How to Acquire and Develop InfoSec Talent in Government

I’d like to give a shout out to Troy Adams for this week’s topic.

Let’s face it, information security professionals are hard to find, regardless of sector. According to Varonis.com, the total amount of unfilled information security (infosec) positions in 2021 will reach 3.5 million in the U.S. alone.

Given what we see in the news about information security, that’s not much of a surprise. Coupled with the competition for resources, government has the challenge of typically paying less than its private sector counterparts. On the surface, that’s hardly the recipe to entice seasoned infosec professionals or new ones, for that matter, to come work for your agency.

Before we can talk about how to acquire and develop infosec talent, we need to discuss recruitment challenges that are unique to government. Pay is obviously a concern. I understand that government, in general, cannot match private sector pay. But what I would strongly encourage HR departments to do is to get us in the ballpark. I have seen many government agencies that  only compare salaries against other government agencies when conducting market studies. Consider combining public and private sector pay ranges and positions instead.

Here’s another way of looking at it. Who are agencies competing against for jobs? It depends. For example, people who work as court bailiffs have a pretty narrow niche in the job market. This isn’t to take anything away from those in this field, but this is not a skill set that many companies, public or private, are focused on. Given this day and age, people with cybersecurity skills are wanted by almost everyone. So if we are competing for positions that everyone covets, then why would we limit market studies to only other government agencies, who consistently underpay?

For those who read this and say money isn’t everything, well, you’re right. However, there are numerous studies that state that salary needs to be acceptable before other non-monetary factors have a significant influence. A study by John Gibbons in 2006 makes this very point. Money isn’t everything, as long as the salary is sufficient. And it’s where government can and does make a difference.

There are a lot of workplace variables that come into play when selling a job in government. Some of these are fairly universal, like retirement programs, not having to meet quotas, etc. Some are more unique to the agency in question. What I would emphasize is that all government agencies exist to serve the public. We are here to support our residents and businesses and make their lives better. Yes, there is plenty of argument about how to best do this, but I would posit that everyone expects water when they turn the facet. When they call 911, they expect public safety to respond to their emergencies. And when people are sick, they expect government to help those in need.

What I have told job candidates is that they can make more money in the private sector, but there is something liberating about working for an organization whose number one priority isn’t the bottom line. Do we want to be judicious in the use of public funds? Of course. But we don’t prioritize meeting shareholder expectations over the welfare of our constituents. Government, when done right, is a service organization. I and many of my co-workers take immeasurable pride in our ability to say we make a difference. So why wouldn’t you want to work for government? is what I ask at interviews.

So to summarize, in government, there are:

• good general benefits, usually a retirement package of some sort,
• a decent wage – you typically won’t get crazy rich but you’ll make a decent living, and
• you can have a direct and significant impact on the community and people’s lives.

OK, so we have our pitch ready for potential candidates. But how do you get them in the door? I know, that’s the tricky part. No exaggeration, I had an employee in my current team for a whole four weeks before they left for greener pastures. I had another employee who left for a position in the private sector making 50% more money than we were paying. It happens in government, and it happens all the time in the cybersecurity field.

Here are a couple of thoughts to bring folks in:

• Look at partnering with local educational institutions. This is a great way to find diamonds in the rough and is a good way to strengthen government ties with the local community. In my previous position, I helped form an internship program with a local four-year college.
• Participate with professional organizations. This is a way to make your agency known and start building relationships. As mentioned earlier, infosec employment can be very fluid. The person you met last week at your meeting might be on the hunt for a new challenge the following week. For people wanting to get into the field, this is a good way to get information and start making contacts. Most major cities have some presence with the following entities:
  • ISACA
  • ISC2
  • ISSA
  • Infragard
• Look beyond the acronym soup and other “requirements.” This one is a bit trickier for government as we tend to be very rigid in our minimum requirements. What I can tell you is this – two of the smartest people I have ever worked with in government infosec don’t have bachelor’s degrees. One has no degree and the other an associate degree, and they can run circles around me technically. Another point is, that information security doesn’t need just keyboard jockeys. We need people who can communicate well, write effectively and translate technical speak into business language. This is not your typical SOC analyst or security engineer.
• Analyze what your infosec program is lacking and look to fill those skill sets, not a job description per se. For larger agencies, you might have candidates in other departments that you were unaware of – find them! In a previous role, I negotiated 30% of an employee’s time who was in a department outside of IT. It just so happened that in addition to being a business expert in their department, they had gone to school and received their bachelor’s degree in Information Systems. They wanted some hands-on IT experience, and I needed someone with technical chops to help us out. This would have never come to fruition if I hadn’t gotten to know people outside my department and build my internal network (perhaps another blog topic…).

As usual, I have let this blog get a bit long so next week we’ll talk about talent and skills development in government. Have a great week!

Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected]. And to read more from our Winter 2021 Cohort, here is a full list of every Featured Contributor during this cohort.

Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County, Arizona, which is the fourth most populous county in the United States. With over 25 years of higher education and local government IT experience, Lester has spoken at local, state and national conferences on topics ranging from telecommunications to project management to cybersecurity and data. His current areas of professional interest center around IoT (Internet of Things) technology and data management and the juxtaposition of these disciplines with cybersecurity. You can follow Lester on LinkedIn.