N2K, Oct 23, 2023

Solution spotlight: Tackling the cyber talent gap.

Solution Spotlight: Simone Petrella sits down to talk with Tatyana Bolton from Google about ways to tackle the cybersecurity talent gap.


Simone Petrella: I am thrilled to be joined today by Tatyana Bolton, Security Policy Manager at Google and Senior Advisor to the U.S. Cyberspace Solarium Commission. Thank you so much for being here today.

Tatyana Bolton: Thanks for having me.

Simone Petrella: So I want to start with some things that you're doing in your role at Google. I know that Google has been busy since earlier in the summer rolling out a number of initiatives geared toward increasing talent and cybersecurity. I've seen things including a specialized Google certificate in cybersecurity, preparing people for entry-level jobs, a new research program with universities in New York, and committing more than $20 million to help students get hands-on experience through a series of cybersecurity clinics. I know it's still early for some of those, but can you tell us a little bit more about the ones you're most excited about and how they're going so far?

Tatyana Bolton: Yeah, so these are some of my most, you know, sort of passion projects, if you will. I love working on this issue because I think it's so critical to cybersecurity on the whole. I think a lot of people focus on any number of issues, including vulnerability disclosure, cloud security, etc., and I think all of those have a workforce element to them, which is why I think addressing this issue and talking about it is so important. The work that you mentioned, all of it, I'm very excited about. I think it is a -- it's an effort to have a comprehensive approach to cybersecurity workforce issues because no one program or project can ever really fix this program -- or fix this issue in its entirety. I think if anybody tells you that, they're, you know, they're lying. It's such a stubborn problem. It's been around for a while. You know, we have 650,000 openings in cyber -- in cyber jobs. That number has continued to grow, and so we try -- we're trying to address it from a number of different ways, right, building more pathways into cybersecurity, increasing the education, the training for cyber professionals, and then also just the broader public, and then also helping with curriculum -- curriculum and resources for learners. So as you mentioned, we're doing -- we just in May released the cyber certificates, which we're very excited about. Those are available right now online and they are helping students get access to education on cybersecurity from Google experts who have been doing this for a really long time. We have a great lineup of people in that certificate that train the students in cybersecurity. I'm also extremely excited about the work that's happening in New York where we have committed over $12 million to research work on curriculum on cybersecurity. 
I think it's, you know, there are a lot of issues there that needs to be addressed, including, for example, how cybersecurity is not yet a -- cybersecurity is not yet a requirement in all computer science curricula across the country or the world. So, you know, we're trying to help that by developing more research, getting organization and universities working together to try and figure out what a curriculum should look like in cyber or, you know, expanding on the existing work that a lot of great organizations have already done. And then lastly, the cyber clinics program, which I've worked on or have been tangentially connected with for the last five years or so, and that's from the Cyberspace Solarium Commission work all the way -- all the way to Google. The clinics are a really fantastic model to try and get hands-on learning to students, because right now what we have is this sort of pipeline that trains some group of people in cyber, right, people who think -- people who are going to like a computer science program at a university, but there's also a lot of people who aren't going to universities, and then we've got -- and then we've got the, you know, offices, the companies that need cybersecurity expertise and the jobs, but there's a squishy middle between the learning that's happening either through certs or universities and the actual job, and what the real need here is this hands-on learning piece, the piece that actually connects students and their -- and their classroom learning to actual positions where you need experience and hands-on -- and hands-on experience to actually get that position, and so clinics are a fantastic way to do that. 
Based out of universities, with the support of a faculty member, students work with community organizations in their city or their state and they help them develop things like a cyber risk assessment or a strategy or, you know, any number of cyber policies that an organization might need, and the org -- so it's a win-win. The organization gets cyber support that they wouldn't otherwise get because they are under-resourced. You know, as a general whole, small businesses, state and local organizations are really under-resourced for cyber, and so they get help, and then the -- on the other side, the students get hands-on training, and so it helps both sides, and that's why I'm such a fan of that program. But, you know, at Google, we're doing a number of these programs because not one -- no one of them alone will fix the issue.

Simone Petrella: Yeah, I think that kind of brings up a good point and a question I have around, you know, Google has the ability and is really leading the charge on a lot of these initiatives by focusing on that pipeline and how we can take a dent in that large gap that continues to grow in cybersecurity positions, but beyond it being certainly not a one-size-fits-all, what are some of the other challenges that you see from a policy perspective to try and scale some of these great initiatives to make a little bit more substantive progress because that number seems to be increasing at a pace faster than we're able to even come up with some of these solutions?

