Source URL: https://cloud.google.com/blog/products/identity-security/cloud-ciso-perspectives-boards-should-be-bilingual-AI-security-gain-advantage/
Source: Cloud Blog
Title: Cloud CISO Perspectives: Boards should be ‘bilingual’ in AI, security to gain advantage
Feedly Summary: Welcome to the second Cloud CISO Perspectives for September 2025. Today, Google Cloud COO Francis deSouza offers his insights on how boards of directors and CISOs can thrive with a good working relationship, adapted from a recent episode of the Cyber Savvy Boardroom podcast. As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Boards should be ‘bilingual’ in AI and security to gain a competitive advantage
By Francis deSouza, chief operating officer, Google Cloud
AI is one of the fastest, most impactful technology shifts I’ve seen in my career. As adoption continues to surge, companies are facing complex and often technical questions about how AI intersects with corporate governance and strategy. One way forward is for boards of directors and cybersecurity teams to become “bilingual” in how AI and cybersecurity affect each other — to understand how AI needs to be secured against threats, how AI can be used to empower defenders, and how both needs affect business outcomes.
Organizations that adopt AI should evolve their cybersecurity posture because AI models and agents expand the surface area that needs to be protected. That requires hardening existing data infrastructure, developing access controls for agents, and understanding how those changes affect governance and risk management.
By learning the language of AI for defense, boards can be better prepared to use AI to create a competitive advantage.
Cybersecurity should be a core duty of every board member, not just those serving on audit and risk committees. Becoming bilingual in AI can help board members focus on why they should understand their organization’s security posture, and be prepared for potential breaches. But there’s much more that boards can do — here are four steps leaders can take to drive effective change in today’s dynamic environment.
1. Integrate cybersecurity into business strategy
What used to be a landscape dominated by individual hackers has now dramatically expanded to sophisticated groups that have been specifically formed to extract value from organizations by stealing and ransoming their data.
While it’s important to be fluent in business strategy, boards should also work with security leaders towards integrating cybersecurity into their overall roadmap. Boards can encourage a collaborative approach to align cybersecurity with critical business services, which can help strengthen security posture, protect critical assets, and enhance resilience against evolving and emerging threats.
2. Develop a framework for cybersecurity investments
Boards should ask questions to ensure cybersecurity investments deliver real business value — beyond compliance. Key areas for boards to investigate include identifying and understanding the protection of critical digital and physical assets with software components, assessing the maturity level of protection, and knowing the potential cost of different types of breaches.
Here’s where boards should encourage third-party assessments, running simulations, and tabletop exercises to help prepare an organization for breach responses. It’s also important for boards to develop a framework for cybersecurity investments to help them benchmark spending against industry data, and assess the effectiveness of that investment.
When boards understand the risks and costs associated with different types of breaches, including remediation and reputational damage, they are better positioned to help assess the actual value of cybersecurity investments.
3. Prioritize cybersecurity in mergers and acquisitions
One area where cybersecurity becomes especially critical is in mergers and acquisitions. Assessing a target company’s security posture is a critical component of due diligence, and can help create a roadmap for integrating the target company into the acquirer’s security and compliance posture.
This approach includes non-negotiables for day one, such as issuing new, compliant laptops, planning network segregation, and a remediation roadmap for any existing vulnerabilities. Third-party assessments also have a role to play here to help inform post-acquisition plans.
4. Create a cyber-aware culture from the top down
We’ve been vocal about how creating a cyber-aware culture starts at the top. Boards should set the tone by regularly placing cybersecurity on the agenda at the main board level at least once a year.
They can also review internal and third-party attestations, and examine breach action plans to encourage a holistic approach to cybersecurity. Executive leadership must champion the security-first mindset, setting clear expectations, allocating necessary resources, and holding teams accountable. This top-down approach sends a powerful message that security is a non-negotiable priority.
Why boards should have more AI cyber-awareness
Cybersecurity has emerged as a board-level issue because of digital transformation and the emergence of AI, and this presents an opportunity and a challenge. By becoming bilingual in AI and security, boards can ensure their companies are moving decisively to not only improve efficiency and security, but to redefine what’s possible in their industries.
For more on Google Cloud’s cybersecurity guidance for boards of directors, you can check out the resources at our insights hub.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
– Blocking shadow agents won’t work. Here’s a more secure way forward: Shadow IT. Shadow AI. It’s human nature to use technology in the most expedient way possible, but shadow agents pose great risks. Here’s how to secure them, and your business.
– How to combat bucket-squatting in five steps: Threat actors target cloud storage buckets to intercept your data and impersonate your business. Here are five steps you can take to make them more secure.
– How to secure your remote MCP server on Google Cloud: Here are five key MCP deployment risks you should be aware of, and how using a centralized proxy architecture on Google Cloud can help mitigate them.
– The global harms of restrictive cloud licensing, one year later: Microsoft’s restrictive cloud licensing has harmed the global economy, but ending it could help supercharge Europe’s economic engine.
