With IT workforce shortages, particularly in cybersecurity-related fields, continuing to dominate conversations in state governments, the National Governors Association and National Association of State Chief Information Officers on Wednesday published a new report on some of the steps states have taken to fill the gaps — and where they’re still falling short.
The 12-page report follows NASCIO surveys from last year in which chief information officers and chief information security officers said it’s increasingly difficult to recruit and retain talented technology professionals in the public sector. Both groups of officials cited lingering effects of the COVID-19 pandemic, stodgy job titles and a workforce now dominated by mid-career millennials, who increasingly expect employers to offer things like remote-work options and diverse workplaces.
And talent shortfalls can only exacerbate states’ existing cybersecurity woes.
“Simply put, states are not poised to face existing and future cybersecurity threats if they cannot first fulfill their workforce requirements. To rise to the challenge, state leaders must collaborate and share ideas to achieve results-driven solutions,” the report reads.
But NASCIO and NGA policy experts argued that statewide officials from governors on down are becoming increasingly attentive to these issues.
“You’ve heard everyone say cybersecurity is a shared responsibility,” said Meredith Ward, NASCIO’s policy and research director, and a co-author of the report. “And I’d add cyber workforce is a shared responsibility. We’re pleased with how much focus governors have put on cybersecurity. This is the next step.”
While NASCIO and NGA have long collaborated on developing cybersecurity policy ideas, the focus on workforce intensified last June at an NGA cybersecurity conference in Columbus, Ohio. Ward told StateScoop that a packed ballroom of state technology leaders and governors’ staffers exposed a lot of IT agencies’ frustration in finding people to protect state networks — and how elected leaders can help address the problem.
Among the “common roadblocks” that came up during that discussion were the unavailability in some states for remote work, outdated job titles and requirements that don’t align with private-sector equivalents, inflexible residency requirements and a lack of upskilling programs, student internships and entry-level opportunities. While many of these issues had been percolating for years before 2020, the pandemic made them more obvious, Ward said.
“The thing about workforce, there are a lot of things I could’ve told you three or four years ago that states need to modernize,” she said. “But until you get that movement that we’ve gotten in the past few years, that’s huge. We really saw now is the time, strike while the iron’s hot.”
The NGA-NASCIO report highlights a few states that’ve taken steps improve their cybersecurity hiring and recruitment. The Georgia Technology Authority is developing a fellowship program with Georgia Tech that will have participating students spend six months working for a state agency, followed by six months with a private employer. South Carolina has since 2019 ramped up its use of social media in job recruitment, training workers at 22 agencies as “content creators” to create posts about job opportunities with the state. And Texas agencies increased their ranks of female tech employees after rephrasing job listings to encourage people to apply even if they don’t meet every qualification listed, according to the NASCIO report.
The report also emphasizes the importance of workplace policies promoting diversity, equity and inclusion. That’s a topic that many state CIOs around the country have prioritized in recent years, even as some governors stake their political identities on opposing diversity initiatives writ large.
NASCIO and the NGA cited market research by Deloitte finding that companies that promote inclusive workplaces — factoring in not just race, gender and sexual orientation, but also physical and mental ability, religious affiliation or geographic location — have 22% lower turnover, 22% greater productivity and 39% higher customer satisfaction, in addition to greater profitability.
“More diverse teams are smarter teams,” Ward said. “It’s one of those things, at least in my personal opinion, that a lot of people are more aware when you realize something needs to be corrected.”
Meeting people ‘where they are’
In nearly every state, it also takes more than just the concerns of the CIO or CISO to effect changes in how people are hired and retained. Human resources departments have also been heavily involved in the conversation, according to the report.
And an increasing number of states have enacted enterprisewide policies that reduce the number of jobs that require four-year degrees and replace academic requirements with skills gained through prior experience. Maryland did so last March with an executive order from then-Gov. Larry Hogan. North Carolina Gov. Roy Cooper on Monday signed a sweeping order that encourages state agencies to recruit people based on their accrued skills and experience, rather than just college diplomas. Cooper also told agencies to train HR staff in finding ways to extend opportunities to people with disabilities and people who’ve been incarcerated.
Cooper’s executive order could cover 75% of all state-government positions, according to the governor’s office.
“You don’t necessarily need to have a degree to be great at your job and North Carolina is in need of talented people who can get things done,” he said in a press release.
IT and cybersecurity recruitment challenges will be a major topic of conversation at NASCIO’s upcoming midyear conference in Washington, Ward said.
“So often in government, a lot of time we do things that are blanket reactions or blanket policies,” she said. “I like that states are being adaptable.”