State Plays Trump Card to Entice InfoSec Pros

Interview with Minnesota CISO Chris Buse
State Plays Trump Card to Entice InfoSec Pros
You choose: an intriguing job or higher pay? Minnesota Chief Information Security Officer Chris Buse thinks many information security pros would choose the challenge over money.

The ranks of state IT security employees has a number of people who were attracted to government service by the promise of working in an environment that most businesses cannot replicate, says Buse, in the second of a two-part interview (transcript below) with ( Click here for transcript of Part 1.)

Buse describes government work as "a feel-good job," especially for those who have spent years "grinding out money for the stockholders. ... We have a lot of people who have done some pretty remarkable things in their career, but come in here and took pay cuts to be part of our organization."

In the interview, Buse explains how he's looking to find bright, talented computer science graduates from regional universities to join the state's IT security team. He also discusses the role of state CISOs in helping shape national cybersecurity policy.

Eric Chabrow, managing editor, interviewed Buse.

ERIC CHABROW: What challenges are you facing in recruiting and training IT security professionals and what disciplines are most in demand?

CHRIS BUSE: Well to date, when we built up the enterprise security program and staffed up centrally, I don't believe that we had a lot of difficulty attracting and retaining good people. A lot of the people that we brought into government, came into government knowing the pay scale may not be as high as a lot of organizations in the private sector. I think one of the things that is important, and that I stress, is that we are having an opportunity here to build a massive cybersecurity organization for something that is important to government. It is a feel good job for a lot of people that have spent a lot of time in their careers kind of grinding our money for the stockholders. When you work in government, there is the feel good mentality, especially when we are trying to build something from scratch.

We had a lot of people that came into our organization that I had convinced to come in here that had done some pretty remarkable things in their career but that came in here and took pay cuts to be part of our organization.

It is interesting when you talk to these folks, because a lot of them are saying that, "Oh my God, we are coming into government," and some people that came out of the private sector had comments made that, "Oh, you're going to kind of take the easy road," and these folks are saying, "You know what, it is like I have never worked on anything more complex and I have never worked more hours and I have never worked harder for the pay scale that we are getting today."

I think the people that have joined us have been pretty happy with their career decision today, but that doesn't mean that we have like all of the human resources problems solved. One of the issues that we have right now is that we don't have a good HR infrastructure set up for security professionals, in fact, there is no security job class in our government HR system. We have been working now for about six or seven months on a special HR project. We want to create an entire series of positions and job classes for security professionals in government. It is a piece of the infrastructure that you need to have there if you are going to be successful. We have contractors on board that are helping us with that.

We are also partnering with the federal government through their Essential Body of Knowledge Project with the Department of Homeland Security, trying to incorporated the EBK framework into our HR structure and we are making some pretty good progress.

But ultimately what I want to be able to do is I want to be able to go the colleges, specifically those that have the Centers for Excellence in IT Security, and I want to the go to the college students that are the best and the brightest and I want to look them in the eye and I want to say, "You know, what we have some remarkable opportunities here in state government." We have one of the most challenging and complicated security environments that you are ever going to face and if you come with us, here is what we are going to do for you, here is the track that we have and we are going to bring you through three jobs and by the time you are done, we are going to make you a phenomenal generalist and maybe we will provide you with XY and Z for training and we will make you a CISSP and after that you can branch off into certain specialty areas and here are the things that we are going to do. We want to have the jobs in place and we want to have a complete career track and we want to couple that with all the training that will be needed to branch people through this environment.

We hope that we can use this as our marketing mechanism by providing those career opportunities and being able to demonstrate to people what we want to do. And, of course, our salaries are never going to be what Wells Fargo can pay. We know that. But, we think that if we get good people in our door and we provide them with a good training opportunity and they get to know government, they'll learn the passion for government that I have personally.

I think that a lot of those good people are going to want to stay here because it is an awesome environment and we have some really cool people and we do security big time like they probably won't be able to see anywhere else unless they go to a really, really large organization. There are not a lot of organizations that they do vulnerability and threat management across 150,000 endpoints like we do here. That is my passionate answer to a pretty simple question.

CHABROW: Here's my take away of what you just said: You are primarily looking for younger people coming out of school. You specifically said generalists rather than having an expertise, maybe you are looking to get those bright people who you can then shape into the needs that Minnesota has.

BUSE: As we have attrition in certain areas, we are always going to have to hire experienced people that will slot into certain areas, But I would like to see us develop where we have a feeder program. I personally believe in hiring people who have college degrees, preferably in computer science or management in information systems from institutions that have a focus on computer security, which we have a couple of these in Minnesota. I would like to see us bring in these sharp folks right out of college and help them develop and build our programs.

CHABROW: Anything else you would like to add?

BUSE: I am excited about the things that are happening at the national level and I think there are tremendous opportunities in what is going on with moving cybersecurity into the Office of the President.

Looking at the legislation that is out there in Congress right now, with the Cybersecurity Act of 2009 and the Information and Communications Enforcement Act and some of these things, one of the things that I think that we need to do at the state level is we need to help shape that legislation so it is a little more productive for those of us that aren't in the federal government. That is something that I feel passionate about as well and I am pretty active trying to work on those aspects so that there are new opportunities that are available to the federal government so we have to make sure that Congress understands the importance of state government in securing our national infrastructure and that the kinds of benefits that are available in the new legislation also get extended down to the state level.

When it comes right down to it, the giant federal programs that are required by the federal government, the lion's share of the work happens down at the state. We need to be all part of the same fabric that works together.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.