Taming the Cloud Monster: Pierre Noel, CISO EMEA @Expel

Cloud was supposed to simplify security. Instead, as Pierre Noel puts it, we’ve created a Frankenstein’s monster, a system so flexible and configurable that it often overwhelms the very teams meant to secure it. In this episode, recorded live at our CloudHub Berlin event, Pierre brings one of the widest perspectives in modern cybersecurity. As CISO EMEA at Expel, and with a career spanning Microsoft, Huawei, Airbus, and advisory roles to national cybersecurity authorities, he’s seen cloud transformation from every angle: technical, political, operational, and geopolitical. We dive into why traditional security thinking collapses in the cloud, how identity and configuration drift now drive most incidents, and why CISOs must rethink the mental models they carried from the datacenter era. Pierre also breaks down the real state of AI in security, why attackers benefit more from it today than defenders, and how security teams should realistically integrate automation without falling for hype. But the heart of the conversation is human. Pierre shares scars from decades of work: moments where boards dismissed risks, where technical teams misjudged business priorities, and where psychology mattered more than any tool. His message is clear: behind every incident is a human, and behind every resilient organization is a CISO who understands people as well as technology.

This transcript was generated automatically by AI. If you find any mistakes, please email us.

Announcer: Hello, everyone. You're listening to Cloud Next, your go-to source for cloud innovation and leaders' insight, brought to you by GlobalDots.

Ganesh the Awesome: Some call the cloud the greatest enabler of our time. Our guest today, Pierre Noel, once called it inevitable, but now he compares it to Frankenstein's monster. Something built with the best of intentions, yet threatening to overwhelm the very people meant to control it. Pierre is CISO of EMEA at Expel, and his career spans Microsoft, Huawei, Airbus, and government advisory boards from Oman to Saudi Arabia. Few have seen the cloud and security story from as many angles. I'm Ganesh, the awesome solutions architect at GlobalDots, where we research innovations every day so you don't have to. We're at CloudHub Berlin, where physical meets digital, surrounded by tech leaders tackling today's biggest challenges. And Pierre, that's exactly where I'd like to start. When you were at Microsoft, you referred to the cloud as inevitable, as we said. Now you've described it as Frankenstein's monsters that CISOs must manage. What do you mean by that? And how do we control the beast?

Pierre Noel: Well, the reality is when the cloud appeared, it became so obvious. As a simple company, as a single company, you cannot manage all the bad guys. Even the large organizations such as Bank of America or Citibank, these are my friends, they had big billion-dollar budgets, yet they would be attacked. So we realized that being alone doesn't work. You've got to find another way because the attacking framework, the attackant, are so many and the way they can attack you is so diverse that you cannot possibly, with your own company, address all these problems by yourself. And so when AWS and then Microsoft came with the notion of the cloud, and they came with the idea of making the cloud very secure and also especially in the context of Microsoft, where Microsoft having Windows all over, we would be able to collect a lot of information from these billions of machines and derive some information that no one else, no Citibank, no Bank of America, no government could collect. And we could use that information to secure the environment. So that was the reason why I thought the cloud was inevitable, because it made so much sense. If you were to move your workload in the cloud, you knew that you would be protected by an environment that would be much more effective than whatever you could build by yourself. So that was version one, and then many people moved to the cloud and the cloud still is inevitable, but the cloud became more and more complex. The cloud does more and more things. And when you operate as a normal customer of a cloud, when you operate the cloud, you have so much tuning that you can do, that you have to do. So the problem shifted. In the past we were worried about standard issues, standard attacks. Now these standard attacks, they're being handled by the cloud provider. The problem is usually your problem because you are fine-tuning your cloud. You're not very good in your identity and access management.
You're not very good in making sure that the code you generate is sound. And so you rely too much on the cloud and you realize that you created yourself another monster by sitting on top of the cloud and having all this flexibility which is an open door to security incidents. So cloud is a great thing, but cloud is also a Frankenstein or the monster of Frankenstein because it makes things incredibly more complex. And cloud security today cannot be solved the way we used to fix security before the cloud. There is a shift, there's a different way of doing things and many CISOs, the old ones, like myself if you will, people who have been in this business for a long time had mental difficulty to understand that we have a different paradigm, we have a different environment. And what used to work when we had to protect our data center, you know, firewall and things like that, is irrelevant when you have a cloud system or when you operate in the cloud. Sorry, it's a long answer to your question.

