The infosec brain drain

It's time for the federal government to sound a security alert — of a different

During the past six weeks, two of the government's most influential
security experts have announced plans to take jobs in the private sector:
Richard Guida, chairman of the Federal Public Key Infrastructure Steering
Committee and a 28-year government veteran, and Tom Burke, an associate
commissioner for information security at the General Services Administration's
Federal Technology Service and a 23-year veteran.

The government is losing a vast store of institutional knowledge, as
well as two experienced leaders in a field where leadership is sorely needed.

Those departures also remind us that the information technology worker
shortage that afflicts all of government will be felt in information security
offices as well. And a brain drain in security, at even a fraction of the
rate in other IT fields, could exact a heavy toll.

Federal agencies were already dependent on the Internet for sharing
information and making transactions when the dot-com industry exploded.
The Net economy has agencies envisioning even more dramatic ways to deliver

But the digital government vision will unravel if agencies do not put
adequate safeguards in place. It's more than configuring firewalls; agencies
need people who have the imagination that allows them to match technology
to new applications and emerging threats.

Part of the solution is for agencies to thoroughly document their security
policies and procedures so that institutional knowledge does not go out
the door with departing employees. But that is not enough. Information security,
like all technology disciplines, depends on the creativity and vision of
individuals. If those people leave for the private sector, that is where
agencies must turn.

Outsourcing security services, or involving industry in policy-making,
is a frightening thought for many people. Government, in general, hesitates
to make outsiders privy to information about its vulnerabilities or failings.

That mindset has to change. If cyberthreats continue to grow, and security
experts continue to leave, the government will find itself woefully unprepared.