Introduction
Hacktivists, organized criminals, and state-sponsored operatives continue to launch incessant, high-profile attacks on commercial, governmental, and even vital public infrastructure. This has heightened cybersecurity awareness among the concerned organizations as they seek to guard their valuable information and data against being stolen and redistributed in the black markets. Intellectual property, contract negotiations, and trade secrets are valuable targets for criminals with potentially detrimental consequences to the organizations.
States encounter considerable difficulty hiring and retaining cybersecurity experts. According to Bergal (2015), Oregon’s state employment agency was hacked; in South Carolina, millions of social security numbers had been accessed. In Montana, the public health services department had been breached. After the breach in South Carolina, the former computer security chief Scott Sheally had appeared before a legislative committee. He reported having expressed concerns about security safeguards but said he was not taken seriously. This illustrates a disconnect between cybersecurity experts and policymakers. The expert had raised the alarm in this incident, but the policymakers had not acted accordingly, probably because of a knowledge gap.
IT departments at the state level are responsible for computer systems belonging to many agencies, from environmental regulation to health and human agencies. The information systems range from websites and portals used for many data-rich services such as driver’s license renewal to enrolling for healthcare services (Bergal, 2017). For this reason, it is a necessity for states to not just hire more workers but also retain the ones they have. It is imperative that they accomplish this in spite of the lingering issue of budget cuts compared with private enterprises. A NASCIO study that surveyed 48 IT chiefs identified many challenges; one was that salary and pay grades were a stumbling block in attracting and retaining employees.
Cybersecurity experts are in demand mainly because there is a shortage. They, therefore, ask for premium salaries that states cannot afford. The average annual pay for a cybersecurity expert working in state governments was $76,000, while it was $95,000 in the private sector (Bergal, 2015). Another problem identified is the retirement of existing cybersecurity experts. In Maine, it was reported that 24% of the experts would retire in 2015 (Bergal, 2015). The irony is illustrated by the fact that most states are in rural areas and need to offer higher salaries to attract talent, but they do the opposite (Molis, 2019). It is not merely about pay but also location and career progression.
Why Hiring is a Problem for States: Cybersecurity Specific
The cybersecurity worker shortage is a global problem. It is caused by many factors, the chief of which is the shortage of cybersecurity workers in general. According to a report in which 649 cybersecurity experts were surveyed globally, 74% had reported increased attacks from the previous year while 82% said they expected to be attacked again in 2015 (Loeb, 2015). It was also reported that less than 50% had assurance that their current teams could handle their current threats. This report showed that it is not that they were not aware of the problem but that there were no people to hire. Another reason why there is a lingering cybersecurity problem among state governments is that the current cybersecurity training has not been able to match the needs of the field. CISOs and CIOs know that attacks could happen any day; for this reason, they expect workers to have the skills to address issues from day one.
One more reason for states having problems hiring cybersecurity experts is the rate at which the nature of threats evolves. It is not that academic institutions train fewer experts than, for instance, doctors, but security threats evolve at such a fast pace that any current breed of experts cannot contain the avalanche. Another cause for the problems is the lack of workforce planning specific to cybersecurity. Because the industry evolves so fast, organizations find it challenging to implement workforce structures around cybersecurity departments. With so much talent entering and leaving, compounded with the workload present in organizations, it is hard to establish a training system; this results in disarray that becomes endemic in many organizations.
Why Hiring is a Problem for States: General Reasons
Poor Salary Packages
There is a shortage of cybersecurity experts because of the increasing threats and skill level required. As a result, hiring organizations are supposed to offer competitive packages to attract top talent. States are hounded by budget shortfalls that hamper their ability to compete with private enterprises (“State IT Workforce”, 2015). As pointed out, the average salary for a cybersecurity expert employed by the state was $76,000, while in the private sector it was $95,000 (Bergal, 2015). This is a huge difference that can significantly affect talent retention.
Competition from Private Sector
The private sector offers more attractive opportunities for cybersecurity experts in salary, benefits, and career growth. In mega-rich enterprises such as Amazon and Google, employees work with some cutting-edge technologies that may not be present in state agencies. Moreover, government agencies are known for bureaucracy, which applies even when implementing new ideas and could discourage highly creative employees (Hamilton, 2020). State employees also complain about bosses who are unwilling to listen to ideas; when one considers the bureaucracy that comes with implementing new ideas, it is no surprise that the ideas get stonewalled.
Hiring Processes
The typical government agency hiring process takes months. Most of the time, the entire process will take more than double the time it takes in the private sector. By the time applicants are being called for interviews, they have already taken positions in private enterprises. Moreover, most state governments’ entire hiring strategy involves only filling positions left when talent has left their workforce. Instead of hiring on a need basis, it becomes a reactionary process (Hamilton, 2020). For as long as the state government’s hiring process is about only replacing vacant positions, the governments will continue to be left behind by imaginative corporations that hire on a need basis.
Homegrown Pipeline
State governments strive to implement hiring practices that do not tend towards favoritism. While this process is necessary to minimize corruption, it can blind them to the talent that is in their vicinity. Technical assistants and contractors are great candidates for filling some open positions in state agencies (Hamilton, 2020). Despite confirmed credentials, they can take a long time to be confirmed, dampening the spirits of available and motivated candidates.
