Cloud Security Podcast by Google
Cloud Security Podcast by Google focuses on security in the cloud, delivering security from the cloud, and all things at the intersection of security and cloud. Of course, we will also cover what we are doing in Google Cloud to help keep our users' data safe and workloads secure. We’re going to do our best to avoid security theater, and cut to the heart of real security questions and issues. Expect us to question threat models and ask if something is done for the data subject’s benefit or just for organizational benefit. We hope you’ll join us if you’re interested in where technology overlaps with process and bumps up against organizational design. We’re hoping to attract listeners who are happy to hear conventional wisdom questioned, and who are curious about what lessons we can and can’t keep as the world moves from on-premises computing to cloud computing.
info_outline
EP258 Why Your Security Strategy Needs an Immune System, Not a Fortress with Royal Hansen
01/12/2026
EP258 Why Your Security Strategy Needs an Immune System, Not a Fortress with Royal Hansen
Guest: , VP of Engineering at Google, former CISO of Alphabet Topics: The "God-Like Designer" Fallacy: You've argued that we need to move away from the "God-like designer" model of security—where we pre-calculate every risk like building a bridge—and towards a biological model. Can you explain why that old engineering mindset is becoming risky in today’s cloud and AI environments? Resilience vs. Robustness: In your view, what is the practical difference between a robust system (like a fortress that eventually breaks) and a resilient system (like an immune system)? How does a CISO start shifting their team's focus from creating the former to nurturing the latter? Securing the Unknown: We're entering an era where will call other agents, creating pathways we never explicitly designed. If we can't predict these interactions, how can we possibly secure them? What does "emergent security" look like in practice? Primitives for Agents: You mentioned the need for new "biological primitives" for these agents—things like time-bound access or inherent throttling. Are these just new names for old concepts like Zero Trust, or is there something different about how we need to apply them to AI? The Compliance Friction: There's a massive tension between this dynamic, probabilistic reality and the static, checklist-based world of many compliance regimes. How do you, as a leader, bridge that gap? How do you convince an auditor or a board that a "probabilistic" approach doesn't just mean "we don't know for sure"? "Safe" Failures: How can organizations get comfortable with the idea of designing for allowable failure in their subsystems, rather than striving for 100% uptime and security everywhere? Resources: and agents book book
/episode/index/show/cloudsecuritypodcast/id/39675245
info_outline
EP257 Beyond the 'Kaboom': What Actually Breaks When OT Meets the Cloud?
01/05/2026
EP257 Beyond the 'Kaboom': What Actually Breaks When OT Meets the Cloud?
Guest: , Technical Leader, OT Consulting, Mandiant Topics: When we hear “attacks on Operational Technology (OT)” some think of Stuxnet targeting PLCs or even backdoored pipeline control software plot in the 1980s. Is this space always so spectacular or are there less “kaboom” style attacks we are more concerned about in practice? Given the old "air-gapped" mindset of many OT environments, what are the most common security gaps or blind spots you see when organizations start to integrate cloud services for things like data analytics or remote monitoring? How is the shift to cloud connectivity - for things like data analytics, centralized management, and remote access - changing the security posture of these systems? What's a real-world example of a positive security outcome you've seen as a direct result of this cloud adoption? How do the Tactics, Techniques, and Procedures outlined in the framework change or evolve when attackers can leverage cloud-based reconnaissance and command-and-control infrastructure to target OT networks? Can you provide an example? OT environments are generating vast amounts of operational data. What is interesting for OT Detection and Response (D&R)? Resources: by Google blog paper by
/episode/index/show/cloudsecuritypodcast/id/39595305
info_outline
EP256 Rewiring Democracy & Hacking Trust: Bruce Schneier on the AI Offense-Defense Balance
12/15/2025
EP256 Rewiring Democracy & Hacking Trust: Bruce Schneier on the AI Offense-Defense Balance
