National security cyber issues and Stanford’s cyber policy program
Guest AJ Grotto is the William J. Perry International Security Fellow and founding director of the Program on Geopolitics, Technology and Governance at the Stanford Policy Center and Stanford University. Grotto has served in the National Cybersecurity Council under two successive presidents and brings decades of knowledge in international relations, policy and risk both to his students and to clients in his private sector consulting work. Grotto tells us about the current state of international cyber risk and response, gives his tips for students just getting started in international policy and why a suspicious-looking email took him away from the law profession and into the security space.
0:00 - National security cyber issues
4:04 - How AJ Grotto got into cybersecurity
7:10 - Grotto's work in the National Security Council
10:25 - Skills used in the National Security Council
14:35 - Working at Sagewood
17:00 - Global trends in cybersecurity
19:00 - Economies down; cyber crime up?
20:17 - Cyber risk work at Stanford
23:10 - Cybersecurity students at Stanford
29:46 - How to take Grotto's class at Stanford
31:25 - Federal Zero Trust directives
34:49 - What to research for national security work
38:09 - Important global cybersecurity topics
40:06 - Learn more about Grotto, Stanford international policy
41:07 - Outro
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
Transcript
Chris Sienko
Today on CyberWork, I speak with AJ Grotto, the William J Perry International Security Fellow and founding director of the program of geopolitics, technology and governance at the Stanford Policy Center and Stanford University. Aj has served in the National Cyber Security Council under two successive presidents and brings decades of knowledge in international relations policy and risk both to his students and to clients in his private sector consulting work. Aj tells us about the current state of international cyber risk. In response, gives us his tip for students just getting started in international policy and why a suspicious looking email took him away from his law profession and into the security space. It is a new twist on the cybersecurity origin story and you don't wanna miss it, or miss this episode of CyberWork ["CyberWork"]. Welcome to this week's episode of the CyberWork with Infosec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of Infosec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry. My guest today, andrew Grotto, is the William J Perry International Security Fellow at Stanford University and the founding director of the program on geopolitics, technology and governance at the Stanford Cyber Policy Center. He serves as the faculty lead for the Cyber Policy and Security Specialization in Stanford's Ford Dorsey Masters in International Policy Degree Program and teaches the core cyber policy course for the specialization. He is also a visiting fellow at the Hoover Institution. He served as a senior director for cyber policy on the National Security Council during the Obama and Trump administrations from late 2015 through May of 2017.
So today, as you would imagine, we're going to take advantage of AJ's considerable knowledge around geopolitics and security and we're going to talk all about that today. So, aj, thanks for joining me today and welcome to CyberWork. Thanks, chris, good to be here. So you had a long history, obviously, of security innovation and analysis, and you had a set of security policies you know, across a broad spectrum of federal sectors, from health care and consumer cybersecurity and critical infrastructure, and two presidential administrations. So my first question is what was the initial moment or inspiration that started your full immersion into all things cybersecurity? Was there a formative experience in tech and security that caused you to pursue this path so passionately?
AJ Grotto
Yes, there was actually. So, by way of background, I'm a lawyer. By training and coming out of law school, my goal was to be a law professor. My area of expertise was international trade law and my plan was to go to Washington DC, spend a couple of years, maybe working on the Hill, get some policy experience and then go on the academic market for law professorships. So I moved to Washington DC with that in mind and while I was looking for a full-time job, I thought it'd be a good idea to intern, spend my time, you know, instead of sitting at home, you know, hitting refresh on my email for leads, Right.
