Jonathan Cran, Google's Product and Engineering Lead, on Building Top-Tier Cybersecurity Products

Jonathan Cran, Product and Engineering Lead at Google

Cloud Control is back! This week with Jonathan Cran, a seasoned expert serving as Google's Product and Engineering Lead. From his early days on the help desk to spearheading startups and landing at the tech giant, Jonathan's journey in the industry is nothing short of extraordinary.

In this exclusive Cloud Control Q&A, he shares invaluable insights on cutting-edge topics such as GenAI, the evolving landscape of cloud security, and the intersection of artificial intelligence and cybersecurity. Gain a firsthand understanding of the challenges, opportunities, and transformative moments that have shaped Jonathan's career.

This is your chance to glean actionable perspectives and stay ahead in the ever-changing cybersecurity landscape. Don't miss out—dive into the full Q&A below!👇

Question 1 💭

Give us a quick background of your career and what you’re working on these days. What problems or emerging technologies in cloud and cybersecurity are most top of mind for you right now?

Answer 1 🎯

I’m a cybersecurity veteran. My journey took me from the helpdesk to network admin and developer to red teamer. When I graduated to running a P&L for a services team, I quickly realized a product was a better way to affect more of the industry and pivoted to engineer and PM, then to startup CEO, and now to angel investor. I guess I'm old but I think of myself mostly as a product builder these days, and I'm excited to work with startups to help them grow. I landed at Google Cloud when my company was picked up by Mandiant, which was picked up by Google shortly after. 

So many interesting problems and opportunities right now. Some things I'm paying attention to: GenAI (obviously) - It’s just fundamentally changing the economics of software and services. I think we’ve only begun to scratch the surface. It will affect every industry in fundamental ways. Application security is the place I expect the biggest impact in the near to medium term.

The transition to Cloud and managed infrastructure is also well underway. Cloud spend is just now overtaking traditional infrastructure spend. Thinking about that makes me realize we’re still pretty early. There are so many opportunities to evolve the traditional security model, and Gomboc is lighting the way forward for cloud infrastructure. 

Supply Chain compromise remains a challenging problem, both from direct integration of compromised software, as well as from upstream partners - even partners of partners, as the 3CX compromise demonstrated this year.

Attacker capability speed-up is a reality that many faced this year (think: MOVEit), and I’ve maintained throughout my career that this is a reason there still aren’t enough cybersecurity companies. There is no shortage of opportunity to improve the status quo and change the economics of attack / defense.

Question 2 💭

Tell us about your approach to building products in cybersecurity. What is top of mind when building for security practitioners, developers, or platform engineers? How do you adjust to emerging processes and technologies (AI, low-code, etc)?

Answer 2 🎯

I’ll focus on B2B cybersecurity, since that’s where my expertise is, where I've spent most of my career. First and foremost, I think it’s foolish to focus on emerging technologies. They’re a means to an end. That said, when they can change the economics of an industry or even a specific problem in that industry, they shouldn’t be ignored. With GenAI, it’s relatively obvious that it meets this bar. Stuff that doesn't change economics in a significant way (like Low-code / No-code) is just a tool to me. 

The most experienced builders - usually serial entrepreneurs - generally focus on a problem, or maybe better said, find design partners that they trust, and then work together with them to address their problems. Keeping in touch with them, and letting them guide you and give you constant feedback is a surefire way to work on valuable problems. Basically, don’t ever stop doing product discovery. 

Choose the best technology available for the problem at hand, but don’t fret too much about it. Limit your innovation tokens and choose boring technologies wherever possible. It’s much easier to hire, and when you do need to re-write (and you will if you’re successful!) it’s much easier than trying to train someone on your custom work of art.

Question 3 💭

AI has obviously become the topic of the year. With threat actors beginning to experiment with GenAI, what are some successes and pitfalls you’re seeing teams fall into? What should we be thinking about?

