States' efforts to improve cybersecurity are being hindered by lack of money and people. States don't have enough funding to keep up with the increasing sophistication of the threats, and can't match private sector salaries, says a new study.
This just-released report by Deloitte and the National Association of State CIOs (NASCIO) about IT security in state government received responses from chief information security officers (CISOs) in 49 states. Of that number, nearly 60% believe there is a scarcity of qualified professionals willing to work in the public sector.
Nine in 10 respondents said the biggest challenge in attracting professionals "comes down to salary."
But the problem of hiring IT security professionals isn't limited to government, according to Jon Oltsik, an analyst at Enterprise Strategy Group (ESG).
In a survey earlier this year of about 300 security professionals by ESG, 65% said it is "somewhat difficult" to recruit and hire security professionals, and 18% said it was "extremely difficult."
"The available pool of talent is not really increasing," said Oltsik, who says that not enough is being done to attract people to study in this area.
Oltsik's view is backed by a Rand study, released in June, which said shortages "complicate securing the nation's networks and may leave the United State ill-prepared to carry out conflict in cyberspace."
The National Security Agency is the country's largest employer of cybersecurity professionals, and the Rand study found that 80% of hires are entry level, most with bachelor's degrees. The NSA "has a very intensive internal schooling system, lasting as long as three years for some," Rand reported.
Oltsik said if the states can't hire senior people, they should "get the junior people and give them lots of opportunities to grow and train." Security professionals are driven by a desire for knowledge, want to work with researchers and want opportunities to present their own work, he said.
Another way to help security efforts, said Oltsik, is to seek more integrated systems, instead of lot of one-off systems that require more people to work on them.