Guest: Topics: Do you believe that AI is going to end up being a net improvement for defenders or attackers? Is short term vs long term different? We’re excited about the new book you have coming out with your co-author . We want to ask the same question, but for society: do you think AI is going to end up helping the forces of liberal democracy, or the forces of corruption, illiberalism, and authoritarianism? If exploitation is always cheaper than patching (and attackers don’t follow as many rules and procedures), do we have a chance here? If this requires pervasive and fast “humanless” automatic patching (kinda like what Chrome does for years), will this ever work for most organizations? Do defenders have to do the same and just discover and fix issues faster? Or can we use AI somehow differently? Does this make defense in depth more important? How do you see AI as changing how society develops and maintains trust? Resources: book "" book
/episode/index/show/cloudsecuritypodcast/id/39385725
info_outline
EP255 Separating Hype from Hazard: The Truth About Autonomous AI Hacking
12/08/2025
EP255 Separating Hype from Hazard: The Truth About Autonomous AI Hacking
Guest: , VP of Security Engineering, Google Topic: The term "AI Hacking Singularity" sounds like pure sci-fi, yet you and some other very credible folks describe an imminent threat. How much of this is hyperbole to shock the complacent, and how much is based on actual, observed capabilities today? Can autonomous AI agents really achieve that "exploit - at - machine - velocity" without human intervention for the zero-day discovery phase? On the other hand, why may it actually not happen? When we talk about autonomous AI attack platforms, are we talking about highly resourced nation-states and top-tier criminal groups, or will this capability truly be accessible to the average threat actor within the next 6-12 months? What's the "Metasploit" equivalent for AI-powered exploitation that will be ubiquitous? Can you paint a realistic picture of the worst-case scenario that autonomous AI hacking enables? Is it a complete breakdown of patch cycles, a global infrastructure collapse, or something worse? If attackers are operating at "machine speed," the human defender is fundamentally outmatched. Is there a genuine "AI-to-AI" counter-tactic that doesn't just devolve into an infinite arms race? Or can we counter without AI at all? Given that AI can expedite vulnerability discovery, how does this amplified threat vector impact the software supply chain? If a dependency is compromised within minutes of a new vulnerability being created, does this force the industry to completely abandon the open-source model, or does it demand a radical, real-time security scanning and patching system that only a handful of tech giants can afford? Are current proposed regulations, like those focusing on model safety or disclosure, even targeting the right problem? If the real danger is the combinatorial speed of autonomous attack agents, what simple, impactful policy change should world governments prioritize right now? Resources: article and blog blog
/episode/index/show/cloudsecuritypodcast/id/39295095
info_outline
EP254 Escaping 1990s Vulnerability Management: From Unauthenticated Scans to AI-Driven Mitigation
12/01/2025
EP254 Escaping 1990s Vulnerability Management: From Unauthenticated Scans to AI-Driven Mitigation
Guest: , Consulting Manager on Security Transformation Team, Mandiant, Google Cloud Topics: How has vulnerability management (VM) evolved beyond basic scanning and reporting, and what are the biggest gaps between modern practices and what organizations are actually doing? Why are so many organizations stuck with 1990s VM practices? Why mitigation planning is still hard for so many? Why do many organizations, including large ones, still rely on unauthenticated scans despite the known importance of authenticated scanning for accurate results? What constitutes a "gold standard" vulnerability prioritization process in 2025 that moves beyond CVSS scores to incorporate threat intelligence, asset criticality, and other contextual factors? What are the primary human and organizational challenges in vulnerability management, and how can issues like unclear governance, lack of accountability, and fear of system crashes be overcome? How is AI impacting vulnerability management, and does the shift to cloud environments fundamentally change VM practices? Resources:
/episode/index/show/cloudsecuritypodcast/id/39226095
info_outline
EP253 The Craft of Cloud Bug Hunting: Writing Winning Reports and Secrets from a VRP Champion
11/24/2025
EP253 The Craft of Cloud Bug Hunting: Writing Winning Reports and Secrets from a VRP Champion
Guests: , bug bounty hunter Sreeram KL, bug bounty hunter Topics: We hear from the Cloud VRP team that you write excellent bugbounty reports - is there any advice you'd give to other researchers when they write reports? You are one of Cloud VRP's top researchers and won the MVH (most valuable hacker) award at their event in June - what do you think makes you so successful at finding issues? What is a Bugswat? What do you find most enjoyable and least enjoyable about the VRP? What is the single best piece of advice you'd give an aspiring cloud bug hunter today? Resources:
/episode/index/show/cloudsecuritypodcast/id/39127570
info_outline
EP252 The Agentic SOC Reality: Governing AI Agents, Data Fidelity, and Measuring Success
11/17/2025
EP252 The Agentic SOC Reality: Governing AI Agents, Data Fidelity, and Measuring Success
Guests: , Deputy Group CISO, Allianz , Global Head of D&R, Allianz Topics: Moving from traditional SIEM to an agentic SOC model, especially in a heavily regulated insurer, is a massive undertaking. What did the collaboration model with your vendor look like? Agentic AI introduces a new layer of risk - that of unconstrained or unintended autonomous action. In the context of Allianz, how did you establish the governance framework for the SOC alert triage agents? Where did you draw the line between fully automated action and the mandatory "human-in-the-loop" for investigation or response? Agentic triage is only as good as the data it analyzes. From your perspective, what were the biggest challenges - and wins - in ensuring the data fidelity, freshness, and completeness in your SIEM to fuel reliable agent decisions? We've been talking about SOC automation for years, but this agentic wave feels different. As a deputy CISO, what was your primary, non-negotiable goal for the agent? Was it purely Mean Time to Respond (MTTR) reduction, or was the bigger strategic prize to fundamentally re-skill and uplevel your Tier 2/3 analysts by removing the low-value alert noise? As you built this out, were there any surprises along the way that left you shaking your head or laughing at the unexpected AI behaviors? We felt a major lack of proof - Anton - that any of the agentic SOC vendors we saw at RSA had actually achieved anything beyond hype! When it comes to your org, how are you measuring agent success? What are the key metrics you are using right now? Resources: blog Company annual report to look for risk by Dale Carnegie ” book
/episode/index/show/cloudsecuritypodcast/id/39037070
info_outline
EP251 Beyond Fancy Scripts: Can AI Red Teaming Find Truly Novel Attacks?
11/10/2025
EP251 Beyond Fancy Scripts: Can AI Red Teaming Find Truly Novel Attacks?
Guest: , CEO at Topics: The market already has Breach and Attack Simulation (BAS), for testing known TTPs. You’re calling this 'AI-powered' red teaming. Is this just a fancy LLM stringing together known attacks, or is there a genuine agent here that can discover a truly novel attack path that a human hasn't scripted for it? Let's talk about the 'so what?' problem. Pentest reports are famous for becoming shelf-ware. How do you turn a complex AI finding into an actionable ticket for a developer, and more importantly, how do you help a CISO decide which of the thousand 'criticals' to actually fix first? You're asking customers to unleash a 'hacker AI' in their production environment. That’s terrifying. What are the 'do no harm' guardrails? How do you guarantee your AI won't accidentally rm -rf a critical server or cause a denial of service while it's 'exploring'? You mentioned the AI is particularly good at finding authentication bugs. Why that specific category? What's the secret sauce there, and what's the reaction from customers when you show them those types of flaws? Is this AI meant to replace a human red teamer, or make them better? Does it automate the boring stuff so experts can focus on creative business logic attacks, or is the ultimate goal to automate the entire red team function away? So, is this just about finding holes, or are you closing the loop for the blue team? Can the attack paths your AI finds be automatically translated into high-fidelity detection rules? Is the end goal a continuous purple team engine that’s constantly training our defenses? Also, what about fixing? What makes your findings more fixable? What will happen to red team testing in 2-3 years if this technology gets better? Resource:
/episode/index/show/cloudsecuritypodcast/id/38954000
info_outline
EP250 The End of "Collect Everything"? Moving from Centralization to Data Access?
11/03/2025
EP250 The End of "Collect Everything"? Moving from Centralization to Data Access?
Guest: , CEO at , original founder of Topics: Are we really coming to “access to security data” and away from “centralizing the data”? How to detect without the same storage for all logs? Is data pipeline a part of SIEM or is it standalone? Will this just collapse into SIEM soon? Tell us about the issues with log pipelines in the past? What about enrichment? Why do it in a pipeline, and not in a SIEM? We are unable to share enough practices between security teams. How are we fixing it? Is pipelines part of the answer? Do you have a piece of advice for people who want to do more than save on their SIEM costs? Resources: and blog blog blog
/episode/index/show/cloudsecuritypodcast/id/38869905
info_outline
EP249 Data First: What Really Makes Your SOC 'AI Ready'?
10/27/2025
EP249 Data First: What Really Makes Your SOC 'AI Ready'?