And so I ended up, you know, interning at a think tank called the Center for American Progress, which was brand new when I started. Originally they wanted me to work on some trade issues, but eventually, through some twists and turns, I ended up working on nuclear non-proliferation policy. So how to deal with, you know, nuclear programs in Iran or with Korea, what we should do in the United States with our own nuclear arsenal, and I worked on that for about five years and this now we're sort of hitting 2008,. Frankly, was getting kind of bored with nuclear non-proliferation not because it's not an exciting issue and the stakes are high, but I just felt that the playbook for proliferation crises has kind of already been written, yeah, and so you know when something happens, You're basically just, you're kind of maintaining something rather than innovating.
something new is that it yeah, yeah, and so I started. I got to thinking about okay, what's an area that I can jump into where it's a little bit more of a green field as far as policy goes? And as I'm thinking this through, I get an email from my boss at the time, John Podesta and at least the email was purporting to be from John politely asking me to read a new report on Russian nuclear forces. And I could tell immediately from the tone of the email that this was not from John. So I forwarded it to our IT staff and, sure enough, it was an attempt by the Chinese PLA to hack into our systems.
And, as we later learned, there was a whole campaign by Chinese military intelligence to hack into think tanks in Washington, as well as both the Obama and McCain presidential campaigns, and so that was my moment where I was like huh, maybe the cyber thing is where I should go.
Chris Sienko
Yeah, interesting.
AJ Grotto
That was the moment where I sort of light bulb went off, and here I am.
Chris Sienko
Yeah, I bet the person who sent you, or the bot that sent you that attachment didn't know what was happening in terms of what it would turn you into. It's like the it created a monster.
AJ Grotto
Yeah, it was the radioactive spider that launched a whole line of comic books here.
Chris Sienko
So, moving on to that, your career history includes some amazingly high profile positions within US government. You mentioned a little bit about that, including senior director for cybersecurity policy at the National Security Council, advising two successive presidents on digital technology, innovation, geopolitics and risk, and you also led senior level teams to develop and deliver presidential priorities. So, without violating any NDAs or anything, could you break down what the actual nuts and bolts of those tasks were? Were you conducting independent research? Were you making specific recommendations? Were you implementing these recommendations? Were you using both?
AJ Grotto
So the mission of the National Security Council is to coordinate National Security Policy across all the different parts of the government. Okay, then, to serve as an advisor for the president and so that that that was my job. And in cyber policy, where my main area of focus Was on more the defensive side of cyber policy, so coordinating the defense of US critical infrastructure, so your banks, healthcare, you know communications and whatnot, and then you know advising, you know coordinating policy to some extent on on sort of the dark side of cyber, the offensive side, but really focused on on defense. I like defense. I played football, you know, when I was younger and defense was always my favorite.
You know side of the ball and so what, what that means practically speaking, what what coordination means practically speaking is when there's a point of problem emerges.
You know a, you know a Russian hacking campaign against the electric grid, someone needs to bring together all the different parts of the government that have some something to contribute to solving that problem right. So that could include law enforcement, including could include the Department of Homeland Security, which has responsibility for critical infrastructure, the Department of Energy, which has a lot of expertise and regulatory authority, and energy, as well as the intelligence community in the military, and what what the senior director does is working with, with, with, with colleagues at these different departments and agencies is try to develop options for the president, and there's a whole sort of you know command structure that this process follows. So We'd we would develop options for deputy cabinet ministers that would then go up to you know sort of the, the cabinet, the heads of departments, so the Secretary of State, secretary of Defense, and then on to the president and and that's the way the system works. So in some sense my job was hurting cats, mm-hmm right.
Chris Sienko
So you were yeah, yeah, I was gonna say it was. It's a lot of Getting the sort of tops of each organization to all sort of get into one room together, literally or figuratively, and come to an agreement. And then it sounds like you were kind of so. You had like a set of like okay, we could do plan a, plan B, plan C kind of thing for the president, and then they that's fine off on it kind of thing.
AJ Grotto
That's right, yeah, yeah, and then we would also soup.
Chris Sienko
We would also know make sure that that there was follow-through, right, yeah, the president's vision is that actually things were actually happening, yeah, so I, no matter how high the you know, the the job title is or the the responsibilities are, I'm always Dying to sort of break it into sort of individual skill sets and tasks. So, like, what areas of your skill set got the biggest workout when you were doing this type of work? Like, what was, what were the parts that really you felt yourself stretching to sort of make this all work?
