Podcast Season 7 Episode 1 – Tatyana Bolton with R Street Institute
Tatyana Bolton is passionate about cybersecurity, diversity, and our nation’s security. Listen in on a dynamic conversation that covers her career, what she is thinking about in the latest Executive Order from the Biden Administration, and how she is #MakingSpace for a diverse workforce and voice in the cybersecurity space.
Welcome to Neo Cast. Join us each week as we discuss challenges in government contracting, strategies, and solutions for your businesses. We’ll dive into managed IT, cybersecurity, workforce advancement, and much, much more. Sharing is caring, and we’ve got top-shelf advice to help you navigate today’s biggest challenges. Let’s get to it.
Hello and welcome, everybody, to another episode of Neo Cast. We are starting off a new podcast series and our first guests, Tatyana Bolton with R Street Institute is here with us today. We aim to have this series to be a little bit more conversational and just getting to know more individuals in the cybersecurity space, not only about their career but what they’re really passionate about right now, and certainly what’s on everybody’s minds, the executive order that’s been brought in over the last couple of months. We’re about 40 days into it. And there were quite a few deadlines that were put in that.
So we’re curious to hear from Tatyana on what she thinks about some of the initiatives that were brought up in that executive order. But to start out, Tatiana, I think it would be great to just get a little bit more history on you as a person, as a professional. How did you end up here at R Street Institute?
Well, thank you for having me. It’s a pleasure to be with you today. I came to our R Street from the Cyberspace Solarium Commission where I was a policy director. And I focused there on resilient government reorganization type efforts, including some efforts on encryption and data security, data privacy, and, for example, the National Cyber Director recommendation, which I worked on diligently for several months as we worked on the reports that were going to Congress after we published our official report in March of 2020, right before the pandemic. Literally had our last event the day before everything closed. The Friday before the world went into lockdown. So there was-
So it was an interesting time to start a report that, to be fair, led to a 25 recommendations going into the National Defense Authorization Act, NDAA, last year, which was fantastic. It’s probably… I’m extremely proud to have served on that commission as… I think it was one of the most successful commissions over the last half a century. And before that. I was a cyber policy lead over at CISA, the cybersecurity agency, working on all types of cybersecurity policy for the government. And before that, I was at DOD. Not working on cyber there, but various other program management position. So it’s been interesting, but I love being here at R Street. It is a fantastic group of people. So a fairly quirky place.
We all have… As I just walked into the office for the first time today, we have little south park avatars that we create for ourselves. I just saw my avatar, which says, “I do the cybers.” But it’s… Yeah, it’s great. We’ve got a lot of freedom to focus on various issues and cybersecurity and I’m really enjoying the work.
Awesome. So R Street Institute, as I understand, is a public policy organization focused on free markets and limiting government within reason. And so this is a really interesting position that you’ve been within inside the government, working on cybersecurity policy. Now you’re on an outside organization looking in and trying to make policy recommendations, I’m assuming, towards how we handle cybersecurity in the future. We have a May 12 executive order That’s come down from the Biden administration around cybersecurity. Why don’t we kick off there and maybe if you can interweave a little bit about how your perspective of coming from inside the government into now this policy advisement role, if you will, and how you look at that executive order?
Yeah. It’s a big step. A really big step towards securing federal government networks and sort of setting the stage for stronger cyber security throughout our ecosystem in the country and abroad. I’m happy to see that happen. I think there’s been a lot of small, but significant changes that the government was capable of doing but hadn’t yet done. I think part of that is just inertia, the way in which a large government bureaucracy or 102 government bureaucracies function.
And a lot of it is just that. It’s not even that there aren’t qualified fantastic smart people working in the government who have great ideas or leadership that wants to take some of these actions. I think that it’s… This is why it’s nice to see, whichever sort of side you’re on, it’s nice to see sometimes a new administration. They can have a new perspective on an issue like cybersecurity. And can take new significant action. So that’s what we’re seeing here.
I particularly some of the efforts to go towards a zero trust networks, to require software bill of materials, to improve the uptake of cloud services and two-factor authentication across the government. I think those are fundamental steps that we need to take across the board. But the federal government doing it, I think is the absolute right first step. Because as many people will say to you from the private sector, if the government can’t get it right, then how are they supposed to tell us what we’re supposed to be doing?
