For those of us who work in an industry where incessant and complex threats have the potential to impact the world as we know it, it’s often very difficult to keep a positive outlook. Adversaries are becoming progressively sophisticated, security professionals are dealing with burnout, and resources and budgets are stretched despite increasing funding at many organizations.
We're seeing an increasing number of new malware families, financially motivated attacks such as ransomware, and supply chain vulnerabilities, as well as rising cyber threats from nation-state-backed actors against critical infrastructure.
Against this backdrop I consider myself a short-term pessimist, long-term optimist. While securing businesses, governments, and critical infrastructure has become a substantial challenge – and one that we can’t solve overnight – there are many reasons to be hopeful about the future of cybersecurity.
There are three trends I’m seeing that fuel my long-term cybersecurity optimism: the emphasis on IT modernization, the uptick of emerging technologies that can support defenders, and increased public-private sector collaboration.
IT modernization: a growing business priority
We’re witnessing an encouraging and necessary shift in the industry as more organizations across sectors are working towards transitioning to modernized, more defensible technology platforms – in the cloud and beyond.
More organizations are adopting systems that have been purpose-built with stronger security at the foundational level – the same approach that we at Google have prioritized for decades. With modernized IT environments, security will become a “built-in” element of infrastructures instead of a “bolt-on” – so even with short-term challenges, the long-term benefits of IT modernization are paramount to mitigating evolving cyber threats.
Organizations will also reap more of the benefits of using “software defined infrastructure” in the cloud, or even on-premises, to deliver the promise of controls-as-code. For businesses, tapping into the constant security updates a secure and well-configured cloud provides will be like tapping into a global digital immune system that’s constantly growing in strength.
With board members, the C-suite, and IT leaders across industries asking the right questions and recognizing the need to invest in IT modernization, organizations are better positioned to unlock the full benefits of security innovation and mitigate malicious activity we commonly see targeting legacy infrastructures.
Emerging technologies stay one step ahead of attackers
We are building and leveraging new technologies to make our jobs as defenders more efficient.
Take AI, for example: AI, particularly generative AI, and cybersecurity have intersected for some time, but we’ve reached an inflection point where its use cases in the industry are more encouraging than ever. The potential generative AI has to identify and prioritize the risks most relevant to an organization’s unique environment or regulatory requirements, and to quickly generate the queries and detections required to consistently monitor for threats, should not go unrecognized.
AI now plays a crucial role amid the ongoing cybersecurity talent shortage, ushering in a new era for security expertise that will profoundly impact how practitioners “do” security. Like any technological innovation, we expect adversaries are going to find applications for these tools. However, there’s far greater promise for defenders who have the ability to direct its development.
While some people will use AI for ill intent, I’m optimistic that defenders will out-innovate adversaries in the end. When it comes to the future of AI innovation and security integration, it’s still early days, but we’re already beginning to see its impact in achieving stronger security outcomes.
Increased public-private sector collaboration drives cyber resiliency
As public and private sector collaboration grows, in the next few years we’ll see deeper coordination between agencies and big tech organizations in how they implement cyber protections.
It’s reasonable to expect that the government may put more safeguarded checkpoints for organizations into effect to reflect how they meet regulatory requirements. Just last month, for example, the Securities and Exchange Commission implemented new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies. As these checkpoints come to fruition, we can expect to see continued knowledge-sharing between public and private organizations, heightening transparency and protection around today’s biggest threats.
It's often hard to stay optimistic when burnout and resource constraints are genuine concerns for almost every security leader – but it’s important to step back and look at the bigger picture and find the purpose in our mission.
As an industry, we’re defending people's lives and livelihoods, defending the free flow of capital and ideas that are essential for human progress. This gives us the opportunity to shift our mindset from “I have to” to “I get to”, which makes the job worthwhile, even the painful aspects of the job.
Cybersecurity is a team sport, and infrastructure modernization, security innovation, and industry collaboration make me optimistic for the future of security and encouraged that we're heading in the right direction. While I’m guarded in my optimism and know that we have a long road ahead, I see the scales beginning to tip in the defender’s favor.
Phil Venables, chief information security officer, Google Cloud