AJ Grotto
Management and you know, building leadership right, building coalitions, trying to identify points of consensus that you could build on when, when there's broader disagreement. You know my experience most cyber security problems, whether they're at sort of that level of national policy or at the level of an enterprise, often involve, almost always involve, humans in some form or another. Right, I think they're. They're human problems, not necessarily just straight, just technical problems. And so you know, having sort of human skills, knowing how to deal with people, knowing how to communicate effectively, all of those skills were, were key to Performance in that, in that role, gotcha.
Chris Sienko
So yeah, okay, that's great. Do you, do you feel like, for instance, your, your law background, like in terms of like crafting, like the arguments, or do you feel like you it was, it was okay, you knew what you needed to get done.
AJ Grotto
It was just a matter of getting people to sort of agree with you um, I, I'm a big fan of law school, yeah, even if even if you know, graduates don't necessarily practice law because, I think it's great training, especially for policy roles where you know you're you're having to make arguments, adjudicate arguments, all in a legal context, right, you know, at the end of the day, you know we want to do what's so legal, not what's what's not legal, yeah, and so having you know, having sort of that, that muscle memory and sort of you know in place, is, I've always found to be really valuable. Obviously, law school is not for everybody, but for me it really kind of hit the mark in terms of my, my professional development.
Chris Sienko
Yeah, and and clearly, starting somewhere that's not heavy tech is not necessarily a barrier to entry into heavy tech. You know, roles later on in life, because again, we have a lot of people who are taking their first you know, either bold or trepidatious step into cybersecurity from other career points and so including law, obviously. So, yeah, always, always good to hear those types of Anecdotes and and experiences and so forth.
AJ Grotto
So just to pick up on your point, you know. I mean there are, there are certain job functions in cyber policy that are technical, right, and you need technical skills in order to fill those jobs, but there are awful positions that aren't. They may have a technical dimension, but they're not strictly speaking technical, technical jobs. And so you're returning to my example of Russia in the electric grid. This is an example, or hypothetical. That's a Russia problem as much as it is a cyber problem, and so you know, the skills that that that must be brought to bear on a problem like that include understanding how Vladimir Putin thinks, or at least trying to understand how he thinks, understanding their vulnerabilities, not just in the cyber sense of the word, but politically and economically, and having a sense of what would we need to do to shape their behavior. That's a Russia problem, not necessarily, not strictly, a cyber problem.
Chris Sienko
Right, but conversely to that, you still need to have enough of the tech knowledge to not that your theories of how to solve a Russia problem are not so disconnected from the actual technical implementation of it that they're like no, we can't do that, you're talking about magic there.
AJ Grotto
Well, yeah, even if the policy response is an economic sanction, for example. Yeah, for we want our policy responses to be proportionate, right, in some sense of the word. Yeah, we don't want to overreach, we want them to be proportionate. And it takes some technical skill to be able to evaluate a risk, a cyber risk, and determine okay, how real is this? Because that then determines or shapes what a proportional response might look like.
Chris Sienko
Yeah, okay. So, following your time at the National Security Council, you started too back to back projects, both of which you maintain to this day. One is behind you on your wallpaper. You're, first of all, you're president and CEO of Sagewood Global Systems, where you advise international clients on emerging issues involving digital risk, including cybersecurity, ai and machine learning, risk management, data, governments, cfius and export controls, as well as helping C-Suite develop and implement integrated enterprise strategies for managing digital risks. At the same time, you became director of a program on geopolitics, technology and governance at the Stanford Cyber Policy Center. So I want to move there next, but I want to start with Sagewood, if that's okay. I'm wondering if you could walk me through the types of services and work that you do with your clients at Sagewood. Are these enterprises that already tend to have a solid security policy and strategy in place?
