The Big Quit: Why Cybersecurity Pros Are Leaving Government
Public-sector cybersecurity workers are frustrated by the lack of government investment and the bureaucratic slowness to innovate.
A recent tweet by Jen Easterly, head of the top U.S. cybersecurity agency, is not only an amped-up recruitment drive, it’s also a signal that the government is in urgent need of help.
“Join our team,” asserts the post to the sound of loud rock music. “You are the missing piece,” it says, as the final piece of a Rubik’s Cube slots into place to show her agency’s logo. Easterly (@CISAJen), who is director of the Cybersecurity and Infrastructure Security Agency, posts in the tweet that if it weren’t for her curiosity and “love of puzzles” she might not have discovered her career.
The government sorely needs more people like her. There are more than 36,000 unfilled public-sector cybersecurity jobs, according to data gathered by CyberSeek, a Commerce Department affiliated cyber-hiring project. This past summer, the Department of Homeland Security estimated there were about 1,700 jobs it needed to fill in its agency alone.
While a tech skills gap has always persisted in private industry, the deepening shortage in government poses a risk to the Biden administration’s high-profile cybersecurity campaign and to the security integrity of the nation. This issue was made more urgent on November 3rd when the administration issued a wide-ranging cybersecurity mandate, ordering nearly all federal agencies to patch hundreds of vulnerabilities that are considered major risks for intrusion and damage to federal networks.
“We knew five years ago that we needed to add tens of thousands of new cybersecurity professionals to the U.S. government to be successful,” says Ari Schwartz, former senior director for cybersecurity in the Obama White House. “Because the turnover remains high, we are reaching a crisis point where the U.S. government just doesn’t have the talent that it needs,” says Schwartz, who is managing director of cybersecurity services at Venable, a legal service and business-advisory firm.
The government faces multiple challenges in trying to recruit and retain security tech workers. These challenges—pay, funding, resources, and workplace arrangements—are not unique to government. They are hardening as the workforce becomes more inclined to quit as the pandemic wears on. In August, a record 4.3 million American employees left their jobs, and there are now almost 465,000 unfilled private and public cybersecurity jobs around the country, according to CyberSeek.
Upper limit
The most common challenge the government faces in recruiting savvy cybersecurity professionals is compensation. Tech pros can get up to 50% more pay in the private sector than in public service, says John Bambenek, a cybersecurity expert at Netenrich, which provides cyber-threat detection services.
In the public sector, there is also often an upper limit on pay even for high performers, which is not the case in the private sector. In government jobs, “eventually you reach the point where you need to be a political appointee,” he says.
At the state level, pay may be an even bigger issue. States needed to fill 9,000 cybersecurity jobs last summer, according to CyberSeek. Last year, the average annual salary for a local or state government cyber employee was about $95,412, which is about $25,000 behind federal government pay.
“It will take some creative thinking to deal with the reality that it is just more lucrative to leave the government for the private sector,” says Bambenek.
For Quentin Hodgson, a senior cybersecurity researcher at Rand, a nonprofit research consultant, the decision to leave government is often because workers have had enough. One of the main frustrations is over resources and funding, he says.
In the fast-moving world of technology, it’s too easy to fall behind. Funding limits and resource delays can quickly lead to outdated systems. One area that’s increasingly critical to the deployment of robust cyberdefense in private industry is the emerging practice of DevSecOps, a strategy that brings security teams into software development projects at the start. That, in turn, allows them to spot potential network vulnerabilities before those projects are too far along. Experts say that government cybersecurity is far behind in adopting this practice.
The lack of investment in cybersecurity is increasing risk for government agencies—for being hacked, having sensitive data leaked, and shutting down networks. Local government agencies are under threat, with some 25% saying breach attempts happen every hour and 14% reporting an attempt every day, according to a 2020 International City/County Management Association survey.
“People get frustrated with bureaucracy and process and lack of resources,” Hodgson says. “They feel like they’re not getting the resources they need to do their jobs. And they feel that everybody ignores you as a cybersecurity professional until something goes wrong, and then they start piling on you asking why.”
Burned out
Many public-sector cybersecurity workers are burned out. “If you look at the reasons why people leave, historically, it has generally been associated with burnout,” says J. Michael Daniel, former President Obama’s cybersecurity czar. “For anybody doing cybersecurity during the pandemic, that’s most likely only gotten worse—because of the demands of remote work and the demands of the hybrid workforce.”
