CyberWire Daily - Solution Spotlight: Simone Petrella is speaking with Tatyana Bolton from Google about ways to tackle the cyber talent gap. [Interview Selects]
Episode Date: November 24, 2023. This interview from October 20th, 2023 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, our very own Simone Petrella is speaking with Tatyana Bolton from Google about ways to tackle the cyber talent gap.
Transcript
You're listening to the CyberWire Network, powered by N2K. Tatyana Bolton is Security Policy Manager at Google and a Senior Advisor on the U.S. Cyberspace Solarium Commission.
Our own N2K President Simone Petrella spoke with Tatyana Bolton about the challenges of bridging the cyber talent gap.
I am thrilled to be joined today by Tatyana Bolton, Security Policy Manager at Google and Senior Advisor to the U.S. Cyberspace Solarium Commission. Thank you so much for being here today.
Thanks for having me.
So I want to start with some things that you're doing in your role at Google.
I know that Google has been busy since earlier in the summer,
rolling out a number of initiatives geared toward increasing talent in cybersecurity.
I've seen things including a specialized Google certificate in cybersecurity, preparing people for entry-level jobs, a new research program with universities in New York, and committing more than $20 million to help students get hands-on experience through a series of cybersecurity clinics.
I know it's still early for some of those, but can you tell us a little bit more about the ones you're most excited about and how they're going so far?
Yeah.
So these are some of my most sort of passion projects, if you will.
I love working on this issue because I think it's so critical to cybersecurity on the whole.
I think a lot of people focus on any number of issues, including vulnerability disclosure, cloud security,
et cetera. And I think all of those have a workforce element to them, which is why I think
addressing this issue and talking about it is so important. The work that you mentioned,
all of it, I'm very excited about. I think it's an effort to have a comprehensive approach to
cybersecurity workforce issues because no one program or project can ever really fix this issue in its entirety.
I think if anybody tells you that, they're lying.
It's such a stubborn problem.
It's been around for a while.
We have 650,000 openings in cyber jobs.
That number has continued to grow.
And so we're trying to address it from a number of different ways, right?
Building more pathways into cybersecurity, increasing the education, the training for
cyber professionals, and then also just the broader public.
And then also helping with curriculum and resources for learners.
As you mentioned, we're doing,
we just in May released the cyber certificates,
which we're very excited about.
Those are available right now online and they are helping students get access to education
on cybersecurity from Google experts
who have been doing this for a really long time.
We have a great lineup of people in that certificate that train the students on
cybersecurity. I'm also extremely excited about the work that's happening in New York, where we
have committed over $12 million to research work on curriculum on cybersecurity. There are a lot
of issues there that need to be
addressed, including, for example, how cybersecurity is not yet a requirement in all computer science
curricula across the country or the world. So we're trying to help that by developing more
research, getting organizations and universities working together to try and figure out what a curriculum should look like
in cyber or, you know, it's expanding on the existing work that a lot of great organizations
have already done. And then lastly, the Cyber Clinics Program, which I've worked on or have
been tangentially connected with for the last five years or so, and that's from the Cyberspace Solarium Commission work
all the way to Google. The clinics are a really fantastic model to try and get hands-on learning
to students, because right now what we have is this sort of pipeline that trains some group of
people in cyber, right? People who think, people who are going to like a computer science program
at a university. But there's also a lot of people who aren't going to universities. And
then we've got, you know, offices, the companies that need cybersecurity expertise and the jobs.
But there's a squishy middle between the learning that's happening either through certs or
universities and the actual job. And what the real need here is this hands-on learning piece,
the piece that actually connects students and their classroom learning to actual positions
where you need experience and hands-on experience to actually get that position.
And so clinics are a fantastic way to do that.
Based out of universities with the
support of a faculty member, students work with community organizations in their city or their
state, and they help them develop things like a cyber risk assessment or a strategy or any number
of cyber policies that an organization might need. And so it's a win-win. The organization
gets cyber support that they
wouldn't otherwise get because they are under-resourced, you know, as a general whole,
small businesses, state and local organizations are really under-resourced for cyber. And so they
get help. And then on the other side, the students get hands-on training. And so it helps both sides.
