For boards navigating the relentless advancement of AI, a pressing challenge looms: how to safeguard their organizations against increasingly sophisticated cyber threats without stifling innovation. At CBM’s recent Boardroom Summit, Alicja Cade, Director with the Office of the CISO at Google Cloud, and David Homovich with Google’s Office of the CISO, presented a solution-driven framework for tackling this complex issue. Cybersecurity, especially in the age of AI, is less about isolated technology solutions, they noted, and more about integrating digital defenses with overarching risk management, regulatory compliance, and AI-enabled innovations. Here are five key takeaways.
1. Embrace the “shared fate” model to mitigate cloud risks.
Cade advocated moving beyond the traditional “shared responsibility” model with cloud service providers to a “shared fate” mindset. In this approach, both the organization and the provider collaborate more deeply, ensuring seamless cybersecurity protection across their joint ecosystem. “We work very closely with customers in line with shared fate…our goal is to ensure your configurations are secure,” Cade explained. Homovich added that cloud service providers are working more collaboratively with companies today, which allows for a more cohesive, agile response to emerging threats and reflects a significant shift in how organizations and their partners address risk.
2. View cybersecurity as a “team sport.”
Cybersecurity is not solely the domain of the IT or security team but requires engagement across the entire organization, said Cade, noting, “The CEOs of your divisions should be aware, and the COO should be aware of what kind of cyber risk exposure they are sitting on, whether it comes from people or technology.” This approach helps foster a culture of shared responsibility, encouraging board members to seek input from multiple departments and get a fuller picture of the organization’s risk posture. “The board’s role is key here to make sure that you hear from all the parties and get all the views in terms of risk management,” she said.
3. Prioritize rapid response and testing in AI governance.
The rapid pace of AI adoption means cybersecurity frameworks must also evolve swiftly. “It’s a race,” Cade said. “AI is being used on both sides of the moon—the dark one and the light one.” She emphasized the importance of aligning AI and cybersecurity governance and advised leaders to adopt clear, central policies on AI usage, including ethical considerations such as fairness and data protection. For effective readiness, Cade recommended regular testing and joint simulations with third parties, stressing, “If you are relying on the provider, make sure you jointly test the process you are relying on.”
4. Use AI to address the “defender’s dilemma.”
For a company’s security team, “it’s very hard to get everything right,” said Cade. “The attackers, on the other hand, have to get it right only once.” Therein lies the “defender’s dilemma.” AI offers tools that could help tip the scales in favor of defenders, automating detection, response times and resilience measures. Cade advised against creating isolated AI governance structures, noting that cyber risk “should not be just on the lap of the CISO. It’s built within your business processes.” For effective governance, AI should be integrated into existing frameworks, ensuring it becomes part of the organization’s broader risk and resilience fabric.
5. Build resilience by monitoring third-party and cloud risks.
With increasing reliance on third-party providers, Homovich emphasized the importance of robust third-party risk management, particularly for “critical points of failure.” Cade added, “It goes back to that supply chain and third-party risk management. It’s really understanding your supplier, their extension of what you do. They are part of your risk environment.” Companies must monitor AI usage by suppliers and ensure third parties meet the same security standards expected within the organization. Cade also recommended joint testing with third parties. “Don’t do just your simulation internally, but actually do joint exercises.”