Cloud Control: Q&A with Jonathan Cran, Google's Product and Engineering Lead, on Building Top-Tier Cybersecurity Products

February 13, 2024

Want weekly newsletters featuring interviews with security and cloud leaders delivered right to your inbox? Sign up for Cloud Control here.

Jonathan Cran, Google's Product and Engineering Lead, on Building Top-Tier Cybersecurity Products

Jonathan Cran is a seasoned expert serving as Google's Product and Engineering Lead. From his early days on the helpdesk to spearheading startups and landing at the tech giant, Jonathan's journey in the industry is nothing short of extraordinary. In this exclusive Q&A session, he shares invaluable insights on cutting-edge topics such as GenAI, the evolving landscape of cloud security, and the intricate intersection of artificial intelligence and cybersecurity. Gain a firsthand understanding of the challenges, opportunities, and transformative moments that have shaped Jonathan's career. This is your chance to glean actionable perspectives and stay ahead in the ever-changing cybersecurity landscape. Don't miss out—dive into the full Q&A below!

👇

‍

Question 1 💭

Give us a quick background of your career and what you’re working on these days. What problems or emerging technologies in cloud and cybersecurity is most top of mind for you right now?

Answer 1 🎯

GenAI...It’s just fundamentally changing the economics of software and services. I think we’ve only begun to scratch the surface. It will affect every industry in fundamental ways. Application security is the place I expect the biggest impact in the near to medium term.

I’m a cybersecurity veteran. My journey took me from the helpdesk to network admin and developer to red teamer. When I graduated to running a P&L for a services team, I quickly realized a product was a better way to affect more of the industry and pivoted to engineer and PM, then to startup CEO, and now to angel investor. I guess I'm old but I think of myself mostly as a product builder these days, and I'm excited to work with startups to help them grow. I landed at Google Cloud when my company was picked up by Mandiant, which was picked up by Google shortly after.

So many interesting problems and opportunities right now. Some things I'm paying attention to. GenAI (obviously) - It’s just fundamentally changing the economics of software and services. I think we’ve only begun to scratch the surface. It will affect every industry in fundamental ways. Application security is the place I expect the biggest impact in the near to medium term.

The transition to Cloud and managed infrastructure is also well underway. Cloud spend is just now overtaking traditional infrastructure spend. Thinking about that makes me realize we’re still pretty early. There are so many opportunities to evolve the traditional security model, and Gomboc is lighting the way forward for cloud infrastructure.

Supply Chain compromise remains a challenging problem, both from direct integration of compromised software, as well as from upstream partners - even partners of partners as the 3CX compromise demonstrated this year.

Attacker capability speed-up is a reality that many faced this year (think: MoveIt), and I’ve maintained throughout my career that this is a reason there still aren’t enough cybersecurity companies. There is no shortage of opportunity to improve the status quo and change the economics of attack / defense.

Question 2 💭

Tell us about your approach to building products in cybersecurity. What is top of mind when building for security practitioners, developers, or platform engineers? How do you adjust to emerging processes and technologies (AI, low-code, etc)?

Answer 2 🎯

I’ll focus on B2B cybersecurity, since that’s where my expertise is, where I've spent most of my career. First and foremost, I think it’s foolish to focus on emerging technologies. They’re a means to an end. That said, when they can change the economics of an industry or even a specific problem in that industry, they shouldn’t be ignored. With GenAI, it’s relatively obvious that it meets this bar. Stuff that doesn't change economics in a significant way (like Low-code / No-code) is just a tool to me.

The most experienced builders - usually serial entrepreneurs - generally focus on a problem, or maybe better said, find design partners that they trust, and then work together with them to address their problems. Keeping in touch with them, and letting them guide you and give you constant feedback is a surefire way to work on valuable problems. Basically, don’t ever stop doing product discovery.

Choose the best technology available for the problem at hand, but don’t fret too much about it. Limit your innovation tokens and choose boring technologies wherever possible. It’s much easier to hire, and when you do need to re-write (and you will if you’re successful!) it’s much easier than trying to train someone on your custom work of art.

Question 3 💭

AI has obviously become the topic of the year. With threat actors beginning to experiment with GenAI, what are some successes and pitfalls you’re seeing teams fall into. What should we be thinking about?

