Free college, stipends help lure critical IT security pros
Last year was a record bad one in terms of the number, and impact, of cyberattacks. That makes IT security professionals among the most in-demand of all tech jobs today.
One area that has historically had a hard time competing for top security talent is government, where security budgets tend to be flat from one year to the next. But a new program – Scholarships for Service – aims to change that picture, paying fully for college tuition, room and board, and even a large stipend, for qualifying students and colleges.
Christopher Buse, chief information security officer with the State of Minnesota, explained to Information Management how the program works, and why he considers it his ace in the hole.
Information Management: What is the size of your IT security staff?
Christopher Buse: I don’t have a definitive number, but probably 40 to 45 individuals across all of the different agencies that we serve.
IM: How is your IT security staff organized?
Buse: The way our hierarchy works, our entry level positions are called security analysts. Those are people that implement workflows, whether it’s in the vulnerability management team or in our security operations center. Analysts come in and act as worker bees, they learn our processes, and they develop. Once they have put in some time and really understand cyber we have a second set of positions – we call them our cyber security engineers.
An engineer is a person who is in that three-year range of experience. They have the knowledge, skills and ability to start doing some independent analysis, to do research, and to fully implement our processes.
Then we move into those people who we call our principal security engineers. Those are generally the top technical leaders over specific areas. They’re the people that help manage and configure our cyber tools. They’re generally regarded as the experts in certain disciplines.
Finally we have security architects. Those people are full time designers; people that run processes, or tools, or operations on a day-to-day basis. They’re also the people that we turn if something is brand new. For example, we’re building out cloud data centers right now. We have security architects full time that are helping to lead those projects to make sure that that bake security controls into those environments from the onset.
IM: What hiring plans do you have in place for security professionals?
Buse: As with every organization both in the public and private sector, there’s this insatiable demand for cybersecurity right now. We joke now that there’s a zero percent unemployment rate, but that is in fact the case. There is a lot of turnover in organizations, so we certainly have unfilled vacancies that we’re working to fill. At the same time we’re also taking a look at how we deliver cybersecurity across our organization, building up centers of excellence in areas that we think will have some long term payback. One example of that is with application security.
IM: What skills do you look for, and what distinguishes a top candidate?
Buse: I look for a well-rounded individual, and when I say that, they have to have a mix of technical, business and communications skills. We’re looking for that candidate that can understand the nuances of IT and IT security, but they can also understand how that relates to a business concept and be able to communicate issues with leaders that are outside of IT.
When I look at candidates, one of the things that really differentiates people would be inquisitiveness. So when I find people that tend to play with technology on their own, that set up their own labs in their house, build servers, do all those kind of tasks on their own because they like technology, those are the people that work out best for us.
IM: How would you characterize the job market overall for IT security people? Worse than we hear? As bad? Not as bad?
Buse: I would say it’s probably worse. First of all, cybersecurity is one of those areas where there is more demand worldwide than there are qualified people to fill all of that demand. But I think everyone is aware of that. In our area -- in the Minneapolis-St. Paul market -- I think we have a more serious situation. Minneapolis-St. Paul has more Fortune 500 companies than any region in the nation. If you look at the big employers in our market, we have several huge employers that are staffing big cybersecurity teams. So that makes our market even more challenging.
IM: How do you compete with the private sector in terms of salaries and benefits?
Buse: Target, and 3M, and United Healthcare – these massive corporations with really big budgets – are looking for those 4-5 year experienced professionals. If I’m going to try to stack up against those corporations purely on dollars I’m going to lose.
One of the things that we’re doing inside our organization is present ourselves as an entry-level employer. Most organizations want experienced professionals. We’re trying to be an entry level employer. We’re trying to grow people from the ground up.
Another big part of it is mission. Hopefully people that join our organization love government as much as I do and have a good feeling about bettering society. If they don’t, the good news is that we’re providing some really talented people to the private sector that know security on a really big scale and have experience with security tools that almost all organizations use today.
IM: What other steps is government taking to best compete for security talent?
Buse: We have something pretty special going on in government right now. Because government has had such a hard time attracting and retaining talent for cybersecurity, Congress helped initiate a program called Scholarships for Service. This is something that I consider my ace in the hole. It’s the thing that gives me an advantage in a world where price alone would put me at a disadvantage.
The way the program works is that for top cyber universities around the country and for the students that are in the program, the federal government will pay the college costs for those students, fully – their tuition fees, room and board, and it also pays they a stipend on top of that. There’s one university in Minnesota that participates. The undergraduate students get a $24,000 a year stipend and graduate students get a $35,000 a year stipend. It’s really phenomenal.
Obviously the demand to be in this program from a student perspective is really high. So what we find is that because the financial benefits are so great, the students that come out of that program are really the cream-of-the-crop.
Also, for every year of college that you get funded, you have to work an equal number of years in government. If I have a student that gets three years of college paid for, then they have a three year commitment to work in government.
I’m really working the Scholarship for Service angle really hard. I really think the Scholarship for Service program is my ace in the hole to get really good talent in the door when, right now, I’d have a very difficult time competing without a program like this.
IM: What is our advice to other hiring managers how they can best locate, lure and attract the talent that they need?
Buse: One of the most important things that security leaders can do today is to establish relationships with academia. Know the college programs in your area. Know the professors on a first name basis.
I spend time going out to colleges, giving guest lectures, to make sure the students know about us and look at us as a viable employer. I’ve always believed that if you’re a cyber security leader and you’re not getting out and doing public presentations, including presentations at colleges and universities, you’re just not doing your job in today’s environment. So get out there and beat the pavement, make sure that students know you, and that you’re actively marketing to those individuals.