AJ Grotto
So my clients tend to be companies that want to exert thought leadership and cyber policy. Okay, that's one category. The other category are companies who understand that their business is affected by cyber risk and perhaps digital risks more broadly, including regulatory risk, for example, and they want some help or advice navigating those issues. So in that first category, sort of the thought leadership piece, I will help executives prepare for high-level meetings at places like the World Economic Forum, davos. I will help companies prepare and submit responses to requests for information that regulatory agencies put out when they're vetting a new regulation. So it's helping the company engage in the policy process and show some thought leadership when it comes to risk advisory there, oftentimes explaining geopolitical dynamics. As an example, I was in Hong Kong last week where I met with a variety of private equity clients to talk about US-China policy, to talk about AI trends in AI regulation in China as well as the United States and Europe. So those are the two main baskets of issues.
Chris Sienko
Okay, I mean, within that realm, is there anything again keeping it safe and secure or whatever that you're seeing? That's particularly interesting right now in terms of global trends or things that you're monitoring, I should say, I guess, especially closely.
AJ Grotto
Well, we're in the midst of a surge of activity by governments to regulate cybersecurity. Just today, for example, the FDA the Food and Drug Administration's cybersecurity requirements for medical devices landed, and so we're seeing not just the US government but governments around the world put a lot of thought and effort into regulating cyber risk, and this is a relatively recent phenomenon. For many, many, many years decades really it's been a little bit of a wild west when it comes to cyber risk management and government. We've sort of left it to the private sector to determine for themselves what is an appropriate level of risk to accept or not, and that model works great for most businesses. But when we're talking about critical infrastructure we're. The risks to the society are much higher than the equation changes, and that's where we're seeing a lot of big changes.
I'll share with you something I picked up on my recent trip to Hong Kong that might be of interest to listeners. I've been following China for many, many, many years and there's always been this sense of excitement about the Chinese market. This trip I have never encountered such a dark mood towards the Chinese economy as I did on this trip A lot of talk about pulling money out, moving it elsewhere, and so that was a pretty striking finding from my visit to Hong.
Chris Sienko
Kong In terms of the sort of like crisis points like that. I'm assuming that that changes the landscape considerably in terms of like you start, you know, I feel like when economies start going down, maybe that country cybercrime starts going up, especially towards, like, other countries. Is there any sort of like relationship like that, like there is with, say, like North Korea and Lazarus Group, or whatever, the Chinese are so active already that it's hard to imagine them getting more so okay.
AJ Grotto
Yeah, you know, I heard an anecdote from an FBI agent out here in Silicon Valley who said that something like 60% of China's industrial espionage budget devoted to the United States is aimed squarely at Silicon Valley. You know, and so I mean that is. That is a huge amount of resources.
Chris Sienko
Yeah, that's our oil field, basically.
AJ Grotto
Yeah, yeah, that's right. So I do think that those trends matter for things like the startup economy in China, where we will probably see a dip in early stage investment, which matters for innovation and cybersecurity in other areas.
Chris Sienko
Okay, now I'm turning to your work at Stanford. How, if at all, does your research and work with students around these same topics of emerging technology and cyber risk and geopolitics and policy carry over to your work at Sagewood? Is there a situation where your research that you're doing with your students at school is something that carries over into your work or vice versa, things that you learned at Sagewood is something you can teach your classes?
AJ Grotto
Yeah, there are definitely synergies between the two lines of effort. I have to be very, very careful to keep them separate, in the sense that I don't I'm always very clear about what hat I'm wearing when I'm engaged in some activity, especially when it comes to research. There are ethical issues. I want to make sure I'm on the right side of conflicts of interest, issues that I want to make sure I'm on the right side of. I mean, though, it keeps me fresh and engaged in quote unquote the real world, and I do bring that experience to my students. I think it enriches the classroom experience. And then my research at the university on digital risks does inform the way I think, obviously, and advise clients on other things. When it comes to the financial side, plus how I credit and sign works, I'm very careful about maintaining that firewall of sorts.
