Hiring cybersecurity staff is hard for states

 

Connecting state and local government leaders

Facing recruitment, retention and retirement hurdles, states are finding creative solutions to attract and keep cybersecurity talent.

This article originally appeared in Stateline, an initiative of the Pew Charitable Trusts.

In the last few years, Oregon’s state employment department website was breached. In Montana, it was the public health and human services agency. And in South Carolina, hackers were able to access the Social Security numbers of millions of taxpayers in the state revenue department’s computer system.

Top information technology officers warn that crimes like these point to why cybersecurity is critically important for state agencies, whose computers contain a wealth of personal information -- birth certificates, driver’s licenses, Social Security numbers and tax records -- that appeal to identity thieves. And they demonstrate the need to have a well-trained team in place that’s prepared to prevent and repel hacking attacks.

But a recent report by the National Association of State Chief Information Officers (NASCIO), composed of states’ CIOs, found that states are plagued by a number of problems in hiring and retaining IT staff— especially cybercrime experts.

“Cybersecurity is one of the most important issues we’re facing today. It’s one of the things CIOs are the most concerned about,” said Meredith Ward, NASCIO senior policy analyst and author of the report. “The challenge is that if the folks aren’t there to deter, detect and prevent, it becomes a catch-up game.”

Late last month, state CIOs met with federal officials and congressional staff in Washington, D.C., to request more financial help for cybersecurity and discuss ways to help build states’ IT security workforces.

“States aren’t receiving sufficient funding to do what’s necessary. A lot is because of how federal grants are structured,” said Mitch Herckis, NASCIO’s director of government affairs.

Federal grants to states typically cap administrative expenses to save money, and a state’s cybersecurity expenses are considered an administrative cost, the same as other overhead expenses such as office supplies, he said. That often leaves states without enough money to cover their IT costs.

“We’re trying to raise awareness about that and get more direct resources from the federal government to the states,” Herckis said.

Hiring obstacles

State IT departments oversee the computer systems used by nearly all agencies, ranging from health and human services to environmental regulation. That includes websites or portals used by the public for everything from renewing driver’s licenses to signing up for a state’s health care exchange.

State CIOs are tasked with improving government efficiency, customer service and saving taxpayer dollars. That’s why they say it’s so important to recruit and retain staff. But it’s been difficult, especially after years of tight budgets and competition for staff from private industry.

The NASCIO study, which surveyed IT chiefs from 48 states, found that those challenges will only be getting tougher. Among the findings:

  • Nearly 92 percent of states said salary and pay grades presented a challenge in attracting and keeping employees.
  • 86 percent of states said they’re having trouble recruiting people to fill vacant slots. Four years ago, only 55 percent of states reported having that problem.
  • 46 percent of states said that it takes three to five months to fill senior positions.

“What are we going to do about this?” said NASCIO’s Ward. “It’s not something that can be ignored.”

The study found that recruiting and keeping staffers with cybersecurity experience is one of the greatest challenges. That matched the findings of a 2014 Deloitte-NASCIO cybersecurity study, which found that nine of 10 state IT officials surveyed reported that the biggest barrier to attracting cybersecurity talent is salary, which generally can’t match that offered by private industry.

According to U.S. Bureau of Labor Statistics data from May 2014, the mean annual salary for cybersecurity analysts in state government was about $76,000; it was about $95,000 in the private sector.

“Cybersecurity is in such high demand in the private sector. People with the training and experience can go to the marketplace -- even someone working in the state government -- and they can get paid a lot more,” said Srini Subramanian, a state cybersecurity principal at the consulting firm Deloitte & Touche LLP who co-authored the study.

Subramanian said pay isn’t the only challenge in hiring and keeping cybersecurity staffers. Another is the lack of a clearly defined career path and a way to move up the ladder in state government, he said.

“These cybersecurity professionals are looking for career progression,” Subramanian said. “How can they get from being a new analyst out of college to the chief information security officer for the state? This is another hurdle.”

States have tackled these issues -- for cybersecurity and other IT positions -- in a number of ways, the latest NASCIO survey found. Many are reviewing job classifications and offering flexible work schedules. Some are giving performance awards or emphasizing career development and continuing education, or perks such as tuition reimbursement and internships.

Other tactics include using digital advertising and social media, giving signing bonuses and converting contractors to state employees.

But recruitment and retention aren’t the only problems IT officers face. They’re concerned about the number of employees with years of experience who are retiring. The survey found that in nearly a quarter of the states, 21 percent to 30 percent of IT staffers will be eligible for retirement in the next year.

“For a large state, that might not be such a big deal,” said NASCIO’s Ward. “But for smaller states like Maine or Rhode Island, 21 to 30 percent has a huge impact.”

Maine efforts

In Maine, retirement and recruitment obstacles have been causing major headaches for the state’s IT agency, according to CIO Jim Smith. Smith said that about 24 percent of his 480 employees will be retiring in the next two years. “That’s thousands of years of experience,” he said.

Maine’s IT office is scrambling to fill openings as it is. At any given time, it has about 50 open slots.

“We’re in a rural area. It’s difficult to attract people,” Smith said. “Losing 20 percent of your workforce is transformational. You really have to think about that in a different way.”

Smith said it’s particularly difficult to hire experienced cybersecurity staffers because the pay is much better in private industry and the employment rate in that field is practically 100 percent. Maine pays about $70,000 for cybersecurity professionals, he said.

“I don’t know if we have a great approach on this. We continue to beat the bushes,” said Smith, who has eight cybersecurity staffers on his team. “It’s a real challenge.”

Smith said his office has been more successful in coming up with innovative ways to recruit other types of IT staffers.

One was to revamp its internship program and create partnerships with colleges in the state. An internal team selects interns based on their IT skills, interviews them and matches them to the right position. They’re also assigned mentors.

“Years ago, we’d bring in an intern and say ‘go make coffee,’ Smith said. “Now, we give them real work. They write real code. They help us with new technology.”

As part of the program, interns are given a business problem and asked to research what others in the industry are doing and propose a solution. Some, for example, were tasked with revamping the IT department’s employment website. They’ll be presenting their proposal to other state agency heads and possibly the governor, Smith said.

So far, about 70 percent of the 30 interns have become full-time employees, Smith said.

Smith said his office also is trying to recruit military veterans and is working with the National Guard to “build a pipeline” for potential hires.

Maine’s IT department also is focusing on doing a better job of “branding,” when it comes to recruitment.

“We tell people we can offer them a different experience than they can get in the private sector. We have some very exciting jobs,” Smith said. “They can write software for radio communications on the mountaintops. They can work with corrections or with inland fisheries and wildlife or with helping families in need.”

He said that the “giving back” element is important in trying to recruit staff.

“This generation wants meaningful work, the opportunity to give back,” he said. “We also hit the older population who are near the end of their career with the same argument. We’re sort of going after both sides.”

Ultimately, the problems state IT offices face in recruiting and keeping staff will filter down to residents, Smith said. They could end up having problems accessing information from state websites, whether it’s getting tax refunds or securing fishing licenses.

“If we don’t solve this, you’ll see degradation in services to citizens,” he said. “That would become a real problem for the public.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.