Welcome to the first Cloud CISO Perspectives for December 2024. Today, Nick Godfrey, senior director, Office of the CISO, shares our Forecast report for the coming year, with additional insights from our Office of the CISO colleagues.

As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.

--Phil Venables, VP, TI Security & CISO, Google Cloud

Forecasting 2025: AI threats and AI for defenders, turned up to 11

By Nick Godfrey, senior director, Office of the CISO

While security threats and incidents may seem to pop up out of nowhere, the reality is that very little in cybersecurity happens in a vacuum. Far more common are incidents that build on incidents, threats shifting to find new attack vectors, and defenders simultaneously working to close up those points of ingress while also mitigating evolving risks.

Security and business leaders know that readiness plays a crucial role, and our Cybersecurity Forecast report for 2025 extrapolates from today’s trends the scenarios that we expect to arise in the coming year.

AI will continue to bolster defenders, as well. We expect 2025 will usher in an intermediate stage of semi-autonomous security operations, with human awareness and ingenuity supported by AI tools.

Taylor Lehmann, health care and life sciences director, Office of the CISO

As Google CEO Sundar Pichai said recently, “more than a quarter of new code at Google is generated by AI.” Many will probably interpret this to mean that, broadly speaking, companies will be able to save money by hiring fewer software developers because gen AI will do their work for them.

I believe we're at the beginning of a software renaissance. Gen AI will help create more developers, because the barrier to becoming one has been lowered. We will need even more great developers to review work, coach teams, and improve software quality (because we'll have more code to review.)

Crucially, finding and fixing insecure software will get easier. This added attention to software quality should help us create better, safer, and more secure and resilient products. Accordingly, any person or business who uses those products will benefit. Now, we should all go write our “hello worlds” — and start building.

Anton Chuvakin, security advisor, Office of the CISO

While "AI, secure my environment!” magic will remain elusive, generative AI will find more practical applications. Imagine gen AI that sifts through reports and alerts, summarizing incidents, and recommending response actions to humans. AI can be used to identify subtle patterns and anomalies that humans often miss, and can proactively uncover hidden threats during threat hunting.

Marina Kaganovich, executive trust lead, Office of the CISO

We predicted last year that organizations should get ahead of shadow AI. Today, we’re still seeing news stories about how enterprises are struggling to navigate unauthorized AI use. We believe that establishing robust organizational governance is vital. Proactively asking and answering key questions can also help you experiment with AI securely.

The global stage: threat actors

Geopolitical conflicts in 2025 will continue to fuel cyber-threat activity and create a more complex cybersecurity environment.

The Big Four — China, Iran, North Korea, and Russia — will continue to pursue their geopolitical goals through cyber espionage, disruption, and influence operations. Globally, organizations will face ongoing threats from ransomware, multifaceted extortion, and infostealer malware. There are regional trends across Europe, the Middle East, Japan, Asia, and the Pacific that we expect to drive threat actor behavior, as well.

Toby Scales, advisor, Office of the CISO

Against the backdrop of ongoing AI innovation, including the coming “Agentic AI” transformation, we expect to see threat activity from nation-states increase in breadth — the number of attacks — and depth — the sophistication and variety of attacks.

While we don’t necessarily expect a big attack on infrastructure to land next year, it’s not hard to imagine an explicit retaliation by one of the Big Four against a U.S.-owned media enterprise for coverage, content, or coercion. Expect the weakest links of the media supply chain to be exploited for maximum profit.

Bob Mechler, director, Office of the CISO

Financially-motivated cybercrime as well as increasing geopolitical tensions will continue to fuel an increasingly challenging and complicated threat landscape for telecom providers. We believe that the increase in state-sponsored attacks, sabotage, and supply chain vulnerabilities observed during 2024 is likely to continue and possibly increase during 2025.

These attacks will, in turn, drive a strong focus on security fundamentals, resilience, and a critical need for threat intelligence that can help understand, preempt, and defeat a wide range of emerging threats.

