Solution spotlight: The talent retention and the cybersecurity skills gap.

Solution spotlight: Simone Petrella sits down to talk with MK Palmore from Google Cloud about talent retention and the cybersecurity skills gap.

Simone Petrella: I am honored to be here today with MK Palmore, Director in the Office of the CISO at Google Cloud. MK, thank you so much for joining me.

MK Palmore: Thanks, Simone. I appreciate the offer and looking forward to the conversation.

Simone Petrella: Sure. To kick things off right away, we'll get right into it. Can you tell me a little bit about your role at Google Cloud and what work you do with your clients and the industry in your capacity as a strategic advisor?

MK Palmore: Sure. So I belong to a team at Google Cloud called the Office of the CISO, and we are essentially a team of all former security executives across the industry verticals. I think we will probably get into the conversation a bit, but I cover down on global public sector interests for the Office of the CISO. And our role in Google Cloud is establishing stateful relationships with CISOs and CIOs and helping them on their cloud journey, always with a bent towards security or cybersecurity.

Simone Petrella: Wonderful. So I know one of the reasons that we connected in the first place, and this is true both in your professional capacity at Google as well as some of the work you do outside is around just the coordination and the work that organizations are focused on in increasing the pipeline of not only talent in cybersecurity, but specifically diverse talent. How do you think about retaining talent within Google Cloud?

MK Palmore: So great question. Talent retention is I think the same across any organization, and that is if you can provide good leadership, if you can provide your employees with a pathway towards their own professional development and you can engage them in interesting work, then likely you have the elements necessary to keep employees on board. Now, as quickly as I said that though, you should recognize that I think any organization really has challenges with retention. It can be, especially in today's environment with things like remote work, the variabilities involved in where you work, what regions you're actually allowed to work out of and of course, all things pay. But at the end of the day, I do believe that the subject of leadership, people oftentimes leave employers because of bad leadership, not because of bad situations at work or anything like that. And so if you can provide good leadership, you can provide them a mission where they're effectively engaged and a pathway for their own success, people will likely stay where they are. But easier said than done, those challenges I think are felt across every enterprise on the planet.

Simone Petrella: Yeah, and specific to that, because obviously we wanna retain the talent, it's so difficult to get it in the first place, but we also want to increase the diversity that we see in the field writ large. So how do you think about that as it comes to identifying and bringing in new talent and then trying to retain the talent as they move through their careers?

MK Palmore: Yeah, so anyone that's listened to me, seen my musings in terms of writings, knows that this issue of increasing diversity in the cybersecurity workforce and pipeline is a real passion topic for me. I honestly believe that this is one of the core components of solving, if you will, the cybersecurity challenge. Diversity helps us in every aspect of life. And in the cybersecurity realm, the need to diversify the cyber workforce answers the mail on a couple of different issues. One, our ability to actually create and invent solutions that apply across the board. Here at Google, we're always trying to solve for global problems and cybersecurity happens to be one of them. When we think about solving problems, we think how can we solve this for the planet, not how can we solve it for some individual instance, although we do a pretty good job at that as well. How do we solve globally for a particular challenge? And when we think about issues like the cybersecurity workforce, we absolutely believe that diversity is a way for us to close down this gap, this ongoing gap of here in the US, 750,000 plus open cybersecurity positions annually. If you include the numbers globally, that number ekes up, I think, to probably 1.5 million annually open positions. And in addition to widening sort of the lens that we use to identify cyber talent, as an industry, all of us have to do a much better job at getting diverse talent to the table. And that happens in a couple of different ways. We know for a fact that training helps get individuals to the table if you can provide them with training, some of which, especially some of the best training in the world, can be truly expensive. If you're not already on board with one of the global providers, like the Googles of the world, where things like training may be covered by your employer, it can be extremely challenging for someone to actually get the certifications or academic training that they need in order to break into the cybersecurity field. But the second piece of that in terms of answering the challenge of the workforce is, of course, the piece of actually getting people experience. And hopefully we can dive a little bit deeper into that challenge because I actually think that that's really the critical piece that we're all challenged with trying to identify how we close that gap now because Google has put training certifications on the table. We, this year, released the Grow with Google cybersecurity cert. There are a number of certifications by other organizations and agencies out there that folks can get access to. Grow with Google is certainly, you know, one that we would promote that prepares people for entry-level jobs, but there's lots of opportunities to train. And I think as an industry, where we're really challenged is this area of actually getting work experience for these folks because the truth of it is, is that cybersecurity companies, big vendors like Google and others are challenged with hiring brand new talent. It's really difficult for organizations that have as much on the line as they do, you know, to open up the employment doors for folks with little to no experience. And that's really the area, I think, as we move forward, that's the area where all organizations are gonna have to start thinking about how do we solve that problem? Because that's the critical piece that we're missing now.