Right. So can we talk about a few of those things because now the stuff, obviously, anytime it affects the government, to your point, we learn from them, but also all of the private agencies or organizations that are working directly for those agencies are impacted heavily by those. And of course we’ve been, especially at NeoCon or NeoSystems through Neo, Casts we’ve been exploring CMMC now for two years. And then in this executive order and cybersecurities becoming more and more of a big deal that was specific to DOD, how do you see this will have an impact downstream to the organizations that are actually working with federal government?
Well, so I think it’s going to be a fairly significant shift because the federal government is the sort of largest procure of services in the United States, right? It’s the biggest buyer for a number of industries. The Microsoft licenses alone that the United States government holds is larger than any other organization. And so through that buying power, something that cybersecurity experts have been recommending for years, using the government buying power to support and improve cybersecurity across the ecosystem.
So I think what you’re going to see is that companies Boeing or Lockheed, who worked directly as government contractors for the Department of Defense, have taken a lot of these steps. But I think you’ll see them leaning more into it as the requirements increase. And companies Microsoft, or Apple, or Google, who are working also with the government, I think you’ll see them as well paving the way towards the uptake of some of these recommendations on a broad scale across, not only some of these largest providers, but the smaller providers, which at times are the ones that are most vulnerable.
It’s a lot easier for a hacker to get into a third-party supplier to Microsoft or Google than it is to get into actually Microsoft or Google. So that’s what they go after. You see that a lot. SolarWinds is a perfect example of that, right? They didn’t go after Microsoft. They didn’t go after the Nuclear Security Agency or DHS. They know those have stronger protections. So they went after third-party suppliers.
And I think through this order, what you’re going to see is that all of this supplier, this whole supply chain network, which we need to improve our supply chain security, that will be the first step towards doing that. We will see small companies, medium-sized companies, large companies, all of which contract with the government, required to make these changes. And once those changes are made in whatever percentage of the industry that contracts with the government, you’re going to start to see it as a standard.
And so that improved cyber security will then trickle out to the private sector as well as consumers. So you’re going to be able… I think it’s going to be a significant boost to cybersecurity.
So with the CMMC, we talked a lot about how it could potentially adversely affect a lot of smaller suppliers, because they may not have the budgets and the government may not necessarily be willing to pay that premium to cover the difference between having those types of security protocols in place, especially with the level four and level five of that. And this executive order, of course, rightfully so, is bringing cyber security to the heart of how everyone’s evaluating their business.
How do you see or what is your recommendation from R Street Institute on how the government incentivizes smaller organizations to come on board? Because the further you get down the chain, now you’re talking about a ton of smaller private cybersecurity firms that are likely to get engaged in some of these contracts that are way downstream, but small enough that they might be really hurt by the profit margins and inability to maybe catch up with the industry. What are your thoughts there?
Yeah. I agree. It’s very much true that small and medium-sized businesses get impacted disproportionately when cybersecurity requirements are imposed. We don’t want to see sort of unfunded mandates, right? People hate to see unfunded mandates. Because not only do you then see lower adoption rates but you see compliance as opposed to true cybersecurity adoption. I am actually… I’m a big fan of the concept of a maturity level frameworks, right? Maturity models, as a means of improving cybersecurity across the board. Because I think that we should be incentivizing improving your maturity level, right? And at different levels.
It doesn’t make sense that your uncle Nick’s dry cleaning on the corner have to have the same sort of maturity level as Lockheed who’s providing the F-35 for the military, right? That doesn’t make sense. Who cares if the computer system of like… People care, obviously. We don’t want anyone to get hacked. But what does the national security implication of the dry clean or getting hacked as opposed to Lockheed? Those are miles different.
And so I like those maturity level frameworks for that reason, but I also think that it’s important to not have unfunded mandates. And so my position is that and that of R Street. Cyber is that we need to focus on state and local cybersecurity. We need to do that through a multitude of ways, including improving availability and capacity to utilize cyber response resources, to do standalone and integrated cyber exercises, to establish a fully integrated cyber response capability, increase personnel and funding.
