Stopping the federal IT security brain drain
- By Greg Kushto
- May 10, 2016
It's a clichéd but accurate reality, and it's as true in IT security as in any other environment or industry: You're only as strong as your weakest link.
And where is strength more important than at the federal agencies tasked with protecting the lives and livelihoods of millions of Americans?
As government leaders increasingly prioritize cyberspace's role in national security, a critical deficiency has begun to reveal itself: The best and brightest IT security professionals all too frequently migrate to the presumably greener -- or at least more equitable -- pastures of the private sector.
That doesn't bode well given the fact that the federal government needs to hire an estimated 10,000 cybersecurity experts in the next several years. Stopping the brain drain of existing federal IT security talent is imperative, especially as national security threats increasingly take place not on land but in the complex and obscure world of cyberspace. And while the challenge is real, potential solutions are within grasp.
Unorthodox recruiting methods
The Defense Department is actively addressing the problem, most recently through "Hack the Pentagon." Announced by Defense Secretary Ash Carter during the 2016 RSA Conference, the program invites cleared hackers to scour DOD networks for vulnerabilities.
At face value, it's a simple security exercise. But it could also enable the agency to fill security vacancies -- and none too soon. A new recruitment strategy is necessary and overdue, but even innovative programs like "Hack the Pentagon" aren't enough.
Plugging the brain drain requires resources and culture shifts. To recruit and retain the best IT security professionals, agencies must either offer financially competitive jobs or fundamentally change the relationship between government and private-sector IT contractors.
Compensation is the key
The first step is understanding and accepting why employees leave: because the private sector pays more for the same job.
Having worked in both sectors, I've seen it firsthand. Although we'd like to think that protecting our country is reason enough for dedicated and talented IT professionals to stay, even patriots have bills to pay.
Of course, fixing the pay gap requires rethinking our existing GS system -- something more easily said than done. But a few targeted alterations could potentially make a big difference -- for instance, a GS scale created specifically for technology positions.
Such a scale would improve federal IT salaries and eliminate current tensions over "grade inflation" (when the government categorizes tech positions at a higher GS level in relation to the job description). Although that approach wouldn't make government compensation equal to that of the private sector, it would at least make federal IT jobs more competitive.
A new public/private relationship
The irony of the federal IT brain drain is the government's complicity in paying private-sector salaries.
In the IT industry, federal contracts account for significant revenue. And although the private sector has much to offer federal agencies, current rules prevent contractors from fully taking over the roles and responsibilities of departed federal IT employees. If the government can't or won't improve compensation, then the contractors brought in to fill the gap must be allowed to play a more active role in federal IT security.
That would require a more formalized consulting relationship. After all, security doesn't work in a low-bid system. Contractors must be seen as partners who can advise, strategize and plan alongside federal agencies, instead of just workers tasked with implementing a preordained roadmap.
Why? Because the aforementioned brain drain has left the public sector with too few IT professionals who possess the expertise to create comprehensive IT security plans.
To succeed, security must be "baked in" throughout the network life cycle -- not just bolted on at the end. Therefore, security experts (whether federal employees or private contractors) must participate throughout the planning and strategy phases. When federal agencies lose talent to the private sector, they lose the ability to predict how ongoing decisions or regulations might affect their long-term security posture.
An urgent need
Until the government figures out how to mitigate the negative impact of turnover among its IT security professionals, agencies face increased risk and vulnerability.
The potential consequences aren't just hypothetical. In recent years, several major hacks have exposed volumes of sensitive data from government agencies and private citizens alike. Consequently, we know that major intrusions are more than possible. They've occurred already -- and they will again.
Whether through competitive compensation or better partnering opportunities, the federal government needs top IT security talent -- now.
Greg Kushto is director of security and enterprise networking at Force 3.