In the military, there is a saying: “You go to war with the army you have, not with the army you wish you had.” In other words, you do all your training in peace and once you go off to war, it’s too late to fix it. Not that I agree with all the Cyber Pearl Harbor doomsayers, but I think that the CyberArmy we got now isn’t the right one for the job.
So, let’s talk about services firms, contractors fit into this nicely since, well, they perform services.
There are 4 types of work that services firms do (and contractors are services firms):
- Brains: nobody else has done this before, but we hire a whole bunch of PhD people who can research how to get this done. We charge really high prices but it’s because in the downtime, our people are doing presentations, going to symposiums, and working on things that you don’t even know exist. Think old-school L0pht. Think half of Mitre. Think sharks with friggin laser beams, lasing and eating everything in sight.
- Gray Hair: We’ve done this before and know most of the problems that we can experience, along with the battle scars to prove it. We charge quite a bit because we’re good and it takes less of us to get it done than our competitors. Think most good IT engineers. Think DLP and DAM right now. Think infantry platoon sergeants.
- Procedural: There is a fairly sizeable market starting to grow around this service so we have to standardize quite a bit to reduce our costs to provide the service. We use methodologies and tools so that we can take an army of trained college graduates, put them in a project, and they can execute according to plan. Think audit staff. Think help desk staff. Think of an efficient DMV.
- Commodity: There isn’t a differentiator between competitors, so companies compete on price. The way you make money is by making your cost of production lower or selling in volume. Think Anti-Virus software (sorry friends, it’s true). Think security guards. Think peanut butter.
This is also the maturity model for technology, so you can take any kind of tech, drop it in at the top, and it percolates down to the bottom. Think Internet use: First it was the academics, then the contractors, then the technology early adopters on CompuServe, then free Internet access to all. For most technology, it’s a 5-10 year cycle to get from the top to the bottom. You already know this: the skills you have now will be obsolete in 5 years.
Procedural Permit Required photo by Dawn Endico.
Now looking at government contracting…
As a government contractor, you are audited financially by DCAA and they add up all your costs and let you keep a fixed margin of around 13-20%. You can pull some Stupid Contractor Tricks ™ like paying salaries and working your people 60 hours/week (this is called uncompensated overtime), but there still is a limit to what you can do.
This fixed margin forces you into high-volume work to turn a profit. This in turn forces you into procedural or even commodity work.
If your project is strictly time and material, you make more money off the cheaper folks but for quality of work reasons, you have to provide them with a playbook of some sort. This pushes you directly into the procedural tier.
There are some contractors providing services at the Brains and Gray Hair stages, only they are few and far between.
Traditional types of contractor security services:
- Security Program Management and Governance
- Audit and Penetration Testing
- Compliance and Certification and Accreditation Support
- Security Operations (think Managed Security Services)
Then back around to cyberwar…
Cyberwar right now is definitely at the top of the skill hierarchy. We don’t have an official national strategy. We have a Cybersecurity Coordinator position that hasn’t been filled yet. We need Brains people and their skills to figure this out. In fact, we have a leadership drought.
And yet the existing contractor skillset is based on procedural offerings. To be honest, I see lots of people with cybersecurity offerings, but what they really have is rebranded service offerings because the skills sets of the workforce haven’t changed.
Some of the procedural offerings work, but only if you keep them in limited scope. The security operations folks have quite a few transferable skills, and so do the pen-testers. However, these are all at the tactical level. The managerial skills really don’t transfer at all unless you have people who are just well-rounded, usually with some kind of IT ops background.
But, and this is the important thing, we’re not ready to hire contractors until we do get some leadership in place. And that’s why the $25M question right now is “Who will that person be?” Until that time, anything from the vendors and contractors is just posturing.
Once we get a national leadership and direction, then it’s a matter of lining up the services being offered with the needs at the time. What I think we’ll find out at that time is that we’re grossly underrepresented in some areas and sadly underrepresented in some areas and that these areas are directly inverse to the skills that our current workforce has. This part scares me.
We need workforce development. There are some problems with this, mostly because it takes so long to “grow” somebody with the skills to get the job done–maybe 5-10 years with education and experience. Sadly, about the time we build this workforce, the problem will have slid down the scale so that procedural offerings will probably work. This frustrates me greatly.
The summary part…
Well, just like I don’t want to belong to any club that would stoop so low as to have me as a member, it could be that almost all the contractors offering services aren’t the people you want to hire for the job.
But then again, we need to figure out the leadership part first. Sadly, that’s where we need the most love. It’s been how many months with a significant leadership vacuum? 9? 12? 7 years?
The most critical step in building a cyberwar/cyberdefense/cyberfoo capability is in building a workforce. We’re still stuck with the “option” of building the airplane while it’s taxiing down the runway.