Will Retirements Put Federal IT at Risk?20% of IT Security Workforce Could Retire in 3 Years
Retaining qualified IT security talent remains a challenge for governments because often they can't compete with the higher salaries the private sector offers. Exasperating the situation for the federal government is that a sizeable percentage of its cybersecurity workforce is closing in on retirement age.
A survey of some 22,000 federal government employees whose jobs include cybersecurity tasks reveals that the majority of them above age 40 are at least 10 years away from retirement eligibility, but nearly 12 percent could retire within one year, with almost 9 percent more eligible to retire within three years. That could prove to be a substantial loss of institutional knowledge.
There is still ambiguity surrounding the definition of a cybersecurity professional and the competencies required.
The potential loss of experienced personnel could lead to a shortage of skilled employees and place a greater burden on the existing cybersecurity staff, as well as seriously affect the daily operations of the federal government, according to the 2012 Information Technology Workforce Assessment for Cybersecurity, the study issued earlier this month by the Department of Homeland Security and the Federal CIO Council.
"It is important to point out that, even though an individual may be eligible for retirement, it does not necessarily mean this person will be retiring right away," the report says. Still, no one can be sure.
[See the chart, Federal IT Security Employees Eligible for Retirement, at the end of this article.]
More than three quarters of federal workers who perform some IT security tasks are older than age 40, compared with just 5 percent of them being age 30 or younger, presenting the federal government with potential risks to the current and future pipeline of cybersecurity professionals, especially among managers.
Of course, the government would likely pay less for new individuals hired because they don't have the experience of those who retire. That's because the aging cybersecurity workforce members are among the higher paid federal employees. Nearly 71 percent belong to pay grades GS-11 to GS 13 ($50,287 to $93,175 annually) and nearly 22 percent belong to GS-14 to GS-15 ($84,697 to $129,517 annually).
Defining and then identifying who is a cybersecurity professional isn't easy, and that presents a big challenge for the federal government in replenishing its ranks. IT security duties are dispersed across various federal organizations and occupations. "There is still ambiguity surrounding the definition of a cybersecurity professional and the competencies required, as well as the training required to adequately satisfy these competencies," the report says.
That ambiguity is caused, in part, by the reality that more and more information security tasks are being incorporated into information technology and other occupations. Take a look at the occupation classifications of the 22,000-plus federal employees conducting IT security tasks in the chart below: IT management, criminal investigation, electronics engineering and program management, to name a few.
As the federal government looks to replace those who will retire, not all of the skills to be lost should be replaced on a one-to-one basis. That's because of the rapid evolution of information technology and the cyber-threat requires a myriad of talents.
Purdue University Computer Science Professor Eugene Spafford says the government should think of its future as it recruits new personnel. Too often, he says, organizations hire the best hackers with specific skills to address immediate threats. "The long-term danger that we have is that we're going to moving all this stuff into ... an environment that is going to change because of technology and laws, and we're not doing enough to build up a cadre of people with deep experience in basic principles" to address the new challenges, Spafford says.
That's sound advice.