Cyberattacks are occurring more often in more places than ever before, but considering the scale of digitization afoot things could be so much worse. 

“Sometimes I think we’ve got the statistics wrong,” Google Cloud VP and CISO Phil Venables said. 

This perspective, in an era of spreading risk, helps explain why he describes himself as “short-term pessimistic, long-term optimistic.”

It's an ethos often portrayed by cybersecurity professionals and perhaps most notably among those who have unique access, allowing them to observe threats most people aren’t aware of, lurking in the shadows.

Venables appreciates the security wins, anything that makes life more difficult for threat actors, and credits existing defenses for foiling what could be a much greater rate of attacks.

“If you could look at incidents as a percentage of the potential incidents that there could be, I think that ratio is at least flat, if not down,” he said. “If it wasn’t, you would expect way more incidents.”

While modern levels of defense and control offer hope, Venables recognizes many organizations have yet to embrace important capabilities such as phishing-resistant authentication.

Phishing attacks are more than an example — they are a common vector for intrusion. Phishing poses a serious threat, as employees and cybersecurity teams at Cisco, Cloudflare and Twilio were all reminded of recently to varying extents.

Venables' short-term pessimism creeps in because of standing defense strategies: many points of potential compromise remain unmitigated and open to attack.

Sophisticated attackers aren’t breaking into sophisticated defenses as much as “supposedly-sophisticated attackers” are breaking into something that wasn’t as protected as it could have been, Venables said. 

Threat actors primarily break into systems via software vulnerabilities, business email compromise and phishing attacks.

Meanwhile, too much on-premises and legacy technology isn’t kept up to date, and much of that has to be upgraded. Human behavior and technology both play a role, carrying benefits and weaknesses.

Modernizing technology infrastructure, whether it's the public cloud or on-premise modern IT environments, still represents the best investment any organization can make in cybersecurity, according to Venables.

“Sometimes [organizations] invest too much in cybersecurity at the expense of not modernizing their IT, and that’s like building on a foundation of sand,” he said.

Attacks and threats aren’t going away but Venables is confident the industry will maintain momentum by consistently making attackers work harder. This comes from building security into products instead of bolting it on, ensuring cloud instances are properly configured and elevating security controls and encryption by default wherever possible, he said.

“Although, you know,” Venables said. “As a security person, I’ve got to be guardedly optimistic at best.”