And I think part of that needs… And we wrote a report on that, by the way, on state and local cybersecurity. So you can check it out at rstreet.org. But I think a lot of that has to come through some form of interface with the federal government, at least in the beginning, because the funding at the state and local level is often lacking. And so I think the recommendation from the commission that we made, which is which recommended establishing a grant program through, for example, FEMA’s grant making ability, but orchestrated sort of biases in DHS in order… I think that’s important because the majority of the attack surface is at the smaller companies, smaller state locality level.
And so if need to create kind of this network of protected systems, we need to incentivize the uptake of secure cloud. We need to get better response services. We need to have better training all of these stuff. And it costs money. So unless you expect states, small companies, and everything else to sort of come up with this money out of thin air. I think it’s imperative that we think about it from the national security point of view.
And if you’re thinking about it from that point of view, I think the answer is grants or some sort of incentivization protocol, perhaps 0% interest loans. Things like that, that can allow people to improve their cybersecurity and therefore inevitably their profit margins. because ransomware attacks costs a lot of money if you get hit.
Right. Absolutely. Well, a big part of the executive order, and this sort of goes to how will these organizations truly wade through these types of logistical issues is around threat sharing, and making sure that the agencies are sharing, but then broader implications would assume that now you’ve got a collaborative cyber security industry that is working towards threat reporting and threat sharing to make everybody safer. How do you all look at that from a privacy perspective, from a security perspective, and even just an implementation? How do we think that’s going to get done?
Well, information sharing has been a number one topic in cybersecurity for the better part of the last two decades. And we seem to still not be able to answer that question because it’s complicated, because it’s the sharing of people’s personal information, because of privacy concerns, because of the difficulty, and the necessarily segmented parts of bureaucracy and private sector that can’t intermix at points, right?
As a country, we appreciate the federated system, and we appreciate that we have three branches of government. And they don’t necessarily share information well with each other. Similarly, within the government, we’ve got breaks between and some necessary stove-piping, for example, between a crime fighting organizations like the FBI and security organizations like DOD, and on the civilian side, the DHS and CISA, the cybersecurity agency. And then most importantly, the intelligence community, right?
So we have specific titles in the U.S. code, right? As law. We’ve got Title 10 and Title 50. And they’re separate. And because of some of that, because of the way in which both of those interact with the private sector, it’s difficult to necessarily share information when it’s when required for threat hunting purposes, or responding to cyber attacks, or identifying vulnerabilities. But it’s important to do that.
And there have been a lot of different recommendations. One of the recommendations that I support is the creation of a joint sort of CyberCell, which serves as the conduit between private sector and the government to share information. Kind of a data lake, if you will. One of our one of the commissioners is Tom Fanning from Southern Company. He’s a big proponent of this. Because it’s important to the private sector just as it is for the federal government to share this information so that we can have a united map of the vulnerabilities and threats.
Because in cyber, the threats don’t just stop because you’re you’re either on our soil or someone else’s soil or in this location, in this city, or that city. It’s so easy, right? To hop networks, and, if you know what you’re doing, to move laterally when you get into one company to get into another. Like SolarWinds, right?
So it’s important that we do share information, and I think it is critical as you mentioned to consider the data security implications of that. But we need to find a way. I think this sort of data lake concept, concept of a joint center for doing this is important. I’m not sure when we’ll get there, I think, who knows, we may have another 10 years to go, but it’s important to try.
Right. Well, I read your recent, at least, executive summary of a data privacy, which was, I think, unrelated to really this particular executive order, but I actually wrote down what you said because I thought it was brilliant. Lawmakers should keep in mind that their task is not to agree on and then create a utopian ideal for data handling, but rather to establish a strong federal floor for data security and privacy.
And while that does, I believe, reflect sort of the beliefs around personal, privacy, and privacy data within private sector, I think that’s probably a good guidance for the organization to be thinking about as they move into securing us. The executive order outlined, for instance, that the contractual language needs to be pulled back or dialed in differently to allow… Because a lot of the times this sharing is not allowed by order of what the agreements that the vendors to the government actually sign. They’re not allowed to share that information.
