Welcome to the first Cloud CISO Perspectives for April 2026. Today, Thiébaut Meyer and Lia Wertheimer from Google Cloud’s Office of the CISO share Thiébaut’s conversation with Matt Rowe, chief security officer, Lloyds Banking Group, on how security leaders can simultaneously pursue technical and cultural resilience.
As with all Cloud CISO Perspectives, the contents of this newsletter are posted to the Google Cloud blog. If you’re reading this on the website and you’d like to receive the email version, you can subscribe here.
How CISOs can pursue technical and cultural resilience (Q&A)
By Thiébaut Meyer, Director, and Lia Wertheimer, Program Manager, Office of the CISO
Thiébaut Meyer, Director, Office of the CISO
In cybersecurity, we have long operated under a dangerous assumption: that the “always-on” nature of the role is a badge of honor. We treat the CISO as a biological shock absorber, expected to sustain high-performance output amidst a state of permanent volatility. But as the pace of change continues to accelerate, we are reaching a tipping point where this reliance on individual effort is no longer a sustainable strategy — it is a structural fragility.
Lia Wertheimer, Program Manager, Office of the CISO
To address the constant reactivity mode and the compounding demands placed on security leaders and their teams, we must move beyond a focus on personal grit and toward a dual mandate of resilience. This requires an honest look at where our technical structures and our human cultures intersect.
True resilience is more than a single initiative. It’s the intersection of two distinct disciplines:
- Operational resilience: This is the technical “shift down,” a process of radical consolidation and simplification that can reduce the noise of fragmented tools to build a secure-by-default foundation. It’s about creating a technical environment that is robust enough to survive shocks — without constant manual intervention.
- Cultural resilience: This is the organizational “safe system of work” that focuses on the mindset, behaviors, and psychological safety required to keep a team effective under pressure. This system can help a team adapt and thrive even when the technical systems are under fire (or on fire).
When these two resilience strategies align, we move from a state of “chaos coordination” to a sustainable operating model.
We sat down with Matt Rowe, chief security officer, Lloyds Banking Group, to explore how to pursue this alignment at a recent CISO Community event in Madrid. While our technical discussions at the event focused on shifting down the stack to manage sprawl, Matt offered a masterclass in the human side of the equation. We compared notes on how to scale these performance insights into a functional department that can endure the long game.
The following transcript has been lightly edited.
Thiébaut Meyer: We often talk about the CISO’s endurance as a personal burden to carry, but you’ve argued that we need to bake that resilience into the very fabric of the security function. In my view, high performance and resilience are inseparable — can you talk about how you see that relationship playing out in a high-stakes environment?
Matt Rowe: I couldn’t agree more, Thiébaut. I see them as two sides of the same coin. This is a tough gig: The stakes are high and the pace is relentless.
There’s a Haitian proverb: “Behind the mountains, more mountains.” In cybersecurity, that’s our daily reality. Resilience at the team level is about creating the conditions where people can keep climbing those mountains without losing their intrinsic motivation.
Thiébaut Meyer: I’ve observed a tug-of-war in our industry. We treat the CISO as a biological asset that must be ‘fueled’ for 24/7 performance, yet the mission often demands an unsustainable fusion of the leader’s identity with the role itself. How do you think we move toward a model where the organization, not the individual, is the shock absorber?
Matt Rowe: I think we need to have three things in balance: the needs of the individual, the needs of the team, and the needs of the company. While wellness is the engine, the team dialogue should be about how we get from good outcomes to great outcomes. We can’t just focus on the individual in a vacuum, we have to show how their unique strengths ladder up to the team’s success.
Thiébaut Meyer: Like many CISOs, I’ve spent my fair share of time on that continuous treadmill where you feel there isn’t a second to breathe. I’ve personally found that if we don’t force a pause, the team will eventually break. How are you building that into your own operating model?
Matt Rowe: You have to artificially create moments of pause and recovery. Because the mountains are endless, the leader must set the cadence. We have to get people inspired to have great impact and create conditions where people are striving to do even better.
When there is more to do than time allows, the answer is disciplined prioritization. It’s an opportunity to get really good at saying “not now,” so the team can focus on what actually moves the needle.
Thiébaut Meyer: I’m a firm believer that psychological safety isn’t something you can just delegate. You have to model it yourself, especially when things go wrong. How do you approach modeling psychological safety at a large organization?
Matt Rowe: For me, it starts with transparency. People need to see me being challenged and observe how I react. It’s about making it obvious that being brave — speaking up, or questioning a process — is what we value. We have to create proof points where people who operate with psychological safety are seen as the role models.
Thiébaut Meyer: We’ve both seen the risks of security teams becoming silos or even fortresses against the rest of the organization. How do you ensure a resilient team remains a business enabler?
Matt Rowe: You have to embed the team’s objectives directly into business priorities. If the company’s mission is to provide lending to small businesses, our mission is to enable them to get those products to market faster and safely.
When the team sees themselves as stewards of the business mission, it changes the mindset from one of security versus the business to one of shared resilience.
