CyberWire Daily - Solution Spotlight: Simone Petrella and Camille Stewart Gloster discuss the White House's cybersecurity workforce and education strategy. [Interview Selects]
Episode Date: December 25, 2023This interview from August 18th, 2023 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Simone Petrella sits down with Camille Stewart Gloster, Deputy... National Cyber Director at the The White House discuss the White House's cybersecurity workforce and education strategy. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Camille Stewart Gloucester is Deputy National Cyber Director for Technology and Ecosystem Security in the Office of the National Cyber Director in the White House.
In this edition of our Solutions Spotlight, she speaks with N2K President Simone Petrella.
I am joined today by Camille Stewart Gloucester, Deputy National Cyber Director for Technology and Ecosystem at the White House. In her role, Camille leads technology, supply chain, data
security, and cyber workforce and education efforts for the Office of the National Cyber
Director and led the team that recently released the National Cyber Workforce and Education
Strategy last week. Camille, thank you so much for joining.
Thank you so much for having me, Simone. I'm excited to talk about the strategy.
Great. Me too. It's certainly an area I love to talk about all the time.
So I think we're going to have a great discussion here.
You know, just to sort of set the stage
before we really get into the meat of it,
the strategy that just was released
really is built around four pillars.
And those are equipping every American
with foundational cyber skills,
transforming cyber education,
expand enhancing the national
cyber workforce, and strengthening the federal cyber workforce. That's a lot of ground that's
covered across those pillars in this strategy. And there's more tactical recommendations here
than we've even seen before. What are the big takeaways that you want the industry to walk
away with as they review this very hefty document?
It is a big document, a big ambitious document that has a series of short-term, medium-term,
and long-term objectives. I want folks to take away from this is that the work builds on itself.
We embarked on a journey in July of last year with the National Cyber Workforce Summit at the White House to engage our partners around what are the challenges? What are the opportunities? We recognize that one page
in the National Cybersecurity Strategy wouldn't do workforce enough justice, but what should we
address? How should we address it? And if there's one thing I hope people have started to see from
ONCD is that we really want to make sure that the work
that we are doing is collaborative and considerate of all of the important perspectives that are
represented across the digital ecosystem. And so we worked with 34 different agencies across the
federal government and the executive office of the president. We worked with over 200 organizations
and SMEs across cyber workforce and across cybersecurity and cyber in general
to really understand the confluence of challenges because there are many.
Many folks kind of stop at the, well, there's a workforce deficit.
And there's so much more to it than that, right?
If the national cybersecurity strategy is to work, that means we are moving towards
an affirmative vision for the digital ecosystem. That means one that is resilient, defensible, and aligns to our values. And there's
some shifts that we talk about in that. And if we achieve that, that means that we're going to have
products that are secure by design, which means we need a workforce that is capable of understanding
security no matter where in the lifecycle of a piece of technology they said.
We need people that are able to adapt to and address the challenges of today, but also address
the challenges of tomorrow in an environment that we don't know what the technological landscape
will be. So this strategy is technology agnostic, but recognizes how things like AI, quantum, and other evolutions in
technology will change the digital landscape and what we ask of folks. And so across those four
pillars, we look at three imperatives. First, how do we get everybody to the table? Because we do
have a deficit. So we need more people to be doing this work, but not just more people,
more people of different backgrounds. And that benefits us
because one of the strengths of our nation is the myriad of voices and perspectives that we have.
So how do we get rural communities, veterans, people of color, and other underrepresented
groups as part of the cyber industry? It helps enrich the work and it also helps us adapt to a changing
environment. So let's get everybody to the table. So diversity. The second is skills. We need a
skills-focused workforce. We need the ability to gain lifelong skills. And that starts with
the foundational cyber skill for every American that you kind of talked about. Right now,
reading, writing, and arithmetic are what people picture as the foundational things that you need to operate in society.
But quite frankly, there are some foundational cyber skills that should be part of it.
And that is what we propose in the strategy.
And so you can build on top of that occupation-specific skills.
So if you're a nurse, you need the privacy skills to be able to protect the data of your patients. And then cyber skills, if you decide you want to work
in a cyber career. And then the last imperative is really focused on building ecosystems, because we
have found through all of that engagement that I talked about, that ecosystems, regional, local,
that can really tailor to the needs of community,
but also create these networks of feedback that can help inform how training happens,
how education happens, how employers find their workforce are really vital to a thriving
cyber workforce. So when employers can inform academics on what the education and training
apparatus should look like, and when those same academics can ask for skills-based opportunities
for their students, you know, and we can engage the community, you get a more robust dialogue that
not only solves the workforce challenge, but solves a number of other challenges.
