Former South Carolina Department of Revenue computer security chief Scott Shealy appears before legislators investigating how hackers accessed tax information. Shealy left the agency before the hacking and said his bosses didn't take seriously his concerns about keeping data secure. States face cybersecurity threats and have trouble recruiting staff to combat it. (AP)
In the last few years, Oregon’s state employment department website was breached. In Montana, it was the public health and human services agency. And in South Carolina, hackers were able to access the Social Security numbers of millions of taxpayers in the state revenue department’s computer system.
Top information technology officers warn that crimes like these point to why cybersecurity is critically important for state agencies, whose computers contain a wealth of personal information—birth certificates, driver’s licenses, Social Security numbers and tax records—that appeal to identity thieves. And they demonstrate the need to have a well-trained team in place that’s prepared to prevent and repel hacking attacks.
But a recent report by the National Association of State Chief Information Officers (NASCIO), composed of states’ chief information technology officials (CIOs), found that states are plagued by a number of problems in hiring and retaining IT staff— especially cybercrime experts.
“Cybersecurity is one of the most important issues we’re facing today. It’s one of the things CIOs are the most concerned about,” said Meredith Ward, NASCIO senior policy analyst and author of the report. “The challenge is that if the folks aren’t there to deter, detect and prevent, it becomes a catch-up game.”
Late last month, state CIOs met with federal officials and congressional staff in Washington, D.C., to request more financial help for cybersecurity and discuss ways to help build states’ IT security workforces.
“States aren’t receiving sufficient funding to do what’s necessary. A lot is because of how federal grants are structured,” said Mitch Herckis, NASCIO’s director of government affairs.
Federal grants to states typically cap administrative expenses to save money, and a state’s cybersecurity expenses are considered an administrative cost, the same as other overhead expenses such as office supplies, he said. That often leaves states without enough money to cover their IT costs.
“We’re trying to raise awareness about that and get more direct resources from the federal government to the states,” Herckis said.
State IT departments oversee the computer systems used by nearly all agencies, ranging from health and human services to environmental regulation. That includes websites or portals used by the public for everything from renewing driver’s licenses to signing up for a state’s health care exchange.
State CIOs are tasked with improving government efficiency, customer service and saving taxpayer dollars. That’s why they say it’s so important to recruit and retain staff. But it’s been difficult, especially after years of tight budgets and competition for staff from private industry.
The NASCIO study, which surveyed IT chiefs from 48 states, found that those challenges will only be getting tougher. Among the findings:
- Nearly 92 percent of states said salary and pay grades presented a challenge in attracting and keeping employees.
- 86 percent of states said they’re having trouble recruiting people to fill vacant slots. Four years ago, only 55 percent of states reported having that problem.
- 46 percent of states said that it takes three to five months to fill senior positions.
“What are we going to do about this?” said NASCIO’s Ward. “It’s not something that can be ignored.”
The study found that recruiting and keeping staffers with cybersecurity experience is one of the greatest challenges. That matched the findings of a 2014 Deloitte-NASCIO cybersecurity study, which found that nine of 10 state IT officials surveyed reported that the biggest barrier to attracting cybersecurity talent is salary, which generally can’t match that offered by private industry.
According to U.S. Bureau of Labor Statistics data from May 2014, the mean annual salary for cybersecurity analysts in state government was about $76,000; it was about $95,000 in the private sector.
“Cybersecurity is in such high demand in the private sector. People with the training and experience can go to the marketplace—even someone working in the state government—and they can get paid a lot more,” said Srini Subramanian, a state cybersecurity principal at the consulting firm Deloitte & Touche LLP who co-authored the study.
Subramanian said pay isn’t the only challenge in hiring and keeping cybersecurity staffers. Another is the lack of a clearly defined career path and a way to move up the ladder in state government, he said.
“These cybersecurity professionals are looking for career progression,” Subramanian said. “How can they get from being a new analyst out of college to the chief information security officer for the state? This is another hurdle.”
States have tackled these issues—for cybersecurity and other IT positions—in a number of ways, the latest NASCIO survey found. Many are reviewing job classifications and offering flexible work schedules. Some are giving performance awards or emphasizing career development and continuing education, or perks such as tuition reimbursement and internships.
Other tactics include using digital advertising and social media, giving signing bonuses and converting contractors to state employees.
But recruitment and retention aren’t the only problems IT officers face. They’re concerned about the number of employees with years of experience who are retiring. The survey found that in nearly a quarter of the states, 21 percent to 30 percent of IT staffers will be eligible for retirement in the next year.
“For a large state, that might not be such a big deal,” said NASCIO’s Ward. “But for smaller states like Maine or Rhode Island, 21 to 30 percent has a huge impact.”
In Maine, retirement and recruitment obstacles have been causing major headaches for the state’s IT agency, according to CIO Jim Smith. Smith said that about 24 percent of his 480 employees will be retiring in the next two years. “That’s thousands of years of experience,” he said.
Maine’s IT office is scrambling to fill openings as it is. At any given time, it has about 50 open slots.
“We’re in a rural area. It’s difficult to attract people,” Smith said. “Losing 20 percent of your workforce is transformational. You really have to think about that in a different way.”
Smith said it’s particularly difficult to hire experienced cybersecurity staffers because the pay is much better in private industry and the employment rate in that field is practically 100 percent. Maine pays about $70,000 for cybersecurity professionals, he said.
“I don’t know if we have a great approach on this. We continue to beat the bushes,” said Smith, who has eight cybersecurity staffers on his team. “It’s a real challenge.”
Smith said his office has been more successful in coming up with innovative ways to recruit other types of IT staffers.
One was to revamp its internship program and create partnerships with colleges in the state. An internal team selects interns based on their IT skills, interviews them and matches them to the right position. They’re also assigned mentors.
“Years ago, we’d bring in an intern and say ‘go make coffee,’ Smith said. “Now, we give them real work. They write real code. They help us with new technology.”
As part of the program, interns are given a business problem and asked to research what others in the industry are doing and propose a solution. Some, for example, were tasked with revamping the IT department’s employment website. They’ll be presenting their proposal to other state agency heads and possibly the governor, Smith said.
So far, about 70 percent of the 30 interns have become full-time employees, Smith said.
Smith said his office also is trying to recruit military veterans and is working with the National Guard to “build a pipeline” for potential hires.
Maine’s IT department also is focusing on doing a better job of “branding,” when it comes to recruitment.
“We tell people we can offer them a different experience than they can get in the private sector. We have some very exciting jobs,” Smith said. “They can write software for radio communications on the mountaintops. They can work with corrections or with inland fisheries and wildlife or with helping families in need.”
He said that the “giving back” element is important in trying to recruit staff.
“This generation wants meaningful work, the opportunity to give back,” he said. “We also hit the older population who are near the end of their career with the same argument. We’re sort of going after both sides.”
Ultimately, the problems state IT offices face in recruiting and keeping staff will filter down to residents, Smith said. They could end up having problems accessing information from state websites, whether it’s getting tax refunds or securing fishing licenses.
“If we don’t solve this, you’ll see degradation in services to citizens,” he said. “That would become a real problem for the public.”