There have been a number of hacking incidents at the American state level recently. In Oregon, the state employment department’s own website suffered a breach, while in South Carolina hackers were able to infiltrate the state network and access millions of Social Security numbers from the revenue department. Security breaches have also taken place in the public health and human services agency in Montana.
Cyber Security Warning
The country’s top information technology officers are already warning that cybersecurity is becoming more critical than ever, with hackers increasing the number of crimes they commit in order to access some of our most important personal data, such as birth certificates and driving licenses. It’s important to take the necessary security precautions and have a well-established security team behind you.
Chief Information Officers (CIOs) are concerned that there is a lack of security professionals working in the industry, and that American states are finding it difficult to hire and retain qualified IT staff, especially experts in cyber crime. Meredith Ward of the National Association of State Chief Information Officers (NASCIO) commented that cybersecurity is one of the most important issues that the government and organizations are facing.
April 2015 saw a meeting between the state CIOs, federal officials and congressional staff members from Washington D.C. They set up the meeting to request more financial help for cybersecurity, and also to discuss methods to help build the states’ future IT security workforce. Each of the American states is suffering from a lack of sufficient funding to help strengthen this security frontline, and this is in part due to the way that federal grants are structured.
Administrative expenses are usually capped with federal grants to states, and cybersecurity for a state is considered an administrative cost, in the same category as office supplies. This is the main reason that a state usually doesn’t have the money to strengthen its security defences enough to protect against the published cases of hacking.
It’s the responsibility of the specific state’s IT department to develop and oversee the computer systems that are used by the agencies ranging from environmental regulation to health and human services. This also includes the state’s websites and portals that are used by the public for everything from signing up to the state’s healthcare exchange to renewing a driver’s license.
IT Staff Analysis
NASCIO conducted a survey of IT chiefs from 48 states, and found that the challenge of hiring and retaining qualified staff was one of the many difficulties that they faced.
- 92% of the states responded that pay and salary was a factor in attracting and keeping the right staff.
- 86% of states said they were having trouble recruiting qualified security personnel, compared with only 55% 4 years previously.
- 46% of the states agreed that it would take 3-5 months to fill their senior IT positions.
One of the biggest barriers in retaining staff is the salary lag of the public sector, which often loses its staff to the higher-paying private sector. When salaries for cybersecurity analysts from the U.S. Bureau of Labor for May 2014 are compared, state analysts were paid an average salary of $76,000, while the private sector paid $95,000. IT security professionals are often headhunted by private sector recruitment agencies, compounding the problem.
Public Sector Strategy
As well as shortcomings in the area of pay, there is also a lack of a specific career path in state government. Most IT and cyber security professionals are looking for a logical career progression. They want to go from being university and college graduates, and move up the career ladder to a position such as chief information security officer for their state.
States are making efforts to tackle this, with many reclassifying and reviewing their job classifications and offering more flexible work schedules. Some states are also giving performance rewards, emphasizing career development and the benefit of continuous education, with some reimbursing tuition fees and offering greater career internships. They are even using social media and digital advertising to try to attract staff, and also using bonuses and encouraging contractors to sign up as state employees instead.
States also face the difficulty of their existing knowledge base retiring, and taking valuable skills out of the marketplace. In the same NASCIO survey, about 1/4 of those surveyed responded that 21% to 30% of staff would be eligible for retirement in the next year. For larger states, this wasn’t an issue, but for smaller states such as Rhode Island and Maine this will have a huge effect.
In Maine, 24% of the 480 employees in the state’s IT agency are retiring within the next 2 years, which is thousands of hours of valuable experience. The Maine IT office struggles to fill all its vacancies, with on average 50 open slots at any given time. They are trying to turn this around into a positive, though, by having internal IT teams select interns from local colleges in the state and assign them mentors, to help pass along valuable knowledge to the next generation of security workers.
As well as local partnerships, and better internship programs, states are also finding individuals with proven work ethics to make the transition to IT security. Recruiting military veterans and working with the National Guard to build a pipeline for potential hiring is starting to come to fruition, as those dedicated already to service for their country are more likely to stay within the government career path, and be retained by the state IT departments.
Future of Funding
It’s important that the funding and mechanism for state IT security is overhauled and almost revolutionized, if key public services that the public now take for granted are to be securely retained and kept up to date with demands. As there are a number of highly publicized hacking and security breaches in all sectors, public and private, the shift to providing more resources for this area should start to pick up. Will this ensure the next security breach does not happen? It’s unlikely.