IT Security - M. Ursula HerrmannM. Ursula Herrmann is Great Lakes Computer’s guest blogger on Government IT Security.  You may also recognize her from her work on Crain’s Cleveland Business as a guest blogger on Network Security.  Ms. Herrmann is a Network Security Analyst living in Juneau, Alaska.  Network Security is not only her career but also her hobby as a blogger.  You can check out her full blog here.

The Federal Government is trying to update its approach to security; will it succeed?

At the end of 2010, the then-CIO for the US Government, Vivek Kundra, published a paper outlining 25 points to reform Federal IT Management. I’d heard of it at the time, but not read it. However, with the President having recently signed the sequestration order into law, it’s being passed around again with “where are we now and where are we going with this” notes attached.

There’s nothing wrong with the paper, per se. In a nutshell, it says that the government should focus its energies on programs that yield obvious benefits, and on hiring programs that will attract rising IT stars. The problem is that, for the most part, the Federal government has no idea what will attract such people to work for and with it. And the reason for that is that the way that most IT professionals – especially the young geniuses that the government is hoping to snare – think is complete antithesis to how the government works, and vice versa.

Like any generalization, of course, there are exceptions to what I’m talking about. There are certainly a lot of brilliant people whose way of thinking is not antithetical to the way the government works, and many of those people are in fact working for the government, or working for companies that support the government. And there are some people who, regardless of the fact that they don’t have a meeting of minds with the government, will still choose to work for it in some capacity, for various reasons. But it’s very unlikely that the government will be able to attract the sorts of people that Kundra’s paper is talking about, at least in large quantities. The fact that the government representatives who talk about this hiring concept don’t realize how unrealistic they’re being is rather worrying.

There are several reasons why the government won’t, for the most part, attract the best and the brightest young minds in IT. First of all, as I’ve mentioned, there’s the fact that the government way of thinking and doing things is antithetical to your typical hacker. (Note to the reader: if you feel that the term hacker is pejorative, then you are not one.) This isn’t true in all cases, and certainly a number of us feel that it’s worthwhile to try to work from within the government system, but I’d venture to guess that those of us who chafe less in the government are a bit older and more staid than the “cyberninjas” the government is trying to attract (most of whom ridicule that term). The government already has a lot of people in its employ who might be able to fit their idea of “cyberninjas”, but the government is not willing to spend the money to train them.

And this lack of desire to spend money where it would do good leads to the second problem: the government works by spending the least amount of money possible to achieve the best result it can. If a particular company or entity is the lowest bidder on a project while promising the same or a better result, that entity will be awarded the job. Because the citizenry are the ones paying for the project through their taxes, that’s the way it has to be. However, it doesn’t give the government a lot to work with in terms of attracting “cyberninjas”, who can make a lot more in the private sector. In general, a government job is comfortable and secure, but it can’t match the perqs and thrills that come with being a famous name in IT culture. In fact, the government would frown on a lot of those perqs and thrills (which brings us back to the difference in mindsets), and it wouldn’t want to or be able to fund even those it would not frown on (such as extensive traveling to security-related conferences and training).

A third issue is something I touched on in my previous article about Continuous Monitoring. The Federal government is so focused on compliance that it’s seemingly forgotten that there’s a lot more to security. I see a lot of people saying “what is the right thing to do” and other people saying “it says right here that…”. Adherence to policy is necessary and I’m not trying to knock it, but it’s not the be-all and end-all of securing information. The government as an entity may know that – although I’m not taking any bets – but I would estimate that 99.9% of the people who are actually in the trenches doing security don’t have the first clue to proceed, other than finding out what the policy is so they can tell other people how to adhere to it. And that is a problem.

Vivek Kundra’s paper was written only a couple of years ago, and it’s still very germane. However, I’m not sure how realistic it is. Kundra has himself returned to the private sector, but I wonder what he thinks now, especially about methods to attract young and brilliant IT professionals. The government really needs fresh blood, but I’m not sure it will know what to do if it can get what it needs.

Learn more about the author Bob Martin