– Introducing DNS Armor to mitigate domain name system risks: Google Cloud is partnering with Infoblox to deliver Google Cloud DNS Armor, a cloud-native DNS security service available now in preview.
– Solve security operations challenges with expertise and speed: At Google Cloud, we understand the value that MSSPs can bring, so we’ve built a robust ecosystem of MSSP partners, specifically empowered to help you modernize security operations and achieve better security outcomes, faster.
– New GCE and GKE dashboards strengthen security posture: We’ve introduced new, integrated security dashboards in GCE and GKE consoles, powered by Security Command Center, to provide critical insights.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
– Backdoor BRICKSTORM enabling espionage into tech and legal sectors: Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the U.S. across a range of industry verticals, including legal services, software as a service (SaaS) providers, business process outsourcers (BPOs), and technology companies. The value of these targets extends beyond typical espionage missions, potentially providing data to feed development of zero-days and establishing pivot points for broader access to downstream victims.
– Widespread data theft targets Salesforce instances via Salesloft Drift: An investigation into Salesloft Drift has led Google Threat Intelligence Group (GTIG) to issue an advisory to alert organizations about widespread data theft from Salesloft Drift customer integrations, affecting Salesforce and others. The campaign is carried out by the actor tracked as UNC6395. We are advising Salesloft Drift customers to treat all authentication tokens stored in or connected to the Drift platform as potentially compromised.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Podcasts from Google Cloud
– The AI future of SOAPA: Jon Oltsik, who coined Security Operations and Analytics Platform Architecture (SOAPA), gives hosts Anton Chuvakin and Tim Peacock an update on the ongoing debate between consolidating security around a single platform versus a more disaggregated, best-of-breed approach — including how agentic AI has changed the conversation.
– The AI-fueled arms race for email security: Email security is a settled matter, right? Not if AI has anything to say about it. AegisAI CEO Cy Khormaee and CTO Ryan Luo chat with Anton and Tim on how AI has upended email security best practices.
– Cyber Savvy Boardroom: Enterprise cyber leadership: Francis deSouza, chief operating officer, Google Cloud, joins Office of the CISO’s Nick Godfrey and David Homovich to talk about the biggest challenge facing boards in the next three to five years: governing agentic AI.
– Defender’s Advantage: How vSphere became a target for adversaries: Mandiant Consulting’s Stuart Carrera joins host Luke McNamara to discuss how threat actors are increasingly targeting the VMware vSphere estate, and leveraging in this environment to conduct extortion and data theft.
– Behind the Binary: Inside the FLARE-On reverse-engineering gauntlet: Host Josh Stroschein is joined by FLARE-On challenge host and author Nick Harbour, and regular challenge author Blas Kojusner, for an in-depth tour of its history, and discuss how it has grown into a must-do event for malware analysts and reverse engineers.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.
AI Summary and Description: Yes
Summary: The text discusses the importance of integrating cybersecurity and AI awareness within the corporate governance framework, emphasizing the need for boards of directors to be knowledgeable about both fields. As organizations adopt AI technologies, understanding their intersection with cybersecurity will enable boards to strengthen their security posture and navigate emerging risks effectively.
Detailed Description:
The article offers insights from Francis deSouza, COO of Google Cloud, focusing on the necessity for boards of directors to develop a bilingual understanding of AI and cybersecurity. Given the increasing adoption of AI technologies, organizations face complex challenges regarding the governance and security of these systems. The discussion highlights key strategies that boards can implement to enhance their oversight capabilities and ensure corporate resilience against cyber threats.
**Key Points:**
– **AI and Cybersecurity Integration**:
  – Boards must understand how AI influences their cyber strategy to secure AI systems and leverage them for enhanced defenses.
  – AI significantly expands the security landscape, necessitating upgrades to existing cybersecurity frameworks.
– **Strategic Business Alignment**:
  – Cybersecurity should be integrated into overarching business strategies to align with critical services and bolster organizational resilience.
– **Investment Frameworks**:
  – Developing frameworks to assess and prioritize cybersecurity investments is crucial. Boards must scrutinize spending for value beyond mere compliance, considering risks, potential breaches, and recovery costs.
– **M&A Considerations**:
  – In mergers and acquisitions, cybersecurity assessments of target companies are vital for ensuring they can be seamlessly integrated into the acquiring organization’s security framework.
– **Cultural Leadership**:
  – Cultivating a cyber-aware culture starts at the top, with boards needing to prioritize cybersecurity discussions and set a tone that champions security as a critical organizational pillar.
– **Importance of Cyber Awareness**:
  – With the rise of AI and digital transformation, cybersecurity is increasingly recognized as a board-level issue. A deeper understanding of AI can help boards drive decisive actions to secure operations effectively and foster innovation.
The article underscores the shared responsibility between business leaders and cybersecurity professionals to develop an enterprise-wide understanding of both AI and security measures. By fostering this bilingual approach, organizations can better navigate the complexities of modern threats and enhance their strategic initiatives.