Tatyana Bolton: Yeah, totally, totally right, and I will say, you know, just at a higher level, Google believes in sort of a comprehensive approach to security through open and secure frameworks that foster collaboration, innovation, sharing solutions freely to resolve vulnerabilities, and then creating secure-by-default products, services that embed the protections, making everything secure by default. So that is the basis, if you will, for the way we think about workforce in cyber as well. And what -- I think that there's issues in the very early learning space, right, K to 12 not having enough -- not having enough focus, not having enough resources. There's the issue of that squishy middle I mentioned between the classroom learning or the cert learning and actual jobs, right? So getting people in the door, I think that's a huge problem. That's why we've actually focused -- why we've chosen to focus on that particular area, because in the, you know, between -- in all of that, and then including the issues with retention, that piece about getting people in the door with sufficient training and experience. I think that's the -- that's the big issue, but longer term, I also will add, the K to 12 piece is really -- is really critical because if you are -- if you don't have enough of a population that's even knowledgeable about the basics from an early age, they don't -- they can't -- they're not sort of inspired to go into cybersecurity and fix these problems, right?

Simone Petrella: Yeah.

Tatyana Bolton: If you're not even seeing cybersecurity professionals until you're older, you're not really thinking about that as a career path and that --

Simone Petrella: Right.

Tatyana Bolton: So that needs to change.

Simone Petrella: I see that -- by the way, I see that in my own personal experience. I have a five-year-old in kindergarten and security is absolutely not in that curriculum, and to be perfectly honest --

Tatyana Bolton: Right.

Simone Petrella: I don't think that the school is equipped to implement it even if one were just handed to them on a silver platter.

Tatyana Bolton: Yeah, I mean, and so like that's -- exactly. Like, we have -- we want to do this, but like, still people are not out there. They're not really -- there's not enough cyber experts to go into every school in America and say, hey, I do cybersecurity for a living. What does that look like? Oh, well, I'm a, you know, security researcher or, oh, I do policy in cyber, or I'm a comms person in cybersecurity, and what do those jobs look like, and what does that, you know, what does that even mean? Most people are like, you do what again, right? Which is, you know, which is great in 2023, but also it's like -- but there's also the problem of like not enough teachers, too, right? So the teachers also, you know, you can't put it on them. They're like massively overwhelmed as it is. They do such great work with our kids. I have four, so, you know, I'm well acquainted with the -- with the -- with teachers and how hard they work, and putting that on them is also very difficult. So like, you know, just getting them trained in this and showing, like, how to add case studies into an elementary school program, curricula, right? That's just a whole nother issue. They don't even have enough teachers or professors at the college level, right, let alone K to 12, and so we've just -- I think, you know, part of this is a -- you know, I don't want to be too negative about it. I think part of it is a -- just growing pains of a profession that's really only been around for, you know, at most 50 years. You know, we've only had the internet for, what, how long, right, when DARPA created it. 
So it's not surprising, I think, that we're here, but I think it is really important that we focus on it and invest resources to try and address the issue, that we raise awareness, that policymakers are prioritizing real changes, because I think for me, it's, you know, the best thing is not just -- not just, you know, having panels and podcasts, which are amazing to drive awareness, but also getting policymakers to pick tangible outcome-driven proposals that can work and include those into, you know, we've seen this in the National Cyber Strategy, the ONCD, the Office of the National Cyber Director, very much focusing on the cyber workforce, getting people skilled in cyber, the recent launch event, and the White House fact sheet about it had a lot of different actual, like, tactical programs and support for particular people within the pipeline, including, like, educators, universities, professionals, etc. So I think you're seeing some of it happen, and I think, you know, with the creation of the National Cyber Director's Office, you're, you know, you're getting a focus like a -- like a U.S.-based focus on this, or I'm sorry, a whole of U.S. focus on this, but more -- just more needs to be done.

Simone Petrella: Do you see anything coming out beyond the National Cybersecurity Workforce Strategy? I know that's under ONCD at the executive branch level, but given the situation in the legislative branch, I mean, are we at a point that this will translate into anything we can take a whole-of-government approach?

