Tight budgets bring people issues to the forefront for CISOs

Information security chiefs are getting creative about attracting and retaining skilled employees without spending a fortune.

SAN FRANCISCO - Agency chief information security officers are becoming more human resources savvy as they determine how to keep key programs afloat in the midst of tight budgets.

During a panel discussion at the RSA Conference on Tuesday, a theme among government CISOs was that people issues were a major focus in adopting a "doing more with less" mentality.

"There's a significant amount of incest in the security world," said Matt McCormack, CISO at the Defense Intelligence Agency. "If you have two vacancies, you're going to hire two people, and I will have lost two people. We need to increase the gene pool for security folks."

McCormack said labor costs were soaking up 80 percent of the DIA's IT security budget, causing the agency to dramatically rethink its approach to staffing. As a result, DIA moved 25 percent of its staff out of Washington to Florida and Colorado. "By continuing to hire in D.C., we were continuing to pay a premium for the same people," he said. "If I'm paying 80 percent for labor, a 2 percent to 3 percent increase in average salaries is hard to take if I'm having to deal with 10 percent in budget cuts."

Patrick Howard, CISO at the Nuclear Regulatory Commission, said the information security budget for NRC has remained flat for three years, causing his office to also evaluate its staffing plan. "We're looking across the board to restructure and regrade by fiscal 2016," he said. "We'll be increasing the number of people we have to do the work by lowering the grade structure of the people we do have."

Retiring baby boomers also present an opportunity for agencies to save money, said Brent Conran, global chief security officer for McAfee and former CISO for the House of Representatives. Baby boomers command higher salaries, he said, and so agencies could afford to hire five to six younger workers as two or three boomers leave. "You're going to find that you'll be able to maintain headcount or grow it," he said.

With salaries for cybersecurity jobs so competitive, McCormack said, the federal government has several other perks that cyber professionals are willing to take in exchange for slightly lower salaries. These incentives include four-day workweeks, telework and flexi-place arrangements, he said.

Meanwhile, another key, panelists agreed, is ensuring you can tie dollars to the agency mission. This includes knowing the chief financial officer and articulating requirements that are tied to a strategic agency objective. "It's not only about knowing the people but knowing the process," Howard said. "If you don't know your [chief financial officer] by first name, then you're not going to be successful."

Agencies also will be looking for new technologies that can accomplish several different goals, according to McCormack. "I know you have software X, Y and Z, but this other software can do what all three of those do," he said. "That's what we're going to be looking for over the next several years from the support community -- how can we do things better?"

Conran said the government is not alone in its efforts to cut spending, noting he sees the same issues in the commercial world. Centralizing, consolidating and simplifying IT programs are critical, he said. A huge consolidation at the House included moving to the cloud, he added.

"The cloud actually summarizes several of the suggestions from the panelists," said W. Hord Tipton, executive director of (ISC)², who moderated the panel. "It's a way of modernizing and getting away from legacy systems that keep dragging you down and consuming your dollars."

Still, Tipton added, CISOs must think creatively when determining how to best use their people and give them incentives to stay in their jobs, as the current market for cybersecurity skills is extremely competitive. "Building the talent pipeline is not being offset by efficiencies to the cloud," he said. "It's stemming the growth, but everything we see is that this field is going to continue to grow."