Answer 3 🎯

Thinking specifically about how the threat will evolve, there’s some obvious evolution around highly customized / targeted phishing that will accelerate that trend. The ability to pull in all sorts of context (think, just reading their Linkedin bio, and some information about their company … combined with the existing tactics around current events), and you’re now cutting custom/unique messages out to every target. Campaigns get harder to detect.

I think we’re likely to see evolved malware that's harder than ever to detect, for the same reason we’ll see evolved software. A lot of capability can be generated, and the average software engineer is much more productive with GenAI. Building one-off binaries for evasion are a no-brainer for attackers to pursue.

I think we’re likely to see evolved malware that's harder than ever to detect, for the same reason we’ll see evolved software. A lot of capability can be generated, and the average software engineer is much more productive with GenAI. Building one-off binaries for evasion are a no-brainer for attackers to pursue.

While not directly 1:1, it’s also easier than ever to analyze code and look for vulnerabilities, so I expect it to help attackers looking for zero days - particularly in the perimeter and server technologies. There’s a very long tail there, and that’s just going to continue and accelerate for a while. But like any technology - it’s dual use.

There are huge improvements that can be made to code review and code quality, testing coverage, and other application security use cases, that will make the job of the security engineer much more automated and scalable. But there will also be a lot more code. So it’s hard to say yet whether it’s going to be a net positive for application and cloud attack surface. ML can be used to detect generated content. The cyber arms race continues.

Question 4 💭

In your role at Google Cloud, how do you navigate working in larger tech organizations and adoption of new technology. Are there unique challenges you encounter, and how do you address them?

Answer 4 🎯

I have so much to say about this, since I’m dealing with it now but I’d summarize it as, it’s challenging to move as quickly in large organizations. It can be done, but it’s challenging. “Focus” really is the killer app & advantage for early startups that are working on a specific problem. Sure, they’ll eventually slow down too, but that focus is so powerful and the reason i’m very bullish on our supposedly “crowded” cybersecurity market. There is no shortage of problems, and they need a lot of focused effort.

If you want to be successful shipping products quickly (enough) in large organizations, I'd say you need to also focus, but more importantly you need to align your leadership around your goal, and get them working to remove blockers for you. Processes that can be set aside should be set aside. Too much time gets spent on “that’s how we do it here”. There should be teams focused on tearing down processes in every sufficiently large organization. If you can do this successfully, and execute, the impact payoff is huge - due to the scale of GTM in the enterprise.

Question 5 💭

Since your acquisition by Mandiant, you’ve been busy investing and advising a number of cybersecurity startups. Can you share an interesting success story or unique approach from one of the startups you've recently invested in or advised? Perhaps a scenario where their solution not only addressed a critical cybersecurity challenge but did so in a way that surprised or revolutionized the conventional thinking within the industry?

Answer 5 🎯

Angel investing requires you to build an ever-evolving thesis about the future, and to try and understand the forces that drive markets and how security teams will approach problems. It’s an exercise in applied economics. I also love working with other entrepreneurs to understand how they approach product discovery and company building. It’s a learning experience.

Take Gomboc. For a long time, it has been gospel that remediation could not be done by the security team. You needed to involve a number of other players - whether operations or engineering and work with them to educate and explain the challenges. In the world of managed infrastructure, this can and should change.

Question 6 💭

For organizations looking to adopt AI-driven cybersecurity solutions (or emerging solutions in general), what practical steps should teams take or think about? Based on your experience, what challenges might they face, and how can these challenges be overcome?

Answer 6 🎯

It’s nothing new. Essentially, the goal needs to be to gain an understanding of the capabilities of your providers, and how your data flows into them. Ensuring you know how business critical sensitive data flows is the key. This is not magical, but it’s definitely challenging to do this continuously.

We’re still in early days here, but almost every cybersecurity vendor has some ML or GenAI models they’re using to augment their capabilities. This is a good thing, and something you want to take advantage of.

The more data your providers can aggregate across their customers and build models on, the more likely you are to benefit from the experiences of others.

Question 7 💭

What’s changing in the conversations around cloud and cybersecurity? We’ve heard about shifting left and shielding right. What are you talking and thinking about with your peers?