That was kind of a lot, but I think those three imperatives
and really honing in on that
and the fact that all of those things
needing to address the entire ecosystem
of players and the four pillars,
but also those three things came from you all,
came from everyone who engaged on this strategy.
Yeah, no, it makes a complete sense.
And having been in this space so long myself,
just one of the many challenges
is there are so many stakeholders.
Thinking about who you reached out to,
it is a very robust and rich community,
which is wonderful,
but also a challenge at the same time.
And so given that,
what do you see as one of the things
or a number of the things that are critical to the success of this strategy?
Everyone taking ownership of the implementation of the strategy.
So what I hope is every person, every organization, every institution that picks up this document
recognizes that the federal government has the smallest piece of implementing this strategy.
We can provide funding.
We can work on the federal workforce. We can work on some strategic things and provide support. But the private sector,
academia, state and local governments, nonprofit partners all need to drive implementation. And
that work has begun. We saw some of that in the launch of the strategy and the commitments that
came out from our partners. But also we're embarking on an implementation roadshow where we are going to different regions
and locales around the country to have a dialogue about sparking an ecosystem or supporting an
ecosystem that already exists. That work started August 9th in Nevada at UNLV, University of Las Vegas, where we had our director,
Kemba Walden, really launch a collaborative effort with academia, private sector,
and a number of others to have a conversation about what a cyber workforce ecosystem looks like
there, what those needs are, how the state and local governments can continue to support them
so that folks can get into the good paying jobs that are in the cyber workforce.
I love that you say that because it's so incumbent on the industry, whether it's academia
or employers to kind of step up and take responsibility. And this strategy is such a great step in calling that out.
But another thing that struck me immediately that I think distinguishes this strategy versus other
executive orders we've had over the years on education and workforce and cyber is that there
actually are opportunities for funding and investment through the federal government to
kind of give a little bit more teeth and emphasis to some of these initiatives. What's your recommendation
for institutions or organizations looking to take advantage of those investments and really step up
to the plate? I'm so glad you said that. Some of our partners like National Science Foundation,
they are saying, we need more partners. We have more money to give, right?
That is an awesome opportunity. It's not very often in the government, right? We have more than enough money to meet the needs of our partners. And I mean, quite frankly, I don't know that that
means that we have more than enough money, but what it does mean is that there's a lot of
opportunity for organizations that aren't currently connected to institutions like the National Science Foundation to get connected.
If you are an academic organization, if you are a nonprofit, if you are eligible to get grant money from them, focus on some of these cyber workforce initiatives.
If you start to do work that is implementing this strategy, I encourage you to reach out to partners like National Science Foundation, CISA, NICE, that have money and
resources or can be a conduit to getting some. We are not the only source of funding. There are
funders and philanthropists who are doing this work. There are private sector organizations that
are doing this work as well. And so there's a lot of opportunity for funding. I encourage folks to
start to reach out to those organizations that have made themselves available
for them to get the resources.
So I want to go back to the concepts of ecosystems
that you brought up,
because it's also something that is something
I feel very passionate about,
which is we have so many stakeholders in play
when we talk about cyber workforce,
whether it's academia, whether it's academia,
whether it's employers, whether it's government agencies, whether it's training providers and
partners. And one of the challenges is the fact that it is a very busy space and it's hard to
scale a lot of great initiatives. You touched on this a little bit before with some of the
implementation roadshow that you'll be doing, but what is the White House's role going to be bringing these stakeholders together,
given the vastness of the industry and just how many providers there are in a space?
Yeah. I mean, we are conveners. Our goal is to pull folks together to help with resource sharing
and to catalyze action. What I don't want to be is a bottleneck.
So I want organizations, I want regions, I want locales to feel empowered to go do this work with or without my or the office's involvement. But where we can support, where we can bring
organizations together, where we can help spark a cyber workforce ecosystem, I want to do that as well.
So I've kind of been thinking about it in two parallel tracks. Where there are organizations
that get the work, please start this in whatever location, whatever region you think is right for
having a cyber workforce ecosystem. And on the other side, we will be going to areas with either an expressed interest in having a cyber workforce ecosystem, has one that's burgeoning or starting out and needs some support, or has a really robust one that can provide a lot of feedback and best practices for their counterparts.
And our goal is that those more robust ecosystems will be a model for their peers.
How do we extract the best practices
and the lessons learned
so that they can be adapted
to different environments?
