As such, many states continue to work at developing effective ways to address their cybersecurity staffing needs, often taking approaches that are specific to their needs and individual situations. This was a topic of discussion at the recent National Association of State Chief Information Officers (NASCIO) Annual Conference, held earlier this month in New Orleans.
For Kansas, tackling the problem includes maintaining an active internship program that helps create a talent pipeline. Internships can give young people real-world education and experience to both develop their careers and let them know if they really like this work. Too often, however, there’s a mismatch between the "sensationalized" cybersecurity activities in movies and the actual work state governments need done, Kansas CISO John Godfrey told Government Technology.
“That maybe creates a little bit of a disconnect sometimes about what you see, what you believe it to be and, then, ultimately, sometimes what it really is,” he said.
People curious about cybersecurity may envision that they’ll be actively hacking, for example, but frequently what states really need is more people to work in their security operations centers.
“How do we drive attention and attraction to these positions? I think there is interest in it, but the interest is sometimes for roles or positions that may not always be the ones that we need to fill in the organizations,” Godfrey said.
The states have also been discussing with local universities about how to better coordinate their training opportunities. Godfrey also noted the federal Office of the National Cyber Director has been encouraging starting recruiting cyber talent as early as middle school.
Over in Nebraska, CIO Matt McCarville is building an internal cybersecurity department. He’s starting “from scratch,” he said during a NASCIO panel.
“We had one person doing cybersecurity — moonlighting, essentially,” he said.
To get this off the ground, he’s partnering with universities on a joint security operations center, and is also hiring high school students for internships.
“Cybersecurity people are a little unaffordable, especially on a public-sector budget,” McCarville said.
He also noted that internships bring in at least short-term help.
“If we can pay for their undergrad, pay for their associate’s degree, maybe pay for their master's, we get them for two to four years. I think that’s about all we can hold onto at this point. After that, I can’t afford them,” McCarville said.
Meanwhile, New Hampshire helps people get a start in cyber via a nonprofit it collaborates with and other public-private partnerships. Here, too, early-stage professionals aren’t expected to stay long-term in public service. But state CISO Ken Weeks said that he hopes they’ll return at a later stage in their careers.
“We know eventually they’re going to come back to us,” Weeks said.
Weeks highlighted the idea of a “portable cybersecurity workforce,” where professionals move between different organizations throughout their careers, learning new skills at each one. That vision is key to how New Hampshire expects to continue staffing its own cyber team.
Weeks is part of a five-person cyber team, while other members of the larger IT department also handle some aspects of cybersecurity. His team is fully staffed, and the IT department currently has its lowest vacancy rate in nearly a decade, Weeks said. A high emphasis on training has helped retain staff who might otherwise retire or leave to the private sector. But, even so, many of the current staff are eligible to retire, and that day will eventually come.
New Hampshire isn’t set up for in-house succession planning or internal talent pipelines, Weeks said. That’s because there aren’t positions consistently opening up, so there’s no guarantee there’ll be a role available for someone after they’ve trained up.
“For us in New Hampshire, it really tends to be a gap [after someone leaves], and then you hope you can find the right person,” Weeks told Government Technology. “There’s really no way to develop a [talent] pipeline unless you maintain relationships outside.”
Rather than prepare people for roles that may not manifest, the state instead looks to hire externally when needs arise. Close relationships with the state university system and local business leaders means these partners can all recommend candidates to each other when one has a need.
