When and Why an Agency CISO Should Consider Parting Ways With a Cyber Contractor


Contractor turnover rate increasing—is it time for your agency to part ways too?

As the needs of federal chief information security officers have grown at a more rapid pace, so has the rate of cybersecurity contractor turnover—something that decision-makers should anticipate seeing more of in the coming years. Why is the turnover rate increasing, and is now the right time to consider a “parting of ways” with your current cybersecurity solutions provider?

As an organization that supports federal agency customers, my team monitors the status of federal cybersecurity contracts on a weekly, if not daily, basis. What I am seeing is not just an increased number of nonrenewals by defense and civilian agencies, but actual replacement requests for information being posted as “warning shots” for the current providers. That’s a clear indication to me that the CISOs aren’t getting what they need from their existing provider or that the agency’s needs are changing at a pace or scale beyond what the provider can support.

Changing Needs

Over the past couple of years, I have witnessed contracting officers, CISOs and CIOs become more vocal about their frustrations and the need for change: “I wish they would take initiative; Why can’t they lean forward a bit more?; Where is the thought leadership?; I thought these guys were the experts; They know their product, but could care less about our mission and how we are going to get to the next level of security.”

Simply fulfilling tasks as defined in a contract is no longer enough given the evolving nature of threats hitting agencies on a daily basis. Federal CISOs need cybersecurity providers to be part of their collective team, providing advice based on industry best practices, offering thought leadership and being more hands-on when it comes to applying their experience and strategy. In other words, agency leaders can’t always define what their needs will be over the course of the contract term, but they need a vendor that understands the overall mission, brings innovation and experience to bear and, most importantly, helps to proactively identify the growing needs as things change.

The Cost of Change

Meanwhile, the federal government has officially entered the era of cybersecurity accountability. For the CISO, while changing suppliers midstream on any given program may have significant consequences in terms of costs and resources, inadequate security implementation will result in much greater consequences in terms of accountability. Before replacing an existing contractor, it is important to consider the following:

  • Evaluate the impact of a contractor transition to the overall agency mission. Ensuring a well-thought-out transition plan is key to minimizing risk.
  • Procurements are considered an extra duty for most federal employees. Conducting one that is out of cycle will likely be a costly burden on the workforce.
  • Revisit how expectations were originally defined. Clearly defined statements of objectives and statements of work are two key tenets of “getting what you ask for.”
  • Consider adding a cost-reimbursable line item to your firm fixed price contract. This enables the contractor to implement innovation, thought leadership or evolving mission requirements.  
  • Revisit the contract evaluation criteria. Changing the contract evaluation criteria from lowest price technically acceptable to best value may increase the financial cost to the government, but it allows for innovation and thought leadership.   

When Is the Right Time?

With these considerations in mind, at what stage do you make the change to a vendor that offers greater capabilities and/or capacity? The following are a few questions for CISOs to ask when considering the best time to make a switch:

  • Does the contractor have capacity to evolve with scale? If a vendor cannot rapidly scale, that should be a big red flag. With the exponential increase in the sheer number (and type) of assets agencies need to cover, scalability is key. Security providers must be able to address a potentially rapid increase in scale, and specifically the inclusion of previously non-IP based operational networks and an expanding dependence on cloud.
  • Has your contractor made its “knowledge experts” accessible over the course of the contract? If you don’t have access to experts who can contribute a sound cyber strategy and recommendations based on industry best practices, your program will not advance.
  • Can you easily modify existing contracts to include an advisory role? We recently recommended to a federal customer that our contract include a defined number of hours of our chief technology officer’s time, to be allocated as needed, in order to ensure that what he is seeing throughout the industry can be and is being applied in the customer’s environment. An advisory role should be a part of every cybersecurity contract.
  • Was the original contract measurable and/or performance based? If so, this allows you to measure and adjust as needed, ensuring your contractor workforce meets your expectations.
  • Does the contract include the correct requirements within its labor categories? Can you ensure that innovation, critical thinking, and daily execution of industry best practices are included in the labor categories you provide your prime contractors? If not, can they be revised accordingly?  

If your answers to the above questions are “no,” perhaps it is time to consider a nonrenewal or re-bid.

The Need for Advisors

Government contractors that can demonstrate proven best practices and subject-matter expertise at every stage of the contract—from requirements assessment to implementation to reporting—are invaluable. Government cybersecurity requirement writers are not cybersecurity experts and often don’t know what they don’t know in terms of applying effective solutions. Further, what they do know at the time of contract commencement is guaranteed to change frequently.

With a shortage of in-house expertise, government relies on industry for guidance in defining its evolving needs. It is tuning its ear to the voices of innovation and thought leadership that leverage industry best practices and to a contractor workforce that can proactively become part of its team and mission. Greater accountability comes with a greater presence of risk. Now more than ever, contractors must be agile enough to advise and assist in a manner conducive to team success.

Mitch Jukanovich is the vice president of federal for Tripwire.
