How to Acquire and Develop InfoSec Talent in Government, Part 2

Last week, we began talking about the challenges of hiring information security (infosec) talent for government and all sectors. We also talked about ways to find potential candidates, some traditional and some a bit more creative.

This week we’ll focus on how we build these skills. This is not as straightforward as it sounds. In many cases, you can’t just have your staff take computer-based training (CBT) and reap all the supposed rewards. As we mentioned last week, a good information security program is comprised of staff with top-notch technical and soft skills.

What do you need now, and what can you wait to develop?

One of the first questions you should ask is: What skills or services are needed right now? Depending on your existing staff, you may have to augment with contracted workers, if you have funding to do so. This is one of the many chicken/egg problems agencies face when trying to mature their information security program. You have to keep the lights on and provide basic services (incident response, patching, etc.) before you can add and enhance services. It will take some time to understand where this balance lies.

NOTE: Staffing agencies in your area may not have the skills you’re looking for either. In my experience, it has been a hit and miss.

NOTE #2: If you are looking at staff augmentation, do this only for commodity security services if you can help it. Any position that requires more in-depth knowledge of the organization or relationship building with other departments is somewhat wasted on contractors (unless you are looking to do a contract to hire).

Remember how I suggested looking outside your IT department for potential infosec candidates last week? This works well if you can afford the time and resources to groom candidates into well-oiled security machines. This applies to internships and other employee development programs as well.

These are time-consuming. In an ideal situation, you’ll have your top performers in charge of candidates’ development, or at least participate in training. Unfortunately, our top performers, who make up 20% of our workforce, do 80% of the work (aka the Pareto Principle). You’ll have to have a tough conversation with yourself. Can you afford to lose some of their productivity so that they can train staff who may or may not work out? Here’s the kicker – How many of us have consciously slowed down the progress of a project by having a less-experienced staff member working on it, instead of our “A” player?

If you haven’t, why not? How do you expect your team to grow in skill and confidence if they don’t have the opportunities to learn and make mistakes? Perhaps our new team member eventually becomes a stellar infosec employee.

But what if they leave for greener pastures? In my current position, I had a member of my team receive a job offer that paid almost 50% more than what they were making. It happens, especially if you do a good job of training them and refining their skills. We need to be prepared to say that’s OK, that someone else benefited from our mentorship and training.

So, take stock of what skills and resources you need now and in the future. Identify what training is needed, both technical and soft-skills-related, and coordinate training when it is optimal. Don’t offer threat hunting training, for example, when staff don’t have an opportunity to take advantage of what they’ve learned. By the time they get to it, they might have forgotten everything they studied.

Assess what skills are needed to develop your staff

It’s one thing to assess what skills are needed based on your infosec program and services. It’s another to base it on the existing skills of your team. And this is where things might get a bit personal. It is human nature to sometimes inflate one’s capabilities. Let’s face it, not a lot of people like being told they need more work in some aspect of themselves. This is why formal objective self-assessments are popular. You aren’t interjecting bias into the analysis – although I have heard plenty of people criticize (in many cases, appropriately) the legitimacy of the questions being asked. This is why I prefer to either conduct the analysis myself or bring in someone (preferably on the team) whom I trust if I am unable. The biggest reasons are:

  • the assessment is done in the context of what it’s really like to deliver a work product and
  • the conversation about the skills assessment tend to lead to other conversations that need to be had.

Look, most of us aren’t great about having constructive conversations with staff about how they need to improve. I suggest that this should be a regular conversation though. The more we have his sort of dialogue, the easier it is.

NOTE: This is easier to do if you let the employee reciprocate and provide constructive criticism on how you can be a better supervisor to them.

In infosec, if we aren’t constantly honing our skills, then we are going to be even farther behind the bad guys. This is an example of where the bear analogy – you only need to run faster than your buddy! – doesn’t work. Our competition isn’t other government agencies. It’s the bad guys.

Walk the walk when it comes to training

Obviously technical training is important, especially in the infosec field. So are soft skills. But in some instances, they can both be hard to build up. Regardless of the training required, you need to be disciplined when establishing it. Let your staff take time off to train. It is so easy, especially with computer-based training, to push it off due to competing work efforts. Before you know it, it’s been a year and your subscription has expired without your team having gone through a class.

I have seen agencies refuse to let engineers with old skills (e.g. mainframes, old programming languages, etc.) learn new skills. And I’ve either seen them leave or, worse, do the bare minimum. It’s easy to get wrapped up in the now and put off thinking about tomorrow. One surefire way to drive off technologists, especially infosec staff, is to not invest in their skills and let them stagnate.

Soft skills might be a different story. Especially for those who come from a purely technical background, your employees might not put the same stock into soft skills as you do. It’s our jobs as leaders to help explain why they are so important. Here are a few examples:

  • If someone is looking to move up the career ladder (whether technical or managerial), communication skills become more important, not less. Give examples of such!
  • The IT field can be crowded, even though the job market for infosec staff has been strong for years now. If you are looking to differentiate yourself from the competition, communication skills are a great way to separate the wheat from the chaff.
  • At the end of the day, infosec is looking to translate technical acumen into business services. Much of what we do in infosec isn’t inherently understandable by non-technical employees. It’s up to us to translate what we do into terms that the organization can natively understand.

I hope the last two weeks have given some food for thought regarding acquiring and developing infosec talent!

Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected]. And to read more from our Winter 2021 Cohort, here is a full list of every Featured Contributor during this cohort.

Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County, Arizona, which is the fourth most populous county in the United States. With over 25 years of higher education and local government IT experience, Lester has spoken at local, state and national conferences on topics ranging from telecommunications to project management to cybersecurity and data. His current areas of professional interest center around IoT (Internet of Things) technology and data management and the juxtaposition of these disciplines with cybersecurity. You can follow Lester on LinkedIn.

Leave a Comment

Leave a comment

Leave a Reply