Tatyana Bolton: I mean, well, I've seen -- I've seen bills from lawmakers on cyber workforce either to invest in cybersecurity training, which is great, or in that -- I've seen a bill on clinics to try and increase the amount of clinics across the country. NSA has also just recently funded for additional clinics. There's also the philanthropy community that I think should absolutely step up here and, like, help to establish some of this infrastructure that's needed for training, for connecting students with -- or connecting graduates with jobs, building out this sort of infrastructure of internships, apprenticeships, fellowships, clinics that can get students actual -- the actual experience they need to get into the field at the beginning or also transition. Google.org gave a donation to a number of veterans groups to do cybersecurity training and help them transition into cybersecurity because that's another great area, right? Like, just look outside of what we currently have and look at people who are trained but just in other professions and see how we can get them in, and so I think -- I think the philanthropy community can play a role there. I think companies obviously have a responsibility, and, you know, we're obviously -- we are eager to help and partner with governments to do more work here. And then, you know, I think the implementation plan from ONCD and the work that CISA's been doing, getting out there, talking about cyber workforce. Jen Easterly, of course, has gone out and is a big presence in the ecosystem, encouraging and inspiring women and girls to go into cybersecurity, which I think is fantastic, just trying to, you know, elevate the profession of cybersecurity and make it hip and cool because we are, you know, hip and cool people.

Simone Petrella: Absolutely.

Tatyana Bolton: Me, obviously. I'm so cool here. I'm cool.

Simone Petrella: I mean, of course, but it's, you know, it's so interesting because when you talk about all these amazing initiatives that are happening across the industry including what Google's doing to increase the pipeline and that, you know, not only the pipeline of cyber talent, but even more diverse cyber talent, it always strikes me that it's not possible to think about that pipeline unless you create room within organizations to allow for those new candidates to actually come into entry-level positions and kind of upskill or give a path for those who are there -- who are there in the companies already.

Tatyana Bolton: Yup.

Simone Petrella: And I'm curious if there's anything even just anecdotally you can share about how Google thinks about talent in a retention sense, because if you don't have a way to retain and pathway people, it's hard to kind of create a world where we can take that entry-level talent and actually grow them into the roles.

Tatyana Bolton: Yeah, well, so Google does a lot, like it helps us significantly with growing our expertise. We've got, you know, great support to get training and upskill, try new positions at Google, so those are all, I think, best-of practices or best practices that Google, you know, currently uses. But I think just generally, you know, we need to -- we need to make sure that we are thinking about, like you were talking about the issue of people coming in the door and, like, some of the requirements, I think there's a number of things we could do there, right? You know, we've got Bachelor's degree requirements, CISSP requirements, five years of experience for entry-level positions. That's just silly. I think we've been talking about this for a long time, but it is inherent on the people who are doing the hiring to take that in and really do strategic assessments of their -- of their hiring documents and the position descriptions to determine whether a CISSP is actually needed for an entry-level position or if you could actually do better for your organization as a whole by bringing in more entry-level talent, helping them, mentoring them. Obviously, that's a really critical component. You can't, like, bring on entry-level talent, not help them along, not do the training because that, you know, presents a number of issues. But if you're committed to the mentorship and the training piece, if you bring in the entry-level talent, you can get -- you can really help a person grow their career and it allows them to grow, develop as a professional with room for, you know, with room for growth, right?
So you don't always -- I think in D.C., you see this a lot in the federal government, everybody's like a 13, 14. They're senior-level policy people, right? They're senior-level technical people. There's very -- there's almost very little room at the beginning. I think we need to address the structural underlying issues, such as those position descriptions, the, you know, the fact that managers are eager to get -- eager to get experienced talent, so we need to address those types of things to make sure that it's easy or easier for organizations to hire that entry-level person, professional, right, and make sure the requirements are reasonable. And then to your point on retention, yeah, absolutely. Like, it's -- you need to have -- I think culture plays a big role in this, too. Like, you've got to have a good culture in order to retain your talent. You need to give people room for growth. You have to allow them training. That helps not only the person, the professional, it also helps your organization, and so I think there's, you know, with some of those things built in, you can do a lot of work. Obviously, CISA has focused on the pay piece, which is great. I think it's addressed some of those problems by putting in cyber pay at CISA, making it more enticing to work there. Obviously, they're competing against large name brands and --

Simone Petrella: Like Google.

Tatyana Bolton: Well, I mean, it is amazing to work here, so, you know, what can I say? But, you know, NSA also has a great recruitment and retention program, right? NSA has almost a best-in-class within the federal government. They, you know, they allow rotations. They encourage -- they encourage training, trying new things. They hire at the entry-level. They grow their talent. So it is possible, right? And so, and I think like there's pockets of this excellence across the -- across the world, and I think we should take some of those best practices and put them into work across the ecosystem, because, you know, CISA has cyber pay, but have they really implemented the rotational part of what makes NSA hiring so great and retention so great? No. And so I think we need to -- we still have work -- we still have work to do and room to grow that, but nothing -- you know, Rome wasn't built in a day.

