P.S. I _passionately_ hate the terms "cybersecurity" and "cyber" and strongly prefer "information security" and "infosec", but that battle is long over in the federal government, so I reluctantly go with the flow when I'm communicating about it in government contexts.
Jonathan Kamens (jik@federate.social)'s status on Sunday, 24-Nov-2024 00:49:21 JST Jonathan Kamens
Jonathan Kamens (jik@federate.social)'s status on Sunday, 24-Nov-2024 00:49:22 JST Jonathan Kamens
2) Competent people don't like working in environments with incompetent people. If you staff up with mediocre people, you drive good people out.
3) When competent cyber people are forced to spend time on training and on making up for the inadequate work of mediocre colleagues, it saps their productivity.
Recommendation: Prioritize hiring good people, increasing salaries if necessary to attract them, not filling seats.
🧵4/4
Jonathan Kamens (jik@federate.social)'s status on Sunday, 24-Nov-2024 00:49:23 JST Jonathan Kamens
Second, when departments use "tricks" to fill cyber headcount, including, e.g., hiring inexperienced people and training them on the job, they are self-sabotaging efforts to build a competent cyber workforce. Three reasons:
1) Cyber is no different than any other profession: not everyone will be good, no matter how well they are trained. It's hard to fire government employees. If you hire someone who turns out to be mediocre, then you're stuck with mediocre.
🧵3/4
Jonathan Kamens (jik@federate.social)'s status on Sunday, 24-Nov-2024 00:49:25 JST Jonathan Kamens
First, when GAO and NIST require centralized management of the cyber workforce, they create a perverse incentive for departments to centralize the workforce itself, not just its management, because it's easier to centrally manage a centralized workforce.
This results in departments failing to recognize and act on the importance of embedding cyber experts throughout the department.
Recommendation: Every IT-focused office anywhere in the department should have cyber staff.
🧵2/4
Jonathan Kamens (jik@federate.social)'s status on Sunday, 24-Nov-2024 00:49:26 JST Jonathan Kamens
The #GAO recently put out a draft report about the challenges faced by several federal agencies, including the #VA, maintaining an effective cybersecurity workforce.
I had an opportunity to review and provide feedback about the report, and my primary feedback was about two problems the report didn't even touch upon; indeed, the recommendations in the report arguably exacerbate these problems. Here's what I wrote about.
#CivicTech #GovTech #USGov #infosec
🧵1/4