Answer 7 🎯

Identity is the new perimeter in the world of managed infrastructure. This has been happening for years, but it’s accelerating with cloud growth
Everyone’s building out a SASE / Zero Trust capability, and this changes where security can be applied. Security can be applied at new layers in this evolved architecture.
The idea of a centralized managed security data lake is powerful, but still very early and missing the killer apps. Expect this space to evolve over 2024.
GenAI is bringing the ability to structure or label previously unstructured data - opening up all sorts of opportunities.

GenAI fundamentally changes the economics of the possible in cybersecurity (and really software as a whole). The ability to add structure, context, and meaning to data is so powerful.

Question 8 💭

Given your extensive background in cybersecurity and leadership at Google Cloud (Mandiant), how do you envision the intersection of artificial intelligence and cybersecurity evolving? Are there specific challenges or opportunities that you find particularly compelling in your current role as a Product Leader?

Answer 8 🎯

GenAI fundamentally changes the economics of the possible in cybersecurity (and really software as a whole). The ability to add structure, context, and meaning to data is so powerful. There are so many areas you can apply GenAI to augment capabilities where you’d previously need to build a custom ML model, or have an analyst manually do something.

Many companies have shipped a GenAI capability in their products. Sure most of the products are simply asking a RAG to summarize across their dataset, and that’s getting commoditized quickly, but what’s coming is a bunch more capability … TODO. Unique data is the key here, as we’ll see play out in 2024. Unique data is going to get more and more valuable.

My current thinking is that a new “intelligence layer” in security focused on aggregating data and deriving insight / enabling better decisions will eventually emerge. The Cloud Providers, CNAPP/CAASM (aka posture), and SIEMs are in a good position to execute on this.

Question 9 💭

In your experience as a founder and investor, what gaps or opportunities do you see in the market? Specifically, what kind of innovative product or solution do you believe the cybersecurity industry needs the most, and where do you see huge opportunities for growth and improvement?

Answer 9 🎯

An intelligence layer - across multiple diff areas of cybersecurity. Something that can take the landscape and threat profile of a given organization, and deliver proactive action to shore up the attack surface. This one’s so huge that it’s hard to know how it’s going to come together. I think it’s a new layer.

Better scenario planning or tabletop - today this is mostly delivered as a service, and there’s so much room to make this more continuous and valuable. Cybersecurity is a team sport, and we need to do more reaching across the aisle with our partners in Legal, Finance, Engineering, etc.

I think a lot of web3 tech is still very underinvested from a cybersecurity perspective. While PKI obviously exists, and you can build most any service without a blockchain, web2 infrastructure is not particularly durable, since a breach of the CA or the application provider will compromise security. We’ve seen this play out over and over again. Users and enterprises should own their data and have the ability to auth or unauth at any time. Think like a password manager - you’d be much better off with individual CAs per user, decentralized storage. I think the FTX noise, and the general “crypto” or financial focus of that market has prevented the valuable capabilities of the wallet-centric or PKI-native approach from being well understood. It’s a true paradigm shift for the Internet and I for one can’t wait to see it happen.

If anyone’s working on ideas like these, I’d love to chat. :]

Question 10 💭

Reflecting on your career in cybersecurity, especially considering your journey as a founder, could you dive into specific pivotal moments that proved transformative? What valuable lessons did you draw from these experiences as both a founder and cybersecurity professional, and how do they continue to resonate in your day-to-day life? What is the best piece of advice you've received in your career, and how has it influenced you?

Answer 10 🎯

As far as advice, my view is that a lot of it is contextual and generally worth what you pay for.

When you’re trying to figure out how a market will evolve, “Follow the data” … it’s a kind of principle or razor I always come back to… the more unique data you can gather, the more opportunities you have to create value.
For entrepreneurs - what’s slowing you down? What would help you ship faster? Grow faster? There’s this great note from DJ Patil (the first WH data scientist) that I always like to point to.
For anyone thinking about starting a company, get educated about the SAFE and raise your first money. What’s stopping you from pulling together enough money to get a year of runway? Worst case is you go back to work. But this is the first step of jumping off the cliff into owning your own destiny.
For folks early in their career - putting yourself in a place where you’ve got no choice but to succeed is a way to help remove the noise and sharpen the mind. When you’ve got no other choice, you’ll almost always cut away what’s not important and focus on the prize.

‍