Gerhard Eschelbeck, Google’s VP of security and privacy engineering, worked at Qualys in the early- to mid-2000s and remembers it as a then-fledgling company brimming with passion and energy about its mission to change vulnerability management.
“It’s amazing to see the growth of the company, and the success and the trust you all have given to a technology that started about 15 years ago,” Eschelbeck said Wednesday at his keynote titled “My Life as a Chief Security Officer” during the Qualys Security Conference in Las Vegas.
Since then, the stakes have risen in the information security industry, driven equally by the aggressiveness of hackers and by the sophistication of protection mechanisms that have been developed. Qualys is emblematic of the latter, Eschelbeck said.
“Just looking alone at the expansion and growth Qualys has experienced over the past 15 years, it’s pretty impressive, from its start as a VM scanner in the cloud to a platform of technologies that protects enterprises today,” he said.
Security at Google
At Google, which he joined about two years ago, Eschelbeck leads a global team of about 600 tasked with protecting users’ data and privacy. “We look at security and privacy for Google as two sides of the same coin,” he said.
Google has made a big bet on the cloud, and it understands that security will be a deciding factor for its success.
Diversity is at the root of Google’s approach to security. Eschelbeck’s team is spread out over 14 locations worldwide, and the staff – engineers, product managers, researchers – is diverse in many ways, including background, education, capabilities and culture.
“That’s what’s needed in security,” he said.
During a question-and-answer period, Eschelbeck was asked for his opinion on the importance of network visibility in security – the main topic of the conference – and on how well Google is doing in this area.
“We have tremendous visibility into our infrastructure based on the defense mechanisms we have in place,” he said.
“We have a very clear picture of what we have on our network and therefore we can apply the respective defense mechanisms and protections,” he added.
Asked what keeps him up at night, Eschelbeck answered with a common concern for businesses everywhere: supply chain risk.
He said that while Google is fortunate that it can build most of its computer systems itself, it still has to rely on hardware and infrastructure partners to a certain extent.
While it does very deep and granular security audits of those partners and products, it’s continually aiming for more transparency and openness.
“It’s an area where there are some blind spots,” he said.