Ganesh the Awesome: No, no, it's a perfectly good answer. Makes a lot of sense. And I, I lived through that paradigm myself. So I'm, I'm acutely familiar with, with all the challenges that came with that compared to traditional firewalls and, and, and like the on-premise world. We want to talk a little bit about AI, but of course we can't not talk about AI and the way it's reshaping security. But it cuts both ways because the defenders can use it and the attackers can use it. What's your experience on, on where that's giving advantage to the adversaries as opposed to the good guys?

Pierre Noel: That's a fantastic question. My, my very good friends from Section 8 to hundreds whom Tomo might, might know, you know, the Israeli Defense.

Ganesh the Awesome: Forces, the, the, the Israeli tech boys.

Pierre Noel: Essentially they say that they still don't see AI to be good enough to defend, but they stay, they see AI to be certainly good enough to attack. And I would agree there is some very basic logic behind that. AI is based on what has happened in the past. If today I come with something totally new, totally unexpected, I will not be able to derive anything from the past. That's also a reason why cyber insurance is such a difficult task. Because when you cyber insure a company, you are assessing a company based on the past. You cannot assess the company based on what's going to happen. AI is the same. AI from a defense point of view will always be one step behind. Always be one step behind. So AI is fantastic. It will help me to automate some aspects of my problem. But I need a human AI. One of the great AI geniuses said AI is like a hammer, but you have to know how to use a hammer. You have to know what question to ask. You have to know what nail you want to, to punch. That's what AI is. AI will not come up by itself with a brand new thing, with a brand new attack, or with a brand new way to protect against attacks that are unknown today. And so from that angle, AI is helpful from a defense point of view. But AI is not the panacea from a defense point of view. From an offense point of view, it's fantastic. It's making life so much easier for a lot of people, saving a lot of money.

Ganesh the Awesome: I definitely see that. And I read an interesting article about Expo who make the, the AI pen testing tool and it's now the number one top rated hacker on the, on HackerOne. So the best, the best pen tester slash bug bounty in the world is now AI, which makes perfect sense because it makes perfect sense basically.

Pierre Noel: But this being said, you know, I was at Microsoft, so I was the CEO of Microsoft for Asia, so I was very close to what happened at Microsoft. At Microsoft we relied, and we still rely on a very shop, on a very small company to test all our products, well, all day products, I'm no longer Microsoft to test all day products before they go production. So yes, they use AI and so on, but you still rely on the human side to make sure that the product, your next version of Windows, your next version of Xbox and so on, or your next Azure version is reasonably protected against all the foreseeable types of attacks. So the human is still there.

Ganesh the Awesome: Makes sense. In our prep talk you said you carry many scars from years in the field for being CISO in various places. Can you give us some of those examples? Things you learned the hard way or other things you could advise to CISOs of the now.

