novel attacks?: Ari Herbert-Voss, CEO, RunSybil, shares his perspective on building an agent that can discover novel attack paths with Anton and Tim. Listen here.
- The possible end of ‘collect everything’: Balazs Scheidler, CEO, Axoflow, and founder of syslog-ng, explores how data pipelines can help us move from collecting all the data to getting access to security data — and what that means for the SOC, with Anton and Tim. Listen here.
- Defender’s Advantage: UNC5221 and the BRICKSTORM campaign: Sarah Yoder, manager, Mandiant Consulting, and Ashley Pearson, senior analyst, Google Threat Intelligence Group, join host Luke McNamara to discuss UNC5221 and their operations involving BRICKSTORM backdoor. Listen here.
- Behind the Binary: Wrapping up FLARE-On 12 with the FLARE team: Host Josh Stroschein is joined by Nick Harbour, Blas Kojusner, Moritz Raabe, and Sam Kim for a deep dive into the design and execution of FLARE-On 12. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.