Where are all the government infosec professionals?

Chris Sienko: Hello and welcome to another episode of Cyber Speak with InfoSec Institute. Today's guest is Gregory Garrett, head of US and International Security for BDO. We're going to be talking about a topic that's currently a big part of InfoSec Institute's initiative for the coming years, namely finding new and innovative ways of closing the cybersecurity skills gap. To do this requires us to first understand the underlying sources of the problem, and Greg is here to help us come to an understanding about the various facets of the issue. Gregory Garrett is the head of US and International Cybersecurity for BDO, where he supports more than 2000 IT and cyber professionals globally. A recognized IT and cybersecurity expert with 30 plus years of experience, Greg has managed more than 40 billion in complex high tech programs and related consulting services for government agencies and Fortune 500 companies around the world. Greg, thank you for joining us today.

Gregory Garrett: Well Chris, it's my pleasure. I'm always delighted to talk about cybersecurity.

Chris: That's fantastic and we're glad to have you. So let's start out with the 10,000 foot view. What in your opinion is the biggest cause right now of the cybersecurity skills gap?

Greg: Well, I think Chris, first you have to look at the people that work in cybersecurity because it's not just one flavor or one set of skills. And if I were to broadly put those into three major buckets, I would say first you have those folks that are focused on the policies, plans and procedures and especially, as you know, on the government side that are focused on the National Institute of Standards and Technology, NIST 800 series and the risk management framework. I would submit to you and to the audience that the government actually has plenty of cybersecurity compliance-based policies, process and procedures firms. So I would say their shortages are in the other two categories, and I would say those are really in the hardware and software, the technology analysis, the programmers, the coders, the pen testers. There they have a significant shortage.

And then the third group would be, and these are really the high end, the threat intelligence analysts, the data scientists, the people that can take that data and extrapolate it either on a retrospective basis or on a proactive basis to identify potential trends and vulnerabilities. So when I talk about cybersecurity skills, I try to bucket it in those various different groups or categories.

Chris: Okay, that's interesting. So, there's a stratification of certain type of positions where is it just because it's much higher specialization level or higher skill that certain buckets are less served and others are more served?

Greg: Well, I think it's a combination of factors. I'd say one, the government has a tendency towards requirements and documentations and policies and plans and procedures. And since they, let's say to a large measure, specialize in that, they have a lot of people with those skillsets within their organizations today. I think they have a hard time attracting, for a variety of reasons, pay and flexible work hours and a variety of reasons, the high end hardware and software engineers, computer scientists, and the third category of data analysts and what I'd call high end threat analysts. If you're familiar with the security operations centers, the SOCs, that all the federal government agencies have, it's easy for them to get the tier one, which are the analysts that are looking at the scopes and gathering information.

And it's fairly easy for them to get the tier two people that have some experience as to handling incidents and intrusions and then coming up with a game plan to deal with them to eradicate a malicious software or virus. But where they struggle are those higher end tier three analysts that people that can really do the threat analysis, that can really do the proactive threat assessments and that's where there's a significant shortage.

Chris: Okay. So do you think it's because they're not offering people of these specializations and skill levels an appropriate offer or is it that they're kind of low balling it or are there just not that many people out there that can do the job?

Greg: Well again, it's a combination, Chris. I mean, I'll give you a for example. Several years ago I was leading a large government cybersecurity contractor that provided literally hundreds of people to federal civilian agencies to staff those kinds of security operations centers. And what we found is that the government agencies were willing to pay maybe half to a third of what those same people could get in the private sector.

Chris: Wow, okay.

Greg: I mean, I'll give you a classic example. One of the high end skillsets today is a certified Splunk architect because as more and more companies are using Splunk as a data visualization tool to be able to gather vast amounts of data and analyze it and customize it into customized dashboards, there is a very small number of people that have the high end Splunk certified architect, which is above their Splunk certified engineer, and even fewer that have security clearances. And so in the private sector, those people could bill out at say $350, $400 an hour. The government's only willing to pay those same people with that same skillset maybe $150 an hour.

Chris: That's interesting. I mean, do you think there's any way around that? I mean, there's always funding issues within the government and stuff like that. Is it just a matter of prioritizing the need and moving the money around or changing minds about leadership in the government and so forth?