Chris Sienko
Gotcha, gotcha At the same time. It sounds like it's a way I guess that happens with a lot of professors you use your research to keep your, because otherwise you're just teaching the same thing over and over and you get stagnant and stuff like that. So it's a way of keeping the water moving, I suppose.
AJ Grotto
Well and it helps me. So the class that I teach that you mentioned at the top of our conversation, fundamentals of Cyber Policy is a survey style class. Okay, meaning I have to cover a lot of ground, and making matters even more challenging is Stanford is on a quarter system, which means that our academic unit is a quarter, which is 10 weeks, compared to a semester which is 16 weeks. I got to pack a lot of material into a much shorter period of time and that means I have to curate the course pretty carefully, and my engagements outside the university, whether that's through the consulting world, whether that's advising you continue to advise informally parts of the US government and the Hill, the Congress on legislation helps me understand. What should students be learning about? How do I help them stay current? Because I want them to be able to get land killer jobs when they graduate, and that depends on many ways, on them being current and hitting the mark in terms of what employers are looking for.
Chris Sienko
Well, good, that moves into my next question perfectly, because I was just about to ask about your program at Stanford and I guess I'm curious to know what type of works or positions are these people taking these classes trying to enter? Are your students primarily security professionals that are already in the industry, or is there a range of experience or ages to your students?
AJ Grotto
Yeah, there's a range of experience. Most of our students tend to come to us with a few years of work experience. I think the average age of our student is mid-late 20s. They come from a variety of backgrounds, ranging from former US military to current diplomat with the foreign government's diplomatic service and then, of course, students who come from the private sector and maybe want to stay in the private sector. So it's a very diverse group. It's very international. Something like 40% of our students are international students, which I think enriches the classroom experience because these issues are international. It's an international affairs program on top of that, so I'm having that diversity. I think enriches the program.
Chris Sienko
Yeah. Is this primarily an in-person on campus class, or do you have a virtual component?
AJ Grotto
as well. It's in-person, it's a two-year master's degree program and, if you've ever been to Stanford's campus, being on campus is a feature, not a bug.
Chris Sienko
Yeah, of course it's amazing campus, sure, sure, absolutely.
AJ Grotto
So students want to be here teaching. We taught remote during COVID and it was for, I think, all students a challenge in the classroom.
Chris Sienko
Hey, cyberwork listeners. I just wanted to remind you again that if you book a live online bootcamp from Infosec by December 31st 2023, you'll get $500 off the price. There's no promo code needed. Just book your bootcamp before the end of the year and it'll be $500 off the normal price. So AJ Grotto's background is in international cyber policy and he's a top-level guy. Obviously he's worked under several presidents. But one common stepping stone to this type of work is cybersecurity compliance, which is why I want to walk you through ISC Squares CGRC certification and our bootcamp for it. The stands for certified in government risk and compliance. A knowledge of these frameworks and policies is crucial for information security, information system security officers, senior system managers, system admins and anyone else wanting to learn more about the NIST-based information system security authorization process. So a couple of key points. I want to pull up the bootcamp and sort of show you what you will be learning in our CGRC bootcamp here. So to start with, I want to say that there is indeed a prerequisite here You'll have to have at least two years of paid work experience in at least one of the seven domains listed in the ISC Squared CGRC common body of knowledge, and those include information system, information security, risk management program, scope of the information system, selection and approval of security and privacy controls, implementation of security and privacy controls. Assessment, audit of security and privacy controls, authorization and approval, information system and continuous monitoring. If you've been doing one or more of those for more than two years, you're golden. If you have not, you can still take the test, but you will only be an associate level certified. So really put the years in first and then come to us for CGRC or just learn it. Do what you want to do. This certification is USDOD 8570.1 approved and ANAB accredited for the ISO IEC standard 17.024. So this is a three day boot camp. You'll start out with our InfoSec Skills platform and do the CGRC prep course. This will help get you get your feet wet, but you know what you're going to be learning for these three days. Day one In the morning and afternoon, you'll be doing risk management framework, which includes categorization of information systems, security control, implementation and monitoring of security controls. As always, in the evening you'll have optional group or individual study time, which means if you don't feel like you completely understand the thing, you can jump back into the meeting area and talk with your fellow students and make sure that everything has stuck the way you wanted it to. Day two, you'll be categorizing information systems in the morning, including information system system security plan, categorizing a system, privacy, activity system, boundaries You're starting to get the full picture of it and in the afternoon you'll be selecting security controls, including setting a security control baseline and learning risk assessment as part of the risk management framework, which, if you're not backwards and forward on the RMF, you will be. After this, again in the evening, you'll have optional group or individual study.
