CyberWire Daily - Interview Select: MK Palmore from Google Cloud talks about why collective cybersecurity ultimately depends on having a diverse, skilled workforce.
Episode Date: December 27, 2022
This interview from September 30th, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with MK Palmore from Google Cloud to talk about why collective cybersecurity ultimately depends on having a diverse, skilled workforce.
Transcript
You're listening to the Cyber Wire the CISO for Google Cloud. We recently chatted about why collective cybersecurity
ultimately depends on having a diverse, skilled workforce
and efforts MK Palmore and his Google Cloud colleagues
are taking to improve the situation.

Especially in the technology field, I think,
is where we see such a disparity
as it relates to the presence of women
and underrepresented minorities in the
field of cybersecurity. The statistics tell us a challenging story. One, we know that, you know,
typically speaking, women represent somewhere close to 50, 51% of the population, and there's
nearly that much in terms of the workforce. Their presence in technology is somewhere around the low 20% realm. And as you
go up the ranks, those numbers get to be smaller and smaller. People of color, Black, Latino,
sometimes categorized as roughly 17, 18% of the workforce. And those numbers as it relates to
technology, you'll find hovering somewhere between 5% to 8% at any one point in time when you take snapshots of the
industry. So the struggle for organizations today like Google and other organizations that are
trying to increase the numbers of women and underrepresented minorities in terms of
increasing the talent pool is in moving the needle on those numbers.
Where do you go to source the talent that has the requisite skills that you're looking for in order to bring them on board in your organization? How do you subsequently get them on board into the
organization? And then how do you, the big challenge for all organizations is retention.
How do you retain that kind of talent once you have them on board and create a pathway for them
to grow and be nurtured within the profession and ultimately succeed? So the numbers are daunting. They've been daunting,
quite frankly, for quite some time, for a number of years. And folks like myself and others who
do this professionally are engaged at any one point in time in a number of, for me,
internal issues here at Google Cloud in an effort to help move the needle
on this issue and also providing support to outside organizations and nonprofits in this realm to
also move the needle and impact change where we can.

Well, so within Google Cloud itself,
where are you finding success? What sort of initiatives are making a difference there?

Yeah, so I think that, you know, broadly speaking, what we see in the industry is that if you can
train people, if you can give them the requisite skills that they need, baseline skills, in order
to be able to compete for entry-level positions that you oftentimes are helping to set them up
for success. In fact, there are some numbers out there that will tell you that training,
specific training around cybersecurity introductory skills,
is the number one way to translate someone from a zero start into the field.
And we have a number of programs,
one of which that I am shepherding here under the Google Cybersecurity Action Team
and others within Google that are much more mature
and much further along that help to enable the existing workforce. In other words, folks out
there who show an interest in cybersecurity or want to pique their interest. In other words,
they want to take some exploratory courses and try and get some exposure to the industry.
We have a number of efforts underway to actually take folks
through the training pipeline so that they get some baseline training for entry-level positions.
And we also have a number of things underway that will help to get exposure to folks who are,
again, zero start, but potentially interested in the industry. I always say there's two components
that you need. You need a level of interest and you need an aptitude. You don't necessarily need to come to the table with
specific skill sets like technology skill sets, but much of what it is that we do in cybersecurity
day in and day out can be taught and certainly it can be learned.

When you're talking about
training here, I mean, is this something that Google offers internally or are folks going to
outside providers? How does that all work?

Yeah, so it's happening in a number of different lanes.
There is an internal effort to increase the availability of cybersecurity training, certainly
among our own employees internally. But we also recognize that Google has a responsibility to the
industry and society overall to provide
assistance in this area because we all see the gap that exists in terms of getting qualified
folks into the pipeline and certainly expanding the aperture in terms of identifying the folks
that we may bring into this profession is a large part of what we're engaged in as it relates to
Google. In other words, identifying opportunities,
whether it be through nonprofit organizations that exist or our own efforts to deliver
cybersecurity-based training, targeting that training to women and underrepresented minorities
so that you can, again, gain some traction in an area where we know that folks have an interest
and aptitude and we can point them in the right direction and give them the skills that they're going to need to be able to get some baseline opportunities within the field.
And as you all know, once you get in, I mean, it's sort of, you know, pick your poison in terms of how many different areas and domains and other areas of depth that you would like to go into.
But we all know that the real barrier is getting that initial job in the industry. And we are, again, putting together
programs and have an effort afoot to increase that talent pool and to do it in such a way that we
enable folks to do well in that interviewing process, bring or show that they have some
experience in terms of gathering the skill sets necessary to get those entry-level jobs.
And then, of course, to get in and actually succeed,
there are many different lanes, many different efforts underway.

Can you share some insights on how far back we can go into that pipeline? I mean, I'm thinking of
getting in touch with kids in middle school and coming up through high school to even
plant that seed of possibility in their minds that this is an area
that they can pursue?