How likely, based on just a simple heaviness of the bureaucracy of the government, is it that this is going to be implemented in the timeframe that it needs to be implemented? Because, again, we started out this conversation, say there’s 60-day targets, there’s 90 day targets, there’s a 120-day targets. Those are lot of targets for an organization that typically moves at a Titanic pace.
Yeah. Honestly, I’m fairly pessimistic that those timelines will be hit. However, having worked in the government, there’s nothing better than the threat of reporting to your boss, right? Or the White House about the implementation of a certain project to get those trains and moving. So I think that it’s important… I think that’s why those were put in. They’re functions of of pressure on the agencies that normally would spend, if given the leeway would, spend a good year studying this and then do taskforce pieces and working groups. And then next year, then they’d get into the actual thinking through how they do with the planning, and then they take another year for planning, and then they’d implement.
I think what the executive order was trying to do was to preempt that typical bureaucratic response. And I think that’s smart some of my friends back at CISA and DHS worked on this. And so I know that they know how slow the process goes. And I think their goal here was to put pressure on the bureaucracy. And the direction he needs pressure put upon it. I worked in contracts in the government as a contracting specialist, I know that the the difficulty of getting modifications put through on existing contracts is not as simple task.
So what’s the chance that all the federal government contracts will have amendments or modifications made to them in six months even? Low. Right? Low. But the fact that these timelines exist, I think, will put enough pressure on it that they will put the gears in motion so that we can actually start to see some change in the next year.
Right. And perhaps that through the fact that it is an executive order versus being done a different way, the ask for forgiveness later may come into play so that the permission-
Yeah, it could. And maybe that’s the right answer.
Perfect should not be the enemy of the good.
Right. Exactly right. So to the extent that you can have sort of purview into what’s going on as a result of the executive order, we’re 40 days in, again, the first timelines were about 60 days and then moving on to 90 and 120, how do you think it’s moving? What are you seeing from your perspective on the progress?
I would say that it’s hard to see within the government what’s happening from the outside. But I know the gears are turning. I know that there’s a lot of people doing a lot of great work trying to implement this stuff. I think that a lot of this is not something that we will see from the outside, but things from 30 days out of the order, which has already passed. The secretary of commerce through NIST was supposed to solicit input from the federal government, private sector, and academia to identify and develop new standards, tools, and best practices for certain things supply chain security. I think that that has happened.
I would probably say that, and this is my guess, but things that can happen, right? You can send out an email and say, “Listen, I need your input for the executive order. Please send me your recommendations and what you see as the pressing need for supply chain security updates.” Right? Or how to improve FedRAMP, or how to work on cloud implementation. Right?
I bet you they’re in the beginning stages of all of those things. It’s when we need to touch contracts, or when the money comes into play, or when hiring is involved. That’s the stuff that’s really going to slow it down. So I’m hoping that that the first steps have been taken to to start asking for inputs and recommendations, to start reports, changing policies, right? To start drafting changes to policies. Those are fairly quick changes, but we’ll see how long the rest of it takes.
Absolutely. Now, I have a sort of a left-field question here, but given new systems placed in the market as a managed security services provider, and then thinking about people FireEye, who were heavily in the storm of the SolarWinds issue, or CrowdStrike, or other different vendors to the cybersecurity space, what should they be thinking about how they can contribute to the success of the next phase of cybersecurity for our nation and for the contractors that are working with the government?
Well, that’s a great question. It’s interesting how this whole ecosystem has grown up around cybersecurity. And I think that what’s most necessary is for those players to work hand-in-hand with the federal government. I think it’s imperative that primarily the connection remain tight between CISA, and the intelligence community, and the FBI, and some of these managed service providers, including FireEye, and Mandiant, and ll of that, CrowdStrike. Because they’ve got intelligence and information the federal government doesn’t have. The federal government has information that those partners don’t have.