Guest: , co-founder and CEO at Topics: We often hear about the aspirational idea of an "IronMan suit" for the SOC—a system that empowers analysts to be faster and more effective. What does this ideal future of security operations look like from your perspective, and what are the primary obstacles preventing SOCs from achieving it today? You've also raised a metaphor of AI in the SOC as a "Dr. Jekyll and Mr. Hyde" situation. Could you walk us through what you see as the "Jekyll"—the noble, beneficial promise of AI—and what are the factors that can turn it into the dangerous "Mr. Hyde"? Let's drill down into the heart of the "Mr. Hyde" problem: the data. Many believe that AI can fix a team's messy data, but you've noted that "it's all about the data, duh." What's the story? “AI ready SOC” - What is the foundational work a SOC needs to do to ensure their data is AI-ready, and what happens when they skip this step? And is there anything we can do to use AI to help with this foundational problem? How do we measure progress towards AI SOC? What gets better at what time? How would we know? What SOC metrics will show improvement? Will anything get worse? Resources: blog paper
/episode/index/show/cloudsecuritypodcast/id/38771065
info_outline
EP248 Cloud IR Tabletop Wins: How to Stop Playing Security Theater and Start Practicing
10/20/2025
EP248 Cloud IR Tabletop Wins: How to Stop Playing Security Theater and Start Practicing
Guest: , Director for Incident Response at Google Cloud Topics: What is this tabletop thing, please tell us about running a good security incident tabletop? Why are tabletops for incident response preparedness so amazingly effective yet rarely done well? This is cheap/easy/useful so why do so many fail to do it? Why are tabletops seen as kind of like elite pursuit? What’s your favorite Cloud-centric scenario for tabletop exercises? Ransomware? But there is little ransomware in the cloud, no? What are other good cloud tabletop scenarios? Resources:
/episode/index/show/cloudsecuritypodcast/id/38621345
info_outline
EP247 The Evolving CISO: From Security Cop to Cloud & AI Champion
10/13/2025
EP247 The Evolving CISO: From Security Cop to Cloud & AI Champion
Guest: , Board Risk Advisor, Non-Executive Director & Author, former CISO Topics: Drawing from the book's focus on continuous improvement, how have you seen the necessary skills, knowledge, experience, and behaviors for a CISO evolve, especially when guiding an organization through a transformation? Could you share lessons learned about leadership and organizational resilience during such a critical period, and how does that experience reshape your approach to future transformations? Many organizations are undergoing transformations, often heavily involving cloud technologies. From your perspective, what is the most crucial—and perhaps often overlooked—role a CISO plays in ensuring security is an enabler, not a roadblock, during such large-scale changes? Have you ever seen a CISO who is a cloud champion for the organization? Your best advice for a CISO meeting cloud for the first time? What is your best advice for a CISO meeting AI for the first time? How do you balance the continuous self-improvement and development with the day-to-day pressures and responsibilities? Resources: book book All blog blog
/episode/index/show/cloudsecuritypodcast/id/38529650
info_outline
EP246 From Scanners to AI: 25 Years of Vulnerability Management with Qualys CEO Sumedh Thakar
10/06/2025
EP246 From Scanners to AI: 25 Years of Vulnerability Management with Qualys CEO Sumedh Thakar
Guest: , President and CEO, Topics: How did vulnerability management (VM) change since Qualys was founded in 1999? What is different about VM today? Can we actually remediate vulnerabilities automatically at scale? Why did this work for you even though many expected it would not? Where does cloud fit into modern vulnerability management? How does AI help vulnerability management today? What is real? What is this Risk Operations Center (ROC) concept and how it helps in vulnerability management? Resources: blog
/episode/index/show/cloudsecuritypodcast/id/38456905
info_outline
EP245 From Consumer Chatbots to Enterprise Guardrails: Securing Real AI Adoption
09/29/2025
EP245 From Consumer Chatbots to Enterprise Guardrails: Securing Real AI Adoption
Guest: , CEO and Co-Founder, Topics: In what ways is the current wave of enterprise AI adoption different from previous technology shifts? If we say “but it is different this time”, then why? What is your take on “consumer grade AI for business” vs enterprise AI? A lot of this sounds a bit like the CASB era circa 2014. How is this different with AI? The concept of "routing prompts for risk and cost management" is intriguing. Can you elaborate on the architecture and specific AI engines Witness AI uses to achieve this, especially for large global corporations? What are you seeing in the identity space for AI access? Can you give us a rundown of the different tradeoffs teams are making when it comes to managing identities for agents? Resources: book
/episode/index/show/cloudsecuritypodcast/id/38369575
info_outline
EP244 The Future of SOAPA: Jon Oltsik on Platform Consolidation vs. Best-of-Breed in the Age of Agentic AI
09/22/2025