Greg: Well I think for those high end skillsets, there has to be a recognition that the government has to be flexible and being willing to pay what the market demands when there's a shortage of those kinds of people. And unfortunately, I haven't seen a lot of flexibility in the government agencies around those. And also too, I think part of the problem, Chris, is that the government is not real flexible often on their requirements. And so sometimes their very specific requirements for so many years of experience, such a level of education, so many certifications and a security clearance, combining all of those, those becomes very restrictive. It makes it very difficult for both the office of personnel management as well as the government contractors to be able to fill those positions.

Chris: So what are your thoughts on, this is maybe not just about the government, but the industry in general. There's a theory that there's less of a skills gap than it's more of a training gap. Under this theory, employees currently at the company might want to do the job, but HR has been conditioned to accept only the perfect unicorn candidate for these positions with only the right set of skills. They're not training people or bringing them up internally. Is that also a component of this, do you think?

Greg: Yeah, I think that's a very real component of this. I think there's a lack of understanding of people's ability to adapt and to learn and to gather new skills. And I've seen this both in the public sector and the private sector. I mean, there are certain core capabilities that you look for based upon the roles, as I mentioned earlier, that people play, but I like somebody with a computer science background or an engineering background because they tend to have more technical problem solving skills than somebody who's, for example, an accountant or somebody with a finance background. But it doesn't mean that those people, if they've got good computer skills, can't be trained and adapted to one of those three categories of positions.

Chris: So, moving on. Because of the speed at which up to the minute knowledge changes in the security game, it's been said that up-to-date knowledge has a half-life of about two years, which means about every two years, half of the knowledge goes away either because you start to, you know don't use it, you lose it, but also that it becomes obsolete. So is this issue bigger than just getting people onto the skills treadmill so that they're staying fresh? Is the technology moving so fast that people can't keep up as well?

Greg: It is really a challenge. And again, I go back to those three skill groups because the rules, the regulations, the laws, they don't morph nearly as quickly as the actual technology does. And so those that are focused on the hardware, the software, the penetration testing, the vulnerability assessments, trying to keep up with the latest malware, that is just an ongoing dynamic environment that is constantly changing. The half-life might be actually more like six months when it comes into some of the latest malware and trends associated with that. But I would say, when it comes to the policies and procedures, it might be more like a five year period. And the threat analysis and data analytics, that's probably closer to a two year half-life.

Chris: So within your own organization, yours in this case being the listeners, within organizations, what are some of the metrics you would use to assess both the real skills gap in your organization but also the actual skill level of your staff or the actual skill level of applicants for your InfoSec positions? What questions should you be asking candidates or existing employees to prove their knowledge or their interest?

Greg: So again, I'd go back to what's the nature of the position that they're filling? If I'm looking for someone to be, for example, a cybersecurity analyst that's conducting largely HIPAA based cyber risk assessments, then I'm going to ask them questions around their knowledge of the HIPAA requirements, maybe a knowledge of NIST requirements or ISO requirements, how many assessments they've conducted, what tools and methodologies they've utilized. And we'll focus on that specific skillset. Conversely, if I'm looking for a pen tester, I'm going to see how many penetration testings they've done, what software tools they're familiar with. So, each one's a different set of questions. And the threat analysts, there I'm going to be talking about how they analyze and interpret data, what database tools that they've utilized. So, each of them are a different set.

Chris: Yeah. So I guess, especially at both in the government level but in also in the private sector, we mentioned how fast technology changes and how fast trends change and so forth. So, conceivably massive changes to your company's cyber program can happen all the time, like sometimes a company will just migrate everything to the cloud and that can result in complete upheaval of your security department. You'll either have to retrain or replace most of your InfoSec team. Are there any steps you can take in advance that would prevent job loss or downtime to find new candidates? Is this a process that can be a learned skill from executives who, say, change everything tomorrow?

Greg: Well, very seldom do I see an executive or talk to a senior executive who says to change everything tomorrow.

Chris: Yeah, yeah, yeah. Sure. I just read about this new thing at a conference and I want us to do it immediately.