Simone Petrella: Yeah, I would love to dive into that specifically because, you know, one of the things that we talk a lot about around here is we talk and focus on the shortcomings of developing individuals. And not to say that it's, you know, a misstep or that it's not going to help solve the problem to train or develop individuals. But we talk a lot about how do we take a team-based approach? How do we think about what's effective to buy down risk to the organization? And how do we strategically think about the people that are required to fit in roles to ultimately kind of increase the security posture overall? And that's a difficult thing to do because we don't necessarily think about the industry that way today. But what you recognize is, you know, we don't have the luxury without having people with experience, but the people with experience are limited. That talent pool is limited. So how do we solve that problem? How do you think about that problem in the context of, you know, a large organization like Google that is probably more advantaged in taking some liberties and steps forward in that department than, you know, certainly smaller organizations?

MK Palmore: Yeah. Employers have to buy into the idea that they will train their employees. There was a famous saying out there, like what would you do without training them? Why would you want an untrained employee? And so employers have to get over this hump of, I am going to have to invest training in an individual employee. We have to do it across the board because this field is too dynamic. There are too many changes going on. There's too much, I think, that we learn from month to month and year to year. As we continue to transform global enterprise, cybersecurity is the number one topic. Organizations want to transform, they want to develop, but guess what? They also want to figure out how to do it safely and securely, and that's where cybersecurity comes in. And so as an industry, we have to understand that when we bring on board cybersecurity employees, experts or otherwise, you know, when I say SMEs, I mean everything from new entrants into the industry all the way up to folks that you may consider subject matter experts, there's still a need to train and develop those individuals at whatever point they happen to be along the lines of their matriculation or development. And the way that I think about it is employers need to understand that, guess what? You might have to invest time and effort training up these employees. They will be better producers for you in the long run if you invest that time. There's certainly an argument to be made that by investing in employees that you're going to get more out of them in terms of longevity. You know, people feel a certain loyalty to organizations that have invested in them where others might not. And so instead of looking at, if I train this employee, they're going to move off and go work for someone else, think about training them, the benefits that you will get from the time that they're with your organization and the amount of goodwill that you establish with the employee from making that investment with them. And then if they do choose to move on to another organization, it is always with, I am sure a gratitude for having had the experience with an employer that has taken the time to invest in them. And the industry, because of that becomes better as long as we understand that, you know, there's very, very little situations now, I think where employees and employers join forces. In other words, someone joins a workforce and says, hey, I'm going to be with this employer for the rest of my remaining professional days. That just doesn't happen as much as it used to maybe two decades ago. You know, I certainly spent nearly the entirety of my professional career with one organization being the US government, but the days of folks investing that kind of lifetime cycle with employers I think is probably coming to a close. So we have to take advantage of the time periods that we are spending together, employer and employee, invest in one another. And I think that will ultimately yield better outcomes.

Simone Petrella: Yeah, really great point. One thing that I would be curious if you could share your perspectives as a leader in a large organization is what are your recommendations when you think about that necessity to train and to invest in people? How do you think about or what are the recommendations you have to evaluate and measure not only the team skills that are required for the business to achieve its security strategy, but then what are the pathways or what are the recommendations and how you prioritize those investments if you're already going to make them in order to align the need with the actual training you're going to send someone to? If you're going to make that investment, you want it to be related back to the business in some way.

