
What keeps Google's security chief awake at night

Alphabet's Google collects a mountain of data on its users, and its algorithms often know what you want before you do.

And it's the job of the company's vice president of security and privacy engineering, Gerhard Eschelbeck, to defend the information users share with it — from family photos to personal emails — against an increasingly sophisticated, determined and well-funded army of hackers.

"We all have to assume that we are under attack," said Eschelbeck. "What really matters is how we can react, respond and take action based on what we see on our networks."

What keeps him awake at night? Among other things, potential vulnerabilities along Google's vast supply chain.

Any number of the many companies whose products interact with Google's could have weak points that expose the tech giant to an attack that it cannot control. It's a lesson that Target and Home Depot, among others, know well.

Google builds a lot of its own products — like its data centers — from the ground up. But like any large company, it also relies on other players in its supply chain to deliver products — from Chromebooks to Android apps — and because of that there is the potential for risk.

"You can't and shouldn't eliminate your supply chain," Eschelbeck said. "[But] it is something we all should be very concerned about."

A second worry is the fact that small- and medium-sized businesses don't always have the resources to improve their own security. At least some of the answer lies in the cloud, which will give those companies access to security tools they themselves could not build or acquire, he said.

Eschelbeck leads a team of 550 Google employees with the mission "to protect our users' data, all that data you are entrusting us with," he said at the RSA Conference in San Francisco. His team protects 2 billion lines of code, which 25,000 engineers interact with, making more than 45,000 changes on a daily basis.

A veteran of the security industry, Eschelbeck has spent the past 20 years working in security, and said he jumped at the opportunity to join Google back in 2014.

Gerhard Eschelbeck, Google VP Security & Privacy Engineering
Source: Google

When not stress-testing the company's defenses, Eschelbeck's team researches how Google can add better, more sophisticated security into its products. They also review all Google products prior to launch and have the ability to block the release of new products that do not meet its security and privacy standards.

Google's security team is credited with many features, including spam protection, safe browsing and two-factor authentication, which Eschelbeck said is close to his heart. "It's scary to think that 12345 is still the most commonly used password on the Internet," he said.

"I certainly feel we have shown a great deal of innovation on the security side and we have done the same on the privacy side, but we haven't talked as much on privacy," he said. "You see some of the results already in action there, but it will continuously be an effort that I deeply care about."