On Government Employees, Culture, and Survivability
Posted July 21st, 2008 by rybolovA couple of months before I was activated and went to Afghanistan, I got a briefing from a Special Forces NCO who had done multiple tours in the desert. One thing he said still sticks in my mind (obviously paraphrased):
“The Afghanis, they live in mud huts, they don’t have electricity, they are stick-people weighing 85 lbs, and to say that we could bomb them into the stone age would be an advancement in their technology level. But never underestimate these people, they’re survivors. They’ve survived 35 years of warfare, starting with the Soviets, then they fought a civil war before we arrived on the scene. Never underestimate their ability to survive, and have respect for them because of who they are.”
Today, I feel the same way about government employees, even more so because it’s an election year: they’re survivors.
Now time for what I see is the “real” reason why the government is doing badly (if that’s what you believe–opinions differ) at security: it’s all an issue of culture. I have a friend who converted a year ago to a GS-scale employee and took a class on what motivates government employees. Some of these are obvious:
- Pride at making a difference
- Helping people
- Supporting a cause
- Gaining unique experience on a global-class scope
- Job stability
- Retirement benefits
And one thing is noticeably absent: better pay and personal recognition. Hey, sounds like me in the army.
The Companion Family Plan for Survival at Home photo by Uh … Bob.
Now I’m not trying to stereotype, but you need to know the organizational behavior pieces to understand how government security works. And in this case, the typical government employee is about as survival-aware as their Afghani counterpart.
Best advice I ever heard from a public policy wonk: the key to survival in this town is to influence everything you can get your hands on and never have your name actually written on anything.
In other words, don’t criticize, be nice to everybody even though you think they are a jerk, and avoid saying anything at all because you never know when it will be contrary to the political scene. The Government culture is a silent culture. That’s why every day amazing things happen to promote security in the Government and you’ll never hear about it on the outside.
One of the reasons that I started blogging was to counter the naysayers who say that FISMA is failing and that the Government would succeed if they would just buy their product for technical policy compliance or end-to-end encryption. Sadly, the true heroes in Government, the people who just do their job every day and try to survive a hostile political environment, are giving credit to the critics because of their silence.
Which brings me to my point:
Yes, my name is Rybolov and I’m a heretic, but this is the secret to security in the Government: it’s cultural at all layers of the personnel stack. Security (and innovation, now that I think about it) needs a culture of openness where it’s allowable to make mistakes and/or criticize. Doesn’t sound like any government–local, state, or federal–that I’ve ever seen. However, if you fix the culture, you fix the security.
Similar Posts:
Posted in FISMA, Rants, What Doesn't Work, What Works | 3 Comments »
Tags: anonymity • fisma • government • infosec • management • risk • security
July 28th, 2008 at 3:30 pm
Ah but with out heretics we’d still think that the sun revolved around the earth! We must challenge the status quos in order to provide a space where true freedom can prosper. Some wise person (wink wink) once told me there are three kinds of GS employee; 1) The kind that cares and works hard to get the job done, 2) The Power Mongers, and 3) the burn outs.
I’d have to say that 70% of the GS’rs fall into the burn out category, with 20% falling into the getting the job done (not necessarily correctly mind you), and the last 10% being the power hungry premedanas.
I’d like to see those percentages shift to 10% burn outs and 70% getting the job done and the remaining 20% focused on service improvement. In other words the 20% would be the management who care about getting better service to American tax payer. But there in lies the core of the problem, that another very wise man (wink wink) shared with me, the Federal Government is the largest non-profit business on the face of the planet. It is only answerable to Congress (another branch of itself) and as we have seen from the esteemed Senator from Alaska the internet is a series of tubes!
With the watchers being blinded by ignorance to the power at there finger tips I think it becomes easier to understand and accept that the culture of security goes beyond those who work, those who are burned out, and those who just want power. The culture of security is paradigm to the culture of seat belts.
Once upon a time the presence of seat belts in the car was optional. It wasn’t until a guy named Nader (another heretic) spoke out for automotive safety standards that things started to change. I think the most important word of that statement is “started” as it took 30 plus years of education and enforcement to see the survival rates that we see on the highways today. People I know put seat belts on and don’t even think twice about it.
We’ve just begun this effort to change the culture of information security in the federal government. It’s going to take a long time, a lot of effort, money, and enforcement (giving people tickets for not clicking the seatbelt as it were) and maybe even fighting the good fight for a generation. The X Gen folks (me), and those that came after me, have a different perception of the meaning of data and what is possible with the data processing systems we have today.
I have only seen one X Gen’r in senior position within the federal IT space and the rest are baby boomers who, I believe, have it burned into there punch card heads that, and they will deny this, we live in a world were data is like concrete. You pick it up, move it, store it and build things with it. I look at data like water. It can harden to blocks of ice data. Melt to flow in any direction or evaporate into a gas state (it’s there but you can’t see it). I don’t even think the baby boomer managers out there are even aware of this at a conscious level. Remember it’s burned into there punch card brains.
Regardless if they are aware of it or not they are not looking at data systems like vessels for water management. They look at blocks of concrete which ultimately impacts the entire conversation about data security and how we interact within our digital lives. After all why should we care about rogue access onto a network if data is a concrete block that I can tie down (password protect) in a NTFS file share? But if you look at it from a fluid dynamics perspective everything changes and the insanity of classified or privacy information on a public network share becomes clearer. Fluids are constantly in motion or in a process of transition from one state to another due to the influence of the environment around them. The same holds true for data if your mind it open to the concept.
July 28th, 2008 at 10:19 pm
I think that there are a lot of people who are interested in getting the job done but have cultural, organizational, and political roadblocks in place. You have to appreciate that the Government is resistant to change–yes, it keeps the good ideas from being implemented sometimes, but it also keeps the bad ideas from being implemented.
August 15th, 2008 at 1:47 pm
On my side of the government fence, the prblem in IT is retention. Now, granted, our job pool is small (have to be active military to get the fed jobs relating to the IT field for the MILDEP), but its basically a welfare training system. The Gen X’ers get hired on permanent, get the job training and the certs, and summarily quit to chase the big money in the civilian sector. That leaves the section short-staffed and left with the people who either are content with their status-quo or aren’t skilled enough social-wise to make it outside the gov/mil system. I wish there was even a framework for a solution, but it takes a certain kind of fool to do something he could be getting paid considerably more for outside. Our modern society seems to be producing less and less of these people. Were it not for some wise old E-5 who suggested I get up off my lazy ass and join I would never have known it suited me just fine. To get back on track, I think that culture change will happen naturally over time as the “old guard” retire and the new take their place.