Day three implementing security controls, including implementing selected security controls, tailoring of security controls and documenting of security control implementation. Also, in the morning you'll be assessing security controls and then in the afternoon you'll be authorizing information systems. This is where you're going to really learn how to take charge. You're going to be determining risk. You're going to be determining the acceptability of risk, which is going to be very crucial because you have to know what the acceptable risks are in order to do business. Then, very crucially, you will be working with learning how to obtain security authorization decisions, which is going to really set you into a leadership track. Then, following that, you'll be monitoring the security state, including conducting ongoing remediation actions, updating key documentation, decommissioning and removing systems and more. Of course, you'll be doing group and individual study in the evenings, if you wish.
Then, following that, it is time to take the exam. Of course, we offer a 93 percent. Okay, we offer an exam pass guarantee. We have a 93 percent pass rate on the first try. If, for some reason, you do not pass your exam on the first time, we will give you a second voucher to take the exam a second time. Whether you serve as a security counsel under a US president or you stick to other NISP-based Information System security authorization, it's very important to know that knowledge of governance, risk and compliance frameworks and policies is a springboard to an amazing number of security jobs and career tracks. Again, to start the first or the next step of your career, go to infosecinstitutecom free and browse the live online bootcamps. Register before December 31st 2023 and I can't stress this enough, it is $500 off. Back to the show Now we don't want to go back to that?
No, absolutely not. Fingers crossed. It sounds like there's at least a baseline requirement in terms of existing knowledge or degree. I mean, what is the pre-knowledge barrier to entry to taking your class? Where should they be in the hierarchy in terms of X number of years, or X number of skill sets or degrees or certifications or anything like that?
AJ Grotto
Well, so students have to have their undergraduate degree. We don't really care what degree they come to us with, as long as they have some quantitative skills which students find different ways to express. The program does not presume any technical knowledge in the part of the student. Okay, our expectation is that students who are facing a little bit of a deficit when it comes to their technical knowledge could pick that up during their time at Stanford, either through coursework or. I always encourage students, and I encourage your listeners too.
I mean, coursera has some really good offerings. I've tested some of them myself and I think they're like the Python class. I forget now who teaches. It is excellent, so I'll point students to those resources. But really we don't require any specific technical background. It's a policy program. We want students to be able to tackle policy problems. It's not a program we're not going to train students to go be CIOs, for example. Now, students may go into that role if they have the right background already or they pick that experience up after they graduate. But that's a more technical role than I think we're preparing students for Got you.
Chris Sienko
So because a lot of our students and listeners are currently or plan to practice cybersecurity in the US military or the federal sector, or even just a vendor to these sectors. We've covered a lot in recent episodes about certain recent directives towards moving the Pentagon, for example, to 100 percent zero trust model in a very short period of time, as well as the larger but slower directive to do full asset discovery across all bureaus of the federal government across the coming years, and I know you're not currently with National Security Council, but do you have any thoughts I don't know if you're following these Do you have any thoughts on these directives? Are there other policies in this style that you think need to be fast-tracked to face some of the emerging threats around the world?
