As a follow-up to our recent post about targeting cybersecurity work in your contracting business, I sat down with TAPE’s cybersecurity program manager Stewart Wharton to give you a glimpse behind the scenes.
Stu, what does a typical day look like for the TAPE cybersecurity team? Is there any such thing?
It’s a very high visibility, fast-paced environment, working for one of the largest federal law enforcement agencies in the U.S. The team is involved with all aspects of analyzing threats and vulnerabilities.
We do a daily assessment of risk to the systems; we do a lot of reporting using a variety of dashboards. We can suggest fixes, and make sure those fixes are acceptable. We also follow up to ensure that the systems people have implemented them.
It’s a lot of analysis work – analyzing data to see if it’s a threat, a vulnerability, or a mitigation, and also determining the likelihood of the impact of the vulnerability to a system, and the overall risk to the system.
We just wrote in this blog about how government contractors can find cybersecurity work by approaching their existing customers. How has TAPE used this strategy?
Our customer base has grown twice in the year and a half that we’ve been here. And we continue to look at other entities within the agency that could use our BPA (blanket purchase agreement) – an existing contracting vehicle that any federal customer can funnel money to, as long as the scope of the BPA is within cybersecurity.
What is the most common misconception you hear about cybersecurity?
That cybersecurity is all about tools and technology, when really a lot of breaches are socially engineered and simple, such as a user opening an email or attachment they shouldn’t have. Yes, breaches in security can be highly technical, but they can also be amazingly simple.
What do you wish everyone knew about cybersecurity in the workplace?
No matter what job you’re doing, whether you’re at work or at home, everyone should be more aware of how simple it is to give away the keys to the kingdom, just by doing the wrong thing with your email.
- Don’t open an email if you don’t recognize who it’s from or it’s not from an official account in your workplace.
- Don’t open attachments if you don’t recognize who they’re from. Attachments are the easiest way to get a bug or virus into your system.
- Don’t share your password or write it on a sticky note and keep it on your laptop. When working remotely in an airport, you’d be amazed how easy it is for someone to look over your shoulder. They can find out a lot about you, and then pretend to be you.
What do you see going on in the cybersecurity industry right now?
There is a huge demand signal for people doing this kind of work, but at the same time, the quality of people able to do this work is increasing. A lot of graduates are hitting the streets with certifications or degrees that used to take somebody five or ten years of experience to get.
These young workers have all the right credentials but not a whole lot of experience. While this means the cybersecurity market has been flooded with talented individuals, what used to be a high value work area has been somewhat watered down.
What’s the most rewarding thing about your work in cybersecurity?
That at the end of the day, our team and I have helped national security across the United States. Cybersecurity is officially recognized as a domain where the enemy can wage war against you, so we need to be prepared on that same kind of footing.
In a previous post, I wrote about how to get started in cybersecurity. You can talk to your current customers, the ones with whom you already have relationships, and see if anybody needs help in this area. This could be even one or two people, or re-scoping or retitling somebody’s duties to include a cybersecurity component. You just need a place to start.
In the wake of the OPM breach where the personal information of millions of current, former, and prospective Federal employees and contractors was compromised, interest in cybersecurity is reaching even newer heights.
So what does this mean, and how can cybersecurity contractors take advantage of the current environment?
- We know that more money is going to come in.
- We know that cybersecurity jobs are going to come up.
- We know that agencies are looking to score high on their small business scorecard.
- While at the big business level cybersecurity work is often done at a data center or a security operations center, a lot of the day-to-day core work is done by small businesses.
So the critical factor is to follow through with your relationships. We talked in the last post about steering your current clients towards new cybersecurity work. Let’s talk now about another set of relationships.
Most small businesses have favorite prime contractors that they’re working with. Let’s say you’re in the IT support field, or another area that would allow a natural migration into cybersecurity.
Ask if your prime contractor has any job openings on existing cybersecurity contracts that their current subcontractors may not be able to fill, or any upcoming procurements they’re targeting.
They may be willing to consider people who have customer knowledge and a good name in an agency, even if they’re not necessarily functionally competent. They know the relationship carries weight in the evaluation of the proposal.
Your prime contractor is going to do most of the legwork in procuring these cybersecurity jobs, so in these cases you need to work on your relationship with that prime. This is a good opening for us to talk about how almost all large businesses have what they call a diversity person.
This person serves a role similar to that of the OSDBU, acting as a small business liaison to help small companies find and win opportunities within the company. Just like the government OSDBUs, these corporate representatives don’t necessarily have any work for you, but they can help you get on teams.
Also make sure to update your entry in that company’s supplier database, and include keywords related to cybersecurity. That will put you in front of the people who are already actively looking for help.
Targeting cybersecurity in your contracting business? Work your relationships. It all starts from there.
We know that cybersecurity is a major concern these days. That’s why it’s one of the few areas, across the board, that is not seeing a budgetary decrease. Yet the other side of this coin is that we have a lot of people wanting to be part of this trending issue simply because it’s so popular right now.
So how does a true cybersecurity expert distinguish themselves? First off, by actually having some work. If you’re actually working in the cybersecurity field, you’re going to be taken a lot more seriously than someone looking for their first piece of work in the field.
If you’re an up-and-coming cybersecurity expert, or trying to build a cybersecurity practice for your company, it may be worth your while to get a small one-person or two-person job under your belt. Do your best work. Then you can legitimately claim to be in the field, no matter what the level. Believe me, somebody who is in the field is way more valuable to the customer than someone who pretends to be, or wants to be in the cyber arena.
Is your customer worried about cybersecurity? Chances are, they are – it may even be one of the issues keeping them up at night. Because you have a relationship with your customer, they may come to you for help, even if cybersecurity isn’t part of your current project.
At that point all you need to say is, “You know, I do something like that in a different shop. Do you want me to bring my expert down here so we can chat about your needs?”
Whether or not it leads to new business, you’ve strengthened your customer relationship and positioned yourself as an experienced cybersecurity firm. If business does come out of it, so much the better. If you can get an advisory task, no matter how small, you can now claim to have past performance. That’s the key.
Also, don’t forget that cybersecurity is a big umbrella, from the advanced forensics and offensive operations, down to simple Certification and Accreditation work to ensure FISMA standards are met. Stretching the cyber definition is one way to develop past performance and build relationships.
Whatever the outcome – if you’re in the cyber world, make sure everything else is up to date – your web site, your marketing collateral, etc. Then you can take advantage of this burgeoning field of readily available $$ – and small businesses are especially welcome.