Google’s famous 80/20 policy, under which employees are encouraged to spend one fifth of their working hours away from the daily grind, focusing on projects that satisfy their passion, creativity and innovative spirit, extends even to the team responsible for keeping the company’s products – and users’ data – safe and secure.
“We continuously conduct research,” Gerhard Eschelbeck, Google’s VP of Security Engineering, told 500 attendees in a packed room at the 2016 RSA Conference in San Francisco. “I have a team of almost 600 researchers, engineers, product managers and others with one thing in mind: protect our users’ data.”
Of course, he said, the “bad guys” are always innovating, which means that Google’s team needs not only to deal with current attacks and vulnerabilities but also to innovate themselves, so as to be as prepared as possible for the next thing – the thing nobody has thought of yet.
Eschelbeck has only been at Google since 2014, but has worked in computer security for more than 20 years, including CTO positions at Qualys, Webroot and Sophos. He said that while his long experience gives him perspective on the evolution of software attacks, nothing could have prepared him for the scale and speed at which things happen at Google.
“Our team continuously reviews every single product launch at Google – there are hundreds going on at any one time,” he said. “And we also look at how the threat landscape is changing. It provides important input into our decision-making about the defense mechanisms we’re putting in place.”
Eschelbeck has seen threat trends wax and wane over the years – viruses were big in the 1990s, and then worms took over in the early 2000s. Five years later, spyware became a big thing, followed by advanced persistent threats. Today everyone is trying to solve the issue of cloud security.
At each stage, the threats have gotten more complicated, and more has been at stake.
“I look back and smile at what we were dealing with before,” Eschelbeck said, taking a moment to marvel at the complexity of the material for whose safety he is responsible. “We have about two billion lines of code. It’s 25 terabytes of data. We make 45,000 changes every day. Meanwhile, the bad guys have become much more sophisticated in what they do.”
He predicts that by 2020, security teams will be dealing with a world of connected devices, working out how to build in security mechanisms like encryption and authentication to prevent new and nasty forms of hacking.
He acknowledged that not every company has the resources to prepare for the future by implementing an 80/20 policy. Get the foundation of your company solid first, he said, before building this kind of program into the formula.
Even as he works to anticipate future problems, Eschelbeck maintains his humility about how much we can really foresee.
“I didn’t realize where this was going 20 years ago,” he said. “There has not been a single boring day in my life in all those years.”
Picture credit - Ilton Duccini @iduccini