Hiring and keeping qualified IT staffers, particularly cybersecurity experts, is a serious problem for states.
Internships for veterans, cyber classes for high school and college students and mentoring programs — aimed especially at middle-school girls — are among the ways states are trying to beef up their cybersecurity ranks.
Cybersecurity is the most pressing issue for state information technology officials, as hackers and cybercriminals increasingly take aim at government networks, which contain information such as Social Security, bank account and credit card numbers of millions of people and businesses.
But hiring and keeping qualified IT staffers, particularly cybersecurity experts, continues to be a serious problem for states, according to a recent survey of state chief information officers. Job candidates “don’t perceive state government as an attractive and challenging work environment,” the report found.
State cyber salaries generally can’t match those in private industry and it’s often hard to move up the ladder in state government. And the disappearance of generous government retirement plans is making the jobs less appealing to cyber professionals.
Stanton Gatewood, Georgia’s chief information security officer, said the shortage stems not only from competition from the private sector, an aging workforce and lack of interest from high school and college students, but from states’ stringent educational and experience requirements that make it hard to recruit. “We’re writing requirements that are just through the roof,” he said last month at the National Association of State Chief Information Officers’ annual conference in Austin.
Gatewood recommended that states rethink those requirements and seek out nontraditional job candidates who have different types of backgrounds, such as gamers, code writers and law enforcement and military officials.
“It’s great to understand theory and principles. But our need is immediate,” he said, adding, “We need to put the butts in the seats.”
Nearly 300,000 public and private cybersecurity jobs are available in the U.S., according to CyberSeek, an interactive online tool for job seekers. Frost & Sullivan, a market research firm, forecasts a shortage of 1.8 million cybersecurity workers globally by 2022.
Seeking Out Veterans
Some states are looking to the military to try to fill cybersecurity jobs.
In March, Virginia, which has more than 700,000 veterans, kicked off its Cyber Vets Virginia pilot program in partnership with private industry and a Syracuse University research institute focused on veterans. The program aims to help veterans enter the cybersecurity field in Virginia by providing them free hands-on training, assistance in getting industry certification and career services.
The 12- to 15-week program is open to veterans, those transitioning out of the military, spouses, reservists and National Guard members. So far, more than 125 people have enrolled, said program administrator John Malfitano.
“A lot of them have cyber experience, and cyberattacks are really a new form of warfare and we need to be able to defend against it,” Malfitano said. But even those with experience may need additional training to meet industry certification standards, he said.
In Colorado, the Legislature allocated more than $900,000 this year to create and fund the Veterans Transition Program, a nine-month paid internship at the state technology department for service members leaving the military who have shown an interest or aptitude in cybersecurity or have some cyber experience.
“These are people who already have a demonstrated interest in public service,” said Deborah Blyth, the state’s chief information security officer. “They also have done some consistent time in the military, so I’m not worried about them job-hopping.”
The program started in July, and two veterans already are on board. Officials expect to add eight more.
“We’re hoping to create a pipeline for ourselves,” Blyth said. “So as we have turnover and openings, we are able to have these veterans transition into our agency.”
Focusing on Students
For the last two years, Virginia has offered a public service scholarship program to in-state college students studying cybersecurity. It awards them up to $20,000 a year and in return, they must commit to working at a state agency or institution for as many years as they receive the scholarship.
Virginia also is one of seven states that participate in a partnership with the SANS Institute, a global information security training company, to provide cyber skills to high school and college students through a free online training exercise called CyberStart. The top performers at the state level can win thousands of dollars in scholarships and compete nationally for up to $500,000 in scholarships for more advanced cyber coursework.
Delaware registered 359 students for this year’s program and 20 of them received scholarships at the state level, said Elayne Starkey, Delaware’s chief information security officer. Delaware also has hosted and run weeklong national U.S. Cyber Challenge camps attended by hundreds of young people that offer workshops, labs and a competition, she said.
While such programs are a great way to entice young people to choose cybersecurity careers, Starkey said, it may not be enough to keep the pipeline of cyber talent flowing, considering the large number of experienced staffers who will retire in the coming years.
“It’s a very complex problem that we haven’t been able to find answers to,” Starkey said. “At some point you stop and take a look behind you and ask who’s coming to fill our shoes. And you find there’s no one there.”
While cybersecurity is a booming field, it’s still male-dominated. Women make up only 14 percent of the cyber workforce in North America, according to a 2017 study.
State officials say the pool of women qualified to fill cyber jobs is shallow, which makes it difficult for young girls interested in a cybersecurity career to find role models and mentors.
One way Delaware’s IT department is trying to break that cycle is by co-sponsoring an annual event that brings together 150 eighth- and ninth-grade girls to immerse them in technology and give them hands-on practice, Starkey said. One track is devoted to cybersecurity.
In Colorado, Blyth recently worked with a local university to start a chapter of CyberGirlz, an initiative that offers mentoring and workshops for middle-school girls interested in the cybersecurity field.
“The problem we’re having in cyber is that when I open positions, there just are not a lot of women who apply because there are not a lot of women in security,” Blyth said.
Ambareen Siraj, a computer science professor at Tennessee Tech and founder of Women in CyberSecurity, a networking and mentoring group for cyber professionals and students, said young women often can’t relate to the stereotypical image of the cyber techie.
“Many young women going to college think this is a field of socially challenged men wearing black hoodies and hacking away in dark basements, eating pizza,” she said. “We need them to realize that it’s not. It’s a field where they learn how to solve problems using their own skills.”