Vinod D’Souza, head of manufacturing and industry, Office of the CISO

Ongoing geopolitical tensions and potential state-sponsored attacks will further complicate the threat landscape, requiring manufacturers to be prepared for targeted attacks aimed at disrupting critical infrastructure and stealing intellectual property. The convergence of IT and OT systems for manufacturing, along with increased reliance on interconnected technologies and data-driven processes, will create new vulnerabilities for attackers to exploit.

Ransomware attacks will potentially become more targeted and disruptive, potentially focusing on critical production lines and supply chains for maximum impact. Additionally, the rise of AI-powered attacks will pose a significant challenge, as attackers use machine learning to automate attacks, evade detection, and develop more sophisticated malware.

Supply chain attacks will continue to be a major challenge in 2025, too. Attackers will increasingly target smaller suppliers and third-party vendors with weaker security postures to gain indirect access to larger manufacturing networks.

A collaborative approach to cybersecurity is needed, with manufacturers working closely with partners to assess and mitigate risks throughout the supply chain. Cloud technologies can become a solution as secure collaborative cloud platforms and applications could be used by the supplier ecosystem for better security.

Thiébaut Meyer, director, Office of the CISO

Digital sovereignty will gain traction in risk analysis and in the discussions we have with our customers and prospects in Europe, the Middle East, and Asia. This trend is fueled by growing concerns about potential diplomatic tensions with the United States, and "black swan" events are seen as increasingly plausible. As a result, entities in these regions are prioritizing strategies that account for the evolving geopolitical landscape and the potential for disruptions to data access, control, and survivability.

This concern will grow stronger as public entities move to the cloud. For now, in Europe, these entities are still behind in their migrations, mostly due to a lack of maturity. Their migration will be initiated only with the assurance of sovereign safeguards. Therefore, we really need to embed these controls in the core of all our products and offer "sovereign by design" services.

The global stage: empowered defenders

To stay ahead of these threats, and be better prepared to respond to them when they occur, organizations should prioritize a proactive, comprehensive approach to cybersecurity in 2025. Cloud-first solutions, robust identity and access management controls, and continuous threat monitoring and threat intelligence are key tools for defenders. We should also begin to prepare for the post-quantum cryptography era, and ensure ongoing compliance with evolving regulatory requirements.

MK Palmore, public sector director, Office of the CISO

I believe 2025 may bring an avalanche of opportunities for public sector organizations globally to transform how their enterprises make use of AI. They will continue to explore how AI can help them streamline time-dominant processes, and explore how AI can truncate those experiences to get in and out of the delivery cycle faster.

We should see public sector organizations begin to expand their comfort levels using cloud platforms built for the challenges of the future. They will likely begin to move away from platforms built using outdated protection models, and platforms where additional services are required to achieve security fundamentals. Security should be inherent in the design of cloud platforms, and Google Cloud’s long-standing commitment to secure by design will ring true through increased and ongoing exposure to the platform and its capabilities.

Alicja Cade, financial services director, Office of the CISO

Effective oversight from boards of directors requires open and joint communication with security, technology, and business leaders, critical evaluation of existing practices, and a focus on measurable progress. By understanding cybersecurity initiatives, boards can ensure their organizations remain resilient and adaptable in the face of ever-evolving cyber threats.

Boards can achieve prioritize cybersecurity by supporting strategies that:

• Modernize technology by using cloud computing, automation, and other advancements to bolster defenses;
• Implement robust security controls to establish a strong security foundation, with measures that include multi-factor authentication, Zero Trust segmentation, and threat intelligence; and
• Manage AI risks by proactively addressing the unique challenges of AI, including data privacy, algorithmic bias, and potential misuse.

Odun Fadahunsi, executive trust lead, Office of the CISO

The global landscape is witnessing a surge in operational resilience regulations, especially in the financial services sector. Operational resilience with a strong emphasis on cyber-resilience is poised to become a top priority for both boards of directors and regulators in 2025. CISOs, and risk and control leaders, should proactively prepare for this evolving regulatory environment.

Bill Reid, solutions consultant, Office of the CISO

The drive to improve medical device security and quality will continue into 2025 with the announcement of the ARPA-H UPGRADE program awardees and the commencement of this three-year project. This program is expected to push beyond FDA software-as-a-medical-device security requirements to using more automated approaches to address assessment and patching whole classes of devices in a healthcare environment.