They all won't look the same
because they don't need to.
That's why there are local, regional,
and quite frankly,
even international ecosystems
so that they are tailored
to the outcomes, the communities,
the groups and organizations that
are part of it. There needs to be that flexibility and responsiveness to all of those factors.
But we want to help bring folks together. So that'll be my goal, the convening.
Well, and let this be a PSA to everyone listening that if you haven't picked up the strategy already
and read it, you need to. And if you are taking the time to read the strategy, then you should also be thinking
about how you can implement some of the initiatives that could help improve the workforce in your own
organization too. There's also a component of the strategy that addresses the federal cyber
workforce. And much of the tactical recommendations that you all have put forward include coordinating
efforts across multiple departments and agencies to build, expand programs, tap into grant funding.
How are you thinking about prioritizing those initiatives at the federal level?
Yeah, I think that's an important question. So the federal government, of course,
is a unique piece, a piece of the whole, the national ecosystem.
And so one of the things that I will prioritize is the connectivity between the private sector and the federal ecosystem.
But we really have to think about where are our resources, where do the budgets align, where do we have authorities, who owns what piece of the puzzle. And we'll use that to help us prioritize where we start
and what things are short, medium, and long-term wins
that'll help us get to that desired end state.
The nice thing is,
and I think the thing that gives this strategy
and this work staying power
is we've established
the National Cyber Workforce Working Group
and the Federal Cyber Workforce Working Group.
And those two bodies will help drive
implementation of the
strategy. The federal cyber workforce working group is most germane to this piece of the
conversation because that is where we're having the conversations about what are the priorities
for the federal government? What is the support we're needing? What's working across the federal
government as we transition to things like skills-based hiring? How do we continue to implement that?
How do we have shared resourcing around hiring fairs and things like that?
And so our partners, OMB and OPM have been very collaborative
as we seek to make sure that we're giving federal agencies
what they need to be successful and doing that prioritization exercise.
Well, I think it's safe to say that even though you are now at the culmination
of releasing a strategy,
really the work is starting now.
It starts now. Yes.
So a lot of exciting things in store.
Last question, certainly not least though,
on a personal note,
having been doing this for the last year plus now
and coordinating and herding all these
cats, what's the one area of the strategy that you're the most excited or proud of?
So I think to start, it's the look across the entire environment, right? Most strategies that
you see focus on the national cyber workforce, focus on federal, but coming together and thinking
about how do we equip every American? How does that feed into their access and opportunity such that they become
part of the cyber workforce? And then how do we look at the entire national cyber workforce,
including the federal workforce and our international partners and how they feed
into our understanding of what our best practice is, but also how we share that so that we're all thriving and getting the workforce that we need.
I think that holistic view and being able to set an affirmative vision around that is
the thing I'm most proud of.
In terms of being excited about the implementation work, I think the fact that we're taking it
outside of D.C. and getting to each local region and talking to folks
about what their needs are in context is going to be really important to the success of this.
Because for example, state and local governments, they lead on education. They will have to drive
what the needs of their communities are. They will be the conduits for getting rural communities more
engaged. And I think that is going to be really important.
I'm excited for people to realize that there are good-paying jobs across a number of different
disciplines in cyber.
Everybody has that misperception that cyber is just for super technical folks, engineers,
coders.
But there are a myriad of different job opportunities,
lawyers, marketers, training folks. I mean, there's so many opportunities and recognizing
the importance of each of those and how they all come together to attack the challenges and
realize the opportunities is going to be really important. And then the last thing I'll say, let's see, I have too many. Just so much excitement to go around. Exactly. It's probably the hardest
challenge in the strategy, but I don't want to shy away from it. It's the data challenge,
right? When I talked about the dynamism of the ecosystem, which means we have a changing set
of needs. We have a changing set of definitions for what cyber, we have a changing set of needs. We have a changing set of definitions for what's cyber. We have a changing set of technologies.
That's why we have not nailed down nationally
or federally that data question, right?
And been able to track it in a way
that's consistent and coherent.
I want to do the work to try to start to address that.
I mean, it will take time,
but that is one of the hardest problems in the strategy and one that I am looking forward
to taking a bite out of. Camille, thank you so much for joining us today and sharing all of your
insights. Really appreciate all of your support and putting out this strategy and getting it going
and best of luck as you hit the road with it. That's Simone Petrella speaking with Camille
Stewart Gloucester, Deputy National Cyber Director for Technology and Ecosystem Security
in the office of the National Cyber Director in the White House. Thank you. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe
and compliant.