Springfield News-Sun

States struggling in race to recruit cybersecurity

- By Kathleen Foody

CHICAGO — Austin Moody wanted to apply his cybersecurity skills in his home state of Michigan, teaming up with investigators for the State Police to analyze evidence and track down criminals.

But the recent graduate set the idea aside after learning an unpaid internship was his only way into the Michigan agency.

“I don’t know many people that can afford to take an unpaid internship, especially when it’s in such high demand in the private sector,” Moody said of fellow cybersecurity job seekers. “Unpaid internships in cyber aren’t really a thing beyond the public sector.”

Hiring and keeping staff capable of helping fend off a constant stream of cyberattacks and less severe online threats tops the list of concerns for state technology leaders. There’s a severe shortage of those professionals and not enough financial firepower to compete with federal counterparts, global brands and specialized cybersecurity firms.

“People who are still in school are being told, ‘There’s a really good opportunity in cybersecurity, really good opportunities for high pay,’” said Drew Schmitt, a principal threat intelligence analyst with the cybersecurity firm Guidepoint Security. “And ultimately these state and local governments just can’t keep up from a salary perspective with a lot of private organizations.”

State governments are regular targets for cybercriminals, drawn by the troves of personal data within agencies and computer networks that are essential to patrolling highways, maintaining election systems and other key state services. Notable hits since 2019 include the Washington state auditor, Illinois’ attorney general, Georgia’s Department of Public Safety and computer servers supporting much of Louisiana’s state agencies.

Cities, too, come under attack, and they have even fewer resources than states to stand up cyber defenses.

Aided by industry groups, the federal government and individual states have created training programs, competitions and scholarships in hopes of producing more cybersecurity pros nationwide. Those strategies could take years to pay off, however. States have turned to outside contractors, civilian volunteers and National Guard units for help when their systems are taken down by ransomware and other hacks.

States needed to fill nearly 9,000 cybersecurity jobs as of this summer, according to Cyberseek, a joint project of the Computing Technology Industry Association and the National Institute of Standards and Technology. The total is probably higher because the project doesn’t count job listings that states posted only to their own employment portal.

State leaders are reluctant to detail the number of vacancies, worrying that could further entice potential attackers. States’ top security officials have ranked inadequate cybersecurity staffing among their top concerns every year since the National Association of State Chief Information Officers and Deloitte began surveying the group in 2014.

The problem isn’t limited to state governments.

U.S. officials make no secret of their own struggles to hire cybersecurity pros or retain them. The Department of Homeland Security alone has 2,000 cybersecurity job vacancies, and the Biden administration promoted 300 new hires this summer.

The $95,412 average salary of a local or state government cyber employee lagged by $25,000 or more in 2020 compared with the pay in the federal government, the financial services industry and IT services, according to a survey conducted by the International Information System Security Certification Consortium, a trade association.

Information security analysts earned a median salary of $103,590 in May 2020, according to the Bureau of Labor Statistics. Cyberseek puts starting salaries close to $90,000 across all employers.

Homeland Security officials in 2014 recognized that lower pay was keeping their agency at a disadvantage, but it took until this year to publish a rule allowing higher salaries for cybersecurity roles — capped at $255,800, the maximum salary allowed for the vice president.

Leaders in the field often bemoan the expensive and time-consuming certification requirements and background checks that employers insist on for cybersecurity roles, saying that keeps jobs vacant and discourages women and people of color from working in cybersecurity.
