GCP – Cloud CISO Perspectives: How Google Cloud’s security team helps build securely
Welcome to the first Cloud CISO Perspectives for May 2025. Today, Iain Mulholland, senior director, Security Engineering, pulls back the curtain on how Google Cloud approaches security engineering and how we take secure by design from mindset to production.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
How Google Cloud’s security team helps engineers build securely
By Iain Mulholland, senior director, Security Engineering
Velocity is a chief concern in every executive office, but it falls to CISOs to balance the tension between keeping the business secure and ensuring the business keeps up. At Google, we’re constantly thinking about how to enable both resilience and innovation.
For decades, we’ve been taking a holistic approach to how security decision-making can work better. We believe that the success we’ve seen with our security teams is achievable at many organizations, and can help lead to better security and business outcomes.
My team is responsible for ensuring Google Cloud is the most secure cloud, and we approach security as an engineering function. It’s a different lens than the traditional IT or compliance views, two parts of the business where security priorities are often set, and it results in improved decision-making and security outcomes.
We’re still seeing too many organizations rely on defenses that were designed for the desktop era — despite successful efforts to convince business leaders to invest in more modern security tools, as Phil Venables and Andy Wen noted last year.
“To be truly resilient in today’s security landscape, organizations must consider an IT overhaul and rethink their strategy toward solutions with modern, secure-by-design architectures that nullify classes of vulnerabilities and attack vectors,” they said.
To turn this core security philosophy into reality, we’ve used it to guide how we build our teams. Cloud security engineers are embedded with product teams to help the entire organization “shift left” and take an engineering-centered approach to security. Our Office of the CISO security engineering team partners with product team software engineers at all stages of the software development lifecycle (SDLC) to find paths to ship secure software — all while maintaining product-release velocity and adhering to secure-by-design principles.
You can see this in action with our threat modelling practice. Security engineers and software development teams work closely to analyze potential threats to the product and to identify actions and product capabilities that can mitigate risks. Because this happens in the design phase, the team can eliminate these threats early in the SDLC, ensuring our products are secure by design.
With engineering as our security foundation, we can build capabilities at breadth, at depth, and in clear relationship to each other, so that our total power exceeds the sum of these parts.
Protecting against threats is a great example of the impact of this approach. We characterize the vast cloud threat landscape in three specific areas: outbound network attacks (such as DDoS, outbound intrusion attempts, and vulnerability scans); resource misuse (such as cryptocurrency mining, illegal video streaming, and bots); and content-based threats (such as phishing and malware).
Across that landscape, threat actors often use similar techniques and exploit similar vulnerabilities. To combat these tactics, the team generates intelligence to prevent, detect, and mitigate risks in Google Cloud offerings before they become problems for our customers.
We “shift left” on threats, too: Identifying this systemic risk feeds into the lifecycle of software and product development. Once we identify a threat vector, we work closely with our security and product engineers to harden product defenses to help eliminate threats before they can take root.
We use AI, advanced data science, and analytics solutions to protect Google Cloud and our customers from future threats by focusing on three key capabilities: predicting future user behavior, proactively identifying risky security patterns, and improving the efficiency and measurability of threats and security operations.
It’s vital to our mission that we find attack paths before attackers do, reducing unknown security risks by finding vulnerabilities in our products and services before they are made available to customers. In addition to simulating risk, we push our researchers to consider the whole cloud as an attack surface. They chain vulnerabilities in novel ways to improve our overall security architecture.
Responding to threats is a critical third element of our engineering environment’s interlocking capabilities. Our security response operations assess and implement remediation strategies that come from external parties, and we frequently participate in comprehensive, industry-wide responses. Regular collaboration with Google Cloud’s Vulnerability Rewards Program has been a major driver of our success in this area.
Across all of these areas, there is incredible complexity, but the philosophy that guides the work is simple: By baking security into engineering processes, you can secure systems better and earlier than bolting security on at the end. Investing in a deep engineering bench coupled with embedding security personnel, processes, and procedures as early as possible in the development lifecycle can strengthen decision-making confidence and business resilience across the organization.
You can learn more about how you can incorporate security best practices into your organization’s engineering environment from our Office of the CISO.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- How boards can boost resiliency with the updated U.K. cyber code: Here’s how Google Cloud can help your organization and board of directors adapt to the newly updated U.K. cyber code. Read more.
- What’s new in IAM, Access Risk, and Cloud Governance: A core part of our mission is to help you meet your policy, compliance, and business objectives. Here’s what’s new for IAM, Access Risk, and Cloud Governance. Read more.
- 3 new ways to use AI as your security sidekick: Generative AI is already providing clear and impactful security results. Here are three decisive examples that organizations can adopt right now. Read more.
- Expanding our Risk Protection Program with new insurance partners and AI coverage: We unveiled at Next ’25 major updates to our Risk Protection Program, an industry-first collaboration between Google and cyber insurers. Here’s what’s new. Read more.
- From insight to action: M-Trends, agentic AI, and how we’re boosting defenders at RSAC 2025: From the latest M-Trends report to updates across Google Unified Security, our product portfolio, and our AI capabilities, here’s what’s new from us at RSAC. Read more.
- The dawn of agentic AI in security operations: Agentic AI promises a fundamental, tectonic shift for security teams, where intelligent agents work alongside human analysts. Here’s our vision for the agentic future. Read more.
- What’s new in Android security and privacy in 2025: We’re announcing new features and enhancements that build on our industry-leading protections to help keep you safe from scams, fraud, and theft on Android. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
- COLDRIVER using new malware to steal data from Western targets and NGOs: Google Threat Intelligence Group (GTIG) has attributed new malware to the Russian government-backed threat group COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto) that has been used to steal data from western governments and militaries, as well as journalists, think tanks, and NGOs. Read more.
- Cybercrime hardening guidance from the frontlines: The U.S. retail sector is currently being targeted in ransomware operations that GTIG suspects are linked to UNC3944, also known as Scattered Spider. UNC3944 is a financially motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. Here are our latest proactive hardening recommendations to combat their threat activities. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Podcasts from Google Cloud
- How cyber-savvy is your board: We’ve long extolled the importance of bringing boards of directors up to speed on cybersecurity challenges both foundational and cutting-edge, which is why we’ve launched “Cyber Savvy Boardroom,” a new monthly podcast from our Office of the CISO’s David Homovich, Alicja Cade, and Nick Godfrey. Our first three episodes feature security and business leaders known for their intuition, expertise, and guidance, including Karenann Terrell, Christian Karam, and Don Callahan. Listen here.
- From AI agents to provenance in MLSecOps: What is MLSecOps, and what should CISOs know about it? Diana Kelley, CSO, Protect AI, goes deep on machine-learning model security with hosts Anton Chuvakin and Tim Peacock. Listen here.
- What we learned at RSAC 2025: Anton and Tim discuss their RSA Conference experiences this year. How did the show floor hold up to the complicated reality of today’s information security landscape? Listen here.
- Deconstructing this year’s M-Trends: Kirstie Failey, GTIG, and Scott Runnels, Mandiant Incident Response, chat with Anton and Tim about the challenges of turning standard incident reports into the bigger-picture review found in this year’s M-Trends. Listen here.
- Defender’s Advantage: How UNC5221 targeted Ivanti Connect Secure VPNs: Mandiant’s Matt Lin and Ivanti’s Daniel Spicer join host Luke McNamara as they dive into the research and response of UNC5221’s campaigns against Ivanti. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.