Compounding it all is a cumbersome hiring process. The federal government often does extensive background checks, a routine that can put workers off given that few such examinations are required by private enterprise. In addition, if an applicant has any prior drug history, even a minor one dating back to high school or college, they are usually prohibited from working for the government.
Industry experts also point to the need to look at younger talent through a different lens. Daniel, who is currently president and CEO of the Cyber Threat Alliance, a nonprofit cybersecurity association, says some education demands are unnecessary.
“Are we imposing arbitrary requirements that turn people off?” he says. “Are you requiring master’s degrees when you don’t need a master’s degree?”
In recognition of this particular issue, DHS Secretary Alejandro Mayorkas launched an Honors Program, which includes an effort to recruit recent graduates with degrees in cybersecurity-related fields to a one-year professional development course. Those who complete the program will be eligible for full-time cybersecurity positions at the department.
Robert Spalding, a retired Air Force brigadier general who served as a defense official in Beijing, says he left the military after becoming fed up with using outdated systems on B-2 stealth bombers. He says the government’s lack of talent and infrastructure in cybersecurity and defense technology is at a crisis point.
“Not only are we at a crisis point, we have been at a crisis point for a while with no signs of reform in sight,” he says.
To address the issue, Spalding believes the government should reduce defense spending on weapons and focus instead on investment and recruitment in infrastructure, manufacturing, technology and STEM education.
Private-sector help
As the government’s challenges in hiring tech talent and building out cyberdefenses have grown, private-sector cybersecurity services to government agencies have flourished. “The private sector is doing almost everything for the government,” Schwartz says—providing both cybersecurity products and personnel. And these ventures are being run by former government tech workers and by tech graduates who may have previously considered a public-sector career, he says.
Private firms are offering basic cyber services: penetration testing, hardware security audits, software patch audits, payment gateway security, and authentication and data encryption services, says Ken Bodnar, a data transformation practitioner.
“At a minimum, most federal agencies use private-sector technology and tools, such as firewalls, network management, email filtering, and monitoring,” says former cybersecurity czar Daniel. “What varies from agency to agency is the mix between in-house, contractor, and out-sourced cybersecurity services. The larger, more technically capable agencies do more in-house.”
Private services and tools should ensure that government network security is robust and offers proactive threat-detection capability. For example, these tools should enable agencies to catalog their network asset inventory so they know exactly where sensitive data is stored. They should also support zero-trust practices and ideally provide a threat-hunting platform, as well as implement automated patch management and software monitoring.
Indeed, automating tedious tasks—of which there are more in the public sector—is a key challenge facing government agencies. While the private sector constantly provides resources and pushes itself to reduce inefficiencies that can lead to loss of revenue, the public sector doesn’t drive toward the same goal. Instead, its drivers are digital transformation, constituent satisfaction, and national security.
Lack of automation also explains why public-sector cybersecurity jobs are harder to fill. There are dozens of manual processes that government employees perform that their private-sector counterparts may not. These can include manually patching across multiple operating systems, creating and enforcing compliance rules across all endpoints, using multiple outdated legacy tools, and manually combining data from all of them in a way that lends itself to quick decision-making.
The encrypted future
Encryption will be the next public-sector frontier for tech enterprises, says Bodnar. Among the areas of development: homomorphic encryption, which enables computation on encrypted data without decrypting it; zero-knowledge proofs, which allow one party to prove to another that a statement is true without conveying any information beyond the fact that it is true; and eIDV (electronic identity verification), which uses public and private data sources to match individuals.
Spalding, for his part, is currently setting up a venture to offer government agencies encrypted defense technology solutions.
Across the nation, vacant public cybersecurity roles of varying job descriptions and seniority are staying unfilled. Experts say the government needs to lean into a sense of mission in order to increase recruitment, raise its cybersecurity capabilities, and keep on top of innovations in the field. At senior levels, public cybersecurity jobs can feel more meaningful than jobs in private enterprise, and the government should leverage that, says Daniel.
“You have the ability to directly drive policy outcomes and participate in international negotiations and things like that,” he says. “You can’t always really get that in the private sector.”
The last word should go to Michael Hamilton, a former CISO for the city of Seattle. “Local governments make the toilet flush and your water drinkable, and cyberattackers can easily hold all that up,” says Hamilton, who is founder of the Public Infrastructure Security Cyber Education System (PISCES) project, which connects cybersecurity students to local governments. “These are supercritical cyber positions, but people are often frozen out of these jobs because the pay isn’t competitive.”