Underprivileged states in the race to recruit cybersecurity pros
CHICAGO (AP) – Austin Moody wanted to apply his cybersecurity skills in his home state of Michigan by teaming up with state police investigators to analyze evidence and track down criminals.
But the recent graduate put the idea aside after learning that an unpaid internship was his only way to get into the Michigan agency.
“I don’t know a lot of people who can afford an unpaid internship, especially when it’s so in demand in the private sector,” Moody said of other cybersecurity job seekers. “Unpaid internships in cyberspace are not really a thing beyond the public sector.”
Hiring and retaining staff who can help fend off a constant stream of cyber attacks and less serious online threats is high on the list of concerns for state technology leaders. There is a severe shortage of these professionals and not enough financial firepower to compete with their federal counterparts, global brands and cybersecurity companies.
“People who are still in school are being told, ‘There is a very good opportunity in cybersecurity, very good opportunities for a high salary,’” said Drew Schmitt, senior threat intelligence analyst at cybersecurity company GuidePoint Security. “And ultimately, these state and local governments just can’t keep up with a lot of private organizations from a pay standpoint.”
State governments are regular targets for cybercriminals, drawn to the troves of personal data within agencies and to computer networks that are essential for patrolling highways, maintaining electoral systems and other key state services. Notable successful attacks since 2019 include those on the Washington State Auditor, Illinois Attorney General, Georgia Department of Public Safety, and computer servers supporting most Louisiana state agencies.
Cities are also under attack, and they have even fewer resources than states to mount cyber defenses.
With the help of industry groups, the federal government and individual states have created training programs, competitions, and scholarships in hopes of training more cybersecurity professionals nationwide. However, these strategies could take years to bear fruit. States have turned to outside contractors, civilian volunteers and National Guard units for help when their systems are destroyed by ransomware and other hacks.
States were expected to fill nearly 9,000 cybersecurity jobs this summer, according to CyberSeek, a joint project of the Computing Technology Industry Association and the National Institute of Standards and Technology. The total is probably higher because the project does not count jobs that are published only on their own job portal.
Heads of state are reluctant to detail the number of vacancies, fearing it could attract more potential attackers. Senior state security officials have ranked inadequate cybersecurity personnel as a top concern every year since the National Association of State Chief Information Officers and Deloitte began surveying the group in 2014.
The problem is not confined to state governments.
US officials are not hiding their own struggles to hire or retain cybersecurity professionals. The Department of Homeland Security alone has 2,000 cybersecurity job openings, and the Biden administration promoted 300 new hires this summer.
According to a survey by the International Information System Security Certification Consortium, a professional association, the average salary of $95,412 for a local or state government cyber employee in 2020 was $25,000 or more behind the salaries at the federal government, the financial services industry and computer services.
Information security analysts earned a median salary of $103,590 in May 2020, according to the Bureau of Labor Statistics. CyberSeek estimates starting salaries at nearly $90,000 for all employers.
Homeland security officials admitted in 2014 that lower salaries put their agency at a disadvantage, but it wasn’t until this year that a rule was released allowing higher salaries for cybersecurity roles – capped at $255,800, the maximum salary allowed for the vice president.
“The ministry desperately needs a more flexible hiring process with incentives to recruit talent in today’s highly competitive cyber skills market,” says part of the rule that is to come into effect later this autumn.
Leaders in the field often lament the costly and time-consuming certification requirements and background checks that employers insist on for cybersecurity positions, saying this keeps jobs vacant and discourages women and people of color from working in the cybersecurity industry.
Nicole Beebe, chair of the information security and cybersecurity department at the University of Texas at San Antonio, said states’ struggles were more fundamental. Private companies and the federal government aggressively recruit students during their college studies, sending representatives to courses and job fairs.
State agencies are rarely there, said Beebe, who advises students to weigh multiple job openings long before graduation.
“When it comes to a hyper-competitive field, you can’t just submit a job offer and think it’s going to get the same traction,” Beebe said.
Falling wages in government jobs can be a drag, but many students prefer a position that allows them to leave work at home, which is not always the case with private companies.
A state or local government role does not compare to the “meat grinder” of constantly responding to new attacks or vulnerabilities on a cybersecurity team for Microsoft or Amazon, said Michael Hamilton, founder of the project PISCES. The organization connects cybersecurity students to local governments that don’t have employees focused on this work.
“State agencies can hire interns, prepare them, show them that state government is a promising place to work,” he said. “But what I see them do is just fight with everyone else who wants to hire these people and lose.”
Sienna Jackson, a 2020 graduate of the University of Texas at San Antonio, accepted an engineering position at defense firm Northrop Grumman after interviewing with the company at a conference. She started her university studies in accounting, but discovered cybersecurity thanks to a classmate.
After an internship at Dell during her studies, she hoped to find a company of a similar size with a solid training program and other perks.
Salary and moving or housing assistance also mattered to Jackson, who held multiple jobs while graduating and has to pay off her student loans. She hasn’t ruled out state government jobs, but hasn’t seen agencies at campus career fairs or conferences.
“After I graduated and went for an interview, I realized I had a lot of options,” she said. “I can choose where I go and my standards and not just take whatever job comes my way.”
Moody, the Michigan native, was awarded a Department of Defense scholarship that required working for the agency at least a year after graduation. Moody said he understands state governments don’t have the kind of money that federal agencies or private companies spend on recruiting and generous salaries.
But sending cybersecurity staff to talk to students about their work and its importance to thousands of residents of the state can have a big impact without costing money, he said.
“A lot of people want public service jobs and are ready to start there,” Moody said.