Yeah, I think you hit the nail on the head there. This is one of the things
that as a society, I think that many of us have come late to the table on. One, the current
generation is growing up with technology being a substantive part of their growth and maturation.
So it's not a surprise to them, I think, that technology can play a role
in the future idea that they have for themselves around what kind of professions that they pursue.
But what we particularly don't do a good job at in cybersecurity is really, at an early age,
explaining to people that this too can be a domain and a pursuit in terms of your overall
future professional interests. And I do think
that we need to get access earlier, likely at the high school level, I think is probably the
time where you could introduce cybersecurity topics and subjects so that folks understand
that this is a viable pathway, this is a viable pursuit. And oh, by the way, it's as broad and as
deep as any profession out there, certainly from a technical
aspect, and it has equal numbers of technically related jobs and non-technically related jobs,
all contributing to the safety and security of, you know, wide-scale enterprises. And so,
there should be an interest at a very young age to identify this kind of job and then subsequently
study for it if, you know, going through the
normal four-year college path is a choice that a particular person makes, there should be a way
for folks to pursue that. But there also should be ways for folks to pursue it if they choose not to
go to college. There's lots of different lanes from which you can come and find entry into this
field. We know that lots of folks with backgrounds like mine come from the military or government work and come into cybersecurity.
We know that many people start, again, from stage zero, get some exposure to the field through a variety of programs,
and then subsequently find their way in the industry by building on success and getting experience in different places.
And then we also have to make room for that entry-level or mid-level employee who decides to transition
into cybersecurity.
And we've seen a lot of success in that route as well, bringing people to the table, bringing
them to the industry, again, by providing training and skills that will help and enable
them to get those initial landing jobs.

What's your advice for those folks who are finding some frustration in trying to identify those entry-level jobs?
I hear people say that I'm looking around and it seems as though most of the organizations are expecting me to be fully baked,
to have all those years of experience or all those certifications or that four-year degree,
and they're just finding it hard to break through.

Right. So there's two issues there. One, from the industry side of the house, I think we as
an industry have to do a better job at crafting those entry-level positions. Everyone knows about
the horror stories out there around job descriptions that ask for a requisite amount of experience,
a requisite amount of certifications for entry-level jobs. And I think that we're not
being honest with ourselves in terms of what it really takes to be successful in some of these
positions. So as an industry, if we can do a better job at writing those JDs and identifying
people with potential, understanding that there's going to be some component of on-the-job training
where they're actually going to learn the skills that they need while on the job.
I think oftentimes we are hyper-focused on getting folks through the door who essentially have already done the job.
And what we expect them to do is do that same job for us.
And that's why you have such a rotation of skills within the technology industry,
folks moving from one enterprise to the next because they're offered a higher salary.
We have to do and be better about crafting what it
is that we need for those entry-level jobs. So my advice to the new entrant, don't stop.
Put your head down. Identify training courses, opportunities to train and learn. And as you're
continuing that process of learning, and again, people learn in lots of different fashions.
There's a lot of asynchronous online platforms now that provide training. Our Grow with Google certificate is one way that folks can pursue technology training. There are other vendors for which we all know about that provide a litany of online cybersecurity-focused training. And we have partnerships with some of those organizations. That is a viable way for someone to gain entry into the industry. So I would say,
don't get frustrated. Continue to train. In other words, get opportunities to train where you can
to learn the material and look for those opportunities in your current job that will
allow you some exposure to the industry. And then you can use that as the experience that you will gather
in an effort to do better in some of these job interviews and then potentially exposure to newer
opportunities. So continue to train, don't get frustrated, and stay focused on what is available
out there and keep pressing. Expand that network too.

From your own point of view as a leader, why is this something to focus on?
What does having diversity in your team provide the organization as a whole?

So I think that from a, if we're just talking about cybersecurity workforce, I think that this issue of creating diverse teams and cybersecurity may be the most critical issue that organizations
are dealing with now and for
the foreseeable future. We have all awakened now at this point in history and time recognizing the
importance of cybersecurity, not just on business operations, but also on our lives. So it impacts
us widely as a society, but also impacts business operations. And this issue of creating more diverse teams, I think, quite honestly, is going to help us get better at solving problems.
At the heart of cybersecurity is this idea of problem solving.
And if we're not bringing different and varied mindsets and experiences to the table, we're going to continue to use some of those old approaches
to solving security problems. And quite frankly, I think that history has shown us that we are,
as an industry, probably not doing as well as we would like to in terms of combating adversarial
techniques and tactics. And I think increasing the diversity set, in other words, increasing
the diverse teams that we point towards these problems will actually help us solve them more quickly and potentially bring better solutions to the table.
That's MK Palmore from Google Cloud.