How govs can strengthen their cyber staff in the new year
Budgetary and staffing challenges are likely to follow state and local governments into 2025, but experts say agencies’ progress toward addressing those obstacles will prevail too.
State and local governments had their cybersecurity work cut out for them in 2024, with the CrowdStrike outage disrupting government operations over the summer, schools fielding rampant cyberattacks and the federal government urging states to better protect vulnerable critical infrastructure.
As governments head into the new year, experts say an adequate cyber workforce is critical to overcome those challenges. But “when it comes to the employment forecast, it is both frustrating and opportunistic,” said Alan Shark, executive director of the Public Technology Institute and associate professor at George Mason University’s School of Policy and Government.
A report released earlier this year by the Public Technology Institute found that local government agencies increasingly have “a dedicated individual” to manage their cybersecurity efforts, such as a chief information security officer or a position with an equivalent title. This year, 67% of 54 local leaders reported that they had such a role, up from 52% in 2023.
Agencies are recognizing that roles like chief information officer or chief technology officer are thinly spread across government’s IT needs, “so we see a steady trend in having a dedicated person just looking at the cyber part,” moving into the new year, Shark said.
But government IT agencies still struggle with workforce and skills gaps, an issue that’s not likely to be resolved soon, he said. For many agencies, their cybersecurity staff have been there for years and have developed institutional knowledge and understanding of legacy systems that will be difficult to replace.
Attracting new workers will create an “enormous burden” for governments, particularly smaller jurisdictions, trying to compete with a private sector that can offer higher, more competitive salaries, Shark said.
In the new year, Shark said governments could focus on realigning and reskilling their current staff to cover gaps in their cybersecurity posture.
“Anytime that you can promote somebody into a more meaningful position, that works [to] the advantage of the employee in terms of their morale and their incentives, and it helps the organization,” Shark said. “I think any good manager is always looking to promote from within if they can.”
Another cyber hiring trend likely to continue in the new year is skills-based hiring, said Meredith Ward, deputy executive director for the National Association of State Chief Information Officers. Maryland was the first state to eliminate college degree requirements for certain public sector jobs in 2022, and since then more than 20 states have followed suit in an effort to attract more potential hires.
California is the latest state to move away from college degree requirements. Earlier this week, California Gov. Gavin Newsom announced the state had removed degree and other educational requirements from nearly 30,000 state jobs.
“There’s always going to jobs that require a four-year degree or an advanced degree,” Ward said. But there are positions, particularly in the IT and cyber world, that don’t, especially if required cyber skills can be obtained through certification programs. Implementing degree requirements where they are not necessary could ward off critical cyber talent, she explained.
But budgeting challenges could stymie governments’ efforts to expand and improve their cyber posture, particularly as the federal State and Local Cybersecurity Grant Program, is set to sunset next year. Plus, some observers are concerned about President-elect Donald Trump’s impact on the Cybersecurity and Infrastructure Security Agency, after Sen. Rand Paul, R-Ky., recently signaled his interest in nixing the program.
Reduced cyber funding and support at the federal level could curtail state and local initiatives aimed at strengthening their cyber workforces, such as financing employees’ cyber certifications or investing in training programs like cyber ranges.
The lack of cyber investment, Shark said, could heighten governments’ vulnerability to increasing cyber risks with the continuous rise of artificial intelligence and generative AI, which bad actors could use to create more severe cyberattacks. The PTI survey, for instance, found that “increasing sophistication of threats” topped the list of barriers to addressing cybersecurity challenges for IT leaders.
“Some states, it seems, are bracing for impact,” Ward said. But governments’ movement toward a more modernized workplace culture shows signs of expanding in the new year, for instance, with agencies offering more flexible hours and remote options for staff.
NEXT STORY: Key factors needed for successful workforce development