EP244 The Future of SOAPA: Jon Oltsik on Platform Consolidation vs. Best-of-Breed in the Age of Agentic AI
Guest: , security researcher, ex-ESG analyst Topics: You invented the concept of – Security Operations & Analytics Platform Architecture. As we look towards SOAPA 2025, how do you see the ongoing debate between consolidating security around a single platform versus a more disaggregated, best-of-breed approach playing out? What are the key drivers for either strategy in today's complex environments? How can we have both “” and platformization going at the same time? With all the buzz around Generative AI and Agentic AI, how do you envision these technologies changing the future of the Security Operations Center (and SOAPA of course)? Where do you see AI really work today in the SOC and what is the proof of that actually happening? What does a realistic "AI SOC" look like in the next few years, and what are the practical implications for security teams? “Integration” is always a hot topic in security - and it has been for decades. Within the context of SOAPA and the adoption of advanced analytics, where do you see the most critical integration challenges today – whether it's vendor-centric ecosystems, strategic partnerships, or the push for open standards? Resources: Jon Oltsik podcast () book and its sequel
/episode/index/show/cloudsecuritypodcast/id/38283185
info_outline
EP243 Email Security in the AI Age: An Epic 2025 Arms Race Begins
09/15/2025
EP243 Email Security in the AI Age: An Epic 2025 Arms Race Begins
Guest: , CEO, , CTO, Topics: What is the state of email security in 2025? Why start an email security company now? Is it true that there are new and accelerating AI threats to email? It sounds cliche, but do you really have to use good AI to fight bad AI? What did you learn from your time fighting abuse at scale at Google that is helping you now How do you see the future of email security and what role will AI play? Resources:
/episode/index/show/cloudsecuritypodcast/id/38201100
info_outline
EP242 The AI SOC: Is This The Automation We've Been Waiting For?
09/08/2025
EP242 The AI SOC: Is This The Automation We've Been Waiting For?
Guest: , Principal Product Manager, , Topics: What is your definition of “AI SOC”? What will AI change in a SOC? What will the post-AI SOC look like? What are the primary mechanisms by which AI SOC tools reduce attacker dwell time, and what challenges do they face in maintaining signal fidelity? Why would this wave of SOC automation (namely, AI SOC) work now, if it did not fully succeed before (SOAR)? How do we measure progress towards AI SOC? What gets better at what time? How would we know? What SOC metrics will show improvement? What common misconceptions or challenges have organizations encountered during the initial stages of AI SOC adoption, and how can they be overcome? Do you have a timeline for SOC AI adoption? Sure, everybody wants AI alerts triage? What’s next? What's after that? Resources: report book book (and )
/episode/index/show/cloudsecuritypodcast/id/38105480
info_outline
EP241 From Black Box to Building Blocks: More Modern Detection Engineering Lessons from Google
09/01/2025
EP241 From Black Box to Building Blocks: More Modern Detection Engineering Lessons from Google
Guest: ,Uber TL Google SecOps, Google Cloud Topics: On the 3rd anniversary of Curated Detections, you've grown from 70 rules to over 4700. Can you walk us through that journey? What were some of the key inflection points and what have been the biggest lessons learned in scaling a detection portfolio so massively? Historically the content was opaque, which led to, understandably, a bit of customer friction. We’ve recently made nearly all of that content transparent and editable by users. What were the challenges in that transition? You make a distinction between "Detection-as-Code" and a more mature "Software Engineering" paradigm. What gets better for a security team when they move beyond just version control and a CI/CD pipeline and start incorporating things like unit testing, readability reviews, and performance testing for their detections? The idea of a "Goldilocks Zone" for detections is intriguing – not too many, not too few. How do you find that balance, and what are the metrics that matter when measuring the effectiveness of a detection program? You mentioned customer feedback is important, but a isn't possible, why is that? You talk about enabling customers to use your "building blocks" to create their own detections. Can you give us a practical example of how a customer might use a building block for something like detecting VPN and Tor traffic to augment their security? You have started using LLMs for reviewing the explainability of human-generated metadata. Can you expand on that? What have you found are the ripe areas for AI in detection engineering, and can you share any anecdotes of where AI has succeeded and where it has failed? Resources blog blog newsletter book
/episode/index/show/cloudsecuritypodcast/id/38014740
info_outline
EP240 Cyber Resiliency for the Rest of Us: Making it Happen on a Real-World Budget
08/25/2025
EP240 Cyber Resiliency for the Rest of Us: Making it Happen on a Real-World Budget
