Attracting a select cadre of cybersecurity professionals to the government’s workforce would not only improve the nation’s cybersecurity efforts but also the government’s cybersecurity workforce as a whole. So how can the government compete with the private sector?
With cybersecurity attacks increasing in frequency and severity and cyber gangs becoming ever more sophisticated, the shortage of cybersecurity professionals to combat them poses one of the biggest threats to public and private computer systems, personal data, and national security. Approximately three million cybersecurity jobs globally remain unfilled this year, and 56% of cybersecurity professionals say that staff shortages are placing their organizations at moderate or extreme risk.
While the private sector is undeniably in great need of cybersecurity professionals, the public sector must compete for the limited supply of qualified candidates, particularly those capable of filling high-level positions. As one DHS official put it, the challenges with recruiting cybersecurity workers to the government is a “national security issue”. The U.S. needs to “figure out how we can build and sustain a cybersecurity workforce as a national asset for America.” Currently, more than 36,000 U.S. public sector cybersecurity jobs remain unfilled, or an astonishing 37 percent of available jobs.
Working for the public sector often comes with a multitude of benefits, such as work-life balance, job security, paid government holidays, generous retirement and other fringe benefits, significant responsibility and experience, and the job satisfaction associated with the critically important task of protecting the country as a whole against cyber threats, both foreign and domestic. But the dramatic shortage of qualified cybersecurity professionals and the multitude of career options available to them means that these perks alone will not suffice to attract top talent, particularly given the lucrative salaries that can be garnered in the private sector. For example, Fortune 500 companies in large cities pay Chief Information Security Officers (CISOs) approximately $400,000 in base salary plus additional compensation. By contrast, the 2021 General Schedule (GS) payscale tops out around $172,500, even after factoring in the highest “Locality Pay Adjustments.” The government, therefore, must create a compelling and competitive financial incentive to accompany the traditional draws of public service.
As the recent “Executive Order on Improving the Nation’s Cybersecurity” recognized, the “Federal Government needs to make bold changes and significant investments to defend the vital institutions that underpin the American way of life.” One of those significant investments must be in the people the government hires. The Cybersecurity & Infrastructure Security Agency (CISA) has recognized the importance of people, stating that among the “Five P’s of CISA’s Success”: People, Partners, Policy, Programs and Public Affairs,” the most important “P” is People. The President’s proposed budget for CISA of $2.1 billion for FY2022, a $110 million increase from the prior year, seeks to advance that aspect of CISA’s success strategy by providing funding for the hiring of “highly qualified experts.”
The federal government’s investment in people must start at the top by attracting a small cadre of leading cybersecurity professionals to fill those positions. To do so, bold yet simple changes should be made to their compensation: a federal tax-free salary and enhanced fringe benefits. Offering a tax-free GS-15, Step 10 salary (currently $172,500 in San Francisco, New York City, and Washington, DC) along with increased matching contributions to retirement plans, more generous vacation and sick leave time. More flexibility in terms of schedule and remote working, for example, would make the government’s overall compensation package competitive, or at least narrow the gap between private and public sector compensation to such an extent that the traditional benefits of public service are not casually cast aside.
Such benefits should not be bestowed lightly. Job candidates seeking this compensation should be required to submit a detailed application to an approval board comprised of civilian and government cybersecurity experts and be required to have extensive cyber experience and a proven track record of success. A vetting process similar to the one high-ranking government officials must undergo should be considered. And the benefits should not be bestowed indefinitely but rather subject to re-evaluation, perhaps after the first two years on the job and then every five years thereafter. Such a renewal process would align incentives and ensure that the government is receiving a benefit commensurate with the additional benefits being bestowed on this select cadre of cyber professionals relative to other government employees. The renewal process would also allow the government to consider whether the benefit is still needed to recruit top talent and prevent it from becoming an entitlement like other government programs; indeed, the shortage of cybersecurity professionals may be a relatively short-run problem, if the proliferation of cybersecurity programs across higher education is any indication.
Attracting a select cadre of cybersecurity professionals to the government’s workforce would not only improve the nation’s cybersecurity efforts but also the government’s cybersecurity workforce as a whole. Top talent, wanting to be mentored, trained, and surrounded by the best in the industry, will be more likely to enter public service, and more importantly, remain employed with the federal government—which will help remedy the attrition problem where more than one in four new cybersecurity hires leaves the federal government in less than a year. With the federal government serving as the largest employer of cybersecurity workers, strong mentoring and training will have a beneficial effect for years to come, not only in the public sector but also the private sector as workers enter the private workforce from government jobs.
While deceptively simple, a federal tax-free salary and enhanced fringe benefits will deliver the needed incentive to attract highly qualified talent to work for the government. Attracting that top talent will provide a bulwark against malicious cyber attacks in the future.
Daniel B. Garrie is the co-founder of Law & Forensics (www.lawandforensics.com), a neutral with JAMS (www.jamsadr.com/garrie), the Editor-in-Chief of the Journal of Law and Cyber Warfare, a Lecturer in Law at the Rutgers School of Law where he teaches cyber warfare, data governance, and cybersecurity law, and a Certified Blockchain Engineer.
Reprinted with permission from the May 26, 2021 edition of Legaltech News © 2021 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.