CHICAGO — Austin Moody wanted to apply his cybersecurity skills to his home state of Michigan, working with investigators for the state police to analyze evidence and track down criminals.
But a recent graduate put the idea aside after learning an unpaid internship at a Michigan agency.
“I don’t know many people who could afford to take an unpaid internship, especially when it’s in such high demand in the private sector,” Moody said of fellow cybersecurity job seekers. “Unpaid internships in cyber are really nothing beyond the public sector.”
A constant stream of cyber attacks and hiring and hiring employees to help address less serious online threats is at the top of the list of concerns for state technology leaders. There is a severe shortage of those professionals and not enough financial firepower to compete with federal counterparts, global brands and specialized cybersecurity firms.
“People who are still in school are being told, ‘There’s a really good opportunity in cybersecurity, there are really good opportunities for higher salaries,'” says Drew, a principal threat intelligence analyst at cybersecurity firm Guidepoint Security. Schmidt said. “And ultimately these state and local governments can’t keep up with a lot of private organizations from a salary standpoint.”
Cities are also vulnerable to attacks, and they have fewer resources than states for cyber security.
Aided by industry groups, the federal government and individual states have created training programs, contests, and scholarships in hopes of producing more cybersecurity professionals nationwide. However, those strategies can take years to pay off. States have turned to outside contractors, civilian volunteers and National Guard units for help when their systems are taken over by ransomware and other hacks.
States need to fill about 9,000 cybersecurity jobs this summer, according to CyberSec, a joint project of the Computing Technology Industry Association and the National Institute of Standards and Technology. The total is probably higher because the project does not count job listings that states have posted only on their own employment portals.
State leaders are reluctant to elaborate on the number of vacancies, worrying it could attract more potential attackers. Top security officials in states rank inadequate cybersecurity staff among their top concerns every year, since the National Association of State Chief Information Officers and Deloitte began surveying the group in 2014.
The problem is not limited to the state governments.
US officials make no secret of their own struggle to hire or retain cybersecurity professionals. The Department of Homeland Security alone has 2,000 cybersecurity job vacancies, and the Biden administration promoted 300 new employees this summer.
According to a survey conducted by the International Information Systems Security Certification Association, the $95,412 median salary for a local or state government cyber worker is $25,000 or more in 2020, compared to salaries in the federal government, financial services industry and IT services. a trade union.
According to the Bureau of Labor Statistics, information security analysts earned a median salary of $103,590 in May 2020. CyberSeek puts the starting salary for all employers at close to $90,000.
In 2014 Homeland Security officials recognized that low pay was putting their agency at a disadvantage, but it took until this year to publish a rule allowing higher pay for cybersecurity roles – capped at $255,800, The maximum salary allowed for a Vice President is:
“The department is in dire need of a more flexible recruitment process with incentives to secure talent in today’s highly competitive cyber skills market,” reads part of the rule due to take effect later this fall.
Field leaders often impose the costly and time-consuming certification requirements and background checks that employers insist on for cybersecurity roles, saying jobs remain vacant and preventing women and people of color from working in cybersecurity. discourages.
Nicole Beebe, chair of the Department of Information Security and Cyber Security at the University of Texas at San Antonio, said states’ conflicts are more fundamental. Private companies and the federal government aggressively recruit students during college, sending representatives to classes and career fairs.
State agencies are rarely there, said Beebe, who advises students weighing multiple job offers long before they graduate.
“When it’s a highly competitive field, you can’t just submit a job posting and think it’ll get equal traction,” Beebe said.
Low pay in government jobs can be a turnoff, but many students prefer a position that lets them leave work at home, which is not always the case with private companies.
Michael Hamilton, the founder of the PISCES project, said the role of state or local government doesn’t compare to a “meat grinder” for Microsoft or Amazon in constantly responding to new attacks or vulnerabilities on the cybersecurity team. The organization connects cyber security students with local governments that don’t have the staff to focus on that job.
“State agencies can compete with interns, groom them, show them that the state government is a promising place to work,” he said. “But what I see them doing is getting into a fight with all the people who want to hire these people and lose.”
Sienna Jackson, a 2020 graduate from the University of Texas at San Antonio, accepted a job as an engineer at defense company Northrop Grumman after interviewing with the company at a conference. She started college as an accounting major but discovered cyber security through a classmate.
After an internship with Dell during college, she hoped to find a similar-sized company with a stronger training program and other benefits.
Pay and moving or housing help also mattered for Jackson, who worked multiple jobs while earning his degree and had to pay off his student loans. He didn’t rule out state government jobs, but didn’t see agencies at career fairs on campus or conferences.
“Once I graduated and was doing interviews, I realized I had a lot of options,” she said. “I get to choose where I go and not accept my standards and whatever work comes my way.”
Moody, a Michigan native, received a scholarship from the Department of Defense, which required working for the agency for at least a year after graduation. Moody said he understands that state governments do not have as much money as federal agencies or private companies spend on recruitment and generous salaries.
But getting cyber security staff to talk to students about their work and its importance to the state’s thousands of residents can make a big impact without much cost, he said.
“Many people want to be in public service roles and are ready to start there,” Moody said.