In general, the healthcare industry will keep building on the emergent theme of cyber-physical resilience, described in the PCAST report. With the continued threat of economically and clinically disruptive ransomware attacks, we expect healthcare to adopt more resilient systems that allow them to better operate core services safely, even when under attack. This will be most acute in the underserved and rural healthcare sector, where staffing is minimal and resources are limited. New cross-industry and public-private collaboration can help strengthen these efforts.

We believe there’ll be a shift away from blaming CISOs and their security organizations for breaches, and a rebuttal of the shame-based culture that has plagued cybersecurity. Cybersecurity events will be recognized as criminal acts and, in healthcare and other critical industries, as attacks on our national security. New ways to address security professional liability will emerge as organizations have challenges attracting and retaining top talent.

Widya Junus, head of Google Cloud Cybersecurity Alliance business operations, Office of the CISO

Based on feedback from our security field teams in 2024, we anticipate strong demand for practical, actionable guidance on cybersecurity and cloud security, including best practices for securing multicloud environments.

Cloud customers will continue to request support to navigate the complexities of managing security across multiple cloud providers, ensuring consistent policies and controls. The demand also includes real-world use cases, common threats and mitigations, and industry-specific security knowledge exchange.

Key security conversations and topics will cover streamlined IAM configuration, security best practices, and seamless implementation of cloud security controls. There will be a strong push for cloud providers to prioritize sharing practical examples and industry-specific security guidance, especially for AI.

For more leadership guidance from Google Cloud experts, please see our CISO Insights hub.

In case you missed it

Here are the latest updates, products, services, and resources from our security teams so far this month:

• Oops! 5 serious gen AI security mistakes to avoid: Pitfalls are inevitable as gen AI becomes more widespread. In highlighting the most common of these mistakes, we hope to help you avoid them. Read more.
• How Roche is pioneering the future of healthcare with secure patient data: Desiring increased user-access visibility and control, Roche secured its data by implementing a Zero Trust security model with BeyondCorp Enterprise and Chrome. Read more.
• Securing AI: Advancing the national security mission: Artificial intelligence is not just a technological advancement; it's a national security priority. For AI leaders across agencies in the AI era, we’ve published a new guide with agency roadmaps on how AI can be used to innovate in the public sector. Read more.
• Perspectives on Security for the Board, sixth edition: Our final board report for 2024 reflects on our recent conversations with board members, highlighting the critical intersection of cybersecurity and business value in three key areas: resilience against supply chain attacks, how information sharing can bolster security, and understanding value at risk from a cybersecurity perspective. Read more.
• Announcing the launch of Vanir: Open-source security patch validation: We are announcing the availability of Vanir, a new open-source security patch validation tool. It gives Android platform developers the power to quickly and efficiently scan their custom platform code for missing security patches and identify applicable available patches. Read more.

Please visit the Google Cloud blog for more security stories published this month.

Threat Intelligence news

• Elevating red team assessments with AppSec testing: Incorporating application security expertise enables organizations to better simulate the tactics and techniques of modern adversaries, whether through a comprehensive red team engagement or a targeted external assessment. Read more.
• (QR) coding my way out of here: C2 in browser isolation environments: Mandiant researchers demonstrate a novel technique where QR codes are used to achieve command and control in browser isolation environments, and provide recommendations to defend against it. Read more.

Please visit the Google Cloud blog for more threat intelligence stories published this month.

Now hear this: Google Cloud Security and Mandiant podcasts

• Every CTO should be a CSTO: Chris Hoff, chief secure technology officer, Last Pass, discusses with host Anton Chuvakin and guest co-host Seth Rosenblatt the value of the CSTO, what it was like helping LastPass rebuild its technology stack, and how that helped overhaul the company’s corporate culture. Listen here.
• How Google does workload security: Michael Czapinski, Google security and reliability enthusiast, talks with Anton about workload security essentials: zero-touch production, security rings, foundational services, and more. Listen here.
• Defender’s Advantage: The art of remediation in incident response: Mandiant Consulting lead Jibran Ilyas joins host Luke McNamara to discuss the role of remediation as part of incident response. Listen here.

To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in two weeks with more security-related updates from Google Cloud.