Greg: Yeah. I mean, sometimes you have those technology, early adopter folks, but often that's not the case. What's usually the case is people say to me, "Hey Greg, we have a limited amount of money to spend and we want to use our money as wisely as possible to improve our level of security. Where should we start?" And candidly, I sort of treat it more like a physician would a patient, and I say, "Let's start with a rather robust series of diagnostics and let's look at the actual defense and level of security of your organization comparison to the threat." Whereas a lot of people will whip out a copy of NIST 800-171 if they're working with a government contractor, or if they're working with a financial institution, the NYDFS cyber security requirements and you follow a checklist approach. I don't really think that's appropriate.

I think you should start with the diagnostics, like doing an email network attack and threat assessment, conducting penetration testing that externally look at the environment, conducting scanning on the computers to see if there's an advanced persistent threat that hasn't been detected. So really looking at the hardware, the software, the email, the networks, the end points, and determining how vulnerable is this organization to outside attacks. So I like to start there. And then I'll look at their policies, their plans and their procedures, so I can get a holistic assessment of the organization and its level of defense. And I do all of that typically before I start doing any recommendations or remediation actions in improvement.

Chris: I see. So we had a recent guest who noted that, we were talking about career tracks to a CISO positions, and he noted that outsourcing security is becoming more and more common these days and that CISOs need to understand how to integrate this very real and very common business decision into their model of risk becoming extinct. How will this impact the short and longterm skillset issues we've been discussing? If we don't have anyone that can do this particular position and no one's trained for it, are people going to be using security in a box as stop gaps or is there a worry that cost-cutting tendencies towards outsourcing is going to make the whole argument of training your employees in house redundant in a few years?

Greg: So that's a good set of questions. It really is. I'd say most of my clients are mid-sized companies today and so they're all struggling because the large Fortune 100, Fortune 500 companies can afford to have a really robust cybersecurity in house department with a lot of resources, a lot of training, high quality variance chief information security officers. The mid-sized companies struggle. They struggle to find the talent, they struggle to hold onto the talent, to make the investments in the hardware and the software. So candidly, the managed security solutions or managed security services environment is really an attractive environment for them.

And I will tell you that we're selling a lot of managed security services from email threat monitoring services to network and end point, the detection monitoring services to what we call a virtual CISO service where a client can say, "Hey look, I can't afford a full time CISO, but I could really use somebody maybe eight hours a month to help develop some high level plans or strategy, or if you could give me a CISO in a box where I could call up and say, okay, this time I need a CISO that has a real great understanding of, for example, HIPAA compliance and can help us develop a strategy for that." And the next time it might be, "Hey, can you hook me up with an expert on incident response planning and help me put together a really robust business continuity plan, disaster recovery plan and incident response plan?"

Chris: I'm sorry. Do you think that this can be a permanent solution going forward in the sense that you can use these people while you're retraining your current staff and helping more internally, or what do you think?

Greg: Yeah, I think it depends on the needs of the client. I mean, sometimes somebody needs a CISO for three to six months while they're looking into recruiting, searching for the right full time person. Sometimes the company just can't afford paying out that kind of a salary on a full time basis. So it just makes good business sense for them to have access to someone with those skills, but only on a part time basis. So, I think it's best to provide the support that the clients need, based upon their budget and their situation.

Chris: Right. Absolutely. One of the reasons that we brought you on the show is you have, because of your government background and knowledge. I wanted to ask you a little bit about the recent government shutdown and what effect it has had on the issue of the skills gap. By the time this episode airs in a month or whatever, temporary funding measures will have run out, so we'll see if we've shut down again. But in general, what do you think the ripple effect will be that that will have on the cybersecurity training within the government and job placement, especially in key security positions in the military?

Greg: So, I appreciate the question. I really do because having spent 24 years in the United States Air Force as a military officer and worked in all different areas of communications from satellite communications to telecommunications, to IT and cybersecurity, I have a real appreciation for this and what some of the challenges that folks are going through. So one, I would say this particular shutdown is somewhat unique from the standpoint that it was a partial shutdown, 75% was funded and most organizations, and you know that the government is not a single entity. DoD is a quite different culture than the intelligence community, and both of those are quite different than the civilian agencies. They each have different priorities on funding. Said simply, most of the federal government organizations consider cybersecurity skills and those surrounding their security operations centers to be essential. And so for the most part, those people were funded, working their appropriate shifts and fully operational during the shutdown.

