State Cybersecurity Defense Bogged Down by Strained Workforce Resources

CINCINNATI — The strength of state government cybersecurity operations is only as strong as the personnel assets a state government is able to recruit and retain to protect its vulnerable networks and information resources.

That’s been an ongoing theme within the state government technology community for years and one that’s been omnipresent during Great Recession-era budget slashing. And it’s been a top agenda item at the National Association of State Technology Directors annual conference being held in Ohio’s third-largest city this week.

“The hackers only need to be right once and we have to be right all the time,” Stu Davis, the Ohio state government’s chief information officer, said in his opening remarks on Monday.

“Something is going on everyday that we have to watch out for,” Davis said, noting that “attacks will get more sophisticated as time goes on.”

That glum assessment of the ongoing cyber threats is nothing new. And the forecast for state government IT security challenges remains cloudy—not necessarily because of the threats themselves, but from the personnel side of the cybersecurity equation.

“There are more jobs than applicants. The workforce is not there,” Tom Duffy, executive director of the Multi-State Information Sharing and Analysis Center, told a packed hotel ballroom of technology officials, private-sector IT security partners and other attendees of a NASTD conference session on threats facing state and local government on Tuesday morning.

“States are struggling with resources. What I’m hearing is that they don’t have the staff … they feel like they’re barely keeping up,” Mark Ferrell, a solutions architect with CenturyLink Government, said during a cybersecurity panel session on Monday.

Making matters worse, limits on public-sector salaries make recruiting calls from the private sector hard to resist for the top talent state government IT shops is able to attract. “Your really good people are getting five or six calls a month about jobs,” Ferrell said.

During a presentation on state government workforce challenges and opportunities on Monday John Hochar, the deputy secretary for human resources in the commonwealth of Pennsylvania, laid out the overall predicament facing the state government ranks.

After the Great Recession forced many states to shift IT budget resources away from hiring to more immediate needs, like maintaining critical infrastructure, there’s a looming workforce crisis just as the cybersecurity threats states are facing become more complicated.

“Everyone is weak in their response capability,” Brad Antoniewicz, who works in security research at Foundstone, said during Monday’s cybersecurity panel discussion.

State governments are staring down a “silver tsunami,” and state government IT shops are not immune to this ongoing long-term human resources vulnerability.

On average, 30 percent of state government workforces across the nation are eligible to retire in the next five years, according to Hochar.

“Aging out of the workforce is a big concern for me,” Duffy said of the impacts on cybersecurity defense.

The current average age for state government workers is 45.6 years; the current average age for new hires is 36.1 years; and only 13.5 percent of the current state government workforce is under the age of 30, Hochar said.

And it’s that millennial age group that state government IT operations need to recruit and retain to be strong to face future challenges. That’s not an easy task. “That cultural shift is a huge challenge for state governments,” he said.

State government civil service requirements, cumbersome hiring processes and bureaucratic complexities—for instance, state job classifications may not necessarily line up with the actual job duties—make recruiting top talent difficult.  

If a state government isn’t able to streamline the hiring process, top prospects will lose interest and look elsewhere, so “make sure you can speed it up as much as you can,” said Leslie Scott, executive director of the National Association of State Personnel Executives.

Hochar laid out some recommendations for how to make the state government hiring process more attractive for millennials, which apply for IT shops, ranging from reviewing time-off policies to encourage better work-life balance to embracing tuition assistance and/or loan-forgiveness programs.  

It can also require thinking outside the box. Since many states have rigid skillset requirements for job postings, that can often prevent the development of emerging talent.

If a particular job candidate shows great professional promise and is trainable, state governments shouldn’t hesitate from taking a chance. “Hire for attitude and train for skill,” Scott said.

Antoniewicz said that strategic hiring early on can lead to better hiring down the road, though it’s not always easy.

“Making that first strong hire that can bring in other resources,” Antoniewicz said, since top talent can draw other top prospects. “If you can find that right person, it can be powerful.”

But there are far more simple attributes states need to promote, too, especially when it comes to IT operations, Hochar said.

Simply put, there’s so much “cool technology” that top talent gets to work with in state governments. “We have to do a much better job in branding that,” he said.