Learn more about building resilient organizations
Building a resilient organization is a continuous journey. As we navigate the mountains ahead, protecting our teams starts with protecting the people behind the roles.
- Seize the reset moment: Use consolidation as a catalyst to demystify complexity. Reducing the tool stack is the first step toward reducing the mental load on your team.
- Be like water: Adopt a mindset of flexibility. The most resilient organizations are those that can make quick, flexible decisions.
- Mandate the pause: In an environment of endless mountains, the leader’s primary job is to set the cadence of recovery and enforce disciplined prioritization.
- Architecture over effort: Resilience isn’t about being tough enough to handle adverse situations, it’s about being more intentional with our technology, our team design, and our shared mission so that we can achieve our goals and avoid burning out.
While it’s a full house at Google Cloud Next in Las Vegas, you can still be part of the action by registering for a complimentary digital ticket to access select sessions.
In case you missed it
Here are the latest updates, products, services, and resources from our security teams so far this month:
- How Google Does It: An inside look at cybersecurity: Learn how Google approaches some of today’s most pressing security topics, challenges and concerns, straight from Google experts. View the collection.
- Raising the security baseline: Essential AI and cloud security now on by default: To support the next generation of AI innovators, we are offering on by default essential AI security and cloud security in Security Command Center Standard. Read more.
- Guardrails at the gateway: Securing AI inference on GKE with Model Armor: Here’s how to secure AI inference on Google Kubernetes Engine with Model Armor and high-performance storage. Read more.
- Google Cloud named a Leader in The Forrester Wave™: Sovereign Cloud Platforms, Q2 2026: Google Cloud has been named a Leader in The Forrester Wave™: Sovereign Cloud Platforms, Q2 2026, validating our portfolio of choice approach. Read more.
- See beyond the IP and secure URLs with Google Cloud NGFW: Announcing domain filtering with a wildcard capability in Cloud NGFW Enterprise, providing increased security and granular policy controls. Read more.
- VRP 2025 year in review: How did Google’s vulnerability reward program do in its 15th year? $17 million awarded, more than 40% over the previous year. Read more.
- Google Workspace’s continuous approach to mitigating indirect prompt injections: We’re sharing more detail on the continuous approach we take to improve the layered architecture of our indirect prompt injection defenses, and to solve for new attacks. Read more.
- Protecting cookies with Device Bound Session Credentials: A significant step forward in our ongoing efforts to combat session theft, Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, and expanding to macOS in an upcoming Chrome release. Read more.
Please visit the Google Cloud blog for more security stories published this month.
Threat Intelligence news
- M-Trends 2026: Data, insights, and strategies from the frontlines: Grounded in over 500,000 hours of frontline incident investigations conducted by Mandiant globally in 2025, M-Trends 2026 provides a definitive look at the TTPs actively being used in breaches today. Read more.
- iOS exploit chain DarkSword adopted by multiple threat actors: Google Threat Intelligence Group (GTIG) has identified a new full-chain exploit that uses zero-day vulnerabilities to compromise iOS devices, and has observed multiple commercial surveillance vendors and suspected state-sponsored actors using it in distinct campaigns. Read more.
- vSphere and BRICKSTORM Malware: A defender’s guide: To help organizations stay ahead of the risks documented in recent BRICKSTORM research from Google Threat Intelligence Group (GTIG), we’ve created this guide to help you focus on essential hardening strategies and mitigating controls necessary to secure critical assets. There’s also an automated script to help you apply some of the guidance. Read more.
- North Korea-nexus threat actors abused compromised Axios NPM package in supply chain attack: GTIG is tracking an active software supply chain attack targeting Axios, a popular node package manager (NPM). We attribute this activity to UNC1069, a financially-motivated North Korea-nexus threat actor active since at least 2018. Read more.
Please visit the Google Cloud blog for more threat intelligence stories published this month.
Now hear this: Podcasts from Google Cloud
- Can AI-native MDR fix broken SOC workflows: Tenex.AI’s Eric Foster and Bashar Abouseido discuss the impact of AI on security operations center workflows, and how best to measure its success, with hosts Anton Chuvakin and Tim Peacock. Listen here.
- Why we keep failing at supply chain security: Have we reached the point where our security tooling is actually our largest unmanaged attack surface? Dan Lorenc, founder and CEO, Chainguard, chats about how convenience impacts supply chain security, with hosts Anton and Tim. Listen here.
- Defender’s Advantage: Using Google Threat Intelligence to hunt adversaries on the dark web: Host Luke McNamara sits down with Google Threat Intelligence experts Jose Nazario and Brandon Wood on the new dark web and underground monitoring capabilities, and how AI is fundamentally changing the way defenders track adversaries. Listen here.
- Behind the Binary: What happens when botnet operators show up in court: Host Josh Stroschein is joined by Pierre-Marc Bureau from Google’s Threat Analysis Group (TAG) to unpack the unprecedented takedown of the Glupteba botnet, from reverse engineering binaries to a surreal showdown in a New York courtroom. Listen here.
To have our Cloud CISO Perspectives post delivered twice a month to your inbox, sign up for our newsletter. We’ll be back in a few weeks with more security-related updates from Google Cloud.