Surprise Report: Not Enough Security Staff

Posted July 22nd, 2009 by

Some days I feel like people are reading this blog and getting ideas that they turn around and steal.  Then I take my pills and my semi-narcissistic feelings go away.  =)

So anyway, B|A|H threw me for a loop this afternoon.  They released a report on the cybersecurity workforce.  You can check out the article on The Register or you can go get the report from here.  Surprise, we don’t have anywhere near enough security people to go around.  I’ve been saying this for years, I think B|A|H is stealing my ideas by using Van Eck phreaking on my brain while I sleep.

Some revelations from the executive summary:

  • The pipeline of potential new talent is inadequate.  In other words, demand is growing and the amount of people that we’re training is not growing to meet the demand.
  • Fragmented governance and uncoordinated leadership hinder the ability to meet federal cybersecurity workforce needs.  Nobody has so far been able to articulate how we build an adequate supply of security folks to keep up with demand, and most of our efforts have been at the execution level.
  • Complicated processes and rules hamper recruiting and retention efforts.  It takes maybe 6 months to hire a government employee, which is entirely unsatisfactory.  I was cleared for my current project for 3 years, took a 9-month break, and it took me 6 months to get cleared again.
  • There is a disconnect between front-line hiring managers and government’s HR specialists.  Since the HR folks don’t know what the real job description is, hiring information security people is akin to buzzword bingo.

These are all the same problems the private sector deals with, only in true Government stylie, we have it on a larger scale.


He’s Part of the Workforce photo by pfig.

Now for the things that no self-respecting contractor will admit (hmm, what does this say about me?  I’m not sure yet)...

If you do not have an adequate supply of workers in the industry, outsourcing cybersecurity tasks to contractors will not work.  It works something like this:

  • High Demand = High Bill Rate.
  • High Bill Rate = More Contractor Interest
  • More Contractor Interest + High Bill Rate + Low Supply = High Rate of Charlatans

Contractors do not have the labor pool to tap into to satisfy their contracts.  If you want to put on your cynic hat (all the Guerilla-CISO staff have theirs permanently attached with wood screws), you could say that the B|A|H report was trying to get the Government to pump more money into workforce development so that they could then hire those people and bill them back to the Government.  It’s a twisted world, folks.

Current contractor labor pools have some of the skills necessary for cybersecurity but not all.  More info in future blog posts, but I think a simple way to summarize it is to say that our current workforce is “tooled” around IT security compliance and that we are lacking in large-scale attack and defense skills.

Not only do we need more people in the security industry, but we need more security people in Government.  There is a set of tasks called “inherent government functions” that cannot be delegated to contractors.  Even if you solely increase the contractor headcount, you still have to increase the government employee headcount in order to manage the contractors.


9 Responses

  1.  Twitted by mrfisma Says:

    […] This post was Twitted by mrfisma […]

  2.  Kris Says:

    Interestingly, despite this, the government contractor I work for is not putting all that much effort into retaining skilled and cleared security personnel.

  3.  Handsome Donkey Says:

    I’ll repeat a blurb I read today:

    We already have more than enough ditch diggers with “cyber security” vocational training. What we need are people in executive positions who have a “clue.”

  4.  Cyber-Workforce Training? | The Guerilla CISO Says:

    […] Comments Handsome Donkey on Surprise Report: Not Enough Security StaffTwitted by mrfisma on Surprise Report: Not Enough Security StaffOWASP AppSec DC Infosec Conference […]

  5.  Security Briefing – July 23rd : Liquidmatrix Security Digest Says:

    […] Surprise Report: Not Enough Security Staff – Guerilla CISO […]

  6.  LonerVamp Says:

    Oh come on, we should welcome more new grads into the amazingly exciting and amazingly frustrating world of security! 🙂

    But you’re right, we have plenty of charlatans whom I would not want handling my security needs…at least not without some senior mentorship/leadership in place.

  7.  Twitted by jaysonstreet Says:

    […] This post was Twitted by jaysonstreet […]

  8.  Top 3 NoVA Infosec Blog Posts of the Week | Says:

    […] you have a recipe for disaster. @rybolov explains it much better than we can though, so be sure to check out his post to get the whole scoop. Well, that’s all the NoVA Infosec Blog goodness for this week; if […]

  9.  LonerVamp Says:

    Just to point out something I didn’t highlight enough: more mentoring for newer folks.

    Not really administrative, however.