And that is why we need to have this very tight public-private partnership. Everybody has their own roles and nobody should try to swim in each other’s pool, but it’s important that the relationships are there. One of the biggest… Some of the best takeaways from me, from the commission, was when we talked to FEMA and we talked about how they handle emergency response. And from their experience in the Boston bombing, the Boston Marathon bombing, for example. They learned that training and relationships and having the connective tissue between organizations is the best indicator of success when an actual incident occurs.
And so I think this is a perfect example here, right? For SolarWinds, for the Colonial Pipeline hack, for everything. There are vulnerabilities and threats that Mandiant, that FireEye CrowdStrike, see that the federal government doesn’t see. And so it’s important that they know who to call on the federal government, that they know who to engage and when. And the government knows who to go to when they need to implement a change, right? Or have a recommendation, or they have a threat that they want to share, right? Or information.
So I think that’s the most important thing, just keeping up those relationships so that we have a memory, that tactile memory of where to go and who to go and it’s not sort of individual dependent. Right? So it’s not I know Mary, so I’ll call Mary. It’s I know CISA, and I’ll call CISA.
Right. No, I think that you make a good point of if everyone realizes that the attackers, the threat actors, they are united, frankly, in their attack upon, not only our government, but our private sector and our citizens. And I think for a long time that that perhaps has been a barrier for everyday citizens as well as agencies and the government itself to really see this as not just a threat to the DOD getting secrets stolen around what our defense is, but that our defense in general has huge holes in it and gaps in it, because we haven’t been looking at this cyber security issue as a broad attack against us in many different ways.
And the Colonial Pipeline was one way to show it. The hospital breaches are another way to show it. These are all different areas. And so I think you’re right that the quicker we can get the government seeing us as a comprehensive threat throughout the entire country, just any other threat of war or anything else, the better that we can all get to being a united front on our end on preventing these types of attacks.
Anything else that you see within this executive order, specifically, again, going back to sort of R Street Institute’s specific perspective on things? One section in there was talking about appropriate and effective protection of privacy and civil liberties. Other areas of the executive order that have tickled your brain on thinking, hmm, we probably need to develop a thing about this, or a thought about this, or way to counteract or work with this particular request? Anything that’s ticking out in your mind?
Well, honestly, there’s so much in there and there’s always so much to do. We work a lot on supply chain security. So I’m really interested to kind of dig into the direction of the EO there for federal agencies and contractors to see what our sort of interpretation and analysis is in that through our secure and competitive markets initiative. But I will say, I think one thing that was lacking was any mention of workforce or issues with hiring. I know that that, honestly, could be a whole nother order. And perhaps it is. We had an America’s Workforce CEO a couple of years ago when I was still back at CISA, but I don’t think it was broad enough or extensive enough to address the glaring issues of hiring in cybersecurity in the federal government and state and local governments, to be honest.
So I think that that is one area where I would to see more work and where I know that I will be spending a lot of my time. A lot of people think that that’s not very interesting, or isn’t going to happen, or too complicated, or it should be left to professionals, but I think that cybersecurity professionals need to get involved in this so that we can advocate for what we need in the workforce so that we can have stronger cybersecurity all around. Because people are doing all of this stuff. It doesn’t just happen in itself, right? The CEO isn’t going to execute itself. People are going have to do it.
Right. Now you make such a great point and a great ability for me to segue right into what I’d love to sort of wrap up the conversation with. But to your point, the software that’s implemented, the CrowdStrike systems, the viruses, all of these things can exist. We can have endpoint detection, but if you don’t have someone with eyeballs, the human security operations center actually overlooking what’s going on and what the technology is telling you, it’s sort of null and void.
So I’d love to segue back to a little bit about your career, but then moving into the Making Space initiative. Because it looks you came through up to being in this position potentially through a couple of different ways in your career and maybe it wasn’t traditional going right into coding and things this. And so how do you help people understand what are the varied avenues of getting into cyber security in all the ways in which you can get it? Because everyone does believe, oh, I need to be an incident responder or something that. They don’t realize you can actually affect public policy. You can affect different things. And then maybe we can start talking about Making Space and how that diversification of those individuals that are coming into the industry matters.
