Google Cloud's New CISO Chris Betz on Integrating AI in Cyber Defenses

Written by

Chris Betz has officially taken the helm as the new CISO of Google Cloud. Transitioning from his previous role as Google's VP of infrastructure security, Betz is stepping up to lead the company’s security posture at a critical turning point in the industry.

In his very first interview since assuming the CISO title, he shared his vision on the role generative AI will play in defending global enterprises.

Coinciding with his transition, Betz published a key blog post on the Google Cloud blog titled Cloud CISO Perspectives: The 4 lessons that guided AI threat defense. In the article, he lays out Google's playbook for using AI to defend against AI, advocating for a multi-model approach, robust security harnesses and the irreplaceable value of human expertise in modern cyber defense.

Under his leadership, Google Cloud’s Office of the CISO reports directly to him. This organizational alignment places Betz at the center of both Google’s internal security engineering efforts and its customer-facing security advisory initiatives.

Betz previously served as the CISO of Amazon Web Services (AWS) and Capital One. He has also held senior security engineering and response roles at Microsoft, Apple and CenturyLink. His career began in the US Air Force, followed by intelligence and security work at the National Security Agency (NSA).

Infosecurity Magazine: You have recently moved jobs within Google Cloud, from VP of infrastructure security to CISO. What does it change in your daily missions?

Christ Betz: In practice, it is simply a title change and very much the continuation of the work I’ve been doing since I joined Google in 2025, only I get to do even more customer engagement now, especially on AI threats and the transformations we’re seeing in that space.

I've been leading the Google Cloud CISO team for a year now. I get to spend a lot of time with engineering groups across Google Cloud and inside of the CISO team.

I'm also responsible for the security of Google Cloud and its underlying infrastructure, meaning I also get to work with customers and help them be their most secure when they're riding on top of our cloud.

One of the things that I enjoy most about roles like this one is the fact that I get to make a difference not just to Google but to customers globally. My career began in the Air Force because I wanted to serve and do something that was meaningful at a global scale. This is one of those threads that have taken me through many hops in my career, and Google Cloud is just one of those places as it sits in the middle of a frontier AI lab, with billions of cloud customers around the world.

IM: What is the most pressing challenge that Google Cloud faces today?

CB: The world of cybersecurity is changing so rapidly, especially in the time of AI. Today, we can't bring traditional security to an AI-first battle, so we need to continue to develop, improve and share broadly with the community the capabilities that let us bring AI to defend ourselves against AI.

I'm in the fortunate position of being in a cutting-edge company that has a frontier AI lab, and so that gets to change that conversation.

I can't think of anybody that I've been talking to in the past several months within the CISO teams who is not using AI as a significant part of their workflow. This means their job is changing week over week, month over month, as they're getting more and more capabilities.

I think one of the biggest challenges for me right now is to figure out I can get them more AI capacity so they can move faster, which is a fun problem to have.

IM: What's your framework for integrating AI in cyber defenses?

CB: There are three key pillars when it comes to building AI-powered security defenses: the security expert, the harness, and the model – in that order. Use multiple AI models, have a well-developed harness and have it all guided by the right expert and you'll be the most impactful.

At Google Cloud, we don't use just one AI model, and I would recommend the same to our customers. We have our models, we’re part of Anthropic’s Project Glasswing and my teams are using all sorts of different models.

Different models have different strengths and even running the same model against the same problem will come up sometimes with different answers. Additionally, this world changes so rapidly that trying to keep up with any one particular model could become difficult, so we advocate for a multi-model approach.

"A less capable model with a good harness and a good expert is more powerful than the best model without a good harness or good experts."

Also, one key challenge with AI models is achieving the maximum capability while keeping the cost for tokens as low as possible. The multi-model helps achieving the best price point while getting the maximum coverage for the tasks we need to perform.

Then comes the harness. An AI harness is a tool plugged into the AI model that helps the user bring the context, the data and includes a threat model and guidance for the model about how and where to focus in order to perform a task, like finding vulnerabilities. A harness includes code and a complex set of skills, so it does take an expert engineer to make it work.

