Google looking outside the usual channels to fix security skills gap
'If your input continues to be monoculture, you can expect the same outcomes'
Cybersecurity moves fast. New and bigger threats emerge all the time across an ever-expanding attack surface, and there aren't enough people to fill vacant jobs.
Because of this, "not every organization is hyper-focused on the subject of diversity and inclusion," MK Palmore, a director in Google Cloud's Office of the Chief Information Security Officer, told The Register.
"We as an industry get hung up on looking for folks who have been there, done that, and want talent to jump in and hit the ground running," he continued. "We need to slow down a bit and widen the optics on what represents new talent to bring into the field."
This requires investing money and human resources into training folks who don't come from a traditional infosec background, but Palmore said the payoff is worth it for a couple of reasons.
First, there's the well-documented worker shortage of about three million people. The security skills gap isn't going to close unless organizations hire people outside of the existing cybersecurity workforce. "We can't just keep shipping people from one company to the next," he said.
Plus, diverse people bring different perspectives and ideas about how to solve problems to the table. The infosec community — still mostly male (76 percent) and mostly white (72 percent) — needs diversity to produce better outcomes, Palmore said.
"If your input continues to be a singular focus or monoculture, or typically comes from the usual circles, you can expect the same outcomes," he added. "It's imperative that the cybersecurity industry continues to grow and thrive, and if we don't understand the importance of diversity, we're going to continue misfiring instead of making sure that we can get ahead of adversaries."
To this end, Google Cloud recently partnered with Cyversity, a non-profit that seeks to bring more women and underrepresented minorities into infosec jobs. Palmore also sits on the Cyversity board of directors. And together with the SANS Institute and Palo Alto Networks, the org and the cloud giant announced the Cyversity SANS Diversity Academy, which will provide free education and training in an effort to place around 200 women and underrepresented minorities into cybersecurity jobs.
Women of all ethnicities plus Black, Latinx, and Native American men can apply to attend the six-month-long program until November 23.
This mission is also personal to Palmore, who arrived at Google, and in a CISO role, from a non-traditional background.
From FBI to Google Cloud Office of the CISO
Palmore grew up in Washington, DC, and after high school he attended the US Naval Academy, which had been a long-time dream of his. After college, he served in the Marines for five years, and then joined the FBI.
"I showed some interest in the FBI at a local field office in San Diego, and they jumped at the opportunity to recruit and bring in an African-American Marine Corps officer that was an Annapolis graduate," Palmore said.
The FBI assigned Palmore to the Los Angeles field office, where he "worked all the traditional cases" assigned to new agents like bank robberies and domestic terrorism. It wasn't until he moved to the Sacramento Division that he worked his first cybersecurity case.
"It was the mid-2000s, and the FBI was in the throes of understanding how the internet and technology was being used for terrorist communications," he remembered. "I had a fairly average terrorism case assigned to me."
By "average" he means the technology being used by the terrorists was complex, but the case itself wasn't a well-publicized one. "But because it had such a huge technology component, it sparked a fire in me," Palmore said. "I understood that this field that I was always interested in and wanted to get into was available to me through my experience as an investigator in the FBI. So it opened a whole new door for me."
After that, he started taking every security training course that the bureau would allow and working more cyber-related cases in the field.
Palmore retired from the FBI in 2019 after spending over 32 years in the US government, and got a job at Palo Alto Networks in a CISO advisory role. He made the jump to Google Cloud last year.
'Go where diverse talent is'
At Google, he spends a lot of his time talking to other organizations' CISOs. Obviously, cloud security is a frequent topic of discussion. Diversity and inclusion — how to hire and then retain women and minorities — should get equal airtime, Palmore said.
Instead of waiting for workers to find the industry, "you gotta go where the diverse talent is, and make them aware there's an opportunity available to them," he said. "When I say go where they are, I'm talking about college-level folks who are women and underrepresented minorities who maybe would have never considered a career in cybersecurity. I'm talking about mid-career transitioning folks who are looking for a new opportunity in an industry that represents growth and is going to be around for a significant number of years. That is cybersecurity."
Within the industry, there are enough "subdomains" that don't require a background in coding or software development, he added. "Part of the challenge is we just have to do a better job of exposing folks to the opportunity and then subsequently getting them trained."
Diversity Academy opens its doors
That's where the Cyversity SANS Diversity Academy comes in. Applicants must be at least 18, not currently employed in a cybersecurity role (other IT jobs are OK), and have residency status in one of three regions: North America; South America; or Europe, the Middle East and Africa.
Selected participants will receive a scholarship to attend at least one training course, plus certification, at no expense. Phase one of the six-month program includes vendor training, where applicants receive access to Google Cloud and Palo Alto Networks training. Applicants selected for phase two will attend the SANS foundational SEC275 training course and receive GFACT certifications. And finally, those who move on to phase three will take more advanced SANS courses and receive GIAC certifications.
SANS offers several other similar "immersion" academy programs that provide technical training, and claims 90 percent of graduates land new jobs in cybersecurity within six months of completing the programs.
The training org partnered with Cyversity on a pilot program limited to California before rolling out the larger Diversity Academy, said Max Shuftan, director of mission programs and partnerships at SANS.
"What we hear when talking to customers, it hurts them when teams aren't diverse," Shuftan said. "It makes their culture weaker and less strong. As a result, they have issues with retention, they have issues with recruitment. And with these vacancies, they're at more risk of threats and breaches."