Guest: , Chief Security Officer (CSO) at Health-ISAC Topics: How adding digital resilience is crucial for enterprises? How to make the leaders shift from “just cybersecurity“ to “digital resilience”? How to be the most resilient you can be given the resources? How to be the most resilient with the least amount of money? How to make yourself a smaller target? Smaller target measures fit into what some call “basics.” But “Basic” hygiene is actually very hard for many. What are your top 3 hygiene tips for making it happen that actually work? We are talking about under-resources orgs, but some are much more under-resourced, what is your advice for those with extreme shortage of security resources? Assessing vendor security - what is most important to consider today in 2025? How not to be hacked via your vendor? Resources:
/episode/index/show/cloudsecuritypodcast/id/37914405
info_outline
EP239 Linux Security: The Detection and Response Disconnect and Where Is My Agentless EDR
08/18/2025
EP239 Linux Security: The Detection and Response Disconnect and Where Is My Agentless EDR
Guest: , Founder and CEO, Topics: When it comes to Linux environments – spanning on-prem, cloud, and even–gasp–hybrid setups – where are you seeing the most significant blind spots for security teams today? There's sometimes a perception that Linux is inherently more secure or less of a malware target than Windows. Could you break down some of the fundamental differences in how malware behaves on Linux versus Windows, and why that matters for defenders in the cloud? 'Living off the Land' isn't a new concept, but on Linux, it feels like attackers have a particularly rich set of native tools at their disposal. What are some of the more subtly abused but legitimate Linux utilities you're seeing weaponized in cloud attacks, and how does that complicate detection? When you weigh agent-based versus agentless monitoring in cloud and containerized Linux environments, what are the operational trade-offs and outcome trade-offs security teams really need to consider? SSH keys are the de facto keys to the kingdom in many Linux environments. Beyond just 'use strong passphrases,' what are the critical, often overlooked, risks associated with SSH key management, credential theft, and subsequent lateral movement that you see plaguing organizations, especially at scale in the cloud? What are the biggest operational hurdles teams face when trying to conduct incident response effectively and rapidly across such a distributed Linux environment, and what's key to overcoming them? Resources:
/episode/index/show/cloudsecuritypodcast/id/37838870
info_outline
EP238 Google Lessons for Using AI Agents for Securing Our Enterprise
08/11/2025
EP238 Google Lessons for Using AI Agents for Securing Our Enterprise
Guest: , Senior PM D&R AI and Topics: When introducing AI agents to security teams at Google, what was your initial strategy to build trust and overcome the natural skepticism? Can you walk us through the very first conversations and the key concerns that were raised? With a vast array of applications, how did you identify and prioritize the initial use cases for AI agents within Google's enterprise security? What specific criteria made a use case a good candidate for early evaluation? Were there any surprising 'no-go' areas you discovered?" Beyond simple efficiency gains, what were the key metrics and qualitative feedback mechanisms you used to evaluate the success of the initial AI agent deployments? What were the most significant hurdles you faced in transitioning from successful pilots to broader adoption of AI agents? How do you manage the inherent risks of autonomous agents, such as potential for errors or adversarial manipulation, within a live and critical environment like Google's? How has the introduction of AI agents changed the day-to-day responsibilities and skill requirements for Google's security engineers? From your unique vantage point of deploying defensive AI agents, what are your biggest concerns about how threat actors will inevitably leverage similar technologies? Resources:
/episode/index/show/cloudsecuritypodcast/id/37734980
info_outline
EP237 Making Security Personal at the Speed and Scale of TikTok
08/04/2025
EP237 Making Security Personal at the Speed and Scale of TikTok
Guest: , Global Head of Security, TikTok Questions: Security is part of your DNA. In your day to day at TikTok, what are some tips you’d share with users about staying safe online? Many regulations were written with older technologies in mind. How do you bridge the gap between these legacy requirements and the realities of a modern, microservices-based tech stack like TikTok's, ensuring both compliance and agility? You have a background in compliance and risk management. How do you approach demonstrating the effectiveness of security controls, not just their existence, especially given the rapid pace of change in both technology and regulations? TikTok operates on a global scale, facing a complex web of varying regulations and user expectations. How do you balance the need for localized compliance with the desire for a consistent global security posture? How do you avoid creating a fragmented and overly complex system, and what role does automation play in this balancing act? What strategies and metrics do you use to ensure auditability and provide confidence to stakeholders? We understand you've used TikTok videos for security training. Can you elaborate on how you've fostered a strong security culture internally, especially in such a dynamic environment? What is in your TikTok feed? Resources: and
