In the early 2000s, cybersecurity was often a small team tucked away inside an IT department. Today, it is a multi-billion-dollar industry and a mandatory topic for board-level discussions. However, as the technical landscape becomes more complex with cloud, mobile, and IoT technologies, the most critical factor for a successful security program is often the most underrated: Trust.
We sat down with Sandeep Agarwal, a security specialist at Google Cloud with two decades of experience across audit, compliance, and risk management. Sandeep shared his insights on why culture beats tools, how to move from being the “Department of No,” and why the cloud requires a shift from periodic audits to real-time awareness.
You can read the complete transcript of the epiosde here >
Defining Trust: Consistency and Control
Many security leaders are fixated on the latest, “fanciest” tools, but Sandeep argues that a good security culture is the true foundation of safety. He defines trust as being gained through two primary avenues:
- Consistency: Trust is established when teams observe a long-term alignment between what a security team says and what they actually do.
- Relinquishing Control: Security teams often fall into the trap of over-imposing restrictions (such as blocking news or social media), which breeds resentment. True trust is built by giving control back to teams and relying on their good judgment.
As the saying goes, it can take 20 years to build a reputation and only five minutes to ruin it.
Bridging the Gap: Moving to the “Path to Yes”
A common structural failure in organizations is the “isolation of objectives”. While CEOs generally care about increasing revenue, decreasing costs, and reducing risk, individual teams often work at cross-purposes :
- Business units focus solely on revenue.
- Operations focus on cost reduction.
- Security and risk teams focus exclusively on eliminating risk.
This mindset creates a culture where teams feel they can only succeed at the expense of others. To solve this, Sandeep recommends adopting a partner mindset. Security should not be a “Department of No”. Instead, security professionals should provide a “Path to Yes,” outlining the specific conditions or guardrails required to make a business initiative safe. The ultimate goal of any program should be to maximize business value at a minimum risk and minimum cost.
The Virtuous Cycle: Blameless Postmortems
Security is a field that is often only “felt” when it fails. How an organization handles an incident defines its culture.
- Avoid the Blame Game: If you look for a “proverbial neck to hang” when an employee makes a mistake, people will stop reporting incidents.
- Celebrate the Messenger: Organizations should make it extremely easy to raise an alarm and celebrate those who do, even if the alarm turns out to be false.
- Blameless Postmortems: Focus on why something happened rather than who did it. This fosters a “virtuous cycle” where transparency improves the collective security posture.
Modernizing Awareness: Tech Over Training
Sandeep is notably critical of traditional, hour-long security awareness training, which most users find miserable. He suggests that modern technology can “minimize the cognitive load” on users, effectively solving the problems that training aims to address:
- Phishing: Implementing FIDO-compliant hardware security keys provides phishing-resistant MFA, potentially eliminating the need for traditional phishing training.
- Passwords: Passkeys and passwordless authentication remove the burden of creating and rotating complex passwords.
- Data Leakage: Using cloud-native document sharing (sending links instead of attachments) ensures that even if an email is sent to the wrong person, no data is leaked unless they are explicitly granted access.
Security Boundaries and Real-Time Audits
Implementing the Principle of Least Privilege is essential but difficult. For technical resources, Infrastructure as Code (IaC) is the best tool because it allows an organization to define exactly what is allowed and disallowed in an environment.
For human users, Sandeep recommends a data-driven approach:
- Start Broad, then Narrow: Give wider permissions initially, then use policy intelligence tools to analyze historical activity. If a user only uses 70 out of 4,000 granted permissions, the policy can be intelligently narrowed down.
- Environment Specificity: Production environments should be highly risk-averse, while innovation sandboxes and dev-test environments should be liberal to encourage productivity.
Crucially, the cloud requires real-time auditing. Traditional periodic audits (every 6–12 months) are ineffective because the cloud is a “living, breathing animal”. By the time an offline spreadsheet checklist is remediated, the cloud environment has likely changed by 50-60%.
Compliance is a Milestone, Not a Destination
There is a common debate regarding compliance vs. security. Sandeep views certifications (like SOC 2 or HIPAA) as milestones and “checkpoints to benchmark yourself against the industry”. While they provide a necessary structure to otherwise nebulous risk management and build trust with external stakeholders, they do not equal 100% security. You can be compliant while still being “horrible in security”. Ultimately, the goal is risk management, not a “bunch of paper”.