If you can only pick two of these three pillars, we recommend expertise and harness. A less capable model with a good harness and a good expert is more powerful than the best model without a good harness or good experts.

IM: When you were CISO at AWS, you said the best security defense is good offense. How are you applying this at Google Cloud?

CB: This is why we’re so deeply involved with discovering vulnerabilities and fixing them. Attackers try to use the same tools defenders use. Doing it first for ourselves and our customers before an adversary does is the name of the game.

I've talked with CISOs in France, Germany and the UK and every single one of them said they’re seeing more than 10 times the number of vulnerabilities than ever before.

I've got multiple red teams across Google. Some are focused on Google Cloud and they have been involved in developing projects and products to ensure we can find and fix vulnerabilities before anybody else does – like Naptime, Big Sleep and CodeMender.

In 2024, our Naptime project focused on automating vulnerabilities finding, then Big Sleep focused on doing that at scale.

Now, fixing vulnerabilities is the key next step, and so that's where CodeMender, launched last fall, helped us gave us some set of proof points around fixing vulnerabilities. CodeMender is designed with a ‘bring-your-own-model’ approach. You can certainly use Gemini but you can use other models as well.

There is no one model, no one method that finds all the vulnerabilities today, but the cool thing is that those capabilities are even more powerful in the hands of defenders, who have context, relevant data and the full insight on the stack – something that attackers only dream of. We’re looking to an absolutely exciting next six to 18 months.

IM: Vulnerabilities in open-source projects are getting a lot of attention as they are causing large-scale breaches. How is Google Cloud contributing to improving the software supply chain?

CB: We have a rich and incredibly valuable open-source community.

What you're talking about is exactly why we've invested in programs like Alpha-Omega, an initiative sponsored by the Linux Foundation that aims to invest with others in funding open-source projects in order to implement security improvements.

Internally, I'm reviewing where I want to use open-source assets and where I don't need them and can replace them with AI-developed code. I'm looking at building frameworks that help us change that open-source model from non-memory-safe languages (C, C++ etc.) to memory safe ones, like Rust.

We’ve found that there's a large number of open-source dependencies where we actually consume very little of the code. In those cases, it's not helpful to carry the dependency, and so and AI-based software development could allow us to have the right solution at the right place in order to de-risk and reduce the patch churn.

IM: Are you not worried that AI-powered codes might also bring some more vulnerabilities?

CB: That's exactly why we do human in the loop development. We've got automated AI-based code review processes and security code review processes on all the code we ship, because we need to maintain that quality bar.

That’s also why I want to emphasize the importance of a deep relationship between the security team and the engineering teams. A security team that finds vulnerabilities but does not have the right engineering partnership to actually put the fixes into production isn't going to be successful in protecting their customers.

IM: What is the most significant challenge in cybersecurity at the moment?

CB: The speed at which AI is driving us to innovate and how we apply AI defenses to a set of AI threats is the biggest technical challenge we're facing now, and probably over the next couple years.

Coupled with that is finding the right set of people who help us lean into that problem, who innovate at a massive scale, because no CISO can do this on their own, this is a people problem. They're using tools and developing tools in ways they never have before, but getting the right talent is equally challenging.

IM: What's exciting you the most in cybersecurity today?

CB: I'm excited about where the vulnerability story could go two years from now.

We've been fighting vulnerabilities for decades. Now we've got a hard few years ahead of us, but the number of vulnerabilities that we may see in software a couple years from now may be minuscule compared to where we are today, and where we've been.

IM: If you could give one piece of advice to fellow CISOs, what would it be?

CB: Take advantage of this moment right now.

The public awareness of the vulnerability space is like it's never been before. This is an opportunity for us where business leaders and boards will understand the problem like they never have before. Now is the time to help take them on the journey, so that you can solve that problem for your business.

Image credits: Sundry Photography /  Jonathan Weiss / Shutterstock.com

What’s Hot on Infosecurity Magazine?