AJ Grotto
I know I support all those policies and I think the only way to get them done is to put them on a fast track, otherwise they will. They will always be second, they're always going to be next quarter's priority. Yeah right, exactly, exactly. So fast tracking them is really the only way to go. You know, patching cadence is a really hard challenge for all organizations, for all large organizations. That's an area where I think the federal government continues to have work to do. Dhs has put out these binding operational directives that direct agencies to patch all known vulnerabilities, but there needs to be follow through and continued care and feeding of that, which I know the administration is doing. But it's one of those issues that needs to be fast, needs to kind of constantly be on a fast track, because one of the most common ways that bad guys get into systems is not through zero days but by exploiting known unpatched vulnerabilities.
Chris Sienko
Right, yeah, we've also had all episodes about that. The you know, pardon my French, the patch, your shit approach you know, but you know when you're looking at hundreds of thousands of unpatched vulnerabilities and stuff there also is that you know that notion of like knowing exactly all the actual entrance spots, rather than you know to use another guest's very excellent comment you know putting a perimeter fence around your garbage. You know, but you know obviously that's. That's all part of this sort of larger directive.
AJ Grotto
I know, in terms of prioritization and expediency, like you said, yeah, and I would add I mean we're, we're continuing to treat the symptoms of a disease and where the disease is, insecure software. And you know, I know that as an area where the administration is starting to devote a lot more attention. This is a key theme in the national cybersecurity strategy the idea that software vendors really need to step up and put out more secure products. And look, I, you know, I think Microsoft in particular has some work to do here, given that, you know, something like 85% of the federal government's productivity market is sort of serviced by Microsoft. The dominance is even greater in operating systems, and so, you know, I think the vendors have to do a much better job putting out secure software in the first place, and I was, I was delighted to see the administration call that out in the national cyber strategy that came out earlier this year.
Chris Sienko
Thanks, that's good to hear, glad to hear you're. What you're seeing looks like it's a, to some degree, another on on the right track. So so for listeners who plan to work towards this type of security work, who might be still further down the ladder, especially around international policy, risk and geopolitics, so I think we should talk about the type or places where they should be doing research, what they should be getting up to speed with very quickly in order to start moving into this type of work, because I know a lot of people feel like they're you know they're juggling a lot of balls all at once and then, once you start adding things like like policy and and, just like you said, bleeding edge technology and, and you know, escalating threats and stuff like, where would you, where would you start if you were looking to get started learning?
AJ Grotto
about this stuff today. You know it's a tough question to answer because I'm not going to stop me from answering it. But the reason why it's a tough question is there are so many different career paths in cyber security that it's difficult to generalize. Yeah, and I don't want to leave your listeners with with the sense that there's sort of this flow chart, you know diagram that they, if they follow it, they will, you know, land where they want. Because when I talk to students, my question back to them is okay, well, what do you want to do? Right, I mean, what do you?
What are the types of things you're interested in doing? Are you interested, if you're interested, in doing sort of deep dive forensic work, well, that that's. That's a career path, right, and requires you know a set of technical skills. You know understanding of adversary trade craft, you know. Knowing, knowing how to hack, because you know you have to think like a hacker or you could be a great forensic specialist. Or are you interested in developing, in developing offensive cyber operations, where you know there's still a lot of technical skill, but now you have to also understand, okay, you know, how do you, how do you translate?
you know, say, military requirements into cyber speak, you know into cyber operations, which is you know which is a, that's a, that's a, almost a management skill, and so you know. So there isn't, there isn't you know, a single path Right For people who are just getting started. I think there are a lot of really interesting books out there that that are relatively light reading, that can give readers a real kind of feel, their flavor of the field. You know, nicole Pearl Ross book this is how they tell me the world ends is about zero, the mark, the black market for zero to exploits. That's a great book, david Sanger's book I'm not totally blanking on the name but it, if you, if you go to Amazon or your neighborhood bookstore and you look, look for David Sanger he's a New York Times reporter You'll find his book. Kim Zetter's books are all really good. So these are all options to take a look at and I think you know is that new Cold Wars or the perfect weapon the perfect weapon, yeah, the perfect weapon, fear and the average, okay, perfect weapon.