Pierre Noel: Fantastic. You ask a great question. You know, here is an example where I learned something very, very useful. I was asked by an airline company many years ago to do an assessment of the cybersecurity. So I spent quite some time with the team trying to assess what could go wrong and trying to figure out some scenarios of things that could go wrong. And we found scenarios that things could go very badly wrong. And so I was very pumped up and I thought, I really need to speak to the board of that company and let them understand the reality of these risks. And so they granted me access because I knew these people. I knew some of these people. They said, yes, you can speak to the board. And I spoke to the board and the executive directors, the CEO and so on. And I started explaining the different scenarios we had unveiled. They laughed at me. They laughed at me because they told me in a very patronizing way, you know, Pierre, what you consider to be an extreme risk from your little perspective is barely an orange risk from our perspective because we are an airline company where people can die. If you tell me that because of this problem, we cannot sell a ticket for 15 minutes. And this is really important. Yes, but you have to put things in perspective. So the lesson that taught me is never work in a vacuum when it comes to cybersecurity. You are here to service a business. You have to understand the business. You have to contextualize. For example, the way you assess your risk should not be something you do on your own. That should be enterprise risk management. You should embed within enterprise risk management. And then it makes you very humble because you will realize that some of these things that you believe are very important, in fact are barely noticeable, barely of any importance. So that was a lesson that I learned and that, that forced me in fact to become a chief risk officer for quite some time.
Because I thought I know enough on cyber, but I don't know enough on how to speak business language, how to engage with people who are not technical people. And so I decided to make this career change and become chief risk officer and start advising boards. And that helped me tremendously to the point where now when I speak to the board, when I speak to a CEO, when I speak to one of the largest banks in the world, they listen to me because I speak their language. I speak, I speak a language they clearly understand. They don't see me as one of these wizards who is going to speak a very strange lingua that nobody else understands. So my, my strong suggestion to any CISO. Well, two suggestions. My strong suggestion to any CISO is don't be too technical. Retain what you have learned from a technical angle. That's fantastic. But please learn the rest. Learn the business of the organization, be respected by the business side of the organization, don't be perceived as this technical wizard. That's number one. Number two is for people recruiting a CISO. I am of the inclination right now that if you want to recruit a CISO, don't recruit a technical guy. Instead recruit someone who has been in a company for 10 or 15 years and understands the company, understands the politics. And the fact that he does not, he or she does not understand cyber is irrelevant. We will recruit the right technical people to work with him or her, but at least that person is trusted. And when that person says this is a risk, the board will listen to it. Because this miscommunication we continuously have between the cybersecurity team who is very unhappy because they don't have the budget they want or because they see that the world is going to end and nobody understands them, this is where we have a usual problem.

Ganesh the Awesome: I see that happen with a lot of areas actually. And it's funny you mentioned the airlines because we, we do a lot of FinOps at GlobalDots and we offered to save a very large European airline lots of money on their compute and there was a small project to make it happen. And the number was what I thought was compelling. And then the guy said, listen, that might seem compelling to you, but we spend 2 billion a year on fuel, so a few hundred thousand dollars on Kubernetes, we just don't care basically.

Pierre Noel: So, right.

Ganesh the Awesome: So it's understanding those businesses which totally makes sense to me. You talked about risk there and now you're the chief risk guy. So from your wide angle across all these different industries and in governments, what's one area you think that technical leaders consistently underestimate the risk? And where do they tend to overcompensate?

Pierre Noel: Well, to some extent you have answered the question technical. I usually say that behind every cybersecurity incident there is a human being. Okay, because you did not code your application properly, because you made a mistake, because you were tired that very morning, you did not configure your environment, blah, blah, blah, there is a human being. Yet the cybersecurity people tend to believe that everything can be solved by technology. They usually forget the psychological aspect. And I do believe that cybersecurity is by and large psychological. It has to do with psychology much more than it has to do with pure technology. The way you educate your team, the way you make sure that they react appropriately whenever something happens, this is as critical as having a good encryption. That's even more critical, in my view, than having a good encryption. So I spend a lot of my time and I advise my friend, my PLC so to spend a lot of time looking at the psychological aspect and making sure that people are properly educated. Not only educated. Education is easy. You know, if you attend a training, a half day training, after five days, after one week, after two weeks, you would have forgotten most of it. You have to live it to understand it. So that's. That is the first thing that I find extremely important. The second thing goes also with the human DNA. We have survived as human beings because of our brain and our ability also to retain positive things. When we usually look backwards, usually we think positive. We tend to forget the very negative things that happen to us. Usually, not always, of course. Sometimes we can be depressive and think about the negative one. But the standard human being is wired towards positivism. And that's why we are where we are as human beings. So what does that mean?
That means that when you go to a board and you show some statistics to the board saying there is 20% risk that you will be attacked and that will cost you $500 million and so on. Intellectually they listen to you, but in their heart and in their guts they say, cannot happen to me. Like, I will never die. That's number one. So such an incident will never happen to me. It will happen to my neighbor. And being able to crack that dot, being able to make sure that you let the senior executive of the organization or the government understand that this risk is as real for you as it is for your neighbor. Let them experience, let them feel, not in real life, hopefully, but, you know, organizing some tabletop exercise or things like that where they realize that, wow, I thought that cyber security was a problem dedicated to my CISO, but here I see that I've got to take a decision whether to tell all my customers that we have an attack or not. And I've got no clue if I should do it or not. Someone tells me that I should pay 200 bitcoins for this ransomware attack. I don't even know if we have a bitcoin account. I don't know how to handle these things because I've never been prepared to these things. And that's a fascinating moment where people start, the big guts, start understanding the reality of the problem. And that's a critical moment.

