Should the Government Pay More for Cyber Talent?

A security engineer who goes by Aloria posed a blunt question on Twitter last week: “How the hell does the CISO [Chief Information Security Officer] of the FTC make less than I do..?” asked Aloria, who works for Tumblr — a place she describes as a “cat meme sharing site.”

Aloria’s tweet, included a link to a job opening at the federal consumer protection agency, which promises to pay up to $160,000 for a CISO. In response, I questioned (perhaps impolitely) whether the point was a fair one. After all, the FTC is the public sector and, for many Americans, $160K would be a very fine salary to live in Washington, DC.

But suffice to say Twitter sided with Aloria in no uncertain terms. A group of security types piped up and said, in effect, “you get what you pay for, and no CISO worth her salt is going to take a big pay cut to muck around at some agency—that’s why government IT is so crummy.” Meanwhile, a recent report suggests the median CISO salary is $204,000 nationwide, and $225,000 in Washington.

I understand the argument, but am still not sure I agree. First, the government is never going to compete with the private sector on wages. All it can offer is some prestige (perhaps) and a sense of public mission. And even if we agree the FTC should pay more, who among you would like to pay more tax to make it happen? I thought so. And keep in mind, this is one security officer at one agency. Any proposed pay raise would also have to be replicated for specialized jobs across the civil service.

Meanwhile, Geoff Belknap, the chief security officer of business messaging service Slack joined in to argue that it takes money to attract crucial skills —and that the “more tax” argument is too simplistic.

https://twitter.com/geoffbelknap/status/814685784531795972

https://twitter.com/geoffbelknap/status/814687767175131136

So there you have it. The debate remains open. We’ll see how President Trump addresses this perceived security skill shortage in government.