I love transition time. We get all sorts of strange people who come in, issue their letters on how they think the Government can solve the major cybersecurity issues for both the Government’s IT systems and for the rest of the US as a whole. And then, they all leave.
Nobody actually implements the suggestions because it takes time, effort, and money to get them done, and all that anybody ever wants to give is talk. Talk is cheap, security is not.
Many years ago when I became an infantryman, our guest speaker at graduation made one of the most profound statements that I remember over 8 years later: “Infantrymen vote with their feet”. In other words, we’re doers, not talkers, and at one point in our lives we decided that something was important enough to give up 4 years of our lives, maybe more, for this cause. Even Colonel Davy Crockett after he lost re-election to the House of Representatives wrote “I told the people of my district that I would serve them as faithfully as I had done; but if not … you may all go to hell, and I will go to Texas.” He died less than 3 years later at the Alamo. That, ladies and gentlemen, is how you vote with your feet.
My personal belief is that the primary problem the Government has with security (on both sides of the InfoSec Equities Issue) is that there is a lack of skilled security practitioners from which to draw. If you think about everything we’ve done to date, it’s almost always a way of compensating for our lack of skilled people:
- Reducing security to a bunch of checklists
- Providing templates to non-security staff
- Automation wherever possible
- “Importing” non-security specialists such as accountants and technical writers in security roles
- Building a “Franchise Kit” upon which to base a security program
- Reserving key decisions for trained security staff
As an industry, we have failed (at least in the public sector) at generating people with the skills to do the job.
And in light of this, my challenge to you: have a good idea and think you know how to solve information security? Yes, we need those, but what we really need are IT security infantrymen who are willing to be doers instead of talkers. To answer the title of my blog post, the thing that the Government is missing is you.
Infantry Action Photo by Army.mil
So how can you help? I know moving to DC is a bit of a stretch for most of you to do. This is a short list of ideas of what you can do:
- Learn how the Government secures systems: don’t just dismiss outright what people in DC are doing because conventional wisdom says that it is failing miserably, and don’t listen to people who do the same.
- Actively recruit techies to “embrace the dark side” and become security people: we need more technically-savvy security people.
- Answer the call from DHS when it comes: living in DC is isolating from the rest of the world and all of the good ideas that are out there. Maybe you have a phenomenal microstrategy on how to secure IT. They/we need to know about it. The Government cannot succeed at securing cyberspace (whatever your interpretation of that phrase means) without input from the private sector.
- Don’t engage the Government only when there’s money in it for you. ~$8B is a ton of money, but if you’re doing your job right as a vendor, you’re solving their problems as a first priority, not a second.
- Build a better education system for security staff and make better career paths to get people from the technical disciplines into security.