Welcome to the second Cloud CISO Perspectives for May 2025. Today, Enrique Alvarez, public sector advisor, Office of the CISO, explores how government agencies can use AI to improve threat detection — and save money at the same time.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
Do more with less: How governments can use AI to save money and improve threat detection
By Enrique Alvarez, public sector advisor, Office of the CISO
Government agencies have long been a pressure chamber for some of cybersecurity’s most confounding problems, particularly constrained budgets and alert fatigue. While there may not be a single, sharp kopis that can slice through this Gordian knot, AI offers a potential solution that we’d be foolish to ignore.
By many measures, the situation government agencies face is dire. Headcounts and budgets are shrinking, cyber threats are increasing, and security alerts routinely threaten to overwhelm security operations center (SOC) team members, increasing toil and reducing effectiveness. The fiscal austerity facing government agencies is further exacerbated by not being able to fill open cybersecurity positions — nor replace departing experienced workers.
Fortunately, advances in AI models and tools provide a way forward.
Discussions around what AI is and what it can do are often sensationalized. For government agencies, a clear understanding of the different AI types is crucial. At its core, AI refers to the ability of machines to simulate human-like cognitive functions such as learning, problem-solving, and decision-making. This broad definition encompasses everything from rule-based systems to complex neural networks.
Scoping the threat: Unique risk profile for government agencies
Cybersecurity threats present significant challenges for government agencies, challenges exacerbated by decades of patchwork defensive measures.
The lack of a clear strategy and standardization across agencies has led to a fragmented security posture and a limited common operational picture, hindering effective threat detection and coordinated response. This decentralized approach creates vulnerabilities and makes it difficult to share timely and actionable threat intelligence.
Many public sector entities operate smaller SOCs with limited teams. This resource constraint makes it challenging to effectively monitor complex networks, analyze the ever-increasing volume of alerts, and proactively hunt for threats. Alert fatigue and burnout are significant concerns in these environments.
Heightened risk from vendor lock-in
A crucial additional factor is that many government agencies operate in de facto vendor lock-in environments. A heavy reliance on one vendor for operating systems, productivity software, and mission-critical operations comes with greatly increased risk.
While these tools are familiar to the workforce, their ubiquity makes them an attractive vector for phishing campaigns and vulnerability exploitation. The Department of Homeland Security’s Cyber Safety Review Board highlighted this risk and provided recommendations focused on protecting digital identity standards. Agencies should be vigilant about securing these environments and mitigating the risks associated with vendor lock-in, which can limit flexibility and increase costs in the long run.
The prevalence of legacy on-premises databases and increasingly complex multicloud infrastructure adds another layer of difficulty. Securing outdated systems alongside diverse cloud environments requires specialized skills and tools, further straining resources and potentially introducing vulnerabilities.
Addressing these multifaceted challenges requires a strategic and coordinated effort focused on standardization, robust security practices, and resource optimization.
How AI can help: Automating the future (of threat detection)
AI-based threat detection models offer a promising path toward a more resilient cybersecurity posture. By combining AI’s advanced capabilities with real-time cybersecurity intelligence and tooling, key cybersecurity workflows can be greatly streamlined.
Workflows such as root cause analysis, threat analysis, and vulnerability impact assessment previously required heavy personnel investment. As we’ve seen, AI-driven automation can provide a crucial assist in scaling to the true scope of the threat landscape, while also accelerating time-to-completion. At Google Cloud, we are seeing the benefits of AI in security today, as these three examples demonstrate.
However, achieving optimal effectiveness for government agencies requires a tailored approach.
Public sector networks often have unique configurations, legacy systems, and security-focused workflows that differ from commercial enterprises. By ingesting agency-specific data — logs, network traffic patterns, and historical incident data — AI models can learn baseline behaviors, identify deviations more accurately, reduce false positives, and improve detection rates for threats specific to public sector networks.
Adding the automation inherent in agentic AI-driven threat detection leads to better security and more sustainable operations. By automating the initial triage and analysis of security alerts, agencies can better respond, predict resource allocation, and develop more accurate cybersecurity budgets. This automation can reduce the need for constant manual intervention in routine tasks, leading to more predictable operational costs and a more effective cybersecurity team.
Ultimately, automating threat detection will maximize the capabilities of SOC staff and reduce toil so that teams can focus on the most important alerts. By offloading repetitive tasks like initial alert analysis and basic threat correlation to agentic AI, human analysts can focus on more complex investigations, proactive threat hunting, and strategic security planning. This shift can improve job satisfaction and also enhance the overall effectiveness and efficiency of the SOC.
At Google Cloud’s Office of the CISO, we’re optimistic that embracing AI can help improve threat detection even as overall budgets are reduced. Sometimes, you really can do more with less.
To learn more about how to implement AI securely and safely, check out our research on common gen AI mistakes to avoid.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- 10 actionable lessons for modernizing security operations: Google Cloud’s Office of the CISO shares lessons learned from the manufacturing sector on how to modernize security operations. Read more.
- Tracking the cost of quantum factoring: Our latest research updates how we characterize the size and performance of a future quantum computer that could likely break current cryptography algorithms. Read more.
- How Confidential Computing lays the foundation for trusted AI: Confidential Computing has redefined how organizations can securely process their most sensitive data in the cloud. Here’s what’s new. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
- How cybercriminals weaponize fake AI-themed websites: Mandiant Threat Defense has been investigating since November a UNC6032 campaign that uses fake AI video generator websites to distribute malware. Here’s what we know. Read more.
- Pwning calendars for command and control: Google Threat Intelligence Group (GTIG) has observed malware, hosted on an exploited government website, that used Google Calendar for command and control and was subsequently used to attack other government websites. The activity has been attributed to APT41. Read more.
- Cybercrime hardening guidance from the frontlines: The U.S. retail sector is currently being targeted in ransomware operations that GTIG suspects are linked to UNC3944, also known as Scattered Spider. UNC3944 is a financially motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. Here are our latest proactive hardening recommendations to combat their threat activities. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Podcasts from Google Cloud
- Betting on the future of security operations with AI-native MDR: What does AI-first managed detection and response get right? What does it miss? How does it compare to traditional security operations? Tenex.AI’s Eric Foster and Venkata Koppaka join hosts Anton Chuvakin and Tim Peacock for a lively discussion about the future of MDR. Listen here.
- AI supply chain security: Old lessons, new poisons, and agentic dreams: How does the AI supply chain differ from other software supply chains? Can agentic AI secure itself? Christine Sizemore, Google Cloud security architect, connects the supply-chain links with Anton and Tim. Listen here.
- What we learned at RSAC 2025: Anton and Tim discuss their RSA Conference experiences this year. How did the show floor hold up to the complicated reality of today’s information security landscape? Listen here.
- How boards can address AI risk: Christian Karam, strategic advisor and investor, joins Office of the CISO’s Alicja Cade and David Homovich to chat about the important role that boards can play in addressing AI-driven risks. Listen here.
- Defender’s Advantage: Confronting a North Korean IT worker incident: Mandiant Consulting’s J.P. Glab joins host Luke McNamara to walk through North Korean IT worker activity — and how Mandiant responds. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.