As the Federal Government continues to battle the “Fiscal Cliff” and look for areas to cut in its budgets, it seems that information security is always a target. Organizations look to scale back the number of employees working in information security, choose not to “backfill” resources, or look for cheaper options (i.e., lower salaries for employees). The biggest problem with this mindset is that security should not be on the chopping block in the first place. As we’ve been warned by others and seen in the news, the threats to our country’s most vital information systems are rising, and cutting security resources will only make the problem worse!
I recently wrote about a major problem in the Federal Contracting environment, mentioning the problem of staff augmentation and how changing a vendor does not necessarily lead to better services. Since the government began purchasing services, it has looked to industry to provide staff to augment its onsite teams. For the most part, each agency has its own security team that provides services in every way possible, from developing C&A packages to monitoring networks. The government typically overpays for individuals, or pays for individuals to sit onsite with limited amounts of work, thus not maximizing the use or effectiveness of those resources.
To put it in simple terms, let’s say your roof has been leaking and it is time to replace it. Like any other American, you have two easy choices: do it yourself or hire an expert. The first option obviously requires a lot of work on your part. First you need expertise in replacing roofs; maybe you have read a book, or have done it before. Either way, you can’t just wake up one day and know how to replace a roof, so there is time spent learning. Then there is the time and cost spent purchasing supplies. This can be quite costly, as you’re not only paying retail price for the materials, but you also have to find a way to transport them back to your house. Once you’re in the actual work phase, you have to find the time to do the work, which takes away from the time you would spend elsewhere. Plus, you will use your own methodology, which hasn’t been perfected through practice, so the project takes you longer to complete. When all is said and done, you may save yourself money, but you have spent a lot of time and frustration doing it yourself.
The second option, hiring an expert, would be a huge stress relief. There’s no arguing that outsourcing to a contractor is never a painless experience, but you have the comfort of knowing you have an expert working on the roof, and they SHOULD provide you with a better product. They get materials cheaper because they typically don’t pay retail price, and they have the equipment to transport the materials. Then you save because the roof is replaced quickly (typically within a week) as opposed to you working weekends or taking time from your normal job. In the end you may fork out a little more money, but you have likely saved yourself time and frustration.
The government, however, uses a combination of both options. It hires someone to do the work, but it purchases the materials, requires the contractors to follow its methodology, and manages the project. When all is said and done, it ends up spending more money, wasting more time, and still having the frustration.
There is a simple way for the government to save money in times of diminishing, sometimes disappearing, budgets, but it will take a strategic mind shift and require Federal executives to look to the commercial sector for answers.
At almost every conference I have attended in the past, the government speaker(s) discuss the need to look to the commercial sector to understand what it does well. Without a doubt, this is the best of ideas when it comes to information security, because, having worked in both sectors, it’s easy to see the commercial sector is at least 3-5 years ahead of the Federal Government (with the exception of some areas such as data classification). So what is the commercial sector doing well that the Federal government is not? One area is the way the commercial sector buys.
We are not saying get rid of the FAR or the government contracting method; what we are saying is that the government needs to change the types of services it buys. The commercial sector does not buy staff augmentation services, or look to consulting firms to provide individuals who will simply follow its in-house developed methodology. It looks to industry to provide innovative solutions to the problems it has. Oftentimes, this results in a better product and saves in many areas, including money, recruiting time, executive time spent on menial tasks, and office space and equipment, in addition to identifying more ways to save money in the future.
In the commercial sector, organizations often purchase packaged solutions from information security consulting firms. Packaged services offer the government several advantages over internal spending and waste, as well as over contracting for staff augmentation, including:
- Clear deliverables: The government currently looks for contractors to provide a service in a staff augmentation model. With staff augmentation as the model, organizations are paid for the time they have resources onsite. Typically, the only deliverables are status reports and timesheets. In the commercial sector, with outsourced models and Fixed Firm Price contracts, organizations establish clear deliverables with time expectations and details around what each deliverable will entail. If the vendor does not provide the deliverable agreed upon, it will not be paid for its services.
- Definitive cost: The government tends to look to contracting organizations to provide Time & Materials (T&M) or Cost Plus Fixed Fee (CPFF) engagements. During these contracts, individuals are assigned tasks they must complete and a general timeframe in which to complete them. Oftentimes, the tasks are only partially completed because of time constraints, or deliverables are never developed. Moving to the outsourced model, a Fixed Firm Price would allow the government to have better control of costs because the cost is a fixed, finite number. If the vendor does not deliver as promised, it does not get paid.
- Less Overhead: No longer will individuals be tasked with auditing and ensuring that each hour charged to a contract is accounted for. In addition, outsourcing allows the government to have lower facilities costs. If an individual is not sitting onsite, not using government equipment, and not charging the government for single-use tools, think of all the cost savings!
- Better Services: In addition to the advantages already listed, the one clear differentiator that the commercial sector is getting through packaged solutions is a better service. Commercial vendors have developed their best practices and methodologies and perfected their craft through years of experience and constant repetition. When a commercial company purchases services from a vendor, it knows it will be getting best-of-breed services because of the vendor’s experience, not the experience of an individual who is good at following government-mandated direction. If the government were to make the switch, it would receive packaged solutions that have been developed to be repeatable, with the same quality for every customer.
The Case Against
The one argument I consistently hear government executives fall back on is that “We don’t think it’s a good idea to have government data outside of our facility…” While this is an understandable concern for any organization, it is hard to trust outside organizations to protect your data when you still hold the risk. But the government already has regulations (FISMA), security programs (NISPOM), and ways of sharing data with the commercial sector (the DHS Cybersecurity Information Sharing and Collaboration Program and the Defense Industrial Base Cybersecurity Information Assurance Program) in place. So why not leverage these as an opportunity to save money and increase the quality of the service?
Let’s look at some hard numbers to make this relevant to the typical buyer. When working with a large retail organization, SecureState provided ad-hoc services to assist the internal security team with a portion of its daily initiatives. To perform these initiatives, the retail organization had four internal full-time employees to complete the work. On average, the direct cost for each employee was $100,000/year, or $400,000 total. Oftentimes, these individuals would complete work earlier than anticipated or have to wait to complete work because of another team within the organization. This caused a great deal of downtime and overhead cost to the retail organization.
The CIO of the organization noticed wasteful spending without seeing the results he wanted, and decided to outsource this portion of his team to SecureState. As an outsourced provider, SecureState was able to provide services at a cost of $250,000/year, with the ability to provide an expert in every area. SecureState provided agreed-upon deliverables and services that greatly increased the security posture of the organization and the efficiency of the security team.
Call to Action
Will the government ever truly embrace commercialized innovation? If you work in the government sector and are facing budget cuts with increasing responsibility, where would you cut? Of course, if all else fails… give us a call and we can help!