And that's why I'm such a fan of that program. But at Google, we're doing a number of these programs because not one alone will fix the issue.
Yeah. I think that kind of brings up a good point and a question I have around,
Google has the ability and is really leading the charge on a lot of these initiatives by
focusing on that pipeline and how we can take a dent in that large gap
that continues to grow in cybersecurity positions.
But beyond it being certainly not a one-size-fits-all,
what are some of the other challenges
that you see from a policy perspective
to try and scale some of these great initiatives
to make a little bit more substantive progress?
Because that number seems to be increasing at a pace
faster than we're able to
even come up with some of these solutions. Totally, totally right. And I will say at a higher level,
Google believes in sort of a comprehensive approach to security through open and secure
frameworks that foster collaboration, innovation, sharing solutions freely to resolve vulnerabilities,
and then creating secure-by-default products and services that embed the protections, making everything secure by default. So that is the basis, if you will, for the way we think about workforce in cyber as well. There's issues in the very early learning space, right? K to 12, not having enough focus, not having enough resources.
There's the issue of that squishy middle I mentioned between the classroom learning or the cert learning and actual jobs, right? So getting people in the door, I think that's a
huge problem. That's why we've actually focused, why we've chosen to focus on that particular area
because in all of that, and then including the issues with retention, that piece about
getting people in the door with sufficient training and experience, I think that's the
big issue. But longer term, I also will add the K-12 piece is really critical, because if you
don't have enough of a population that's even knowledgeable about the basics from an early age,
then they're not sort of inspired to go into cybersecurity and fix these problems, right?
If you're not even seeing cybersecurity professionals until you're older,
you're not really thinking about that as a career path.
And so that needs to change.
By the way, I see that in my own personal experience.
I have a five-year-old in kindergarten and security is absolutely not in that curriculum. And to be perfectly honest, I don't think that the school is equipped to implement it, even if one were just handed to them on a silver platter.
But like still people are not out there.
They're not really the site.
Like there's not enough cyber experts to go into every school in America and say, hey, I do cybersecurity for a living.
What does that look like?
Oh, well, I'm a security researcher or I do policy in cyber or I'm a comms person in cybersecurity. And what are those jobs look like?
And what does that you know, what does that even mean?
Most people are like you do what again?
Right.
Which is, you know, which is great in 2023.
But also it's like, but there's also the problem of like not enough teachers too, right?
So the teachers also, you know, you can't put it on them.
They're like massively overwhelmed as it is.
They do such great work with our kids.
I have four.
So, you know, I'm well acquainted with teachers and how hard they work.
And putting that on them is also very difficult.
So, like, you know, just getting them trained in this and showing, like, how to add case studies into an elementary school program and curricula, right, that's just a whole other issue.
They don't even have enough teachers or professors at the college level, right, let alone K-12. And so we've just, I think, you know, part of this is a, you know,
I don't want to be too negative about it. I think part of it is a, just growing pains of a profession
that's really only been around for, you know, at most 50 years. You know, we've only had the
internet for what, how long, right, when DARPA created it. So it's not surprising, I think,
that we're here, but I think it is really important that we focus on it and invest resources to try
and address the issue, that we raise awareness, that policymakers are prioritizing real changes,
because I think for me, it's, you know, the best thing is not just having panels and podcasts, which are amazing to drive awareness, but also getting policymakers to pick tangible, outcome-driven proposals that can work and include those into, you know, we've seen this in the National Cyber Strategy, the ONCD, the Office of the National Cyber Director, very much focusing on cyber workforce, getting people skilled in cyber.
The recent launch event and the White House fact sheet about it had a lot of different actual like tactical programs and support for particular people within the pipeline, including like educators, universities, professionals, et cetera. So you're seeing some
of it happen. And I think, you know, with the creation of the National Cyber Director's Office,
you're, you know, you're getting a focus like a, like a U.S. based focus on this. I'm sorry,
whole of U.S. focus on this, but more, just more needs to be done.
Do you see anything coming out beyond the National Cybersecurity Workforce Strategy?
I know that's under ONCD at the executive branch level, but given the situation in the
legislative branch, I mean, are we at a point that this will translate into anything we
can take a whole of government approach and see some?
