In the opening keynote at ISC2 Security Congress 2025 in Nashville and online, Google advisor Phil Venables called for a fundamental push for scale.

Artificial intelligence (AI) will hand cybersecurity defenders a structural advantage over attackers if they can move to an industrial approach to cybersecurity, Google Cloud’s former CISO told the ISC2 Security Congress 2025 audience.

Phil Venables also questioned the nature of the post-quantum threat and said security leaders should think in terms of “stacked benefits” from AI rather than grand transformations.

Venables, who remains a strategic security advisor at Google Cloud, used his opening keynote at Congress to outline exactly what it takes to move from an artisanal approach to security to a scalable, industrial approach.

He said that cybersecurity had long been the preserve of experts, essentially highly skilled artisans. However, this model simply doesn’t scale in line with the massive, complex systems the world relies on today.

“When you get to sufficient scale, it becomes an entirely different problem,” he said.

This meant that cybersecurity had to shift to an industrialized approach. Moreover, he said, the model was high-tech manufacturing, such as semiconductors, rather than 19th-century steel mills.

This called for shared tools and approaches, predictable continuous refinement, and system-wide performance and scale. This meant adopting “precisely measurable” metrics, he said, with an emphasis on leading indicators that go beyond breaches, vulnerabilities, and incidents.

More broadly, this encompassed areas such as software and infrastructure reproducibility, he explained, or cold start recovery times.

“If you can't rebuild and deploy your software at will, you're resistant to doing security change,” he said.

Organizations that had policies in place – as code – to reproduce their software and infrastructure “are in massively great shape and they can scale, and they can meet the challenges of those dependency issues.”

This should be combined with a “blameless” approach, he added. A team looking after one environment might be well behind on headline scores on an SLO, for example. But that might not take account of the fact that they had taken on a particularly troublesome legacy environment which had to be rebuilt.

The Critical Role of Megatrends

When it came to “natural forces” and megatrends, he said, “In IT we’ve got to harness these or get crushed.” In the broader world, that meant demographics, supply chain structures and changing economies. In the IT world, he cited hyperscalers’ techniques which can be applied on premises, economies of scale and reduced unit costs of control.

Venables cited the “profound benefits” of software-defined infrastructure as one of the trends that can allow cybersecurity professionals to “get a free ride on your security program.”

AI is an obvious megatrend. Machine learning had been used for years in security, Venables said. But the industry was seeing “tremendous results” from gen AI, and in some cases, neurosymbolic AI.

This came in the form of supercharged workflows and tools, and the ability to surface vulnerabilities.

AI could also benefit attackers, he said, though that was “not really happening yet.” This was “depressing,” he said, as it suggested hackers were having plenty of success with more basic attacks.

However, he said, “I believe AI gives structural advantage for defenders – we can tune these things for our own environments.”

Allied to this was the need for automation. There were multiple techniques for this, he said, but he focused on continuous controls monitoring.

“One of the most important characteristics I see in all environments that radically scale security is when they have the ability to know where all their controls should be,” he said.

Those organizations continuously monitor the effectiveness of those controls and use the data they emit to validate them. If controls can’t be validated, they are replaced.

Changing the Industrial Base

Tying this together was a shift in industrial practices. Cybersecurity leaders can’t just “wish” for a better security culture, Venables said. They had to take active steps to create it and ensure it is engineered into the system, and not just a bolt-on.

That included the engineering team taking on accountability for security, not just the CISO’s organization.

Organizations need to consider more broadly how systems can be more autonomic and self-defending. For example, when it comes to agentic AI, the “naïve approach” was to simply automate somebody’s job. Rather, the aim should be to automate tools and have an agent to orchestrate them. This could result in outcomes that are quite different when dealing with tools and processes designed around human constraints, he said.

Ultimately, security teams needed to “relentlessly deliver” to these goals to keep ahead of attackers, Venables argued. “Speed is our main advantage in everything we do.”

Taking questions after his presentation, Venables added that while security teams stood to benefit from AI, this might not come in the form some pundits expect.

“If you equip your teams with the ability to just experiment and use this, you might not get any transformational use cases,” he said. “But hundreds of little stacked benefits of using this ability to improve workflows and improve people's productivity can be a 10x overall improvement in productivity for the team.”

Venables also addressed the prospect of quantum computers breaking existing cryptography standards. While he’d previously expected a “cryptographically relevant quantum computer” between 2035 and 2040, he now expected the time frame to be more like 2030 to 2032.

“There’s a lot still to do on this,” he said, adding, “Everybody talks about this kind of store now and decrypt later problem, which I think is largely nonsense.”

Rather, he said, if an adversary had a cryptographically relevant computer, “They're going to be attacking authentication systems, software signing systems. They're going to be using it for attacks, not for decryption in the first instance.”