/episode/index/show/cloudsecuritypodcast/id/37641425
info_outline
EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI
07/28/2025
EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI
Guest: , Director of Security Engineering and Operations at Lloyd's Banking Group Topics: is hard, and it can take ages. Yours was - given the scale and the industry - on a relatively short side of 9 months. What’s been your experience so far with that and what could have gone faster? Anton might be a “reformed” analyst but I can’t resist asking a three legged stool question: of the people/process/technology aspects, which are the hardest for this transformation? What helped the most in solving your big challenges? Was there a process that people wanted to keep but it needed to go for the new tool? One thing we talked about was the plan to adopt and what we’ve been calling the “funnel model” for detection in Google SecOps. Could you share what that means and how your team is adopting? There are a lot of moving parts in a D&R journey from a process and tooling perspective, how did you structure your plan and why? It wouldn’t be our show in 2025 if I didn’t ask at least one AI question! What lessons do you have for other security leaders preparing their teams for the AI in SOC transition? Resources: blog site
/episode/index/show/cloudsecuritypodcast/id/37548405
info_outline
EP235 The Autonomous Frontier: Governing AI Agents from Code to Courtroom
07/21/2025
EP235 The Autonomous Frontier: Governing AI Agents from Code to Courtroom
Guest: , Partner at , one of the AI practice leads Episode co-host: , Office of the CISO, Google Cloud Questions: Agentic AI and AI agents, with its promise of autonomous decision-making and learning capabilities, presents a unique set of risks across various domains. What are some of the key areas of concern for you? What frameworks are most relevant to the deployment of agentic AI, and where are the potential gaps? What are you seeing in terms of how regulatory frameworks may need to be adapted to address the unique challenges posed by agentic AI? How about legal aspects - does traditional tort law or product liability apply? How does the autonomous nature of agentic AI challenge established legal concepts of liability and responsibility? The other related topic is knowing what agents “think” on the inside. So what are the key legal considerations for managing transparency and explainability in agentic AI decision-making? Resources: (, )
/episode/index/show/cloudsecuritypodcast/id/37459915
info_outline
EP234 The SIEM Paradox: Logs, Lies, and Failing to Detect
07/14/2025
EP234 The SIEM Paradox: Logs, Lies, and Failing to Detect
Guest: , Founder and CEO, Citreno Topics: Why do so many organizations still collect logs yet don’t detect threats? In other words, why is our industry spending more money than ever on SIEM tooling and still not “winning” against Tier 1 ... or even Tier 5 adversaries? What are the hardest parts about getting the right context into a SOC analyst’s face when they’re triaging and investigating an alert? Is it integration? SOAR playbook development? Data enrichment? All of the above? What are the organizational problems that keep organizations from getting the full benefit of the security operations tools they’re buying? Top SIEM mistakes? Is it trying to migrate too fast? Is it accepting a too slow migration? In other words, where are expectations tyrannical for customers? Have they changed much since 2015? Do you expect people to write their own detections? Detecting engineering seems popular with elite clients and nobody else, what can we do? Do you think AI will change how we SOC (Tim: “SOC” is not a verb?) in the next 1- 3 -5 years? Do you think that AI SOC tech is repeating the mistakes SOAR vendors made 10 years ago? Are we making the same mistakes all over again? Are we making new mistakes? Resources: blog book (as a management book) blog (the classic from 2019)
/episode/index/show/cloudsecuritypodcast/id/37379905
info_outline
EP233 Product Security Engineering at Google: Resilience and Security
07/07/2025
EP233 Product Security Engineering at Google: Resilience and Security
Guest: , Product Security Engineering Manager, Google Cloud Topic: Could you share insights into how Product Security Engineering approaches at Google have evolved, particularly in response to emerging threats (like Log4j in 2021)? You mentioned applying SRE best practices in detection and response, and overall in securing the Google Cloud products. How does Google balance high reliability and operational excellence with the needs of detection and response (D&R)? How does Google decide which data sources and tools are most critical for effective D&R? How do we deal with high volumes of data? Resources:
/episode/index/show/cloudsecuritypodcast/id/36977570
info_outline
EP232 The Human Element of Privacy: Protecting High-Risk Targets and Designing Systems
06/30/2025
EP232 The Human Element of Privacy: Protecting High-Risk Targets and Designing Systems
