Across all industries, workforce recruitment and retention are more challenging than they’ve been in decades, with the total unfilled job vacancies in the U.S. more than double what it was 10 years ago. In cybersecurity, this problem has been well-documented for over 20 years, with the most recent credible estimates showing over 600,000 unfilled positions. Within state and local government this gap is compounded by an increasing number of retirements among the most experienced workers, who, according to data from the Rockefeller Institute of Government, are retiring at roughly three times the rate of their private industry counterparts. Further, these retiring workers are uniquely experienced in the systems and processes that drive the complex operation of public sector security and have developed the human networks necessary to accomplish important goals. 

In the current environment, it’s necessary to reduce both the extent and the frequency of this erosion of experience. 

Step One: Capture Institutional Security Management Knowledge 

The impact of increasing retirements – and other separations – within state and local government is magnified by the accompanying loss of institutional knowledge that workforce has developed and leveraged to optimize their performance. Collecting this expertise in a comprehensible and usable format will require additional considerations: 

  1. Allow enough time for a thorough examination. A report from recruiting site recommends allocating at least 12 months to capture the full scope of a pending retiree’s knowledge of internal systems and processes.
  2. Develop reusable materials. Data gathered during this process will be useful across your organization beyond simply informing a new employee in the same position. Take the opportunity to create outputs that can be used in adjacent positions and formalize a process for keeping this information up-to-date and accurate.
  3. Look for opportunities to evolve. Roles that require non-standard processes and bespoke communication paths are indicators of an organization that has grown beyond expected capabilities. As you document the required elements of delivering these roles’ outcomes, watch for areas that can be standardized and for existing processes that can be enhanced to systematize operations for consistency and repeatability. 

Step Two: Create Clear and Evolved Security Role Descriptions 

While you document the activities and interactions that have made a retiring practitioner or manager effective, ensure the replacement job description realistically captures the full scope of that individual’s responsibilities and outputs. State and local government leaders succeed in an environment driven by a combination of technical need, threat evolution, and political reality. As a result, security roles spread beyond a formal list of responsibilities.  Create job descriptions that evoke both an accurate and attractive role. While state and local government organizations may struggle competitively in the areas of compensation or technical resources, they are leaders in addressing issues of scale, privacy, exposure, and mission. Experienced security practitioners seeking a new challenge, a more stable work environment, or exposure to the public stage, will be attracted to state and local roles that offer an avenue for delivering such nontechnical value in addition to requisite technical duties. 

Step Three: Expand and Augment Your Execution Partners 

Successful cybersecurity teams rely heavily on their networks to stay informed with timely advice and insight into emerging threats and trends. As you consider filling your cybersecurity headcount shortfall, refocus your problem definition on expected organizational outcomes. The post-pandemic technology environment has evolved to support an increasing number and variety of services that were once considered onsite necessities. In the 2021 State CIO Survey, a majority of participating National Association of State CIO members reported increasing efforts in multiple areas, including continuous security assessment, zero-trust, vendor management, and traditional security disciplines like endpoint detection, awareness, and identity management.  

This strongly indicates that even in an absence of the pressures caused by the retirement of an experienced workforce, increased collaboration and external support are desirable. Engaging external subject matter experts and service providers presents an opportunity for state and local leaders to focus on their security strategy and efforts to ensure internal support. External teams can be engaged to execute time-consuming or resource-intensive tasks like monitoring, auditing, and testing, while the dedicated local expertise is driving implementation of policy guidelines. 

It May Not Be That Bad 

The dire concerns over the retirement skills gap and subsequent loss of expertise may prove to be an overestimation of the immediacy of the problem. There may be time to treat this as a project, not a problem. In her May 2022 Washington Post article, Abha Battari writes about an emerging pattern of retired workers returning to the job market. Whether because of financial pressures and opportunities, excellent health, or demand for a specific skillset, it’s possible that some of these empty positions may be refilled, or the duties performed, by recent retirees.  To capitalize on this trend, organizations will need to create the right environment and compensation strategy. In a paper titled “The Aging Workforce: Finding the silver lining in the talent gap”, Deloitte highlights four areas to consider: 

  1. Design roles and career paths that suit returning employees.
  2. Design an incentive structure that considers the benefits of ongoing healthcare, reduced hours, and new deliverables like mentoring and process documentation.
  3. Ensure that new offers and opportunities are equitable and frequently reviewed.
  4. Include planning for ongoing development of older workers outside their parochial job scope. 

Planning to Succeed

The simplest analysis of the demographics of the aging U.S. population has been pointing to the arrival of this skills gap across all sectors for decades. More recent developments around the expectations of employees and the increasingly competitive nature of recruiting are exacerbating this problem for state and local leaders seeking to maintain and expand the quality and capabilities of their staff.  Recognizing that there are opportunities to stabilize, optimize, and reimagine service delivery at the state and local level will transform this from an exercise in plugging holes to a strategy for increasing efficiency, productivity, and job satisfaction. 

Learn More

For additional insight into the evolving cyber workforce, tune into NuHarbor’s PWNED podcast for an episode on The Future of Cybersecurity 

Listen Now

Author: Jack Danahy, Vice President of Product and Engineering