Major retailers are not the only targets for cybercrime, despite what the recent headlines may suggest. State and county governments are equally at risk of attack, and it’s a risk that many take seriously.
“We house information for payroll purposes for people’s health insurance. We are dealing with confidential legal information, confidential criminal information. We have an obligation to do everything in our power to protect all the data that the state has in its possession,” said Ann Visalli, director of Delaware’s Office of Management and Budget.
For Visalli and her colleagues across government, that readiness to get in the game is sometimes thwarted by a lack of skilled players to help carry the ball. Workforce research firm Burning Glass Technologies reports the demand for cybersecurity workers is more than double the overall IT job market. An estimated 300,000 cybersecurity jobs are vacant in the United States, according to Symantec, and demand will likely rise as the private sector faces unprecedented numbers of data breaches and cybersecurity threats.
Government is hobbled here. With demand high and supply short, cybersecurity experts are commanding top dollar, typically $120,000 and up in the private sector. Government struggles to keep up. State officials in Michigan report that their cybersalaries run about 20 percent below market rate.
“We really need to appeal to folks’ sense of the nobility of public service,” said Michigan CTO Rod Davenport.
But that’ll only get you so far. As a result, states and localities are seeking more aggressive methods to woo top cybersecurity talent. Some are pursuing a two-pronged approach, implementing creative recruiting on the one hand, while simultaneously working with industry and academia on the other to build up the general pool of local cyberprofessionals, thus broadening the potential workforce all around.
Before diving into state and local efforts, it helps to step back for a moment to look at the federal government’s cyberagenda. Programs at the federal level often help to set the tone for efforts across the states.
In 2013 the U.S. Department of Homeland Security launched the National Initiative for Cybersecurity Careers and Studies to spur development of a robust cybersecurity workforce. The organization aims to boost awareness, grow the pipeline and encourage advances in the field. For states, this effort comes with such benefits as an online cybersecurity workforce planner.
Working against this backdrop, which defines cybersecurity as a national priority, states have been eager to ensure that their cyber-resources are firmly in place.
In Delaware, recruitment efforts go well beyond the proverbial ad in the paper or online listing. To stretch its IT budget while simultaneously attracting top talent, the state made significant structural changes to its technology apparatus, changes that in turn helped it find and keep skilled cybersecurity players.
The state gained efficiencies when it consolidated its diverse IT operations into a single Department of Technology and Information. One immediate effect was a reduction in duplicate roles: A single expert from the department could now be dispatched to multiple agencies as needed.
In the realm of cybersecurity, the overhaul gave recruiters a significant edge by exempting IT hires from traditional state pay scales. This opened the door to competency-based pay, pay-for-performance and other components aimed at giving state hiring a stronger chance in the face of private-sector competition.
“While we are pretty well positioned now, it is a constant battle,” Visalli said. Under the revised system, “it’s a little faster, it’s a little more flexible, the pay is a little more competitive and it allows for promotion and retention for employees who do achieve what they need to be achieving.”
In the bigger picture, Delaware is working aggressively to build a cyberworkforce throughout the state, reasoning as many do that a robust workforce will benefit government while also helping to ensure a strong economic base among local companies.
To this end, the state recently launched a $3 million Delaware Cyber Initiative, intended to forge alliances between academia, workers and the private sector in order to develop a skilled and innovative cybersecurity workforce. The initiative — part research lab, part workforce development and part business park — includes the University of Delaware, Delaware State University, Delaware Technical Community College and private companies.
Best Cybersecurity Schools
A recent survey asked experienced technology and information security pros for input on the best cybersecurity programs. Feedback came in on more than 400 institutions, from community colleges to programs granting doctorates in cybersecurity-related fields. Here’s who came out on top:
University of Texas, San Antonio, San Antonio
Norwich University, Northfield, Vt.
Mississippi State University, Starkville, Miss.
Syracuse University, Syracuse, N.Y.
Carnegie Mellon University, Pittsburgh
Purdue University, West Lafayette, Ind.
University of Southern California, Los Angeles
University of Pittsburgh, Pittsburgh
George Mason University, Fairfax, Va.
West Chester University of Pennsylvania, West Chester, Pa.
U.S. Military Academy, West Point, N.Y.
University of Washington, Pullman, Wash.
Source: 2014 Best Schools for Cybersecurity, sponsored by HP Enterprise Security and independently conducted by the Ponemon Institute
If Delaware is being especially aggressive in its efforts to bolster cybersecurity, it may have something to do with the nature of the local economic base.
“As more and more data is managed electronically, the need to secure that information becomes critical. Staying ahead of the curve is something all states are dealing with,” Visalli said. “But in Delaware we also are home to a large number of financial institutions that have security as their No. 1 priority, and we need to be responsive to that.”
In Michigan, state IT leaders say they have two cyberpros on the payroll and need to fill five more openings — a hefty shortfall. In particular, they need people who possess not just security expertise but also a broader understanding of systems.
“When you are architecting a system at its inception, you need someone who understands all the applications and who also has the depth of knowledge in security,” said Jack Harris, director of network strategies.
Beyond the lack of readily available experts, part of the problem comes down to money. Often, the state just can’t afford to parallel what the corporate world is offering. The state may run a salary survey soon, Davenport said, but in the meantime his department has to work with the budget at hand. Some internal recruiting may help to close the gap.
“There is some interest from people here, just because it is a hot area and because IT people like diversity in their work. So that is something we are considering,” Harris said.
In the grand scheme, the state’s best hope for filling out its cyber-rolls may come from programs such as the Michigan Cyber Initiative. Besides raising awareness, the program also serves as an economic development vehicle, especially for companies with an interest in security. For example, Michigan offers a beta test program for cybersecurity companies looking to deploy pre-release products within segments of the state’s IT infrastructure. All this in turn helps to build the overall pool of available cybersecurity talent.
At the county level, many IT managers find themselves facing the dual burden of stingy salaries, paired with volumes of digital activity that rival those of some of the biggest corporations. So their workforce solutions need to be all the more creative.
Take for instance Arlington County, Va., population 250,000. There are about 4,500 users on the county network, which processes some 1 trillion events every day. To keep it all safe, the county employs an IT security staff of one: Chief Information Security Officer Dave Jordan. That’s it.
“The first thing I had them do is put in a small chapel at the end of the hall,” Jordan quipped.
In the absence of a formal cybersecurity workforce, Jordan bridges the gap by enlisting the aid of others in the organization as ad hoc security watchdogs. He briefs IT help desk workers constantly on issues related to security, sending out multiple alerts daily.
“They are the first filter and then if there is something they can’t answer, they send it to me,” he said. “Everybody who works in the IT department has a security component.”
Reaching out even further, Jordan leverages the combined power of the county workforce as a sort of extended security operation.
“I’ve enlisted the aid of my 4,500 people. I talk to every single employee that is hired: I talk about the rules of the house, I talk about basic IT security, how you should use your email or not use it — basic things like that,” he said. Security practices are written down, “but it’s better to have the eyeball conversation. I will get in an elevator and someone will tell me I am the only one they remember from orientation. And I’m not even that funny. But I give them information that they care about, I make it relate to them in their personal lives. I give them information to protect their personal, private information at home, and that helps them to make the connection.”
Photo: Arlington County, Va., Chief Information Security Officer Dave Jordan. Photo by David Kidd
Jordan also collaborates with area peers through the National Capital Region Council of Government. Through its CISO subgroup, “we can instantly reach out to each other. In the event I see something peculiar and I want to share that with my colleagues, I can do that,” he said. “By having this ability to question the community, we are able to provide added value to each other.”