The Art of Losing (Your Best Cyber Professionals)

It’s not just up-to-the minute systems that states need in order to protect their critical infrastructure—it’s up-to-the minute professionals.

I was on a panel in Alaska a few weeks back, and the topic shifted to public- versus private-sector innovation.

The non-controversial part of my response was that state governments are innately a bit more cautious and deliberate in their technology decision-making. In fact, states tend to stay anywhere from a few months to a few years behind the private sector’s technology adoption pace.

But the mildly controversial part of my response was that I found this trend generally unproblematic. Unlike some government contractors, I’m not in favor of pushing bleeding-edge innovations on state government buyers before they’re ready.

But I have one exception to that rule—cybersecurity.


In the rapidly evolving, real-time-centric field of cybersecurity, there is simply no place for a two-year (or even two-month) lag in technology advancement.

In fact, if a state ever finds itself two years behind in cybersecurity, that’s a legitimate crisis.

But here’s the real problem: It’s not just up-to-the minute systems that states need in order to protect their critical infrastructure—it’s up-to-the minute professionals.

Meanwhile, the private sector keeps cherry-picking all the top talent in state government agencies, offering salaries well beyond what public-sector pay scales allow. As a result, it’s quite challenging for states to find, develop, and retain upper-echelon cyber professionals.

And as if things weren’t bad enough, state governments also have a geography problem—by virtue of operating in cities like Albany, Sacramento, and Jefferson City, which aren’t necessarily the largest pools for IT security professionals in their respective states.


But enough about the problem; what’s to be done about it?

First, states are having success attracting candidates by emphasizing non-financial benefits—for instance, the autonomy to work on more interesting, creative projects, and the flexibility to work remotely.

The new generation of cyber professionals also tends to have a strong sense of mission and public service. So appealing to the importance and societal impact of working in the government space can be an effective recruitment and retention strategy.

Furthermore, government isn’t alone in this fight. While some in private industry are busy poaching top professionals, others are playing a cooperative training role. Symantec, for instance, has been retained in a number of states to help develop their internal IT staff members.

It is true that once these teams are highly developed, individuals may then decide to leave for the private sector in a few years.


But again—to that—I say live and let live.

A continuous influx of newer, younger, more adaptable professionals can actually be an asset to state agencies—as long as they have experts from the private sector to manage the transitions and help maintain essential continuity.

The key point is movement—never stop advancing. This runs counter to the core mentality of most state governments, but it’s absolutely essential.

In cybersecurity, the minute you stop moving is the minute you fall behind.

Latest Podcasts