When and Why an Agency CISO Should Consider Parting Ways With a Cyber Contractor

As the needs of federal chief information security officers increase at a more rapid pace, so has the rate of cybersecurity contractor turnover—something that decision-makers should anticipate seeing more of in the coming years. Why is the turnover rate increasing, and is now the right time to consider a “parting of ways” with your current cybersecurity solutions provider?

As an organization that supports federal agency customers, my team monitors the status of federal cybersecurity contracts on a weekly, if not daily, basis. What I am seeing is not just an increased number of nonrenewals by defense and civilian agencies, but actual replacement requests for information being posted as “warning shots” for the current providers. That’s a clear indication to me that the CISOs aren’t getting what they need from their existing provider or that the agency’s needs are changing at a pace or scale beyond what the provider can support.

Changing Needs

Over the past couple of years, I have witnessed contracting officers, CISOs and CIOs become more vocal about their frustrations and the need for change: “I wish they would take initiative; Why can’t they lean forward a bit more?; Where is the thought leadership?; I thought these guys were the experts; They know their product, but could care less about our mission and how we are going to get to the next level of security.”

Simply fulfilling tasks as defined in a contract is no longer enough given the evolving nature of threats hitting agencies on a daily basis. Federal CISOs need cybersecurity providers to be part of their collective team, providing advice based on industry best practices, thought leadership and to be more hands-on when it comes to applying their experience and strategy. In other words, agency leaders can’t always define what their needs will be over the course of the contract term, but they need a vendor that understands the overall mission, brings innovation and experience to bear and, most importantly, helps to proactively identify the growing needs as things change.  

The Cost of Change

Meanwhile, the federal government has officially entered the era of cybersecurity accountability. For the CISO, while changing suppliers’ mid-stream on any given program may have significant consequences in terms of costs and resources, inadequate security implementation will result in much greater consequences in terms of accountability. Before replacing an existing contractor, it is important to consider the following:

• Evaluate the impact of a contractor transition to the overall agency mission. Ensuring a well-thought-out transition plan is key to minimizing risk.
• Procurements are considered an extra duty for most federal employees. Conducting one that is out of cycle will likely be a costly burden on the workforce.
• Revisit how expectations were originally defined. Clearly defined statements of objectives and statements of work are two key tenants to “getting what you ask for”.
• Consider adding a cost-reimbursable line item to your firm fixed price contract. This enables the contractor to implement innovation, thought leadership or evolving mission requirements.  
• Revisit the contract evaluation criteria. Changing the contract evaluation criteria from lowest price technically acceptable to best value may increase the financial cost to the government, but it allows for innovation and thought leadership.   

When Is the Right Time?

With these considerations in mind, at what stage do you make the change to a vendor that offers greater capabilities and/or capacity? The following are a few questions for CISOs to ask when considering the best time to make a switch:

• Does the contractor have capacity to evolve with scale? If a vendor cannot rapidly scale, that should be a big red flag. With the exponential increase in the sheer number (and type) of assets agencies need to cover, scalability is key. Security providers must be able to address a potentially rapid increase in scale, and specifically the inclusion of previously non-IP based operational networks and an expanding dependence on cloud.
• Has your contractor made its “knowledge experts” accessible over the course of the contract? If you don’t have access to experts who can contribute a sound cyber strategy and recommendations based on industry best practices, your program will not advance.
• Can you easily modify existing contracts to include an advisory role? We recently recommended to a federal customer that our contract include a defined number of hours of our chief technology officer’s time, to be allocated as needed, in order to ensure that what he is seeing throughout the industry can and is being applied in the customer’s environment. An advisory role should be a part of every cybersecurity contract.
• Was the original contract measurable and/or performance based? If so, this allows you to measure and adjust as needed, ensuring your contractor workforce meets your expectations.
• Does the contract include the correct requirements within its labor categories? Can you ensure that innovation, critical thinking, and daily execution of industry best practices are included in the labor categories you provide your prime contractors? If not, can they be revised accordingly?  

If your answers to the above questions are “no,” perhaps it is time to consider a nonrenewal or re-bid.

The Need for Advisors

Government contractors that can demonstrate proven best practices and subject-matter expertise at every stage of the contract—from requirements assessment to implementation to reporting—are invaluable. Government cybersecurity requirement writers are not cybersecurity experts and often don’t know what they don’t know in terms of applying effective solutions. Further, what they do know at the time of contract commencement is guaranteed to change frequently.

With a shortage of in-house expertise, government relies on industry for guidance with defining their evolving needs. It is tuning its ear to the voices of innovation and thought leadership that leverage industry best practices and to a contractor workforce that can proactively become part of its team and mission. Greater accountability comes with a greater presence of risk. Now more than ever, contractors must be agile enough to advise and assist in a manner conducive to team success.    

Mitch Jukanovich is the vice president of federal for Tripwire.