Valuing FISMA: Interview with Immigration and Customs Enforcement CISO Gil Vega

Gil Vega has a lot in his toolbox to recruit and retain information security specialists at the Department of Homeland Security's Immigration and Customs Enforcement unit, where he serves as chief information security officer. Among the tools that might not be available to other agencies: the ability to match private-sector salaries, relocation payments and signing bonuses.

ICE, as the unit is known, also gives its employees a great sense of doing public good.

"We all know we are not going to be millionaires working for the federal government so there has got to be another pull to this service," Vega says, in an interview with "What we find in the folks that come to us from the Fannie Maes and the JP Morgan Chases and SAIC and Booz Allen Hamilton is pretty much the same story ... taking ownership of the mission. Once you change clothes from a contract employee to that of a federal employee you become part of something that to many people is more meaningful."

In the interview, Vega also discussed the cybersecurity skills the agency seeks and the value the Federal Information Security Management Act brought to the agency.

Vega spoke with Eric Chabrow, managing editor.

ERIC CHABROW: A just issued report from the Partnership for Public Service says there is a shortage of cybersecurity workers in government. What is the situation at ICE?

GIL VEGA: We face some of the same challenges that our counterparts across the federal domain face, especially in a hot job market, even in this economy in Washington, D.C. It has been a challenge that we have met so far utilizing some of the hiring flexibilities that we have been afforded by Congress.

As you know, there is direct hiring authority for information security professionals that managers like myself can use and it makes it much more flexible in terms of timelines and competition rules and our ability to offer incentives to entice folks to come work for the government.

Where we found success is in hiring many professionals hand selected from some of the top Fortune 500 companies across Washington, from New York, places in California. We have been able to bring in very highly qualified technically proficient security professionals using this direct hire authority and other recruitment flexibilities that we have.

We have got a few vacancies now, which we are always interested in filling. We have not honestly had a problem recruiting, retaining and rewarding high quality talent in this area.

CHABROW: What are some of the incentives that you use?

VEGA: We have a lot of tools in our toolbox. Our human capital team has led the way in the department in using these flexibilities. We're able to match salaries these days, we are able to elevate leave earnings rates, we are able to offer relocation incentives and we are also able to offer sign-on bonuses in exchange for service agreements, in the appropriate case.

CHABROW: Is working for the government itself an incentive?

VEGA: We all know we are not going to be millionaires working for the federal government so there has got to be another pull to this service. What we find in the folks that come to us from the Fannie Maes and the JP Morgan Chases and SAIC and Booz Allen Hamilton is pretty much the same story. I think we can generalize it in terms of taking ownership of the mission. Once you change clothes from a contract employee to that of a federal employee you become part of something that to many people is more meaningful.

You own the mission as a federal manager. You have got different responsibilities. You have got responsibilities to the Constitution and to the people. We have heard that quite often that perspective, that inside knowledge, that ownership is really meaningful for a lot of people who are looking to come into federal service.

CHABROW: What IT security skills are most in demand today?

VEGA: The skills that are most elusive for us and the skills that we definitely want to focus on are the technical skills. I think at some point in the near future, hopefully the FISMA (Federal Information Security Management Act) statute will be improved. I know there is some competing legislation in Congress right now that may end up taking FISMA in a different direction and I think it is not too early to begin retooling for that. I believe that FISMA probably evolved into more of a continuous monitoring type statute away from the document-centric approach that we have taken thus far. And to deal with that, we are going to need individuals who understand technology and are able to help provide network surveillance and intrusion detection, computer forensics, and more of the technical skills that are going to lead us into the 21st century and allow us to provide that security blanket across our vast and complex environment.

We are always going to be interested in folks who can help us make risk management decisions and support our FISMA requirements. I think the skills that will allow CISOs across the federal domain to become more successful are obviously going to have to be focused on the technical skills.

CHABROW: From what you see out there, are there sufficient people with those skills?

VEGA: Well, I think there are; in fact, finding the right fit is always a bit of a challenge. Working for the federal government, let's just say it is a different authorizing environment and some folks cannot easily make that transition. So it is a balance between individual expertise and their ability to deal with the things that come at us every day in a federal agency.

I will tell you that there is no shortage of applicants because of the downturn in the economy, but we have got many resumes and we have got folks that are interested in coming to work for the federal government. I think we can afford to be a little bit choosy at this juncture. There is a lot of work involved in selecting the right candidate. I think they are out there and it is just up to us to decide on which candidate is a better fit.

CHABROW: I don't know if you read the Partnership for Public Service report, but it seems that you feel the concerns about a dearth of qualified IT security professionals are overstated.

VEGA: I wouldn't say that. Here in Washington, it is no secret that the economy here is still pretty hot. There is high competition for these folks here. There are a lot of people in town still hiring. Out across the nation, I am sure there are areas where there are shortages of qualified IT security folks, but here in town there is a lot of movement between agencies, there are a lot of folks in the larger consulting groups that are gaining an interest in federal employment.

I am not willing to dismiss any concerns over this issue because I know this is an issue in some agencies that either don't have the flexibilities that we have or haven't employed them. So all I can answer to is what we have experienced here at ICE and we have been able to find the folks that best work for us.

CHABROW: Let's talk about the Federal Information Security Management Act, which Congress is considering updating. Does FISMA have elements that you like and feel should be retained?

VEGA: I think what you will hear in the community and from me also is that FISMA was a great start and it got the attention of federal CIOs, program managers and agency heads. It was great for raising the visibility of what it is that we do and we have been doing it now for about seven years. It is probably a good time to re-look at it and I know Congress is doing that now with a lot of help from private industry and government groups.

The idea of accountability of agency executives is a great thing that FISMA has done for us and I think that has got to continue in the future. Laying the responsibility for the security program at the highest level of the agency is the key to success and I hope that is something that is retained in any new follow-on legislation.

CHABROW: What provisions do you think should be incorporated in FISMA reform legislation?

VEGA: I touched on it earlier, I think what we really need to do, and several of my counterparts at other agencies within DHS and other executive agencies would agree, I think we have got to start turning the direction of our efforts more toward a continuous monitoring approach of our IT assets and building the skills to do that.

Right now, FISMA is important to us and it always will be important to us. Obviously, every year we are graded on our performance, but a lot of the work that we and other agencies do is focused mainly on compliance with FISMA metrics that feed into a scorecard that drives the grade that agencies receive.

I think as the security programs across the federal domain mature, and they have matured greatly in the past seven years since FISMA came out, especially in a time of limited resources, it is time to start directing those resources where some of us believe we are going to get the most bang for our buck.

I personally believe that we need to start focusing more on continuous monitoring of the environment, surveillance, forensics, understanding configurations across the enterprise, understanding who is accessing our devices and providing that security blanket across the enterprise and then finding a meaningful way to measure our performance with regard to that, because unless you have that ability to gain that level of visibility across your environment, it is very difficult to make enterprise-wide risk management decisions.

CHABROW: Are you doing any of that on your own?

VEGA: We absolutely are. Here at ICE we have made significant investments in both a Tier One and a Tier Two security operations center. We are focused on these advanced persistent threats that are coming at DHS. We are focused on the script kiddies (unskilled attackers who run attack tools written by others) that we will always have. We are focused on understanding what it is our user population is doing in our environment so that we can feed those details into our architecture group and make our computing environment even better.

We are balancing our limited resources between what it is we must do with FISMA, which is important work; you know I have told the CIO here that we are in the midst of retooling because FISMA is retooling. It is going to change eventually and it is always a good thing to be able to monitor your environment in real time and that is what we are moving toward.
