States bend hiring practices to fill IT, cyber gaps
As state chief information officers and chief information security officers name staffing as their top challenge, officials across state governments are taking steps to change longstanding hiring rules in hopes of staying competitive.
During a session Tuesday at the National Association of State Chief Information Officers conference in Louisville, Kentucky, government IT leaders shared details on some of the programs they’ve launched over the past few years and how they’ve paid off. In many cases it involves tailoring jobs and recruitment toward young people entering the workforce for the first time, rather than seasoned professionals.
“We have a very hard time reaching individuals in the middle of their career,” said North Dakota CISO Michael Gregg. “I can get them out of college.”
‘I can’t hire enough’
Gregg estimated that about 20% of his staff is likely to step down in the next five years, creating more challenges for an agency that runs cybersecurity for the entirety of the state’s public sector — from state government down to local school districts, covering about 250,000 endpoints. He also said North Dakota’s small overall population shouldn’t downplay the task at hand.
“People say the state’s not very big population-wise,” he said. “That’s true, but I can’t hire enough people internally to meet my needs.”
Gregg said the North Dakota Information Technology Department is launching a “student SOC,” or security operations center, program. The program, which he said he hopes will eventually reach every school in North Dakota’s university system, will put students in a virtual security operations center, where they’ll work with incident response playbooks and learn skills that could later be used in state government. The first is set to open at Bismarck State University, in North Dakota’s capital city.
Skills acquisition
NASCIO’s annual member survey found that both building talent pipelines and the call to public service are still very effective recruiting tools for finding younger workers, even if they don’t plan to stay more than a few years.
“Young people today want this ability to say ‘we’ve learned something,'” Gregg said. “They’re not as concerned about benefits, but they are interested in learning about skills.”
Gregg said his office has started competitive apprenticeship and internship programs, with apprentices working 30 hours per week during their term in exchange for a three-year commitment to the state government upon finishing the program. One recent internship posting garnered about 150 applicants for a single position, he said.
North Dakota also continues to be flexible about remote working arrangements — especially popular among millennials entering the middle of careers — even as other states dial back on their COVID-19-era policies. Gregg said that could give his state a competitive edge in hiring.
“We support work-from-anywhere,” Gregg said. “If you’ve got people in their state that are interested, we will poach them. But if you move to the same model we use, you can poach our people.”
Lowering requirements
More states are also lowering the academic requirements for their cybersecurity jobs. Melissa Leaman, Maryland’s assistant secretary of finance and administration, recalled her state’s recent move to eliminate four-year degrees as a prerequisite for many government jobs in favor of skills training and past experience. She also reminded other state officials and vendors in the NASCIO audience that nearly every organization represented at the conference is competing for the same talent pool.
“You are our competitors in the workforce,” she said. “We all struggle with the same issue. Our labor force is going to be retiring.”
Leaman said Maryland faces an additional challenge of competing directly with the federal government, as well as the administrations of Virginia and the District of Columbia.
Other states have found success in dropping academic barriers from their IT jobs. Indiana CIO Tracy Barnes said that participants in the three-year-old State Earn And Learn, or SEAL, program — which gives workers of any educational attainment level opportunities to be paid as a government workers while learning new skills — have a 90% retention rate. That’s been crucial, as Indiana “lost a lot of talent” during the pandemic, he said.
Gregg, the North Dakota CISO, said he’s also had to revise his job listings, like no longer requiring applicants for certain entry-level positions to be a Certified Information Systems Security Professional, an industry credential that can take years to earn.
“If you’ve got a bootcamp, if you’ve got a two-year degree, come talk to us,” he said. “No four-year degree or CISSP required.”
