I’ve touched on this about a bazillion times, let me start today with a very simple statement: due to the scale of the US Government, we cannot find enough skilled security people.
Part of the problem is that good security people need to know the following skills:
- IT technology: since the data more often than not is in a computer, you need to understand them
- People technology: policies and procedures for managing people
- Business sense: understanding that you’re supporting business goals
- And for Government: politics
Back when I was PFC Rybolov, my battalion commander told me something along the lines of “The intelligence world is a hard job, you have to be able to out-infantry the infantry, out-mechanic the mechanics, out-radio the radio guys, and you need to know a language.” Security is pretty much the same thing–you have to out-techie the techies, out-business the MBAs, and out-jerkify the auditors. =)
Sound complicated? Yes, it is, and it’s hard to find people who can do all this. IT is an employment niche, and IT security is a niche within a niche. And there aren’t enough people with the experience to do it.
So how do we mitigate the staffing shortage? Here is what we are doing today in the Government:
- CyberCorps scholarship program for undergrads and graduate students with a minimum government service obligation.
- Using other career fields in “crossover roles”–yes, accountants can be used for some light security tasks. Some things that we think of as security are really Quality Assurance and Change Control jobs that we have a vested interest in making work.
- Using contractors in some roles such as ISSO, ISSM, etc.
- Automation as much as possible. The technical side is easier; the policy and procedures side takes longer. What you’ll find out eventually is that good IT management is good security management.
- Hanging on methodologies to “automate” the process side of security.
Now this is cool and all, but it’s hard to sustain and really hard to justify as a long-term solution. In order to support the Government, we need to create more people. CyberCorps is a start, but the need is so much larger than the supply that we have to consider better ways to create Government security dweebs.
Do we need Security Awareness and Training? Yes we do, but much more than what is being provided (think system administrator training and procurement specialist training, not end-user training), and as an internal recruiting pipeline. Still, I don’t think that we can recruit enough people to “the dark side” and that we need to look outside the Beltway for people. The problem is that DC is such an insular community and we don’t speak the same language as the rest of the world.