Sure, ransomware, cyber threats, nation-state adversaries, patching systems, identity management, critical infrastructure protection, audit findings, budget woes, new risk management tools, security operations center improvements, tabletop exercises, zero-trust architectures, supply chain security and more are constantly on their minds.
Nevertheless, the winner is, to quote a recent conversation with a state CISO, “Vacancies! So many unfilled cyber positions. It’s become a crisis. I’ve lost four of my top eight cybersecurity managers/experts this year alone. What can I do?”
No, these hiring and staff turnover problems are not new. We’ve been talking about attracting and retaining cybersecurity talent in government for decades.
But a perfect storm of mounting cyber attacks, workforce shifts created by COVID-19, the growing global shortage of experienced cyber pros, and increasingly uncompetitive salary and benefit packages offered in the public sector have turned what was once a stream of concerns into a flood of problems with severe knock-on effects.
So if the cyber talent shortage is so dire, what can be done?
Redesign your hiring practices and pay scale for cybersecurity professionals. If you want to compete as an employer of choice in cybersecurity, it may be necessary to build a new career path and pay scale that is separate from other technology roles. For example, in order to compete with the private sector for cyber talent, the U.S. Department of Homeland Security (DHS) rolled out a new talent management and compensation system. The agency has seen great results, exceeding their hiring goals by more than 50 percent.
No doubt, DHS has advantages, including more resources than most government agencies, and yet many state and local governments can offer attractive options — like working from home — that are not available to three-letter federal agencies. Besides pay and benefits, recruitment should highlight career path options, a flexible work environment, local culture and security training opportunities.
Change what you are looking for and develop talent in house. Another attractive option is to grow your own team with technical expertise from other disciplines, such as system administrators, programmers, database experts and help desk professionals. Yes, degree mandates, certifications and/or other position requirements will likely need to be adjusted, but hiring passionate achievers with most of the required skills can still be effective. Consider building partnerships with local community colleges and universities to help attract interns and students in a win-win scenario.
Partner more with the private sector. When changing your hiring practices is a bridge too far, more security leaders are hiring contractors and/or bringing in managed service providers (MSPs) to run either part or all of their security programs. Indeed, the market has changed dramatically over the past few years, and now almost any technology or security function can be purchased as a service.
While this solution may seem like an obvious choice, you need to strengthen the contract management skills on your team to ensure you get the right contract staff or MSP solution. Beware of vendors swapping in unqualified cyber pros after an initial “honeymoon period”; key-personnel and substitution-approval clauses in the contract, along with a defined transition plan, are what give you leverage when that happens. Try to establish longer-term solutions rather than just plugging short-term holes.
Lasting government cyber solutions require looking beyond your organization. Building strategic relationships with other governments and nonprofit groups like the Multi-State Information Sharing and Analysis Center (MS-ISAC) can enable operational economies of scale. Finally, remember you can outsource the work, but not the responsibility. Whatever direction you take, you must become one team that works well together to enable the business of government.