NASHVILLE — For cybersecurity programs to keep up with increasingly complex and demanding
network architectures, environments, technologies and adversaries, they must become industrial in approach and in scale.
So argued Phil Venables, Strategic Security Advisor at Google and former CISO of Goldman Sachs, in a keynote address at the ISC2 Security Congress here this week.
"We've been depending on artisanal security too long," Venables said, and we've been creating "highly variable environments" that differ greatly from one organization to another.
"Our security programs need to be scalable and highly reliable and efficient," he said. "We have to adopt industrial practices."
Industrial cybersecurity, Venables explained, refers to cybersecurity programs that are designed to be scalable and flexible, using common tools, common metrics, and common standards. An industrial program should be predictable and, most importantly, able to be quickly replicated during a recovery process.
The opposite approach is what Venables called the "artisanal" one. That means cybersecurity programs that build up organically over time, adding new features and capabilities when necessary. Such programs can work well in essentially static environments but may impede an organization's progress when it needs to grow and change.
Why we need industrial cybersecurity programs
To illustrate the need for industrial cybersecurity, Venables related an anecdote from earlier in his career. A directory server also acted as an authentication server, an obvious no-no in retrospect. As part of the natural course of things, the server needed to be replaced with a newer model.
But that opened a whole can of dependency worms. First, the organization's network file system relied on that double-duty directory/authentication server. Before the server could be replaced, the entire file system had to be updated.
Then it turned out that updating the file system required change-testing thousands of applications, some of which eventually had to be deprecated or rebuilt. From beginning to end, Venables said, the entire process took three years before it was safe to unplug the old directory server.
"We knew what to do, we knew how to do it, and we knew why to do it, but it still took years," said Venables.
Working with haphazardly designed artisanal systems is not just a collection of simple problems, he added.
"At sufficient scale," Venables said, "it becomes an entirely different problem."
How to implement industrial cybersecurity
Industrial cybersecurity programs should be built on four pillars, Venables explained.
First, precise and reproducible metrics, including asset inventories, should guide security and IT decisions and priorities. Venables said he'd heard of one organization finding 3,000 forgotten and unpatched servers toiling away, and another that discovered it had misplaced an entire data center.
"Make sure you have reproducible software and infrastructure if you have to recover from a disaster," he said. "Make sure you don't have circular dependencies in recovery. For example, do your DNS and certification systems depend on each other?"
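The circular-dependency check Venables describes, as an added Python example that is not from the talk or from any Google tooling: a constructed recovery-dependency map (the service names and edges are assumptions for illustration) is searched for cycles, and once the loop is broken a recovery order is produced in which every service is restored only after the services it depends on.

```python
from collections import defaultdict

# Constructed recovery-dependency map (an assumption for this example, not
# taken from the keynote). Each key lists the services that must already be
# running before it can be restored. Note the DNS <-> PKI loop Venables warns
# about: resolvers need certificates, and the CA needs DNS to reach its CRL
# and HSM endpoints, so neither can come up first after a total outage.
RECOVERY_DEPENDENCIES = {
    "dns": ["pki"],
    "pki": ["dns"],
    "identity": ["dns", "pki"],
    "storage": ["dns"],
    "monitoring": ["identity", "dns"],
    "backup-restore": ["identity", "storage"],
}

# One way to break the loop: bootstrap PKI from an offline root that needs no
# network services, so "pki" has no recovery prerequisites.
FIXED_DEPENDENCIES = {**RECOVERY_DEPENDENCIES, "pki": []}


def _all_nodes(deps):
    return set(deps) | {d for needs in deps.values() for d in needs}


def find_cycles(deps):
    """Return every dependency cycle as a list of service names (closed, so
    the first and last element are the same), found by a colouring DFS."""
    WHITE, GRAY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in _all_nodes(deps)}
    path, cycles = [], []

    def visit(node):
        colour[node] = GRAY
        path.append(node)
        for dep in deps.get(node, []):
            if colour[dep] == GRAY:            # back edge: dep is an ancestor
                cycles.append(path[path.index(dep):] + [dep])
            elif colour[dep] == WHITE:
                visit(dep)
        path.pop()
        colour[node] = BLACK

    for node in sorted(colour):
        if colour[node] == WHITE:
            visit(node)
    return cycles


def recovery_order(deps):
    """Kahn's algorithm: a restore order in which each service follows all of
    its prerequisites. Refuses to plan if the graph has a cycle, because such
    a plan cannot be executed from a cold start."""
    cycles = find_cycles(deps)
    if cycles:
        raise ValueError(f"circular recovery dependencies: {cycles}")
    indegree = {n: len(set(deps.get(n, []))) for n in _all_nodes(deps)}
    dependents = defaultdict(list)
    for svc, needs in deps.items():
        for dep in set(needs):
            dependents[dep].append(svc)
    ready = sorted(n for n, k in indegree.items() if k == 0)
    order = []
    while ready:
        svc = ready.pop(0)
        order.append(svc)
        for dependent in sorted(dependents[svc]):
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                ready.append(dependent)
    return order


if __name__ == "__main__":
    print("cycles in the original map:", find_cycles(RECOVERY_DEPENDENCIES))
    print("recovery order after the fix:", recovery_order(FIXED_DEPENDENCIES))
```

Run against the original map this reports the DNS/PKI loop and refuses to plan; against the fixed map it yields an order that starts with `pki`, then `dns`, and ends with `backup-restore`. In practice the dependency map would be generated from infrastructure-as-code or a CMDB rather than typed by hand, which is exactly the reproducible-inventory point made above.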
Next, organizations should harness the power of what Venables sees as "megatrends" — "natural forces" that arise within the IT and cybersecurity industries as they adopt new technologies and methods.
Some of these megatrends are familiar, like software-defined infrastructure, competition among cloud service providers to deliver the best services to their customers, and rapid cloud-based or SaaS application deployments, updates and upgrades.
Others may seem new or radical, like the idea of a cloud-based "digital immune system" that enables rapid, automatic responses against new threats, or that cloud service providers will move from the current shared-responsibility model to one of "shared fates" with their clients.
Immunizing the planet
In an interview following his keynote, Venables explained how a cloud-based system could transmit threat intelligence about newly detected attacks across the world, triggering thousands of systems to automatically apply patches and mitigations, immunizing countless systems and greatly limiting the impact of a new threat, vulnerability or exploit.
"If we can wire the planet up so that an attacker only gets to spend their attack once, then we win," Venables told us.
But, he added, this could only work as an automatic, dedicated system.
"It can't be just relationship-driven, where you and I are in different organizations, but I know you, so I'll call you up. That's not scalable," Venables told us. "This has to be like enduring pipes for data to flow at machine speed to stay ahead of the attackers."
Venables also tossed in a "sleeper" megatrend during his keynote: the rise of generative and agentic AI. He said he foresees a "wall of vulnerabilities coming as a result of AI," but added that, "I firmly believe AI delivers a structural advantage for defenders."
The third pillar of industrial security is continuous, automated controls and monitoring. Software-defined infrastructure now enables security controls and policies to be built right into systems. Instances where controls fall short should be investigated as security incidents, even if no harm results.
Finally, industrial security best practices should be observed. Venables sees these as the logical end results in the evolution of security policies.
For example, security technology was once bolted on to systems, then turned on by default, and the next and final stage is for it to be built in. Likewise, security operations were originally manual, then automated, and with the advent of agentic AI, they will be autonomic.
Threat-intelligence sharing has followed the same path: it began as relationships between individual security personnel, is now machine-driven, and in Venables' idea of a digital immune system will flow through dedicated, enduring data pipes.
Sink or swim together
Venables also said that risk was evolving. The shared-responsibility model between cloud service providers and clients was giving way to a shared-risk model, he said.
What comes after that is a "shared fate" model. We asked Venables to further explain that concept in our interview with him.
"You've seen some incidents in certain cloud providers where there's been a big breach because a customer misconfigured something, but they didn't actually misconfigure something," he replied. "They just ran with the default, and the default was wide open. And then the cloud provider goes, 'Oh, that was under the customer's control.'"
Venables told us that when he joined Google, his team decided, "We're going to jump right across that line of shared responsibility."
"Every incident a customer had," he added, "we reviewed it and said, 'Could we have done better to help them?'"
"That then fueled this whole program of work that drove changing product defaults to be more shipping full safeties on," Venables said, i.e., with all security options turned on by default.
"We wouldn't have done [that], I think, unless we'd have talked about shared fate as being something that leadership at all levels just embraced."
Safeties-on by default should be the default for the entire industry, Venables added.
"If you're in the security business, if you're a hyperscale cloud provider, if you're a large tech company, if you're a critical SaaS company, and if you're a security company, then you should figure out a way of prioritizing that," he said. "Or you probably shouldn't be in that business."