I've seen bills from lawmakers on cyber workforce, either to invest in cybersecurity training, which is great, or
I've seen a bill on clinics to try and increase the amount of clinics across the country. NSA
has also just recently funded four additional clinics. There's also the philanthropy community
that I think should absolutely step up here and like help to establish some of this infrastructure that's needed for training,
for connecting students with or connecting graduates with jobs, building out this sort
of infrastructure of internships, apprenticeships, fellowships, clinics that can get students actual,
the actual experience they need to get
into the field at the beginning, or also transition. Google.org gave a donation to
a number of veterans groups to do cybersecurity training and help them transition into
cybersecurity because that's another great area, right? Like, just look outside of what we currently
have and look at people who
are trained, but just in other professions and see how we can get them in. And so I think
the philanthropy community can play a role there. I think companies obviously have a responsibility
and, you know, we're obviously, we are eager to help and partner with governments to do more work
here. The implementation plan from ONCD and the work that CISA has been doing,
getting out there, talking about cyber workforce.
Jen Easterly, of course, has gone out
and is a big presence in the ecosystem,
encouraging and inspiring women and girls
to go into cybersecurity, which I think is fantastic.
Just trying to elevate the profession of cybersecurity
and make it hip and cool.
Because we are, you know, hip and cool people.
Absolutely.
I mean, of course.
But it's, you know, it's so interesting because when you talk about all these amazing initiatives
that are happening across the industry, including what Google's doing to increase the pipeline,
and, you know and not only the
pipeline of cyber talent, but even more diverse cyber talent.
It always strikes me that it's not possible to think about that pipeline unless you create
room within organizations to allow for those new candidates to actually come into entry
level positions and kind of upskill or give a path for those who are there in the companies already. And I'm curious if there's anything, even just anecdotally,
you can share about how Google thinks about talent in a retention sense. Because if you don't have a
way to retain and pathway people, it's hard to kind of create a world where we can take that
entry-level talent and actually grow them into the roles. Yeah, well, so Google does a lot. It helps us significantly with growing our expertise.
We've got great support to get training and upskill, try new positions at Google. So those
are all, I think, best practices that Google, you know, currently uses. But I think just generally, we need to make sure that we are thinking about, like, you're
talking about the issue of people coming in the door and, like, some of the requirements.
I think there's a number of things we could do there, right?
We've got bachelor's degree requirements, CISSP requirements, five years of experience
for entry-level positions.
That's just silly, and I think we've been talking about this for a long time, but it is inherent on the people
who are doing the hiring to take that in and really do strategic assessments of their hiring
documents and the position descriptions to determine whether a CISSP is actually needed
for an entry-level position,
or if you could actually do better for your organization as a whole by bringing in more
entry-level talent, helping them, mentoring them. Obviously, that's a really critical component.
You can't, like, bring on entry-level talent and not help them along, not do the training,
because that, you know, presents a number of issues. But if you're committed to the mentorship
and the training piece, if you bring in the entry-level talent, you can get, you can really
help a person grow their career and it allows them to grow, develop as a professional with room for,
you know, with room for growth, right? So you don't always, I think in DC, you see this a lot
in the federal government, everybody's like a 13, 14. They're senior level policy people, right? They're senior level technical people. There's almost very little room
at the beginning. I think we need to address the structural underlying issues, such as those
position descriptions, the fact that managers are eager to get experienced talent. So we need to
address those types of things to make sure that it's easy or
easier for organizations to hire that entry-level person, professional, right? And make sure the
requirements are reasonable. And then to your point on retention, yeah, absolutely. Like it's,
I think culture plays a big role in this too. Pretend like you've got to have a good culture
in order to retain your talent. You need to give people room for growth. You have to allow them
training. That helps not only the person, the professional also helps your organization.
And so I think there's, you know, with some of those things built in, you can do a lot of work.
Obviously, CISA has focused on the pay piece, which is great. I think it's addressed some of
those problems by putting in cyber pay at CISA, making it more enticing to work there.
Obviously, they're competing against large name brands and organizations.
Like Google.
It is amazing to work here.
So, you know, what can I say?
But, you know, NSA also has a great recruitment and retention program, right?
NSA has almost a best-in-class within the federal government.
