Over the past few months, I’ve received quite a few messages from respected friends and colleagues around the nation that both surprised me and got me rethinking about a few simple questions: Are all of the top cybersecurity pros in the private sector? Is a move out of government inevitable for the best and brightest (due to pay differences)? Should all government security be outsourced? Why is it important to have solid security leadership within government? Where is the security industry heading regarding public sector cyber jobs?
First some context... I just switched jobs within Michigan government. I’m back as a full-time government security officer, as Michigan’s new (and first) Chief Security Officer (CSO) over both physical and cybersecurity. A year ago, I was pretty sure that I would be employed by someone else by now – either in a federal government cyber leadership role in DC or in the private sector in some capacity. I did have several good offers. However, my family decided to stay in Michigan for a variety of personal & professional reasons.
My main reasons for staying in government include a new Governor who is serious (and passionate) about cybersecurity, a desire to limit travel, a real chance to make a positive difference and reinvent cyber in Michigan government (again), opportunity to work with DHS and other top global leaders in cyber, difficulty in moving (houses aren’t selling in Michigan), our local extended family that is a great support for me, my wife and kids, a helpful, challenging church community that is hard to find and “the government need” is great. Yes, I’m glad that I stayed in this new role (so far).
Truth be told, the emails and calls from trusted friends (after I announced my decision) surprised me a bit. The overall sentiment: “Are you sure you want to do that?” Some comments were more bold: “You’re crazy, man – I’d take the money.” – or – “I give you a few more years – MAX. You’ll be in the private sector soon enough!”
Perhaps they’re right. Time will tell.
But enough about me. I share this story as a case study addressing the wider set of questions listed above. Here are a few basic observations that I’ve made through this process and my nationwide interactions over the past three years. I believe that these trends cross local/state/federal lines:
- The private sector does pay more for cyber talent. Yes, I’m including the total package including benefits – anywhere from 25% to 75% more, or higher.
- There is also more risk/reward in the private sector, with the potential for stock options and bonuses not available in (safer) government jobs.
- It is very hard to keep good government cybersecurity talent over the longer term. Michigan has lost several top cybersecurity pros over the past few years, and almost all of our experienced professionals have been made tempting offers. Why they stay or go varies.
- Older workers in government are inclined to stay longer due to defined retirement benefits, but younger workers are in “defined contribution” plans (like 401Ks) that are more flexible and can move to a new employer more easily.
- The opportunities for out-of-state training are often more extensive in the private sector, especially with companies that focus on cybersecurity as their main set of products and services.
- Many companies are now offering various types of security-as-a-service. They assume that they know more than their government customers, are much better at providing cyber capabilities, can tell you what you need to do and government execs will usually oblige or eventually cave-in.
- A large number of cybersecurity and technology companies are pushing (selling) “the flavor of the month” whether you need “it” or not. Sales staff need to hit their quotas or they’re in trouble (or gone). This dangerous sales trend is hurting the trust between government and the private sector. Are enterprises really getting more secure or efficient, or just buying the latest “stuff?”
- Government leaders need to do a much better job of managing their vendors and/or providing security services – but…
- Government teams and leaders are stretched and can barely keep up with the fast-moving cyber landscape and global threats.
- Some government colleagues around the country tell me that they can’t get projects implemented, even if they buy various security products and services. There are various reasons for this, and this topic will be the focus of a future blog. Integration of new technology is a problem in complex government enterprise-wide environments. Oftentimes, government or vendor integrators forget the "people" part in people, process and technology.
These trends lead many government executives (on the business side) to come to simplistic conclusions like:
1) Just outsource cybersecurity to get better results.
2) Government compliance regulations are so complex that outside firms are needed to manage new integration efforts, especially if the systems are large and/or contain potential liability, major functionality changes are needed or failure could lead to potential audit findings. (Few systems don't meet these criteria...)
3) Most government cybersecurity experts lack the required expertise to advise senior leadership on required steps.
4) Senior consultants from large firms (who have access to political leadership and top government elected officials) offer the best hope to get things done and reduce enterprise risk.
Even if all of these statements are true, and I’m not sure that they are, the role of trusted government security and technology leaders has never been more important. Why? What roles do government CIOs, CTOs, CISOs, CSOs, IT Security and physical security directors and others need to play?
1) Government technology & security leaders need to assess true enterprise needs and requirements to determine what course of action is really required and what “spin” is just sales talk. (Case studies from other governments help in this area, but be sure to call references.)
2) Management of contracts (and contractors) is vital. Even if the product and price and/or service is required and properly awarded, who is “watching the guy who is watching the cash register?” Is the promised value and ROI being delivered?
3) Most government situations contain a mix of public and private sector staffing and projects. Some projects are outsourced and others are not. Some parts of the network are more secure and/or sensitive than other parts. The government leaders need to focus on the management of these different relationships and ensure that customers are getting good service and resources are deployed properly.
4) Some government pros believe that security is a core function of government, and will never fully outsource security protections.
5) Remember, you can outsource the work – but not the responsibility. When things go wrong and/or you get hacked, the vendors will often hide behind trees and the government executives will be the ones answering the tough press questions.
There is much more that could be said on this topic. I plan to come back to more specific areas in the year ahead. But for now, I hope that many graduating cybersecurity students, who are coming out of good NSA-certified Information Assurance (IA) training programs, consider public sector opportunities. We need solid pros in the public sector, and there is no better place to gain a wider perspective on the cyber industry than in government. The pay may not be as good, but the diversity in roles and scope of duties will be wider. Working for a good government cyber team can be a lot of fun as well.
I have personally seen some great career moves where new cybersecurity pros work hard as government staff, and over time move on to become popular industry experts, making a lot more money in the private sector and growing professionally. These people tell me that starting in government was a great decision. More than that, seasoned pros have come back into the public sector (after years in the private sector) to help manage our private sector partners and ensure that cyber protections are properly administered with the right value for money.
Please understand that I have a positive view of our technology & security industry colleagues in the private sector. (Note: many security companies are also technology companies so I sometimes use these terms interchangeably.) This piece may seem like I'm coming down on the security and technology vendor community - but my point is the need for balance in the ecosystem. When management is working right, true partnerships and trust will flourish, but both sides need to work hard on communication for this to work. This means understanding the potential pitfalls.
We need trusted relationships at all levels. We need public/private partnerships, multi-state partnerships, local-state-federal partnerships and more. This cannot be an us/them relationship between vendors and government staff. We need to work together to build trust and secure our enterprises. But we also need to understand current industry dynamics and what’s really happening with our staff, networks and projects on the ground. We live in a complex world. Cyber threats are growing. This must be an extended team effort.
Government security (and technology) pros are a vital part of the solution to the problem.
What are your thoughts on this topic?