MK Palmore: So there's a lot to unpack there. And I think that certainly in the curriculum realm, the cybersecurity curriculum realm, they're starting to understand this. I think that the certifications realm maybe has a better handle on this than say the traditional academic environments and say four-year colleges and that kind of thing because they're still kind of training towards -- I won't call it an outdated model, but one that doesn't necessarily keep pace with all of the changes that are in the industry. And there are certainly shorter return on investment, time and effort that you can make in terms of investing in certifications because the turnaround on those types of things are quicker. You mentioned the term skills. And I think as an industry, we absolutely have to start thinking about what skills are needed in order to do the job and get better at the job. And that is where the concentration of investment and training needs to happen as opposed to thinking about domain specific overriding strategic knowledge. We need to start thinking about what does this person need in order to be excellent at this job so that they get what they need to get out of the experience and the organization gets the kind of productivity that they're expecting. Security operations, case in point, is a fantastic example of that. You need to teach folks how to use and manipulate the tools of the SOC in order for their productivity in the SOC to be good, to be positive. Right? That doesn't necessarily require a four-year degree in cybersecurity in order to operate in a SOC environment. There are training evolutions, certs for instance, the Grow with Google cert was built essentially to prepare an individual for entry-level training in the SOC environment. There are other certs out there on the market that do very similar things in regard to preparing folks for their first day on the job. And I think that as an industry, we need to start concentrating on what skills does this person need in order to be successful in that particular role? And that is how it is that you determine, okay, well, what do they need to be trained on? What additional things can I provide to this individual so that they can be successful? Certainly as a team, I'll give you an example. Internally, my team in the office of the CISO, we spend a fair amount of time in cycles just learning new product. There are hundreds of products, security or otherwise at Google Cloud. There is no way that you can be an absolute expert on all of those products. There are a handful of individuals who even could probably run down the list and provide you at least level one, level two on what those products do and what they're capable of. And so as an organization, the office of the CISO, we spend some of our cycles taking time aside and making sure that we get deep dives on products that we think will come up in conversations with our customers as it relates to cybersecurity. And so we don't need to learn the entirety of the landscape, but we do need to be able to do deep dives on the products that are relevant to our portion within the Google Cloud story. And oftentimes that revolves around the subject of security. So that's just one example of very targeted training that organizations can undertake to make sure that their workforce is prepared for their role.

Simone Petrella: Right. And a great point, because in your example, it is tied exactly to the objectives of why everyone's working within your office of the CISO at Google Cloud in the first place. So just being able to provide that pathway and that direction so that it has a direct impact on the business, then you can start to actually calculate some kind of return on that investment. Shifting gears on you here for a second, on a personal level, I know you are also involved with Cyversity, which is a nonprofit dedicated to increasing diversity and inclusion across the cybersecurity profession. Full disclosure, we also have partnered and do work with Cyversity on a number of our training programs. So a huge shout out to the organization. But for those who are either new or have not had a chance to get exposed to Cyversity, can you tell us a little bit about the organization, its mission, and some of the exciting things that you're working on?

