Google Cloud director shares how Google is advancing diversity in cybersecurity

When it comes to building a strong cybersecurity workforce, MK Palmore wants to look where others haven’t. It’s “actually a security imperative,” said Palmore, director of Google Cloud’s office of the CISO, a former FBI cyber branch special agent, and a board member at cybersecurity diversity, equity, and security nonprofit Cyversity.

Palmore is confident an influx of unrealized potential is what cybersecurity needs—a growing concern in an industry that is both too homogenous and in dire need of fresh talent.

Google is a company that has seen its fair share of DE&I-related controversies, ranging from allegations of workplace discrimination and labor retaliation to concerns over the impact of some of its products and contracts. In 2020, internal disagreements surfaced between management and AI researcher Timnit Gebru, a Black AI ethicist who had found faults with its diversity protocols.Gibru claims these disagreements led to her ousting.

In an interview with IT Brew, Palmore said Google has tried to advance diversity in cybersecurity with a variety of initiatives. Those include its Coursera-based Google Career Certificates program, scholarships such as its partnership with Women in Cybersecurity, and Be Internet Awesome, a curriculum that teaches kids the fundamentals of safety online.

This interview has been edited for length and clarity.

What are the biggest blind spots in cybersecurity caused by a lack of diversity?

Technology has now become sort of the backbone of how it is that we grow as a society. And, you know, cybersecurity is a natural component of that—you can’t have conversations about technology without talking about cybersecurity. So, when you think about the user, this [large] group of diverse people, and you think about the people who are creating the technology and subsequently securing it, and you begin to see the disparity that exists between the user and the people who are creating this technology, there’s a natural inclination, I think, to balance that.

Secondly, I would say that, if you’ve been in the security industry for any amount of time, and I have now for a decade plus, the topics of security have not changed radically in terms of the cyber threat landscape and what it is that we’re seeing. So, problem-solving is part of the issue. And if you agree that problem-solving is part of the issue, you have to believe that more diverse groups will bring different answers to the table in terms of solving those problems.

What are some of the most accessible opportunities for people that don’t have a super technical skill set, who don't know a lot about programming?

You can’t come in with zero expectation that there’s not some technical stuff that you have to learn. But there’s a balance…It changes from one domain to the next.

And so, you know, privacy and trust, maybe not a high degree of technical skill required, but you need some requisite level of intelligence in order to engage those topics, because they get to be complex. They tend to have global implications. And when you really get down into details, you need to have some kind of ability to kind of manage information, and at least be able to categorize and make determined determinations about where you’re going to do this. So, that’s one area. Governance risk and compliance is another area where it really toes the line, I think, on your ability to understand technical issues.

In your personal experience throughout your career, what have been the biggest obstacles to DE&I?

Mid-level management engagement on the issue. I’ve seen top-level engagement from the CEO down to executive staff and leadership. But the mid-management level is where the hiring actually takes place. And the challenge is getting those folks on board and believing in the initiative…Those are the folks where the rubber meets the road, they’re doing the hiring, they’re the ones actually, you know, working in a leadership capacity to retain the workforce.

What advice do you have for young people of color, women, LGBTQ+ people, and people with disabilities trying to break into the cybersecurity industry?

Look for organizations for whom this is a matter of importance. If you’re interviewing with an organization, and you ask about what their thoughts are, what their position is on diversity, equity and inclusion…If they don’t have something formal, I would say that probably should be a red flag to you.

So, look for organizations that are engaged in this topic, that understand that it’s important to their business outcomes, and then pursue opportunities with those organizations and ask about it in the interviewing process.—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.