Ineffective Recruiting Methods
Many states have convoluted recruitment processes that can seem daunting for prospective employees. For instance, in the state of California, one is supposed to create a career profile on a website (“How to Get a State Job”, n.d.). A person is expected to ensure that their credentials are up to date. The next step is to look for exams based on one’s category and then apply for the exam. After taking the exam, the results indicate eligibility for specific jobs. Up to this point, one still has not applied for the job, yet the results may take a month. After application and meeting minimum requirements, one can be called for interviews.
Recommendations
Increased Awareness
Problems cannot be solved until there is increased awareness about the magnitude of the challenge. Because of the way governance works, politicians are at the helm of developing and implementing cybersecurity policies. The problem with relying on politicians is that they may not grasp the gravity of the matter because of insufficient knowledge. This can be solved by cybersecurity experts becoming more vocal and educated on the need to do more even before attacks happen.
Curricula Revamp
The problem is not just a shortage of cybersecurity workers; even organizations that have them may lack assurance that they can handle problems. The cybersecurity industry evolves very fast; by the time universities embark on developing curricula, threats have already evolved, and graduates are rendered semi-skilled. This problem is amplified by the lack of workforce planning in many cybersecurity departments in organizations. The issue eventually becomes a vicious cycle that stakeholders cannot escape.
Increased Budget Allocation
One of the biggest shortfalls for state and even federal governments is their failure to match the private sector's salary packages for cybersecurity experts. In a free society where individuals have choices and are driven by self-interest, the badge of public service is not enough to keep them in government jobs. As it stands, there is no other option for state governments but to measure up to the industry standard or forget about ever attracting top talent.
Reorganized Recruitment Process
State and federal governments are hounded by antiquated HR practices that are slow and bureaucratic. Their recruitment methods do not evolve with time or to fit circumstances. It is fair that government agencies are supposed to uphold fairness for all, but this rigidity, where processes cannot be adjusted to fit specific needs, has made them unsuccessful in sourcing talent. State governments could also leverage the concept of a homegrown pipeline to make hiring easier for internal talent.
Workforce Planning
Workforce planning has the potential to alleviate cybersecurity personnel issues among state governments. It is important for an organization to have a clear knowledge of its cybersecurity needs, whether in human resources, capital, or infrastructure. This will help it define a clear organizational cybersecurity framework. The industry has reached maturity levels that call for organizations to have a clear inventory of their needs. Once they have conducted this inventory, and as part of the maturation process, they can then start forecasting their future cybersecurity workforce requirements. According to the Department of Homeland Security (2014), the workforce planning process involves four steps. The first step is conducting a thorough inventory of the current workforce. The second step is to perform demand and supply analysis; supply analysis checks who is doing the current job while the demand analysis determines an organization’s goals. The third step is to countercheck the above demand and supply datasets to identify gaps. The final step is to develop a plan to fill the gaps.
Conclusion
Cybersecurity is one of the most vital fields in computing. The government manages information systems that typically handle sensitive information, including large amounts of personally identifiable information (PII). For this reason, the agencies are a target of hacktivists and criminals who want to sell the data on the black market or who act simply for philosophical reasons. State governments have no choice but to take the threats seriously.
This research has been conducted to highlight the cybersecurity challenges facing state governments. It has been established that state governments face this challenge because of problems that are inherent in the cybersecurity field itself. These challenges center around the fact that cybersecurity is a highly evolving sector that people fail to keep pace with. The problems are not limited to the sector since it has also been observed that state governments also have weaknesses as they fail to attract and retain talent. This failure to attract top talent has been attributed to low budgets that make them offer uncompetitive remuneration packages. It has also been revealed that state governments have archaic recruitment strategies that earn them disdain from young talent.
It has been recommended that, to overcome these challenges in the cybersecurity field, there has to be a holistic approach that will address both intrinsic and extrinsic issues. One of the proposed solutions has been to restructure the training processes for cybersecurity professionals since their skills are susceptible to obsolescence; it has also been recommended that state governments rectify their recruitment processes to align with their competitors in the private sector. Another proposed solution has been to implement workforce planning. Through workforce planning, the agencies can conduct an analysis of their current workforce, analyze their demand and supply, identify the gaps and develop plans to bridge the gaps.
References
Bergal, J. (2015). Hiring cybersecurity staff is hard for states. PewTrust.
Bergal, J. (2017). Desperate for cybersecurity workers, states help build the next generation. Governing.com.
Department of Homeland Security (2019). Best Practices for Planning a Cybersecurity Workforce White Paper.
Hamilton, J. (2020). 5 reasons the federal government struggles to attract top talent. ClearanceJobs.
How to get a state job. (n.d.). Ca.gov.
Loeb, M. (2015). Cybersecurity talent: Worse than a skills shortage, it’s a critical gap. TheHill.
Molis, J. (2019). Attracting and retaining top talent: 5 ways to make them come to you. BizJournals.
NASCIO (2015). State IT Workforce: Facing Reality with Innovation (28). Web.