Yeah, tell it to this guy, the Internet’s lawyer. =)
Yeah, tell it to this guy, the Internet’s lawyer. =)
In the military, there is a saying: “You go to war with the army you have, not with the army you wish you had.” In other words, you do all your training in peace and once you go off to war, it’s too late to fix it. Not that I agree with all the Cyber Pearl Harbor doomsayers, but I think that the CyberArmy we got now isn’t the right one for the job.
So, let’s talk about services firms, contractors fit into this nicely since, well, they perform services.
There are 4 types of work that services firms do (and contractors are services firms):
This is also the maturity model for technology, so you can take any kind of tech, drop it in at the top, and it percolates down to the bottom. Think Internet use: First it was the academics, then the contractors, then the technology early adopters on CompuServe, then free Internet access to all. For most technology, it’s a 5-10 year cycle to get from the top to the bottom. You already know this: the skills you have now will be obsolete in 5 years.
Procedural Permit Required photo by Dawn Endico.
Now looking at government contracting….
As a government contractor, you are audited financially by DCAA and they add up all your costs and let you keep a fixed margin of around 13-20%. You can pull some Stupid Contractor Tricks ™ like paying salaries and working your people 60 hours/week (this is called uncompensated overtime), but there still is a limit to what you can do.
This fixed margin forces you into high-volume work to turn a profit. This in turn forces you into procedural or even commodity work.
If your project is strictly time and material, you make more money off the cheaper folks but for quality of work reasons, you have to provide them with a playbook of some sort. This pushes you directly into the procedural tier.
There are some contractors providing services at the Brains and Gray Hair stages, only they are few and far between.
Traditional types of contractor security services:
Then back around to cyberwar…
Cyberwar right now is definitely at the top of the skill hierarchy. We don’t have an official national strategy. We have a Cybersecurity Coordinator that hasn’t been filled yet. We need Brains people and their skills to figure this out. In fact, we have a leadership drought.
And yet the existing contractor skillset is based on procedural offerings. To be honest, I see lots of people with cybersecurity offerings, but what they really have is rebranded service offerings because the skills sets of the workforce haven’t changed.
Some of the procedural offerings work, but only if you keep them in limited scope. The security operations folks have quite a few tranferable skills, so do the pen-testers. However, these are all at the tactical level. The managerial skills don’t transfer really at all unless you have people that are just well-rounded, usually with some kind of IT ops background.
But, and this is the important thing, we’re not ready to hire contractors until we do get some leadership in place. And that’s why the $25M question right now is “Who will that person be?” Until that time, anything from the vendors and contractors is just posturing.
Once we get a national leadership and direction, then it’s a matter of lining up the services being offered with the needs at the time. What I think we’ll find out at that time is that we’re grossly underrepresented in some areas and sadly underrepresented in some areas and that these areas are directly inverse to the skills that our current workforce has. This part scares me.
We need workforce development. There are some problems with this, mostly because it takes so long to “grow” somebody with the skills to get the job done–maybe 5-10 years with education and experience. Sadly, about the time we build this workforce, the problem will have slid down the scale so that procedural offerings will probably work. This frustrates me greatly.
The summary part…
Well, just like I don’t want to belong to any club that would stoop so low to have me as a member, it could be possible that almost all the contractors offering services aren’t the people that you want to hire for the job.
But then again, we need to figure out the leadership part first. Sadly, that’s where we need the most love. It’s been how many months with a significant leadership vacuum? 9? 12? 7 years?
The most critical step in building a cyberwar/cyberdefense/cyberfoo capability is in building a workforce. We’re still stuck with the “option” of building the airplane while it’s taxiing down the runway.
Everybody wants to get in on the cybersecurity filthy lucre. According to the B|A|H report I blogged about yesterday, we need to take fresh young lolskriptkitties and turn them into professional cyberlolcats.
Somedays I feel like people are reading this blog and getting ideas that they turn around and steal. Then I take my pills and my semi-narcisistic feelings go away. =)
So anyway, B|A|H threw me for a loop this afternoon. They released a report on the cybersecurity workforce. You can check out the article on The Register or you can go get the report from here. Surprise, we don’t have anywhere near enough security people to go around. I’ve been saying this for years, I think B|A|H is stealing my ideas by using Van Eck phreaking on my brain while I sleep.
Some revelations from the executive summary:
These are all the same problems the private sector deals with, only in true Government stylie, we have it on a larger scale.
He’s Part of the Workforce photo by pfig.
Now for the things that no self-respecting contractor will admit (hmm, what does this say about me? I’m not sure yet)….
If you do not have an adequate supply of workers in the industry, outsourcing cybersecurity tasks to contractors will not work. It works something like this:
Contractors do not have the labor pool to tap into to satisfy their contracts. If you want to put on your cynic hat (all the Guerilla-CISO staff have theirs permanently attached with wood screws), you could say that the B|A|H report was trying to get the Government to pump more money into workforce development so that they could then hire those people and bill them back to the Government. It’s a twisted world, folks.
Current contractor labor pools have some of the skills necessary for cybersecurity but not all. More info in future blog posts, but I think a simple way to summarize it is to say that our current workforce is “tooled” around IT security compliance and that we are lacking in large-scale attack and defense skills.
Not only do we need more people in the security industry, but we need more security people in Government. There is a set of tasks called “inherent government functions” that cannot be delegated to contractors. Even if you solely increase the contractor headcount, you still have to increase the government employee headcount in order to manage the contractors.
Actually this is all a little bit strange to comprehend, I’m not sure I get it all, but here goes…
So my friend Michael Santarcangelo sold his palatial estate, put his wordly posessions in storage somewhere in upstate NY state, and packed up his family in an RV and is travelling around the US giving a series of seminars on “Communicating the Value of Security”. I’ve met Michael, and he’s not a patchouli-smelling hippie looking for inner truth or some kind of weird traveling salesman, he’s just a really smart guy who’s passionate about what he does.
And he’s coming to Northern Virginia on the 25th to bring you BBQ, pool, and a seminar on how to communicate with non-security folks. There’s a trivial cost to pay for the food. It’s also a family event, and there’s no extra cost for your family to come along, although when Michael sees how much my teenage daughters eat, he’ll probably charge me at least an extra $50 bucks.
It’s a global-scale conference. It’s in DC November 10-13th. Registration is open. I’m helping out as manual labor and maybe all-around fluffer of some sort.
The DC area sponsors (contractor companies and non-profits) are noticeably lacking, and I would like to fix that. If you’re interesting in sponsoring, let me know and I’ll forward your info on to the event organizers.
And while I’m out shilling, the DC OWASP Chapter is going strong and having their next meeting on August 5th. Check them out.