They allow rotations.
They encourage training, trying new things.
They hire at the entry level.
They grow their talent.
So it is possible, right?
And I think there's pockets of this excellence across the world, and I think we should take some of those best practices and put them into work across the ecosystem.
Because CISA has cyber pay, but have they really implemented the rotational part of what makes NSA hiring so great and retention so great?
No.
And so I think we need to, we still have work, we still have work to do and room to grow that. But nothing, you know, Rome wasn't built in a day. I just hate myself for
having said that cliche out loud. I'll put it on my bingo card. Yeah. I was, you know, I,
I said I was cool. Right. So obviously I had to, we had to take it down a notch. Right.
But it's, you know, your point on job descriptions is so
salient because, you know, not to sound overly crass, but the amount of times I've worked with
organizations on their job descriptions and frankly, they suck. And it's because people are
busy, hiring manager is busy. We take one off the shelf and we kind of repurpose it. And at the end
of the day, even
though it might take extra effort to get them right, what I hear you saying and what I kind of
see myself is you have to know where you want to go with those rules before you can create a path
or an opening for someone to get into them. Right. I think this speaks to the need to develop
a workforce strategy within your organization. If you're an organization
that's struggling to get cyber talent, which many of them are, you need to think about it
strategically. You need to sit down and it should be an executive level exercise. This is, I think,
one of the areas where it goes wrong. There's not executive level review and investment into the cyber workforce.
And that is the level at which this needs to be done.
With that, you can do an assessment.
Are these the right people?
Where are we going in five years?
Where do we want to be in 10 years? And what does that workforce look like that gets us there?
Because it's not necessarily the workforce you have today.
And, you know, obviously technology changes.
The, you know, the times change.
A pandemic happens.
Who predicted that one?
So, like, you obviously, and it's a hard task for companies.
I'm not going to lie.
It's not, you know, you have to almost look into a crystal ball and, like, but do some, you know, do some data analysis.
CyberSeek.org, plug for them.
Amazing work. They have great data points broken out by sector, broken out by levels of hiring.
So definitely a place to look as a resource as you're trying to do some of this review and analysis for your organizations.
Also, one point, because I mentioned emerging technologies. AI, I think, also is definitely a place that will have an impact on the cyber workforce, as it will, I think, on most of the workforce. At Google, obviously, we've been
working on and developing AI technologies for more than a decade already. But I think now,
you know, there's a really big focus on it and we are, you know, moving ahead boldly but responsibly,
you know, but we see opportunities in the workforce space, right? For example, how AI can
be used in a safe manner. We actually just put out the AI Safe Principles, S-A-I-F, so you can take
a look at those. But they talk about how you can actually use the AI to secure your networks and how it can help the defender, right?
What defender doesn't have issues identifying, prioritizing, and addressing the insane number of vulnerabilities that exist and applying patches in a prioritized manner, right?
What if we could figure out a way how AI can help that, right?
Right. So there's some of this toil that a lot of people experience and leads to burnout in the industry that we can also think creatively about how we can apply AI to help that.
So, you know, I think it's there's a lot of opportunity.
And I think we were already looking at looking at how to apply these things.
So we are so there's stuff out there.
At DEF CON, for example, we just did an AI red team, right?
And so we're looking at like, not just talking about the, you know, the defense of the past, but what it looks like in the future.
Training those professionals to think about AI, making sure they're engaged, making sure they're aware of the technology,
how to work with it, how to address and then utilize the technology to best effect. And,
you know, obviously from my perspective to defend our networks and systems.
I think one of the things that, you know, I'm taking away, just getting this conversation is
it's really a multifaceted solution and it's part of a broader security strategy. So we have this talent or skills gap. It's not just about
finding more people to solve it. Can we use creative technologies? Can we think about the
processes and controls that we put in place as we implement frameworks like Zero Trust? It's
kind of this whole of strategy that we have to think about as opposed to just one. So a really, really great point
overall. Tatyana, thank you so much for joining me today. And I appreciate all of your insights,
and I'm sure the audience will too. Well, I appreciate you having me on. It was a pleasure.
That's Tatyana Bolton, Security Policy Manager at Google, speaking with N2K President Simone Petrella.