Answer 3 🎯

Thinking specifically about how the threat will evolve, there’s some obvious evolution around highly customized / targeted phishing that will accelerate that trend. The ability to pull in all sorts of context (think, just reading their LinkedIn bio, and some information about their company … combined with the existing tactics around current events), and you’re now cutting custom/unique messages out to every target. Campaigns get harder to detect. 

I think we’re likely to see evolved malware that's harder than ever to detect, for the same reason we’ll see evolved software. A lot of capability can be generated, and the average software engineer is much more productive with GenAI. Building one-off binaries for evasion is a no-brainer for attackers to pursue.

While not directly 1:1, it’s also easier than ever to analyze code and look for vulnerabilities, so I expect it to help attackers looking for zero days - particularly in the perimeter and server technologies. There’s a very long tail there, and that’s just going to continue and accelerate for a while. But like any technology - it’s dual use.

There are huge improvements that can be made to code review and code quality, testing coverage, and other application security use cases, that will make the job of the security engineer much more automated and scalable. But there will also be a lot more code. So it’s hard to say yet whether it’s going to be a net positive for application and cloud attack surface. ML can be used to detect generated content. The cyber arms race continues.

Question 4 💭

In your role at Google Cloud, how do you navigate working in larger tech organizations and adoption of new technology? Are there unique challenges you encounter, and how do you address them?

Answer 4 🎯

I have so much to say about this, since I’m dealing with it now but I’d summarize it as, it’s challenging to move as quickly in large organizations. It can be done, but it’s challenging. “Focus” really is the killer app & advantage for early startups that are working on a specific problem. Sure, they’ll eventually slow down too, but that focus is so powerful and the reason I’m very bullish on our supposedly “crowded” cybersecurity market. There is no shortage of problems, and they need a lot of focused effort.

If you want to be successful shipping products quickly (enough) in large organizations, I'd say you need to also focus, but more importantly you need to align your leadership around your goal, and get them working to remove blockers for you. Processes that can be set aside should be set aside. Too much time gets spent on “that’s how we do it here”. There should be teams focused on tearing down processes in every sufficiently large organization. If you can do this successfully, and execute, the impact payoff is huge - due to the scale of GTM in the enterprise.

Question 5 💭

Since your acquisition by Mandiant, you’ve been busy investing and advising a number of cybersecurity startups. Can you share an interesting success story or unique approach from one of the startups you've recently invested in or advised? Perhaps a scenario where their solution not only addressed a critical cybersecurity challenge but did so in a way that surprised or revolutionized the conventional thinking within the industry?

Answer 5 🎯

I love compliance and regulations.

Angel investing requires you to build an ever-evolving thesis about the future, and to try and understand the forces that drive markets and how security teams will approach problems. It’s an exercise in applied economics. I also love working with other entrepreneurs to understand how they approach product discovery and company building. It’s a learning experience.

Take Gomboc. For a long time, it has been gospel that remediation could not be done by the security team. You needed to involve a number of other players - whether operations or engineering - and work with them to educate and explain the challenges. In the world of managed infrastructure, this can and should change.

Read the Full Q&A on Gomboc.ai

What’s New at Gomboc

In the magical land of Silicon Valley, where dreams and code converge, a tale is about to unfold…Imagine a sunny day in the Valley, with Kubernetes on the horizon, ready to set sail into production waters. But, as fate would have it, chaos ensues, and our beloved character, Streamline Willie, finds himself in the midst of a cloud conundrum 🚢💻

Watch Mickey as he goes on a rollercoaster of tech shenanigans, only to be saved by Gomboc 💪

Top Articles and Resources of the Week

Resources

  1. Major Cloud Security Events and Conferences: Opt-in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud-security professionals from around the globe to learn, exchange ideas, network, and more.

  2. Top 50 InfoSec Networking Groups to Join: Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.

  3. CIS Benchmarks: The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.

  4. SANS Practical Guide to Security in the AWS Cloud: In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.

  5. Security Best Practices for Azure Solutions: Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.