The shortage of cybersecurity experts is well documented. So what are agencies doing to fill the gap?
Major retailers are not the only targets for cybercrime, despite what the recent headlines may suggest. State and county governments are equally at risk of attack, and it’s a risk that many take seriously.
“We house information for payroll purposes for people’s health insurance. We are dealing with confidential legal information, confidential criminal information. We have an obligation to do everything in our power to protect all the data that the state has in its possession,” said Ann Visalli, director of Delaware’s Office of Management and Budget.
For Visalli and her colleagues across government, that readiness to get in the game is sometimes thwarted by a lack of skilled players to help carry the ball. Workforce research firm Burning Glass Technologies reports the demand for cybersecurity workers is more than double the overall IT job market. An estimated 300,000 cybersecurity jobs are vacant in the United States, according to Symantec, and demand will likely rise as the private sector faces unprecedented numbers of data breaches and cybersecurity threats.
Government is hobbled here. With demand high and supply short, cybersecurity experts are commanding top dollar, typically $120,000 and up in the private sector. Government struggles to keep up. State officials in Michigan report that their cybersalaries run about 20 percent below market rate.
“We really need to appeal to folks’ sense of the nobility of public service,” said Michigan CTO Rod Davenport.
But that’ll only get you so far. As a result, states and localities are seeking more aggressive methods to woo top cybersecurity talent. Some are pursuing a two-pronged approach, implementing creative recruiting on the one hand, while simultaneously working with industry and academia on the other to build up the general pool of local cyberprofessionals, thus broadening the potential workforce all around.
Before diving into state and local efforts, it helps to step back for a moment to look at the federal government’s cyberagenda. Programs at the federal level often help to set the tone for efforts across the states.
In 2013 the U.S. Department of Homeland Security launched the National Initiative for Cybersecurity Careers and Studies to spur development of a robust cybersecurity workforce. The organization aims to boost awareness, grow the pipeline and encourage advances in the field. For states, this effort comes with such benefits as an online cybersecurity workforce planner.
Working against this backdrop, which defines cybersecurity as a national priority, states have been eager to ensure that their cyber-resources are firmly in place.
In Delaware, recruitment efforts go well beyond the proverbial ad in the paper or online listing. To stretch its IT budget while simultaneously attracting top talent, the state made significant structural changes to its technology apparatus, changes that in turn helped it find and keep skilled cybersecurity players.
The state gained efficiencies when it consolidated its diverse IT operations into a single Department of Technology and Information. One immediate effect was a reduction in duplicate roles: A single expert from the department could now be dispatched to multiple agencies as needed.
In the realm of cybersecurity, the overhaul gave recruiters a significant edge by exempting IT hires from traditional state pay scales. This opened the door to competency-based pay, pay-for-performance and other components aimed at giving state hiring a stronger chance in the face of private-sector competition.
“While we are pretty well positioned now, it is a constant battle,” Visalli said. Under the revised system, “it’s a little faster, it’s a little more flexible, the pay is a little more competitive and it allows for promotion and retention for employees who do achieve what they need to be achieving.”
In the bigger picture, Delaware is working aggressively to build a cyberworkforce throughout the state, reasoning as many do that a robust workforce will benefit government while also helping to ensure a strong economic base among local companies.
To this end, the state recently launched a $3 million Delaware Cyber Initiative, intended to forge alliances between academia, workers and the private sector in order to develop a skilled and innovative cybersecurity workforce. The initiative — part research lab, part workforce development and part business park — includes the University of Delaware, Delaware State University, Delaware Technical Community College and private companies.
Best Cybersecurity Schools
A recent survey asked experienced technology and information security pros for input on the best cybersecurity programs. Feedback came in on more than 400 institutions, from community colleges to programs granting doctorates in cybersecurity-related fields. Here’s who came out on top:
Photo: Arlington County, Va., Chief Information Security Officer Dave Jordan. Photo by David Kidd
Jordan also collaborates with area peers through the National Capital Region Council of Government. Through its CISO subgroup, “we can instantly reach out to each other. In the event I see something peculiar and I want to share that with my colleagues, I can do that,” he said. “By having this ability to question the community, we are able to provide added value to each other.”
Even as states and localities struggle with their own cyberworkforce needs, some are looking beyond their own walls, sponsoring broad community partnerships meant to foster cybertalent for the coming years.
In Maryland, the Howard Tech Council teams with the Howard County Economic Development Authority and local tech incubator Innovation Catalyst to offer a CISO-in-residence program. The program gives more than 300 member organizations access to a range of security consulting services and expertise. This in turn helps to build a culture of awareness — an important first step toward workforce development.
“Typically you don’t see these firms really considering the implications of not protecting their intellectual property, protecting themselves from the undue harm associated with folks who may be looking to steal their goods,” said Howard Tech Council Executive Director Patrick Wynn. In addition to providing access to experts, the program helps to put the issue of cybersecurity that much higher on the communal radar.
A similar effort can be seen at the state level in Florida, where the Legislature recently budgeted $5 million to create the Florida Center for Cybersecurity at the University of South Florida. “There is a huge supply and demand problem in the marketplace. We need to create a workforce that can respond to the needs of the market,” said Sri Sridharan, managing director of the online program, which confers both degrees and certificates. “Our objective is to crank out thousands of qualified students.”
Besides building up a cyberworkforce statewide, the program could provide state and local IT offices with a cost-effective way to fill jobs that today stand empty, Sridharan said.
“They can find people they already have, put them through a quick certificate program, get them knowledgeable in areas where they think there is a hole and then get them back to work,” he said.
“For a state or county government with somebody earning $65,000 or $70,000, you can put them through a certificate program, you pay them another $10,000 and they will stick around,” he said. “That is a significant pay increase, so you get the need met and you don’t have to budget $120,000 to $150,000 for that position.”
Ultimately, though, it’s a balancing act.
On the one hand, there’s the immediate, short-term pressure to get people into chairs as the cybercrime wave continues to swell. Many IT leaders will continue to struggle with the short-term need, an issue exacerbated by the fact that states can’t match private-sector pay.
On the other hand, a rising tide floats all boats: When states invest in broad-ranging workforce development programs with an eye on cybersecurity, they likely will be creating a new potential pool of cyberworkers ready to take up places in state IT operations.