SecureState Blog


In the movie Office Space, Peter Gibbons finds himself in front of “The Bobs” talking about the lack of incentive for coming to work. It’s easy to point a finger at government inefficiency because of its visibility and wide span of authority. But there is also a deeper issue here, which is how the government operates with regard to staff. There is little incentive to do more than the minimum outside of a love for the red, white, and blue.

In the commercial sector, high performers who bring more income into the organization generally have a chance to increase their income level and position. On the government side, this incentive doesn’t exist, which presents an incentive issue. There are pay steps and some promotions, but outside of flexible schedules, extra vacation days, and benefits that outpace the commercial sector, there is very little incentive to be a high performer. With pending health care laws, some of those gaps are being reduced, creating an even larger incentive issue.

This may be part of why we see initiatives to push IT support functions to cloud services and to use commercial providers for security support. The Federal Information Security Management Act of 2002 (FISMA) states one purpose of the law is to “…acknowledge that commercially developed information security products offer advanced, dynamic, robust and effective information security solutions…” If you are slightly masochistic, the whole law can be found here. Outside of security, we see this extending to highly technical engineering feats as well, such as the United States human spaceflight programs.

An additional motivation for the government to outsource lies in the difficulty of competing for highly qualified professionals. If the federal government opts to directly hire staff, the hiring process is long and drawn out. This means you not only need highly qualified personnel to apply and meet your candidate pool requirements; they also must be willing to wait up to six months for the hiring process to carry out. In that time period, your most highly qualified personnel will likely have found other opportunities worth their time and efforts. To aid in addressing this issue, federal contracting has taken a large front row seat in how government operates. Outside of initial contract competitions, Support Service Contractors (SSC) do not fall under the same scrutiny for hiring and firing as federal employees.

SSC map a bit more closely to the commercial sector in that they can be employed or terminated at a moment’s notice depending on their company policies. They can also be used across multiple functions. This means if you have a new support function outside the employee’s initial job description, there generally is not a union that dictates an employer’s ability to assign the SSC new work. An issue for the government here lies in the rarity of having a truly specialized professional supporting its business functions. I am not saying the individuals don’t do good work. What I am saying is that their skill sets are highly distributed, which prevents them from becoming experts in their field of practice.

As an example, within Cyber Security you will find personnel who perform systems administration functions as well as digital forensic functions. Now there may be some benefit to this; however, in the instances I have seen, the system administration functions prevent the employee from developing into a skilled forensic investigator because they are constantly switching between the two roles. The constant switch never allows the employee to become a well-versed professional in either arena. This structure definitely allows the government to get work done, but never in an efficient or truly effective manner. In this example, the case file for an investigation will never be sufficient for representation in a court of law.

What alternative exists then? As referenced at the beginning of my rant, a precedent has been established with the space program. If we can outsource flying a physical body into space, why shouldn’t we be able to do the same with IT in general? By outsourcing, I am not referring to federal contract opportunities, but rather truly outsourced services and support: a structure where cloud services and bench consulting can provide the dedicated, expert services that will aid the government in becoming more efficient and effective as a whole. FedRAMP is definitely a step in the right direction for cloud service providers. Although adoption has been slow, as reported in the media, the ball is rolling and will only pick up speed as federal budget cuts continue.

This brings me to bench consulting services. When working on the federal side, I carried a common misconception regarding the expertise of bench consultants and why they were called so. A bench consultant is not someone sitting on a bench. These professionals carry a highly specialized skill set with continuing education and a wide variety of experience related to that skill set. Within a security consulting firm, you will likely find a knowledge base and background from the financial sector, energy, and government (local, state and federal), not to mention expertise in multiple arenas within the IT Security field of practice.

It has been my experience that many times existing federal employees will attempt to learn these specialized skills rather than using bench consultants. I did when I was in that position. However, imagine a scenario where a federal installation now uses automated power distribution for its facilities. It is clear the government doesn’t know how to protect these systems, as reported here. There is a lot of speculation regarding how to appropriately protect them, but an environment where security professionals focus on NIST guidance likely isn’t going to be highly successful this early in the process. On the bench consulting side, however, you have experts in Supervisory Control and Data Acquisition (SCADA) systems.

Again, I am not saying the SSC or Civil Servant (CS) personnel attempting to learn these items are incompetent! This just goes further to show how the federal government is not postured to adjust and learn SCADA requirements and the security measures appropriate for those systems, compared to NIST guidance. Life for most federal agencies exists in NIST guidance to meet FISMA compliance. Although deep understanding exists in this structure, most organizations do not have an equally deep understanding of the smart grid. Without the use of bench consultants, you are back in a situation where federal staffing is spread thin and forced to become jacks of all trades, experts at few.

Why is this important? If you can do the work, who cares if it is done by an expert? Let’s put that in perspective. Imagine you are having a new roof put on your home. You come to the same conclusion: you can do the work yourself by watching enough DIY Network. So you go about your business and get your roof replaced. Everything looks good and you feel warm and fuzzy. Then the first big rainstorm comes and you find out you didn’t know how to seal the peaks and valleys. When the water is coming through, that is not a good time to realize you should have used a dedicated expert. In a similar light, that is your incentive here. Don’t let your data leak in the middle of the storm. At that point, you will realize it is too late. Unfortunately, it is when this point hits that you may be like Peter Gibbons and need a miracle to prevent larger damage.