As the cyber threat landscape morphs and state and local government technology operations become more closely entwined, the officials charged with protecting state networks also face increasing difficulty in training and recruiting talent to carry out a public-sector cybersecurity mission, a new survey of state chief information security officers found.
The biennial report, conducted by the National Association of State Chief Information Officers and Deloitte, showed that like their CIO colleagues, CISOs are staring down a talent gap — including new challenges in attracting younger workers to government service.
Meanwhile, more local governments and school districts, as swamped as ever by ransomware and other threats, are turning to their states for help, growing the burden on state cybersecurity operations, even as overall staffing remains roughly level from 2020, when NASCIO and Deloitte last interviewed CISOs.
“The workforce issue has really reached a crisis level with cybersecurity workforce in state government,” Meredith Ward, NASCIO’s director of policy and research and a co-author of the survey, said in an interview. “Competing for salaries, trying to retain folks when there’s other opportunities has been a real challenge.
No major incidents
While the struggle to compete with the private sector and the federal government has been a recurring trend for state CISOs looking to staff up, this year’s survey found many states throttling back on many of the qualities that appeal to millennial and Generation Z workers entering the prime of their careers. Just one-quarter of states are offering remote work as a recruiting perk for their open cyber jobs, despite nearly 90% of the CISOs who responded to the survey saying they’re confident in their employees’ ability to work from home.
Many CISOs were also not fully aware of their agencies’ diversity, equity and inclusion policies. While such policies are not typically overseen by information security chiefs, how they’re implemented affects CISOs’ ability to hire.
“They’ve told us in the past that there haven’t been any major incidents because of remote work,” Ward said. “So this is something that I know that our CISOs and our CIOs continue to advocate for.”
The hiring process can also be slow, the survey found. Half of the 53 state and territorial CISOs who participated said it takes between three and six months to make a mid-level hire, while 46% said it can take more than six months to hire someone at the director level. As an upshot, CISOs grow more reliant on contractors to fill the gaps.
Outsourced cybersecurity services have their place, though: 52% of CISOs said they contract out security operations center work, while 38% outsource risk assessments. CISOs also said they have more confidence in service providers than they do in other third parties, like local governments and public universities.
Collaboration improving, but still limited
State cybersecurity operations are forming increasingly tight collaborations with local governments and public universities, especially as the “whole-of-state” model takes hold. But the breadth of those relationships with locals and educational agencies remains narrow, with more than half of CISOs reporting “limited collaboration” with local governments, state universities, community colleges and K-12 districts.
Those bonds could become closer over the next few years, though, as the Department of Homeland Security begins its $1 billion state and local cyber grant program, which will require states to redistribute 80% of funds they receive to local entities. While the overall amount in the grant program is “not enough to guarantee progress at the local government level,” the survey report read, CISOs said they were optimistic about using the funds to provide shared services.
CISOs also reported optimism about expanding partnerships with public colleges and universities — both to bridge the gulf between state and local governments and to find future talent.
“Particularly in the context of local governments consuming services, why wouldn’t public higher ed train their students as part of the curriculum, and have them doing part time work?” said Srini Subramanian, a Deloitte principal and the survey’s other author. “I think that is a model that is evolving, and we are going to see such creative new ways that the systems are going to address the talent crisis in the future.”
More states have launched similar endeavors in recent years, including in Texas, where earlier this year the state Department of Information Resources opened a regional SOC on the campus of Angelo State University to serve communities in West Texas. Additional regional centers are planned at other colleges around the state.
CISOs as business leaders
The survey found that CISOs’ roles are changing. The rapid acceleration toward cloud applications and digital services brought on by the COVID-19 pandemic has created new management challenges, while ongoing threats like ransomware and emerging threats against critical infrastructure increase pressure on states.
But for the first time since Deloitte and NASCIO started surveying CISOs, those officials no longer say budgetary constraints are their top concern. Most states now have dedicated line items for cybersecurity in their budgets, and some are even spending more than 10% of their overall tech budgets on security, a figure in line with large federal agencies.
More CISOs also find themselves briefing their states’ leaders more often. Thirty-eight percent said they speak to the governor on an ad-hoc basis, and 19% reported having those meetings monthly. These trends point to cybersecurity becoming more central to state governments’ overall operations and possibly to CISOs being seen more as business leaders like their CIO counterparts, Ward said.
“I’ve become encouraged, especially in the last four or five years, that cybersecurity is becoming so much more a part of state government and leaders are really understanding how important it is, and that we need to be proactive,” she said. “So what we hope is that this attention continues in a positive manner and that CISOs can really get some of their initiatives done in states and that cybersecurity never becomes an afterthought again.”