State and Local Governments Try to Fix the Cybersecurity Staff Problem
Major retailers are not the only targets for cybercrime, despite what the recent headlines may suggest. State and county governments are equally at risk of attack, and it’s a risk that many take seriously.
“We house information for payroll purposes for people’s health insurance. We are dealing with confidential legal information, confidential criminal information. We have an obligation to do everything in our power to protect all the data that the state has in its possession,” said Ann Visalli, director of Delaware’s Office of Management and Budget.
For Visalli and her colleagues across government, that readiness to get in the game is sometimes thwarted by a lack of skilled players to help carry the ball. Workforce research firm Burning Glass Technologies reports the demand for cybersecurity workers is more than double the overall IT job market. An estimated 300,000 cybersecurity jobs are vacant in the United States, according to Symantec, and demand will likely rise as the private sector faces unprecedented numbers of data breaches and cybersecurity threats.
Government is hobbled here. With demand high and supply short, cybersecurity experts are commanding top dollar, typically $120,000 and up in the private sector. Government struggles to keep up. State officials in Michigan report that their cybersalaries run about 20 percent below market rate.
“We really need to appeal to folks’ sense of the nobility of public service,” said Michigan CTO Rod Davenport.
But that’ll only get you so far. As a result, states and localities are seeking more aggressive methods to woo top cybersecurity talent. Some are pursuing a two-pronged approach, implementing creative recruiting on the one hand, while simultaneously working with industry and academia on the other to build up the general pool of local cyberprofessionals, thus broadening the potential workforce all around.
Before diving into state and local efforts, it helps to step back for a moment to look at the federal government’s cyberagenda. Programs at the federal level often help to set the tone for efforts across the states.
In 2013 the U.S. Department of Homeland Security launched the National Initiative for Cybersecurity Careers and Studies to spur development of a robust cybersecurity workforce. The organization aims to boost awareness, grow the pipeline and encourage advances in the field. For states, this effort comes with such benefits as an online cybersecurity workforce planner.
Working against this backdrop, which defines cybersecurity as a national priority, states have been eager to ensure that their cyber-resources are firmly in place.
In Delaware, recruitment efforts go well beyond the proverbial ad in the paper or online listing. To stretch its IT budget while simultaneously attracting top talent, the state made significant structural changes to its technology apparatus, changes that in turn helped it find and keep skilled cybersecurity players.
The state gained efficiencies when it consolidated its diverse IT operations into a single Department of Technology and Information. One immediate effect was a reduction in duplicate roles: A single expert from the department could now be dispatched to multiple agencies as needed.
In the realm of cybersecurity, the overhaul gave recruiters a significant edge by exempting IT hires from traditional state pay scales. This opened the door to competency-based pay, pay-for-performance and other components aimed at giving state hiring a stronger chance in the face of private-sector competition.
“While we are pretty well positioned now, it is a constant battle,” Visalli said. Under the revised system, “it’s a little faster, it’s a little more flexible, the pay is a little more competitive and it allows for promotion and retention for employees who do achieve what they need to be achieving.”
In the bigger picture, Delaware is working aggressively to build a cyberworkforce throughout the state, reasoning as many do that a robust workforce will benefit government while also helping to ensure a strong economic base among local companies.
To this end, the state recently launched a $3 million Delaware Cyber Initiative, intended to forge alliances between academia, workers and the private sector in order to develop a skilled and innovative cybersecurity workforce. The initiative — part research lab, part workforce development and part business park — includes the University of Delaware, Delaware State University, Delaware Technical Community College and private companies.
If Delaware is being especially aggressive in its efforts to bolster cybersecurity, it may have something to do with the nature of the local economic base. “As more and more data is managed electronically, the need to secure that information becomes critical. Staying ahead of the curve is something all states are dealing with,” Visalli said. “But in Delaware we also are home to a large number of financial institutions that have security as their No. 1 priority, and we need to be responsive to that.”
In Michigan, state IT leaders say they have two cyberpros on the payroll and need to fill five more openings — a hefty shortfall. In particular, they need people who possess not just security expertise but also a broader understanding of systems. “When you are architecting a system at its inception, you need someone who understands all the applications and who also has the depth of knowledge in security,” said Jack Harris, director of network strategies.
Beyond the lack of readily available experts, part of the problem comes down to money. Often, the state just can’t afford to parallel what the corporate world is offering. The state may run a salary survey soon, Davenport said, but in the meantime his department has to work with the budget at hand.
