Hunting cybersecurity talent
For state and local governments, “It is better to spend thousands of dollars on a good cybersecurity staffer than millions of dollars on dealing with an attack,” says Bruce deGrazia, program chair and professor of Cybersecurity at the University of Maryland’s University College (UMUC). deGrazia tells GPN that state and local governments desperately need cybersecurity staffers because of the personal, high-value records that public entities maintain.
Those records are connected with the services that governments provide. “Currently,” says deGrazia, “governments appear to be hoping that they won't get attacked, because they can't/don't want to spend the money for staff. When they do get attacked — and they will, because the data is so valuable — they end up spending millions of dollars to identify and ameliorate the damage resulting from the attack.”
What’s tough for governments, says deGrazia, is the high demand for experienced IT security talent. “The competition for good cybersecurity staffers — particularly those who understand the workings of government — is tough, because the best candidates get recruited by the federal government or the private sector,” deGrazia says.
The Adelphi, Md.-based UMUC offers undergraduate and graduate degrees in cybersecurity and cybersecurity policy, as well as graduate certificates in cybersecurity technology and cybersecurity policy. The school, which offers courses at more than 150 worldwide locations, has more than 7,000 students in cyber-related programs. UMUC cybersecurity graduates often find employment in government and the private sector, say UMUC administrators.
With the hugely expensive consequences of IT security threats, it makes sense that the Lexington, Ky.-based National Association of State Chief Information Officers (NASCIO) lists cybersecurity issues at the top of their priorities for state CIOs in 2015. NASCIO lists below some of the cyber threat and data areas that need to be addressed as priorities under the umbrella heading of “Security”:
Security: risk assessment, governance, budget and resource requirements, security frameworks, data protection, training and awareness, insider threats, third party security practices as outsourcing increases, determining what constitutes “due care” or “reasonable” in government IT security management.
NASCIO continues to beat the cybersecurity drum. Beyond its 2015 priorities list, NASCIO just issued a call to action to state chief information officers regarding government IT work forces. At the top of the CIO list: Security. In its “State IT Work Force: Facing Reality with Innovation” survey that was released April 16, more than two-thirds of state CIOs (67.3 percent) said IT security skills and disciplines present the greatest challenges to CIOs in attracting and retaining IT employees in state government. IT security is the work force skill that is most in demand among state CIOs. It outranks application development, programming, mainframe/legacy support, data analytics, cloud platform knowledge and other in-demand IT skills.
The NASCIO survey findings mesh with a recent Public Technology Institute 2015 “Local Government IT Executive” poll that finds cyber and network security ranks number one among the challenges facing today’s local government IT executives. Meanwhile, a 2015 American City & County survey shows 62 percent of responding local government administrators said their agency would place more value and importance on cybersecurity by 2020 than the agency does now.
One sign that governments will be recruiting more cybersecurity talent: they are updating and improving their defenses, and those IT tools need to be managed. About 10 percent of government agencies have upgraded to next-generation security software, such as firewalls that block threats at the app level, reports Menlo Park, Calif.-based Cybersecurity Ventures. The report also notes that government agencies are adding big data analytics geared to security. The market for these software security tools could reach $20 billion over the next three years, the company says in its second-quarter 2015 forecast report
Governments recruiting cybersecurity practitioners need to find candidates with a mix of skills, says Richard Forno. He is director of the Graduate Cybersecurity Program at the University of Maryland, Baltimore County (UMBC). Forno also serves as assistant director of the Baltimore-based UMBC Center for Cybersecurity. “It’s really the same in government and the private sector. You need people that have the right mix of technical talent and the ability to apply that talent effectively in the workplace,” says Forno, who has 20 years of experience in the cybersecurity and IT fields.
Forno tells GPN that cybersecurity practitioners need a combination of technical and soft skills. Technical skills, he says, include knowledge of networks, computers, networking, security principals and technologies–all the talents that a network or systems administrator would bring to the table. Soft skills, he says are characteristics that make a staffer a good professional. “Can you work well with people? Can you communicate well? Are you a team player? Do you have a thirst for knowledge?” Forno says.
Local government officials face an extremely competitive field when they want to hire a cybersecurity staffer with those skills, says Steven Weber, associate professor in the Department of Electrical and Computer Engineering at Philadelphia-based Drexel University. Weber also serves as the director of the Drexel Cybersecurity Institute.
Weber says qualified graduates of programs like Drexel’s enjoy very lucrative job offers immediately upon graduation, and that the field’s apparent talent shortage presents a real challenge for government hiring. Weber advises that governments form relationships with local universities, like Drexel, through cooperative education placements. “Drexel offers cooperative education placements at both the undergraduate and graduate levels. These co-ops give the student valuable job experience and the employer a great evaluation of potential permanent employees,” Weber says.
Seasoned IT executives in the private sector can do their part to ease the local government cybersecurity talent shortage, says Dave Jordan, chief information security officer (CISO) for Arlington County, Va. Less than 15 percent of the 3,031 county governments in the U.S. have a CISO, estimates Jordan.
“Does your locality have a CISO? Ask them, and if the answer is ‘No, there is no budget,’ chances are there are a few more jurisdictions close by in the same situation. Make an offer to several of them and have them share your salary,” Jordan stated in a recent Norse Corp. blog.
Jordan said the tasks the CISO does for one county could probably be duplicated in the other jurisdictions to ease the burden. “Just go for it,” he urged. “It’s honest work and there is never a dull moment!”
Michael Keating is Senior Editor at Government Product News, an American City & County sister brand.