Cyber Security Skills at a Small Agency
During my first month working as an IT Security Specialist in a small Federal agency, we experienced a cyber incident. As our response unfolded, I found myself playing a full cast of characters, a much broader role than the job title alone might imply.
My small agency did not yet have a security operations center, but we did have very talented network and server administrators, and together we dove into the logs and reports to get a full picture of what exactly had happened. My hands-on IT skills came in handy that day, as I was an incident responder, with a little bit of server admin and forensic analyst thrown into the mix. That’s three hats in one day!
As we gathered additional details to keep our reporting to US-CERT up-to-date, I found myself coordinating information exchange and collaboration between my agency and Homeland Security. As my agency’s management team also required periodic updates, I was soon their go-to resource for the latest status on our progress. For the next several days, I played the role of inter-agency liaison and information clearinghouse. With less than a month’s Federal service, I was suddenly that guy right in the middle of it all at my small agency, wearing two more new hats.
We drove the incident towards closure, and our incident response gave way to recovery efforts, but my job was still not over. Agency management still needed answers to questions, like: What did we do right? What could we have done better? Do we need any changes to security controls, policies or procedures? My role shifted from facilitating lessons-learned sessions to updating System Security Plans and modifying a couple of IT procedures. That’s another three hats to wear!
So, all in connection with a single cybersecurity incident, I had eight hats to wear, and an opportunity to use and develop skills from a wide swath of the cybersecurity workforce. Wearing multiple hats like that challenged and strengthened my abilities constantly and helped me develop into a CISO.
This story highlights that while no Federal agency has unlimited cybersecurity resources, small agencies often have to make creative use of scarce resources to support some very big missions.
Small Agency Landscape
There are over 150 non-CFO Act Federal civilian agencies, and almost 50 of those have one or more Federal High Value Assets (HVAs), defined in M-17-09 as a system or data that, if breached or disrupted, could cause a “significant impact to the United States’ national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people.” However, even small agencies that do not have HVAs have big missions—missions important enough to require the existence of a Federal agency.
A small agency IT Security Specialist is only a “specialist” in a very broad sense. A small- to mid-sized agency is a great place to develop one’s cybersecurity skills due to the breadth of skills required of a smaller number of teammates. Employees must dive into a variety of efforts, like:
- leading regulatory compliance while strengthening the overall cybersecurity posture of the agency,
- designing and implementing security controls and technologies,
- managing multiple technology vendors and service providers, and
- serving as a master communicator, cyber evangelist, and liaison to other Federal agencies.
In the face of the constantly and rapidly evolving cyber threat, adaptability and creativity are key ingredients to a stronger cybersecurity posture. The nation’s small Federal agencies are special places where adaptive and creative cybersecurity workers can truly shine.