Yeah. I’m a huge proponent of diversity in cybersecurity and talking about it differently, right? Not leaving it in the realm of coding with some guy in a hoodie, in a black hoodie, in a black room, hands on keyboard. That is one portion of cybersecurity, right. That’s one piece of it. If I could change anything about cyber, it would be that perception, the perception that there’s just the coder hackers. That’s it. That is literally one job description out of a thousand, right?
There’s trainers, there’s educators, there’s artists, there’s policy professionals, there’s all kinds of people who are doing all kinds of things. There’s public-private sector coordinators, right? People who are just, just reaching out to the private sector from the federal government or vice versa. So we need all kinds of different perspectives and all kinds of different backgrounds for the work to be done.
And I think one of the weaknesses of cybersecurity right now is that it’s being done on the federal level, at least, from one particular perspective. And that’s the perspective of white men because something 70% of the cybersecurity professionals are men. 90% of them are white. So it’s difficult. You’re getting very similar mindsets if you’re hiring from such a non-diverse pool of people.
And so that’s where the idea for Making Space came in, right? I saw this issue within the federal government. Obviously, national security is well known to be a heavily male, heavily white sort of field, but cybersecurity as a segment of national security is similarly so. When I went to the private sector side you see the same sort of thing. And given that we have almost 450,000 person gap in the workforce, there’s 450,000 open positions, right? For which there are no people. And if you have such a large gap, you start to see that the benefit of widening sort of the scope of the people you’re attracting. Because right now, you may be putting out job ads and you might be collecting resumes, but in the end, you’re often targeting similar groups, you’re hiring and promoting similar people. And you’re putting those same kind of people on panels and on events.
That is where I wanted to make at least a little bit of a mark. It’s a small step, but the Making Space initiative is an effort to get more voices included in the conversations that happened publicly about cyber security. And so the pledge states that every organization that joins will agree to include at least one woman or one person of color on any panels or events that they host. And we’ve gotten over 50 organizations, including some fairly large organizations like Twitter to join us in this effort. So we were excited to see the growth in this and the recognition that this is a problem. And we’re really glad and excited to see partners working with us on this initiative.
And right now, I sort of mentioned before we got on the show here to you, it is such a politically divisive topic for some reason. People’s sort of really get into a camp of, I don’t want to have to abide by that because I already see wherever talent is hidden. And others who were saying, we’re mandating it. You have to mandate that. You have to certain quotas and things like that.
And so I love that this is more of a pledge in the middle of where how do you really get people to buy into the message of making the space and to really put their money where their mouth is in the sense of, not because they’re obligated but because they see that the perspectives are needed. Frankly, if you’re going up against multinational organizations that are a threat actors, that would tell you that you have to demand that you have a diverse subset of people who are actually fighting that threat.
That’s exactly right. We’ve got… The threat actors are as varied as the number of countries on the globe and the areas from which the hackers come, which is everywhere. And they’re men and they’re women and they’re different. And so we should be different. And we should think that way in order to protect our networks. Some of the best cybersecurity recommendations for networks is to not put you all your eggs in one basket, right? Diversify. Same with people. You can’t have everyone thinking the same way.
I feel like we get into a little bit of group thing, and then you get into sort of the same problems getting the same solutions. It’s like, what’s the old adage? You keep doing what you’ve been doing, you’re going to keep getting what you’ve always been getting. And is this really what we want to keep getting? We’ve been hacked constantly. We’ve been… In the last year, I can’t even how many hacks have been perpetrated against the United States. And that’s just in our country. That’s not even across the globe. And, PS, it’s not even all the ones that we know about. Because we don’t have a national data breach notification law, which, for the record, we should.
But we need to have a diverse group of people who are participating in it. And part of that is seeing ourselves people, like women, right? Seeing ourselves on those stages, right? Seeing women on those panels. You may say what do you mean? Of course there’s women on panels. But you would be surprised how many panels still consists entirely of men in DC, in New York. Everywhere, there are panels on cybersecurity and, quite honestly, a bunch of other topics. There’s plenty of male-only panels. And it’s kind of a problem.
