GCP – Cloud CISO Perspectives: Boards should be ‘bilingual’ in AI, security to gain advantage
Welcome to the second Cloud CISO Perspectives for September 2025. Today, Google Cloud COO Francis deSouza offers his insights on how boards of directors and CISOs can thrive with a good working relationship, adapted from a recent episode of the Cyber Savvy Boardroom podcast.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Boards should be ‘bilingual’ in AI and security to gain a competitive advantage
By Francis deSouza, chief operating officer, Google Cloud
AI is one of the fastest, most impactful technology shifts I’ve seen in my career. As adoption continues to surge, companies are facing complex and often technical questions about how AI intersects with corporate governance and strategy. One way forward is for boards of directors and cybersecurity teams to become “bilingual” in how AI and cybersecurity affect each other — to understand how AI needs to be secured against threats, how AI can be used to empower defenders, and how both needs affect business outcomes.
Organizations that adopt AI should evolve their cybersecurity posture because AI models and agents expand the surface area that needs to be protected. That requires hardening existing data infrastructure, developing access controls for agents, and understanding how those changes affect governance and risk management.
By learning the language of AI for defense, boards can be better prepared to use AI to create a competitive advantage.
Cybersecurity should be a core duty of every board member, not just those serving on audit and risk committees. Becoming bilingual in AI can help board members focus on why they should understand their organization’s security posture, and be prepared for potential breaches. But there’s much more that boards can do — here are four steps leaders can take to drive effective change in today’s dynamic environment.
1. Integrate cybersecurity into business strategy
What used to be a landscape dominated by individual hackers has now dramatically expanded to sophisticated groups that have been specifically formed to extract value from organizations by stealing and ransoming their data.
While it’s important to be fluent in business strategy, boards should also work with security leaders towards integrating cybersecurity into their overall roadmap. Boards can encourage a collaborative approach to align cybersecurity with critical business services, which can help strengthen security posture, protect critical assets, and enhance resilience against evolving and emerging threats.
2. Develop a framework for cybersecurity investments
Boards should ask questions to ensure cybersecurity investments deliver real business value — beyond compliance. Key areas for boards to investigate include identifying and understanding the protection of critical digital and physical assets with software components, assessing the maturity level of protection, and knowing the potential cost of different types of breaches.
Here’s where boards should encourage third-party assessments, running simulations, and tabletop exercises to help prepare an organization for breach responses. It’s also important for boards to develop a framework for cybersecurity investments to help them benchmark spending against industry data, and assess the effectiveness of that investment.
When boards understand the risks and costs associated with different types of breaches, including remediation and reputational damage, they are better positioned to help assess the actual value of cybersecurity investments.
3. Prioritize cybersecurity in mergers and acquisitions
One area where cybersecurity becomes especially critical is mergers and acquisitions. Assessing a target company’s security posture is a critical component of due diligence, and can help create a roadmap for integrating the target company into the acquirer’s security and compliance posture.
This approach includes non-negotiables for day one, such as issuing new, compliant laptops, planning network segregation, and a remediation roadmap for any existing vulnerabilities. Third-party assessments also have a role to play here to help inform post-acquisition plans.
4. Create a cyber-aware culture from the top down
We’ve been vocal about how creating a cyber-aware culture starts at the top. Boards should set the tone by regularly placing cybersecurity on the agenda at the main board level at least once a year.
They can also review internal and third-party attestations, and examine breach action plans to encourage a holistic approach to cybersecurity. Executive leadership must champion the security-first mindset, setting clear expectations, allocating necessary resources, and holding teams accountable. This top-down approach sends a powerful message that security is a non-negotiable priority.
Why boards should have more AI cyber-awareness
Cybersecurity has emerged as a board-level issue because of digital transformation and the emergence of AI, and this presents an opportunity and a challenge. By becoming bilingual in AI and security, boards can ensure their companies are moving decisively to not only improve efficiency and security, but to redefine what’s possible in their industries.
For more on Google Cloud’s cybersecurity guidance for boards of directors, you can check out the resources at our insights hub.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- Blocking shadow agents won’t work. Here’s a more secure way forward: Shadow IT. Shadow AI. It’s human nature to use technology in the most expedient way possible, but shadow agents pose great risks. Here’s how to secure them, and your business. Read more.
- How to combat bucket-squatting in five steps: Threat actors target cloud storage buckets to intercept your data and impersonate your business. Here are five steps you can take to make them more secure. Read more.
- How to secure your remote MCP server on Google Cloud: Here are five key MCP deployment risks you should be aware of, and how using a centralized proxy architecture on Google Cloud can help mitigate them. Read more.
- The global harms of restrictive cloud licensing, one year later: Microsoft’s restrictive cloud licensing has harmed the global economy, but ending it could help supercharge Europe’s economic engine. Read more.
- Introducing DNS Armor to mitigate domain name system risks: Google Cloud is partnering with Infoblox to deliver Google Cloud DNS Armor, a cloud-native DNS security service available now in preview. Read more.
- Solve security operations challenges with expertise and speed: At Google Cloud, we understand the value that MSSPs can bring, so we’ve built a robust ecosystem of MSSP partners, specifically empowered to help you modernize security operations and achieve better security outcomes, faster. Read more.
- New GCE and GKE dashboards strengthen security posture: We’ve introduced new, integrated security dashboards in GCE and GKE consoles, powered by Security Command Center, to provide critical insights. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
- Backdoor BRICKSTORM enabling espionage into tech and legal sectors: Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the U.S. across a range of industry verticals, including legal services, software as a service (SaaS) providers, business process outsourcers (BPOs), and technology companies. The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims. Read more.
- Widespread data theft targets Salesforce instances via Salesloft Drift: An investigation into Salesloft Drift has led Google Threat Intelligence Group (GTIG) to issue an advisory to alert organizations about widespread data theft from Salesloft Drift customer integrations, affecting Salesforce and others. The campaign is carried out by the actor tracked as UNC6395. We are advising Salesloft Drift customers to treat all authentication tokens stored in or connected to the Drift platform as potentially compromised. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Podcasts from Google Cloud
- The AI future of SOAPA: Jon Oltsik, who coined Security Operations and Analytics Platform Architecture (SOAPA), gives hosts Anton Chuvakin and Tim Peacock an update on the ongoing debate between consolidating security around a single platform versus a more disaggregated, best-of-breed approach — including how agentic AI has changed the conversation. Listen here.
- The AI-fueled arms race for email security: Email security is a settled matter, right? Not if AI has anything to say about it. AegisAI CEO Cy Khormaee and CTO Ryan Luo chat with Anton and Tim on how AI has upended email security best practices. Listen here.
- Cyber Savvy Boardroom: Enterprise cyber leadership: Francis deSouza, chief operating officer, Google Cloud, joins Office of the CISO’s Nick Godfrey and David Homovich to talk about the biggest challenge facing boards in the next three to five years: governing agentic AI. Listen here.
- Defender’s Advantage: How vSphere became a target for adversaries: Mandiant Consulting’s Stuart Carrera joins host Luke McNamara to discuss how threat actors are increasingly targeting the VMware vSphere estate, and leveraging in this environment to conduct extortion and data theft. Listen here.
- Behind the Binary: Inside the FLARE-On reverse-engineering gauntlet: Host Josh Stroschein is joined by FLARE-On challenge host and author Nick Harbour, and regular challenge author Blas Kojusner, for an in-depth tour of its history and a discussion of how it has grown into a must-do event for malware analysts and reverse engineers. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.