Simone Petrella: Right. Well, and I think it's --

Tatyana Bolton: I shame myself for having to [inaudible 00:18:59], yup, yup.

Simone Petrella: I'll put it on my bingo card.

Tatyana Bolton: Yeah, we'll see. I was, you know, I said I was cool, right? So obviously, I had --

Simone Petrella: We had to take it down a notch, right. But it's, you know, your point on job descriptions is so salient because, you know, not to sound overly crass, but the amount of times I've worked with organizations on their job descriptions, and frankly, they suck, and it's because people are busy, hiring manager's busy, we take one off the shelf and we kind of repurpose it, and at the end of the day, even though it might take extra effort to get them right, what I hear you saying, and what I kind of see myself, is you have to know where you want to go with those rules before you can create a path or an opening for someone to get into them.

Tatyana Bolton: Well, I think this speaks --

Simone Petrella: I mean, how else do you do it?

Tatyana Bolton: Right. I think this speaks to the need to develop a workforce strategy within your organization, right? If you are -- if you're a -- if you're an organization that's struggling to get cyber talent, which many of them are, you need to think about it strategically. You need to sit down and it should be an executive-level exercise. This is, I think, one of the areas where it goes wrong. There's not executive-level review and investment into the cyber workforce, and I think that is the level at which this needs to be done. With that, you can do a -- do an assessment. Are these the right people? Where are we going in five years? Where do we want to be in 10 years, and what does that workforce looks like that gets us there? Because it's not necessarily the workforce you have today, and, you know, obviously, technology changes. The, you know, the times change. A pandemic happens. Who predicted that one?

Simone Petrella: Right.

Tatyana Bolton: So, like, you -- obviously, and it's a hard -- it's a hard task for companies, I'm not going to lie. It's not, you know, you have to almost look into a crystal ball and, like, but do some, you know, do some data analysis. Cyberseek.org, plug for them, amazing work. They have great data points broken out by sector, broken out by -- broken out by, you know, levels of hiring, so definitely a place to look as a resource as you're trying to do some of this review and analysis for your organizations. Also, one point, because I mentioned emerging technologies, AI, I think, also is definitely a place that will have an impact on the cyber workforce as it will, I think, on most of the workforce.

Simone Petrella: Yeah.

Tatyana Bolton: At Google, obviously, we've been working on and developing AI technologies for more than a decade already, but I think now, you know, there's a really big focus on it, and we are, you know, moving ahead boldly but responsibly, and we, you know, but we see opportunities in the -- in the workforce space, right? For example, how AI can be used in a safe manner. We actually just put out the AI Safe Principles, SAIF, so you can take a look at those, but they talk about how you can actually use the AI to secure your networks and how it can help the defender, right? What defender doesn't have issues, you know, identifying, prioritizing, and addressing the insane number of vulnerabilities that exist and applying patches in a prioritized manner, right? What if we could figure out a way how AI can help that, right? So there's this some of this toil that a lot of people experience and leads to burnout in the industry that we can also think creatively about how we can apply AI to help that. So, you know, I think it's -- there's a lot of opportunity, and I think that, you know, we -- I think we were already looking at -- looking at how to apply these things, so we are -- so there's stuff out there. At DEFCON, for example, we just did an AI Red Team, right? And so we're looking at, like, you know, we're looking at how not, you know, you're just not just -- not just talking about the, you know, the defense of the past, but what it looks like in the future, training those professionals to think about AI, making sure they're engaged, making sure they're aware of the technology, how to work with it, how to address, and then utilize the technology to best effect, and, you know, obviously, from my perspective, to defend our networks and systems.

Simone Petrella: I think one of the things that, you know, I'm taking away just from this conversation is, it's really a multifaceted solution and it's part of a broader security strategy. So we have this talent or skills gap. It's not just about finding more people to solve it. Can we use creative technologies? Can we think about the processes and controls that we put in place as we implement frameworks like Zero Trust. It's kind of this whole of strategy that we have to think about as opposed to just one. So a really, really great point overall.

Tatyana Bolton: Absolutely, yeah.

Simone Petrella: Tatyana, thank you so much for joining me today, and I appreciate all of your insights, and I'm sure the audience will, too.

Tatyana Bolton: Well, I appreciate you having me on. It was a pleasure.