And what? What? What I like, what those books are good for, is readers will see lots of different jobs portrayed in those right, yes, in those books, right. And so if there's a character, you know a person in those books who wow, like that, that's exactly me Interesting, that's me, that's what I want to do. Well then, you've got, you know, you've got a little bit of a model to follow and potentially reverse engineer.
Chris Sienko
Yeah. So as we start to wrap up this episode today, aj, can you leave us with some aspects of global cybersecurity in the news, or that you're watching? That we should all be keeping an eye on, even if we're not actively working either in the government sector or in policy.
AJ Grotto
Yeah, I guess I've been involved in an effort to think about liability for insecure software, and so the way that that you know software has been sold historically is on a license, or as is meaning that when you purchase the software, the, the vendor is disclaiming all warranties, so the software breaks, they have no obligation to do anything about it, and the thinking is that, well, for certain parts of the economy, particularly critical infrastructure, that model isn't good enough and the question becomes OK, if we, if we want vendors to produce more secure software, one of the incentives is is you know, and this is you can explain an awful lot of auto safety right, which has come a long way in the last 60 years.
On this basis, in terms of liability and the threat of liability. Now, this is a really hard problem because, you know, a threat of liability, if calibrated improperly, could have a real nasty impact on innovation. And so this is a, this is a. Really I don't want to I can't, you know, sort of overstate how hard a problem it is, but it's one that I think we need to start to tackle. And so I think that the, the by the administration, is also called out in the national cyber security strategy, and so you keep your eyes peeled for more talk. I think your listeners will start to hear more talk about this issue in the coming six months or so. Yeah and so, but that that that's been. That's been top of mind for me.
Chris Sienko
That's great. That's a great place to wrap it up here. So thank you for your time today. If we have one last question If our listeners want to learn more about you, a G grotto, or your, your program at Stanford, or you know your organization, where should they go online?
AJ Grotto
If they want to learn more about our program. The program is called the Ford Dorsey Masters international policy program. If you just do a Google search for international policy, stanford, you'll, you'll, you'll. One of the first links will be our, our website, our website. Take a look if you're interested at the intersection of cyber policy and international affairs. I think we are the best program in the world. Say that in all modesty. So check us out. It's an amazing program. Plus, you get to live in beautiful, sunny Silicon Valley. There you go.
Chris Sienko
I mean, do you have a personal online presence yourself? Do you LinkedIn? Do you, do you? I?
AJ Grotto
linked in. Yeah, and then my company is. Website is sagewood dot global. If people are interested in that.
Chris Sienko
Perfect, all right, well, thank you. Thanks so much for your time and insights today. Thank you, thanks, chris, and thank you to all of our cyber work listeners and video viewers, whether it's your first episode or you've been with us since the beginning. We're grateful to have you along for the journey, and if you have any topics you'd like to have us cover or guess you'd like to see on the show, drop them in the comments below. Before I let you go, I just want to I hope you'll remember to visit info second stutecom slash free to get a whole bunch of free and exclusive stuff for cyber work listeners.
This includes our new security awareness training series, work bites, which features a host of fantastical employees, including a zombie of empire, a princess, a pirate and an alien making security mistakes and hopefully learning from them. It's an hilarious and entertaining way to make sure you and your employees understand key security awareness concepts, so check it out. Also, info second stutecom slash free is the place to go for your free cyber security talent development ebook. Check out the in in depth training plans for the 12 most common security roles, including sock analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more that and everything else can be had once you get yourself over to info. Second, stutecom slash free, and I guess that this link is in the description below as well. Thank you once again to AJ Grotto, and thank you so much for watching and listening, and until next week. We'll see you soon. Take care now.
Subscribe to podcast
How does your salary stack up?
Ever wonder how much a career in cybersecurity pays? We crunched the numbers for the most popular roles and certifications. Download the 2024 Cybersecurity Salary Guide to learn more.
Weekly career advice
Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.
Q&As with industry pros
Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.
Level up your skills
Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.