At Google’s Singapore office last week, Mark Johnston, Director of the Office of the CISO for Asia Pacific, delivered a sobering message: after half a century of cybersecurity innovation, defenders are still losing ground.
“In 69% of incidents in Japan and Asia Pacific, organisations were notified of their own breaches by external entities,” Johnston told a room of reporters, underscoring how many companies still fail to detect intrusions themselves.
The roundtable discussion, titled Cybersecurity in the AI Era, laid bare both the promise and the peril of artificial intelligence in the security landscape.
A 50-year problem that persists
Johnston traced today’s vulnerabilities back to 1972, when cybersecurity pioneer James P. Anderson observed that systems “really don’t protect themselves.” Despite massive technological advances since then, the basics remain unresolved: Google Cloud’s data shows that over three-quarters of breaches begin with configuration errors or stolen credentials.
“Last month alone, we saw a zero-day vulnerability in Microsoft SharePoint that was exploited continuously,” Johnston said, pointing out how common, widely used tools remain prime targets.
AI as weapon and shield
The arrival of generative AI has turned cybersecurity into what experts call a high-stakes arms race. Defenders now deploy AI to analyse data, detect anomalies, and automate responses—but attackers use the same tools to refine phishing campaigns, scan networks, and churn out malware at scale.
“AI affords the best opportunity to upend the Defender’s Dilemma,” Johnston argued, highlighting Google Cloud’s push to give defenders an advantage.
The company is rolling out AI-driven use cases across vulnerability discovery, secure code generation, threat intelligence, and incident response.
One standout example is Project Zero’s “Big Sleep” initiative, where AI models have identified dozens of vulnerabilities in open-source codebases—discoveries that once required extensive manual effort.
Automation: power and pitfalls
Google Cloud envisions a four-step journey for security operations: Manual, Assisted, Semi-autonomous, and eventually Autonomous. Already, AI systems can manage routine monitoring and escalate complex threats to humans.
But automation isn’t without risk.
“There is the potential that this service could be attacked and manipulated,” Johnston admitted, warning that over-reliance could open new vulnerabilities. Kevin Curran, professor of cybersecurity at Ulster University, agreed: “There is still a need for a human copilot, and roles need to be clearly defined.”
To mitigate risks, Google Cloud is testing safeguards such as Model Armor, which filters AI outputs to prevent irrelevant, off-brand, or unsafe responses. The company is also targeting “shadow AI”—unauthorised tools deployed by employees without oversight—by expanding its sensitive data protection solutions.
Budgets under pressure
Even as threats multiply, many Asia Pacific CISOs face budget ceilings.
“We’re seeing more noise,” Johnston said. “It may not be super sophisticated, but more noise is more overhead, and that costs more to deal with.” Security leaders increasingly seek partners to stretch limited resources rather than expand headcount.
Preparing for tomorrow’s threats
Looking beyond AI, Google Cloud is already preparing for quantum computing risks, deploying post-quantum cryptography across its global data centres. The move reflects a broader strategy: staying a step ahead, even as new technologies shift the landscape.
The bottom line
Google Cloud’s AI initiatives underscore the dual reality of modern cybersecurity. AI is enabling faster detection and smarter defences, yet attackers are equally quick to exploit the same innovations.
As Johnston concluded, “We should adopt these in low-risk approaches,” reminding organisations that technology alone won’t solve the security crisis. The winners of the AI security race will be those who combine innovation with sound governance, strong human oversight, and a focus on getting the basics right.