Ganesh the Awesome: In very wise words, very true. I can think of many, many trainings that I undertook for many days and immediately it left my head almost immediately. This is very human nature. Looking ahead, and as we come to the close, what's just over the horizon for CISOs? What's the next challenge that we're not talking about enough today? And we know the answer some way is always going to be about AI. But what else is out there? What else should CISOs be thinking about that they're not today?

Pierre Noel: It's a very difficult question. When, when I was the CEO of one of these big Fortune, Fortune 100, one of my tasks was to foresee what would happen within the next five years so that we could prepare for it. And of course always got it wrong, always got it completely wrong. So it's going to get worse. It cannot get better. That's, that's a fact. That is something I'm absolutely certain because during my days at Microsoft, we had already realized that the cybercriminals were making more money, excuse me, that the mafia, the criminals, were making more money through cybercrime than through prostitution or selling drugs. And they were having much less risks in doing cybercrime than selling drugs. So it became very logical, very natural for them to expand in that direction. And initially they started by attacking the most obvious type of industry, the banks, and stealing money from the banks. And then they became very clever. They started doing ransomware where they encrypted the information so they didn't have to steal your money, they just asked you to give them money. And, and tomorrow, next week, next month, they will come with a new idea. We're not talking about technology, but a new way to benefit from you and force you to give money or something. And I'm not talking about, I'm not even talking about government and geopolitics, which is a totally different type of ball game. Our geopolitics has evolved in such a way over the next five, 10 years that people we believe, who believe we were out, who were our friends, are perhaps not our friends anymore. And perhaps it's all for oneself. And perhaps the notion of the Internet like a place where we share information is going to disappear and you will have, you know, an Internet per country. Things are changing and are changing in such a dynamic way that all I could say is that as a CISO, have your fingers on the pulse.
Do not just focus on technology, focus on geopolitics, focus on what's happening in the world. Focus, focus. You have to have your mind open to everything because it's your responsibility to think about what could possibly go wrong and anticipate what is being able to do an assessment and present that assessment to the board or the senior executive so that they can apply the risk appetite and determine whether this assessment is something that they can tolerate or they cannot tolerate. That's not your responsibility to decide that. It's your responsibility to, to bring the information and to be as accurate as possible so that they can determine what to do about that. That is the job of the CISO of tomorrow.

Ganesh the Awesome: That's solid advice for any budding CISOs out there. Total pleasure chatting to you. Any parting words before we let you go?

Pierre Noel: Let's work together. We will win in partnering together, and one CISO himself or one cybersecurity team will never win. We have to share information. People amongst people we trust. We have to share information, even information as to when we attack. We have to share that with our friends so that they know what to do. So communication, community is a very important matter. Something that is not used in health.

Ganesh the Awesome: Teamwork is dreamwork, Pierre. That's how it goes. Thank you so much. Total pleasure.

Pierre Noel: The pleasure is mine.

Ganesh the Awesome: That's it for today. Thank you all for listening. If you're ready to rethink your cloud practices and cybersecurity strategy, then the team and I at GlobalDots are at your disposal. We've been doing it for over 20 years. It's what we do. And if I don't say so myself, we do it pretty well. So have a word with the experts. Don't be shy, and remember that conversations are always for free. I'm Ganesh the Awesome. And this episode was produced and edited by Tomma Mulvidzon, sound editing and mix by Bren Russell. Stay tuned for more episodes.
