
How many $40K ransoms would an org have to pay before it was cheaper to have a security team? The demands might be small to make it cheaper in the short term to pay instead of try to fix the problem. Obviously there are large costs external to the ransom payment, but you don't have to get those funded via political process.

Also, in my experience working for state government, engineers were considered a waste of money. Hiring was difficult because they wouldn't pay anywhere close to the market rate, and techies weren't allowed to earn more than managers. There was a parade of sales people pitching the director to lay off the devs and outsource everything, and then pat each other on the back for "slashing government waste." It seems like most of their apps should in principle not have needed to be completely reinvented from scratch, but having people who don't work here responsible for security causes an agent-principal problem; from the point of view of the contractors who don't care about your security and the bureaucrats who don't understand it, everything except management is just a cost center.

If you do manage to fix anything, the new director will throw it away and start over with a new vendor contract next election. Also, if you are paid by the government and are not a cop or a politician, you will be despised as a "useless feeder" and face the risk of furlough, de-funding, re-org, hiring freezes, etc., that make it hard to reliably get anything done.

If the public doesn't want a public sector, why fight them by trying to work there?

I think Schneier was right to point out that security is an economic externality, and that a high level political solution is likely necessary.

https://www.schneier.com/essays/archives/2007/01/information...

EDIT: A couple of people here have pointed out that a "cyber" insurance industry is emerging. I find this encouraging because it at least seems possible for that to be a politically acceptable mechanism for pricing security; your premiums could be contingent on compliance as determined by the insurer, who has skin in the game to understand security and hire real professionals as auditors. I'm not sure how that translates to actually fixing security, but it seems like a start.



100% agreed. I've always found it very ironic that governments want the best and brightest when they never pay market rates. Not only do they want the best and brightest, they want them to selflessly serve their country at the cost of financial advancement. Is it surprising that they end up getting the lower end of the crop?

https://18f.gsa.gov/ was a fantastic move and exactly what we need. Unfortunately, it took a group of extremely successful private sector individuals to give up their careers temporarily in pursuit of fixing something.


Thanks, that's an interesting story, and a cool idea. My experience was before I got to SF, so there was really not a lot of local talent around.

I was an intern back then, and I liked my boss and my team, and what we were working on. I got an offer for a mid-level position, but I went elsewhere partly because of the apparent instability.


Just as there's no time to do it right, only time to do it over, there's never money to do it now, only later.


You have obviously worked for that state. :)