Some internal recruiting may help to close the gap. “There is some interest from people here, just because it is a hot area and because IT people like diversity in their work. So that is something we are considering,” Harris said.
In the grand scheme, the state’s best hope for filling out its cyber-rolls may come from programs such as the Michigan Cyber Initiative. Besides raising awareness, the program also serves as an economic development vehicle, especially for companies with an interest in security. For example, Michigan offers a beta test program for cybersecurity companies looking to deploy pre-release products within segments of the state’s IT infrastructure. All this in turn helps to build the overall pool of available cybersecurity talent.
At the county level, many IT managers find themselves facing the dual burden of stingy salaries, paired with volumes of digital activity that rival those of some of the biggest corporations. So their workforce solutions need to be all the more creative.
Take for instance Arlington County, Va., population 250,000. There are about 4,500 users on the county network, which processes some 1 trillion events every day. To keep it all safe, the county employs an IT security staff of one: Chief Information Security Officer Dave Jordan. That’s it. “The first thing I had them do is put in a small chapel at the end of the hall,” Jordan quipped.
In the absence of a formal cybersecurity workforce, Jordan bridges the gap by enlisting the aid of others in the organization as ad hoc security watchdogs.
He briefs IT help desk workers constantly on issues related to security, sending out multiple alerts daily. “They are the first filter and then if there is something they can’t answer, they send it to me,” he said. “Everybody who works in the IT department has a security component.”
Reaching out even further, Jordan leverages the combined power of the county workforce as a sort of extended security operation. “I’ve enlisted the aid of my 4,500 people. I talk to every single employee that is hired: I talk about the rules of the house, I talk about basic IT security, how you should use your email or not use it — basic things like that,” he said. Security practices are written down, “but it’s better to have the eyeball conversation. I will get in an elevator and someone will tell me I am the only one they remember from orientation. And I’m not even that funny. But I give them information that they care about, I make it relate to them in their personal lives. I give them information to protect their personal, private information at home, and that helps them to make the connection.”
Jordan also collaborates with area peers through the National Capital Region Council of Government. Through its CISO subgroup, “we can instantly reach out to each other. In the event I see something peculiar and I want to share that with my colleagues, I can do that,” he said. “By having this ability to question the community, we are able to provide added value to each other.”
Even as states and localities struggle with their own cyberworkforce needs, some are looking beyond their own walls, sponsoring broad community partnerships meant to foster cybertalent for the coming years.
In Maryland, the Howard Tech Council teams with the Howard County Economic Development Authority and local tech incubator Innovation Catalyst to offer a CISO-in-residence program. The program gives more than 300 member organizations access to a range of security consulting services and expertise. This in turn helps to build a culture of awareness — an important first step toward workforce development.
“Typically you don’t see these firms really considering the implications of not protecting their intellectual property, protecting themselves from the undue harm associated with folks who may be looking to steal their goods,” said Howard Tech Council Executive Director Patrick Wynn. In addition to providing access to experts, the program helps to put the issue of cybersecurity that much higher on the communal radar.
A similar effort can be seen at the state level in Florida, where the Legislature recently budgeted $5 million to create the Florida Center for Cybersecurity at the University of South Florida. “There is a huge supply and demand problem in the marketplace. We need to create a workforce that can respond to the needs of the market,” said Sri Sridharan, managing director of the online program, which confers both degrees and certificates. “Our objective is to crank out thousands of qualified students.”
Besides building up a cyberworkforce statewide, the program could provide state and local IT offices with a cost-effective way to fill jobs that today stand empty, Sridharan said.
“They can find people they already have, put them through a quick certificate program, get them knowledgeable in areas where they think there is a hole and then get them back to work,” he said.
“For a state or county government with somebody earning $65,000 or $70,000, you can put them through a certificate program, you pay them another $10,000 and they will stick around,” he said. “That is a significant pay increase, so you get the need met and you don’t have to budget $120,000 to $150,000 for that position.”
Ultimately, though, it’s a balancing act.
On the one hand, there’s the immediate, short-term pressure to get people into chairs as the cybercrime wave continues to swell. Many IT leaders will continue to struggle with the short-term need, an issue exacerbated by the fact that states can’t match private-sector pay.
On the other hand, a rising tide floats all boats: When states invest in broad-ranging workforce development programs with an eye on cybersecurity, they likely will be creating a new potential pool of cyberworkers ready to take up places in state IT operations.