Guest: , Privacy Engineer, Google Topic: You have had a fascinating career since we [Tim] graduated from college together – you mentioned before we met that you’ve consulted with a literal world leader on his personal digital security footprint. Maybe tell us how you got into this field of helping organizations treat sensitive information securely and how that led to helping keep targeted individuals secure? You also work as a privacy engineer on , Google’s new operating system kernel. How did you go from human rights and privacy to that? What are the key privacy considerations when designing an operating system for “ambient computing”? How do you design privacy into something like that? More importantly, not only “how do you do it”, but how do you convince people that you did do it? When we talk about "higher risk" individuals, the definition can be broad. How can an average person or someone working in a seemingly less sensitive role better assess if they might be a higher-risk target? What are the subtle indicators? Thinking about the advice you give for personal security beyond passwords and multi-factor auth, how much of effective personal digital hygiene comes down to behavioral changes versus purely technical solutions? Given your deep understanding of both individual security needs and large-scale OS design, what's one thing you wish developers building cloud services or applications would fundamentally prioritize about user privacy? Resources:
/episode/index/show/cloudsecuritypodcast/id/36977485
info_outline
EP231 Beyond the Buzzword: Practical Detection as Code in the Enterprise
06/23/2025
EP231 Beyond the Buzzword: Practical Detection as Code in the Enterprise
Guest: , Staff Adoption Engineer, Google Cloud Topic: Detection as code is one of those meme phrases I hear a lot, but I’m not sure everyone means the same thing when they say it. Could you tell us what you mean by it, and what upside it has for organizations in your model of it? What gets better for security teams and security outcomes when you start managing in a DAC world? What is primary, actual code or using SWE-style process for detection work? Not every SIEM has a good set of APIs for this, right? What’s a team to do in a world of no or low API support for this model? If we’re talking about as-code models, one of the important parts of regular software development is testing. How should teams think about testing their detection corpus? Where do we even start? Smoke tests? Unit tests? You talk about a rule schema–you might also think of it in code terms as a standard interface on the detection objects–how should organizations think about standardizing this, and why should they? If we’re into a world of detection rules as code and detections as code, can we also think about alert handling via code? This is like SOAR but with more of a software engineering approach, right? One more thing that stood out to me in your presentation was the call for sharing detection content. Is this between vendors, vendors and end users? Resources: book
/episode/index/show/cloudsecuritypodcast/id/36977320
info_outline
EP230 AI Red Teaming: Surprises, Strategies, and Lessons from Google
06/16/2025
EP230 AI Red Teaming: Surprises, Strategies, and Lessons from Google
Guest: , Principal Digital Arsonist, Google Topic: Your RSA talk highlights lessons learned from two years of AI red teaming at Google. Could you share one or two of the most surprising or counterintuitive findings you encountered during this process? What are some of the key differences or unique challenges you've observed when testing AI-powered applications compared to traditional software systems? Can you provide an example of a specific TTP that has proven effective against AI systems and discuss the implications for security teams looking to detect it? What practical advice would you give to organizations that are starting to incorporate AI red teaming into their security development lifecycle? What are some initial steps or resources you would recommend they explore to deepen their understanding of this evolving field? Resources: Video (, ) [RSA 2025]
/episode/index/show/cloudsecuritypodcast/id/36977250
info_outline
EP229 Beyond the Hype: Debunking Cloud Breach Myths (and What DBIR Says Now)
06/09/2025
EP229 Beyond the Hype: Debunking Cloud Breach Myths (and What DBIR Says Now)
Guest: , Associate Director of Threat Intelligence, Verizon Business, Lead the Verizon Data Breach Report Topics: How would you define “a cloud breach”? Is that a real (and different) thing? Are cloud breaches just a result of leaked keys and creds? If customers are responsible for 99% of cloud security problems, is cloud breach really about ? Are misconfigurations really responsible for so many cloud security breaches? How are we at configuration? What parts of DBIR are not total ? Something about vuln exploitation vs credential abuse in today’s breaches–what’s driving the shifts we’re seeing? DBIR Are we at peak ransomware? Will ransomware be here in 20 years? Will we be here in 20 years talking about it? How is AI changing the breach report, other than putting in hilarious footnotes about how the report is for humans to read and and is written by actual humans? Resources: Video (, )
/episode/index/show/cloudsecuritypodcast/id/36865370