The conventional wisdom is that government security culture at all levels suffers from a lack of training. But leaving the quality, timeliness and relevance of specific courses aside for a minute, is it possible that the real problem is too much training? Some say yes, but I doubt it.
This topic came up in response to a Federal Computer Week article regarding “Partnership for Public Service creates leadership institute for innovation.”
Here’s an excerpt: “The last thing government employees need is more time in a classroom. Where does it end? I swear that between training, conferences, meeting and their generous vacation, federal employees are present for their actual jobs about 50 percent of the year max. They are the most "trained" body of people on the planet? Does it help or hurt, really?”
Of course, the comment came from that ever so popular expert “Anonymous.”
This blog got me rethinking training, so I searched around for more evidence. As I suspected, other surveys say the opposite. A Brookings Institute report entitled “Federal Employees - ‘Give us a Chance to Do Our Jobs’” reported that federal employees don’t have the required tools – including training – to do their jobs as they would like.
The report also said this about public sector life: “Federal employees also say they contribute to their agency's mission, and half characterize their organizations as very good at helping people. The majority also say that the people they work with are open to new ideas, willing to help other employees learn new skills, and are concerned about their organization's mission.
Unfortunately, these positive views are tainted by persistent perceptions among the workers that the federal government does not give its employees the tools to do their jobs well. Substantial minorities say their organizations do not have enough access to information, technological equipment, and training, and a majority believes their organizations do not have enough employees to do its job well.”
In my opinion, most state and local government organizations require more, not less, training.
Of course, the real issue is the relevance and effectiveness of the training received. In tough budget times, training and conferences are the first thing to go in state governments – where we need a balanced budget every year by law. I don’t know of any government organizations that train as well as Hewlett Packard – who have detailed metrics to ensure that extensive training always happens.
While there are entire books and websites on training, there is no doubt that security training competes with many other types of government training. A very different set of questions could be asked about cyber security training and/or technology training. But my main point is that I believe wider views on government training need to be understood and analyzed before security training will be effective in the long run in large organizations.
The Brookings report also stated:
“Asked what might explain the level of poor performance, federal employees and managers are not particularly forgiving toward either their organizations or the poor performers. Only 16 percent say the poor performers do not have the training to do their jobs well. A little more than 30 percent say the poor performers are simply not qualified for their jobs, and 37 percent say their organizations do not ask enough of those employees.”
There are certain problems that more training will definitely not fix.





As an ex-Fed, I have experience in both the public and private sectors and in my opinion the Federal Government does an excellent job with respect to training. As with anything, there are exceptions to this rule -- some Agencies and departments are afforded smaller training budgets -- but for the most part, training is highly regarded and as a result, well funded. While most civil servants in IT Security are well trained, I disagree with the assertion that Feds are trained too much. The majority of individuals I was associated with throughout the government worked extremely long hours and rarely took time off -- the time they spent in training totaled maybe 2 to 3 weeks a year. In my opinion, in an ideal work environment, employees SHOULD go to training/conferences/etc 2-3 weeks a year. Not only do these events help bolster knowledge, they provide opportunities to make contacts in the industry, maintain certification CPEs, and decompress for a while.
As a private sector CISO, I find that training is valued far less than it was in the Federal Government, and employees are negatively impacted as a result.
I have worked for local government for almost ten years as an IT Admin.
From my perspective I see money spent on hardware and software solutions second to none; however, when it comes to training time it is the first thing shaved from a budget in a project. We set up beautiful systems with state of the art hardware and industry standard software packages but then there is no thought put into how to slipstream the process changes necessary to take advantage of the installation base. I cannot test employees for computer competency because "it was not a requirement" when they were hired. Without baseline competency we cannot tailor training to help the employees learn new required skills.
Many times people are just turned loose to figure out their own way to make use of systems or we "train the trainer" because "we cannot afford to lose those employees for all that time during training" and then the "trainer" is given no dedicated time or access to the remaining staff to actually train anyone. Thus the "trainer" becomes the go-to person for all work related to the new system and everyone else works around it.
We install systems and departmental personnel are allowed to "opt out" of using key portions of the new system because their political activist within the system is convinced it is "not how we do things".
Projects are budgeted and approved with no attention to detail or understanding of process and when the real costs start rolling in and the budget is gone the projects are scaled back to fit the fictitious numbers and as a result there is little or NO return on investment.
Things like:
Purchase hardware but no money for ongoing support contracts
Purchase software suites but no money for a reasonable number of client licenses
Purchase software suites but no money for yearly maintenance agreements
Install new database systems and pay dearly for data conversions but make no provisions for process change in the departments required to maintain the data. Then the infighting begins about who is responsible for the full time jobs that need to be done to actually make it work.
Install new integrated database systems but employees keep on working in spreadsheets or Access databases because "that's how we have always done it".
I was a Sr. Controls Design Engineer for 21 years before I came here so I do know how things should work and this is the largest waste of time and effort I have ever seen. Everyone is busy but the ROI on any project I have seen in 10 years is almost null if not a negative.
I see managers operating in a fog of decision making that includes nothing more than a superficial understanding of anything within the project making huge decisions that will have impact on operations for years to come. Then when they "bring the project in under budget" they are rewarded with promotions and bigger projects without ever seeing the day in and day out fallout of their horrible decisions during the project process.
Some conventional wisdom states that you shouldn't train your employees too much because all you're doing is training them for their next job... I look for jobs because I feel that without the training... whether I pay for it myself or my employer does I'm quickly getting obsolete...
Anonymous Coward wrote..
Some conventional wisdom states that you shouldn't train your employees too much because all you're doing is training them for their next job...
My response to folks telling me this is always.... What if we don't train them and they stay?
That usually makes the point!