So from an operational standpoint, I would say it had very limited impact. Now if there's a second round or we reach our debt ceiling and people aren't funded, that could be more significant. But to your point, I think where it really has an impact when these kinds of government shutdowns occur, what tends to be pushed off and sometimes completely eliminated is training, and training is essential, especially simulations for incident response and things like this and keeping up with the latest malware and the latest software and the latest data analytics capabilities. So those kinds of delays in training can have an impact. But to your last point, where I think it has the biggest impact is on recruiting and retention, is that people don't see this as a stable environment where there's a potential that they may not get paid, may not get the training. Then it becomes even less desirable than, candidly, it is already.

Chris: Yeah. Even more so, as you said, you're already potentially taking a pay cut for these kind of positions anyway. And then if you're also risking job security, suddenly it goes very far down your list in terms of desirable positions you might want to take with your skills.

Greg: Yeah, absolutely. And candidly, again, a lot of the folks that go into the government, I mean besides service to the country, which is a wonderful thing, but a lot of them go into it because of the level of security that they have in the position security, the opportunities for advancement and historically really high quality education and training programs.

Chris: So do you think that the skills gap, specifically at the government military level, it sounds like, like you said, a fair amount of it was funded, but do you think that a permanent solution is something that could be solved with specific legislative action or does it go deeper than that?

Greg: Well, things are certainly possible to improve through legislative actions, like increased funding and basically saying these are protected critical mission essential positions, things like that can be done. And I think there are some deeper issues just concerning how the government looks at these kinds of positions, and they've become more of a commodity over the last 10 years, and so not viewed as valuable as perhaps they once were.

Chris: Yeah. I guess to wrap things up here, if you had a magic wand to solve the skills gap, especially in the government and military areas once and for all, what specific actions, legislative or otherwise, would you take? Is there a combination of fast track measures that would solve this tomorrow, whether it's changing executive minds about what this is about or what would your ideal solution be, I suppose?

Greg: Well, there's always the short term, the mid term and the longterm solution. I'd say from a longterm solution, my wish for the government would be that they not be so shortsighted and that they view this point in time in cybersecurity as what it is, a point in time, and start looking at the next generation. And I do see the next generation more blockchain oriented, where we move to a more secure platform because inherently, as you know, the internet was created as a communications device to send data at high speeds, but not in a protected environment. And so as we've migrated the internet to more transaction and made it a virtual shopping mall with a virtual pay capability, we've created an environment where now we've got information and security concerns that it was never intended to have.

We've bolted on encryption, multifactor authentication and all these other measures. We try to implement a level of security on an inherently insecure platform. And so, I think if you're looking forward, you have to recognize that this as a platform will be here for at least another 10 to 20 years. And I'm talking about the internet and our commercialization of it. But I do see that with the growing use of blockchain technology in both the public and private sectors, that we'll see more secure based transactions, whether it's contracts, electronic funds transfers, accounting measures taking place using blockchain technology.

And so I would like for them to really invest more in the future, because Chris, I was looking at the budget reports just yesterday that came out of the GAO in preparation for our discussion. And they spent $80 billion, the US federal government, on IT last year. Over 70% of that was for IT modernization of really old hardware and software. And I would say, look, instead of spending all that money patching the old equipment, scrap a bunch of it, shut down a bunch of those old systems and networks, and start really making significant investments in a much more secure platform going forward using, as appropriate, blockchain technology.

Chris: Well Greg, thank you for joining us today. This has been extremely educational, and I hope everything you're predicting comes true.

Greg: Well, thank you very much for your time. Always appreciate it.

Chris: Okay, and thank you all for listening and watching today. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to youtube.com and type in Infosec Institute to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Please visit infosecinstitute.com/cyberspeak for the full list of episodes. If you'd like to qualify for a free pair of headphones or other promotions with a class signup, podcast listeners can go to infosecinstitute.com/podcast to learn more. And if you'd like to try our free Security IQ package, which includes phishing simulators you can use to fake phish and then educate your colleagues and friends in the ways of security awareness, please visit infosecinstitute.com/securityIQ. Thanks once again to Gregory Garrett and thank you all again for watching and listening today. We'll speak to you next week.