Federal agencies pay an average of $7,000 a year less to cybersecurity personnel than their private sector counterparts, so they need to offer training and other benefits while recruiting more from overlooked groups like women and minorities, according to one of the largest regular surveys of information security workers.
The eighth biannual Global Information Security Workforce Study, done by the Center for Cyber Safety and Education and sponsored by contracting giant Booz Allen Hamilton, cyber recruiters Alta Associates and the International Information Systems Security Certification Consortium or (ISC)², was unveiled Tuesday at (ISC)²’s conference CyberSecureGov in Washington, D.C.
The U.S. government “must enhance its benefits … to attract future hires and retain existing personnel given its fierce competition with the private sector for skilled workers and the unprecedented demand,” said Dan Waddell, (ISC)² managing director, North America. “Unfortunately,” he added, “the layers of complexity involved in fulfilling that goal are significant.”
“Thanks to the record-number of federal GISWS respondents this year, we now have substantial data that will support actionable take-aways and help move agencies closer to achieving that goal,” Waddell concluded in a written statement.
The study is one of the largest surveys of the cybersecurity profession, and sampled the views of more than 19,600 information security workers all over the world — including 2,620 feds: 1,614 from the Department of Defense, and 1,006 federal civilian employees or federal contractors. It comes as the conversation about the federal cyber workforce continues to intensify elsewhere: A group of congressional Democrats said this week that the Office of Personnel Management should be more flexible about the level of education it might accept from applicants for cybersecurity positions.
The federal respondents were asked to list the factors most important to their agency’s ability to secure its IT infrastructure — 87 percent said “Hiring and retaining qualified information security professionals” was either “very” or “somewhat” important. That’s the same percentage as in 2015. But rising to second place in the list — viewed as very or somewhat important by 82 percent — was “Awareness of security issues among non-technical staff.” In 2015, just 60 percent listed that as very or somewhat important. The other change since 2015: having a “trusted internet connection” was marked as very or somewhat important by 69 percent, up 20 percentage points from 2015, when only 49 percent marked it that way.
Pay statistics collected by the survey show that federal cyber workers’ average annual pre-tax pay of $118,000 lags that of their private sector counterparts by about $7,000 a year. On the list of “most effective recruitment incentives in attracting new cybersecurity hires,” compiled from federal staff responses, pay is No. 3 in a tight top of the field. Only 30 percent rated it the best incentive, behind “certification, training and education reimbursement” — 32 percent — and a flexible work schedule, at 31 percent.
At the very bottom of the list? The use of headhunters or recruitment consultants — rated as the most effective measure by only 19 percent.
“It can be difficult for government agencies to compete on salary alone when vying for these cyber warriors, they can appeal to a recruit’s sense of mission and purpose, tout the cutting-edge work being done and highlight opportunities for advancement,” commented Ron Sanders, senior executive adviser and fellow at Booz Allen Hamilton. Sanders was the chief human capital officer for the Office of the Director of National Intelligence from 2005-10.
Another way the government can make up for the lower wages it offers is to recruit more heavily from the demographic groups the industry tends to ignore or shut out: women, minorities and older people. And here the feds may have an advantage, the survey reveals, because more than two-thirds (70 percent) of agencies have programs to encourage hiring from underrepresented groups, compared to just above half (55 percent) in the U.S. private sector.
“In today’s environment where cyber talent is scarce, organizations must recruit and train untapped talent pools, focusing on women, minorities, veterans and older workers,” Sanders said.