A Niche to a Niche is Still Hard to Staff
Posted July 10th, 2008 by rybolov
I’ve touched on this about a bazillion times, let me start today with a very simple statement: due to the scale of the US Government, we cannot find enough skilled security people.
Part of the problem is that good security people need to know the following skills:
- IT technology: since the data more often than not lives in a computer, you need to understand computers
- People technology: policies and procedures for managing people
- Business sense: understanding that you’re supporting business goals
- And for Government: politics
Back when I was PFC Rybolov, my battalion commander told me something along the lines of “The intelligence world is a hard job, you have to be able to out-infantry the infantry, out-mechanic the mechanics, out-radio the radio guys, and you need to know a language.” Security is pretty much the same thing–you have to out-techie the techies, out-business the MBAs, and out-jerkify the auditors. =)
Sound complicated? Yes, it is, and it’s hard to find people who can do all this. IT is an employment niche, IT security is a niche to a niche. And there aren’t enough people who have the experience to do it.
So how do we mitigate the staffing shortage? Here is what we are doing today in the Government:
- CyberCorps scholarship program for undergrads and graduate students with a minimum government service obligation.
- Using other career fields in “crossover roles”–yes, accountants can be used for some light security tasks. Some things that we think of as security are really Quality Assurance and Change Control jobs that we have a vested interest in making work.
- Using contractors in some roles such as ISSO, ISSM, etc.
- Automation as much as possible. The technical side is easier to automate; the policy and procedures side takes longer. What you’ll find out eventually is that good IT management is good security management.
- Hanging on methodologies to “automate” the process side of security.
Now this is cool and all, but it’s hard to sustain and really hard to justify as a long-term solution. In order to support the Government, we need to create more people. Cybercorps is a start, but the need is so much larger than the supply that we have to consider better ways to create Government security dweebs.
Do we need Security Awareness and Training? Yes we do, but much more than what is being provided (think system administrator training and procurement specialist training, not end-user training), and as an internal recruiting pipeline. Still, I don’t think that we can recruit enough people to “the dark side” and that we need to look outside the Beltway for people. Problem is that DC is such an insular community and we don’t speak the same language as the rest of the world.
Posted in FISMA, What Doesn't Work, What Works | 8 Comments »
Tags: accounting • auditor • cybercorps • government • infosec • infosharing • management • scalability • security
July 10th, 2008 at 10:45 am
How about the thought of dispersing the beltway across the rest of the country?
July 10th, 2008 at 12:45 pm
Dispersing the Beltway? Other way around, the rest of the country concentrates itself inside the Beltway every two years following November hijinx.
And speaking of the IT security staffing pool in DC, what’s with all the requirements for certifications? The DoD had their 8570.1M mandate for security certification as a condition of employment (or as I like to think of it ‘The DoD Pay Raise for DC IT Security Staff Mandate’) and now the civilian side of the Federal government is following suit. While I think it a good idea to insist on a base level of knowledge and demonstrated ability this may be one of the more inane set of mandates.
It’s like someone failed economics and doesn’t realize what happens when demand for a commodity becomes both high and inelastic. First the established supply increases in price. Second, you get substitute goods and/or inferior goods trying to fill the supply vacuum. Crossover roles are an example of this. Third, the situation continues either until a new equilibrium is established (that will take a while) or until prices are so high and goods are so inferior that you see a backlash. Given that Federal IT security budgets are not super elastic which do you think will happen first?
July 10th, 2008 at 2:52 pm
It’s not that I mind the high prices for quality services, I’m a recipient of them, mind you, as are most of my friends.
The part that drives me batty is the commodity-quality services at boutique prices. That’s when I jump the fence to the anti-FISMA camp and let the horns show.
July 11th, 2008 at 8:03 am
One more reason FISMA gets the bad rap for being overpriced and having few good practitioners. The problem in this case isn’t FISMA, it’s in the mandates that universally raise the cost of FISMA implementation with artificial demand increases. So there is a causal relationship between certification demand and fence jumping anti-FISMA horn increases. I’d love to see the chart showing that equilibrium point.
I really shouldn’t complain either as I benefit from the increased demand for certification. If I were of a more cynical ilk I’d establish a security certification which meets the minimum requirements for these mandates and start raking in the filthy lucre.
July 15th, 2008 at 5:15 pm
Well, the thing about expertise is that it costs money.
Who would you rather guard your store, a rent-a-cop or a Navy SEAL? Theoretically, the SEAL is going to be better and cost lots more than some guy who is just wearing a uniform that says security.
July 29th, 2008 at 12:26 am
I am a current Cybercorps scholarship recipient, have an internship with a certain three letter agency and graduate this December so I am in the middle of seeing the insides of many of these government organizations and the policies that drive them. Besides the major pay difference between public and private work, I am not sure that I would work for the government (if I was not committed through Cybercorps) just because of the serious lack of technical talent around. I am coming out of school, and I don’t think that I am anywhere close to where I need to be technically speaking, and I am having a very hard time finding a technical group of people where I can hone my skills and be mentored. The government seems to be filled with way too many pseudo-techies and policy enforcers. It is a rather sad set of affairs.
October 31st, 2008 at 5:51 pm
This is good for the certification mills that are making big $$ off of the training they have convinced everyone is needed.
I have certifications, but can tell you a lot of the people who have them took the training for the test. Sort of like the “no-child left behind” Teach to the test.
That means you know how to pass the test and not much else. I have interviewed many “certified” individuals only to find out they weren’t qualified for the job.
Give me someone with experience and desire, they’ll do more and work for less than a “certified” person.
Besides, everyone will spend more time getting and maintaining their certs than doing the work needed to protect large enterprises.
But what the heck, I like paper tigers and paperwork drills.
October 31st, 2008 at 6:32 pm
Hi Bill
I’m not really talking certifications, I’m more interested in growing more people that have the skills and experience that we need. That takes a long-term investment in the industry as a whole and defined career paths for people.