I had a coincidental meeting with two government cyber professionals in the same weekend. Neither one knew me before Saturday, but as we talked I found that both of these women were getting out of the business entirely, one after 15 years. I thought this was odd until they talked to each other about what was driving them out of the career field.
Both said it was their IT people who would not accept security policies nor respect what they did as Cybersecurity professionals. They were tired of beating their heads up against the wall every day, even though the money was good. No respect was the bottom line.
I could relate to some of that, but when you work for the Intelligence side of security, it is a little different. Security was built into builds, operations and maintenance. We did have a CIO buy curtains and a new carpet with his security budget (they were so outrageously expensive he got caught and removed), but for the most part the IT people were accepting of what they knew had to be done to have systems in that environment.
But what these two were describing is something else again. One said that in her latest endeavor the CIO said the government employees could work at home, which included software development, testing, and almost any software acquisition. They had no idea where these geniuses were getting software and most of it was public domain stuff. The security for that working at home was less than adequate (by my standards) though I won’t say what it was. It was cheap, easy to get to, and came with libraries of subroutines they could use. No wonder our government cannot keep its information safe.
The other said there was next to no understanding of what agile development was supposed to produce. They weren’t having sprints, they didn’t post the schedule for sprints and they did everything ad hoc until a government rep checked up on them and they had a meeting. It was all for show. They had a lot of idle time and were bored stiff. They had to contact these people individually to stay abreast of what was being done. That was ad hoc too. “Didn’t they invite you to the development meetings?” “I went to them but they didn’t invite me, and were not happy about having me there.”
I wish I could say this is nothing new, but it is new. IT is getting to the point where they pay no attention to security at all, if these accounts are true. I think they were doing the right thing by getting out of the field. As I used to tell my students, if they aren’t paying any attention to you, they don’t want somebody to help them with security - they want somebody to blame.