MK Palmore: Absolutely. So let's start with the mission. And then currently I'm on the board of directors for Cyversity. I'm also the vice president. I call it vice president of operations because it's really both tactical and strategic things that the organization needs in order to keep moving. And I'm going to be assuming the role of president of the organization at the end of this calendar year. So it takes me into a whole new light, both a leadership challenge, and it also represents the confluence of this area that I'm really passionate about in terms of bringing more women, people of color, and in our case, the veterans community as well, into the field of cybersecurity and technology widely. The organization's been around about a decade. The founders are still involved, and moving forward in 2024, it will actually be the first year that one of the founders or initial folks who started the organization won't be involved in the day-to-day tactical and strategic activities of the organization. So we're at really a new level. We're doing things like simply providing a network or ecosystem for folks to thrive in, providing training, providing scholarship opportunities. These are all things that I think we've gotten to be really good at as an organization, largely through partnerships. We partner with every organization we need to in order to bring value to our members. And our members happen to be, again, people from diverse populations who are starting at various levels in terms of their abilities in cybersecurity. Everything from zero start, all the way through folks who are mid-career and maybe making a switch, and then the senior level cadre folks like myself who view it as part of our responsibility, I think, to give back to the industry and to open doors for others. I literally get up in the morning thinking about how I can bring more diverse people into the cybersecurity field. And Cyversity has been and will continue to be a way that I can make that investment in the industry and community, and I'm super passionate about it. So we do all the cool things like bringing scholarships, giving folks training, giving them access to things that they normally wouldn't have access to by virtue of membership in our organization. And again, we're constantly thinking about partnerships, but we're also trying to solve really those big problems. And the big one that I mentioned already that we're trying to get our heads wrapped around as an organization is this challenge of actual work experience. There's no shortage of folks that want to partner with us. We've partnered with SANS, we've partnered with CompTIA, we've partnered with other organizations that provide critical cybersecurity training, and they do it really well. ISC Squared, I should mention too, a big partner of Cyversity. So getting folks access to that is no longer the big challenge, although there's always the absence of corporate dollars that you can get through sponsorships. In terms of development, there's always a need to be out there fundraising and raising money and looking for corporate support. But at the end of the day, the big challenge that as we look forward, 2024 and beyond, how do we add to that? How do we bring this internship ability to actually get hands-on experience in SOC environments, ability to actually bring to the table and actually go into an interview, being able to say, yes, not only do I have training in that, but I've got some hands-on experience, and here's how that experience will help your organization and why it might be important to think heavily about hiring me as an individual, right, as you go forth and try and get these jobs. We're looking for support and across industry partners to help us solve that particular aspect of it, the actual job experience part, which is where I think the biggest gap is. And once we've been able to make a dent into that, I think that with government support, with corporate support, with foundation support, you will be able to see the impact that organizations like Cyversity can really have on transforming this particular challenge of the cybersecurity workforce. It will allow us to move in a much quicker fashion, getting folks from zero start to actual jobs in the industry. And I'm proud of the work that we've been doing at Cyversity but there is a lot more left to do.

Simone Petrella: For those listening who maybe are just hearing about, you know, Cyversity's mission and where you wanna go now for the first time, what are some of the ways if they are in an organization or a corporate environment that maybe isn't necessarily working with you today, but how do they get involved? And, you know, to your point on dollars and fundraising and corporate support and internships, what are some of the things that you would love to, you know, see as a call to the action from those of us in the industry that are in a position to make some really powerful decisions in this arena?

MK Palmore: Yeah, so all of the above, everything that you just named. So corporate support in terms of dollars, you know, nonprofits like us are constantly looking to partner with corporate America so that we can bring value directly to our members and corporations to sponsor a number of things to include the annual conference that we have every year. This year's conference at the end of October is being held in Orlando, Florida. And then just national sponsorships that sponsor the training, the ability of Cyversity to deliver curriculum directly to our members. And then that last piece, if there are sponsors out there or entities that believe they have a piece of the puzzle, because no entity can solve this wholly, but if there are entities out there that believe they have a piece of the puzzle in terms of wanting to potentially belong to a consortium of employers where you can get those types of internships that actually result in the kinds of hands-on experience that's really lacking right now for new entrants into the field, we'd love to partner with organizations like that so that we can, again, close that gap in a much quicker fashion. Corporate sponsorships are always welcome. You know, Cyversity is a, again, nonprofit 501c3. We're on all of the giving platforms that are out there, Benevity and others. And we live and thrive through those sponsorships and dollars that we receive, and the vast majority, better than 70%, and in some cases, better than 75% of every dollar that goes directly to our members as opposed to operational costs of the organization.

Simone Petrella: Amazing. Well, MK, thank you so much for joining. Really appreciate you taking the time this afternoon.

MK Palmore: Absolutely. I appreciate the invite and enjoyed the conversation. Thanks a lot.