We have a 51% to 49% split of the population in terms of population. Women get 60% of bachelor’s degrees. We get 47% of even engineering degrees. If that’s what you’re worried about, that women are educated. And then 49% of women going into entry-level positions all across the United States. This is in varied professions. So not specifically cybersecurity. But once you get to the higher levels, places where people are actually being put into events, are asked to speak, are asked to share their experience, it cuts down drastically the number of women that are represented. And similarly, people of color.
And so we really need to, as my friends say, share the mic. Share the mic and [inaudible 00:37:20]. That’s a group that I work with closely and we’re developing a navigator together for black professionals in cybersecurity. They do fantastic work in terms of social media campaigns and trying to encourage more black professionals to apply for positions, to engage and to inform. I love all of these things and I think we need more people, not less. So that’s my thing. And it’s not about mandates. It’s not about quotas. It’s just about the fact that there are pockets of brilliance that I think a lot of people don’t even see.
Right. There’s potential unrealized for sure. Now, last question I’d love to ask you because… What was your special sauce? I mean, you are now heading up the entire policy division within R Street Institute about cybersecurity. You worked at CISA and with the Solarium Commission. What were there a couple of maybe one or two of the things that happened within your career, maybe even in your life or what motivated you to pursue this particular field? And maybe what was the door that got opened or what door did you bust down to get to where you are?
Well, first I think I should acknowledge that a lot of this was probably based on luck. The fact that I was in the right places at the right times with the right people. Like, for example, two years ago I was at CISA. I had made the conscious decision to move over to the Cybersecurity Agency, at the time called, National Protection and Programs Directorate.
Once I was there, I got the opportunity to go on the Cyberspace Solarium Commission, which I think is probably one of the best and the most impactful things for my career specifically, because it opened a lot of doors for me. Part of that is luck. And so I think that a lot of people just need to acknowledge that they’re lucky. And I am, I’m extremely lucky to have been able to participate in the commission, to have been there to help to start it and to do a lot of that, the great work that we did there which sort of led to me coming over to R Street.
But I’ve been… I’m a very hard-nosed person and I fight for myself. I try to… In the beginning of my career, I focused, I think, probably too much on making sure I found a job, making sure I was never without a job, never any gaps, right? When I wasn’t happy with the position, I would immediately start looking, making sure I had a position before I left anywhere. But I think that I, at the time, could have spent a little bit more time being more thoughtful about career choices in the beginning. But to be fair, no looking back, right? It all led me to some great experiences and great professional growth that led me to the role I have now. Which is eminently rewarding.
But I would just say self-advocacy is really important, particularly for women. Fight for a salary increase whenever you take a job. And if you’re not happy somewhere, go to the next place, right? Don’t waste your career sitting in an organization that you’re not happy with, or that you don’t feel you fit into, or that’s rewarding. I’ve had a multitude of jobs. And I love to keep learning. I love to keep doing new things. So that often drives my career progression. I’ve done that a lot. And I hope to keep learning at R Street.
That’s great. Well, and I would say the last and final point is to position yourself for luck. Because, yes, luck comes, but you have to be in a position to receive it. So, it looks you did a great job of making sure you were in the right position in order to receive the good luck and good fortune that came along with your learning and opportunities that would best fit where you saw yourself going.
So I hope that’s a good parting word for anyone out there listening, who is interested about getting into the industry of just understanding that it can have a wide and varied path, but there is a path for you. And there are 450,000 openings for you to explore. So come right in, join the Making Space initiative.
Tatyana, it’s been such a pleasure talking to you. Such great insights around the new executive order, the industry as a whole, careers, everything. I loved this conversation. Really appreciate you taking the time to talk to us about all of these things. And we hope we get to talk to you again soon.
You too, Erin. Thanks so much. And thank you to Neo Cast for having me on. It was great.
Yap. Absolutely. Okay. Thank you.
The NeoSystems Difference, we specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage over competitors, smart organizations are paying more attention to their strategic back office operations. NeoSystems offers scalable back office services and solutions to improve your organization with a team of industry experts, industry leading information technology tools, and an advanced technical infrastructure. From software hosting and security solutions to manage accounting services, NeoSystems will custom-build solutions and services that are tailored to fit your organization’s needs. Check us out on the internet at neosystemscorp.com. That’s neosystemsorp.com.