broken FBI-branded padlock

Nick Carter/Flickr (CC BY 2.0) | Remix by Jason Reed

‘A job at Apple or Google will typically be more attractive and alluring for a recent graduate than a job at the IRS.’

From the IRS to the Office of Personnel Management to the White House’s own email system, it seems like barely a week goes by without some new revelation about a cybersecurity failure within the U.S. government. Despite its best efforts, the government appears increasingly outgunned in the war against hackers.

A report released this week by a cybersecurity trade organization may give some insight into why that might be the case.

Conducted by the International Association of Privacy Professionals, the inaugural Privacy Governance Report aggregates information from interviews with 791 professionals working in the North American electronic privacy industry across the public and private sectors. The report found that, within government, officials tasked with maintaining the security of information gathered from American citizens feel understaffed, under-resourced, and demoralized in terms of their own prospects for career advancement.

The result is a situation where the public sector’s ability to combat the rapidly evolving array of cyberthreats aimed at it on a daily basis lags far behind that of private companies.

Seventy percent of privacy professionals working in government said their budget isn’t sufficient to meet their obligations to protect citizens’ data and 63 percent reported that their organizations don’t spend enough money on training. For the entire profession as a whole, those numbers were 59 and 48 percent, respectively.

When it comes to prospects for advancement, public sector respondents were 10 percent more likely to say there was little to no opportunity for upward mobility for them within their group or within their organization as a whole than private sector employees.

The implications of these numbers are worrisome. Managing privacy within large organizations is a rapidly growing field. It took about a decade for the International Association of Privacy Professionals to grow its membership to 10,000 people. It was able to double that number to more than 20,000 in the past two years alone.

People with the skills to deal with privacy vulnerabilities are in extremely high demand. The survey found that about one-third of its member respondents were making more than $150,000. The demand for people with these skills far exceeds the supply across the board. As such, the lower levels of job satisfaction in the public sector indicate the obstacles that stand in the way of government agencies getting the manpower they need.

“Government respondents indicate that the budgets they are working with are significantly smaller than for their private-sector counterparts. Also, the job opportunities they see in this space are more limited,” explained Omer Tene, vice president of education and research at International Association of Privacy Professionals. “The bottom line is that the government seems to be investing less resources when it comes to privacy.”

Tene noted government agencies start from a difficult position when attempting to recruit top tech talent. “In every field, not only in privacy, a job at Apple or Google will typically be more attractive and alluring for a recent graduate than a job at the IRS,” he said, adding that public service has its own allure. “On the other hand, working for government also has tremendous benefit in terms of the level of interest. You might be dealing with top policy issues that it would take you 20 years in the private sector to even start reaching. High-level policy issues, engagement with senior officials from different private-sector businesses or international. There’s a trade-off there and I think government still have the ability to attract good talent. I wouldn’t write them off.”

Apple may have more cash on hand than the U.S. government, but the study also reveals a possibly more fundamental, if counter-intuitive, fault line dividing the organizations that make privacy a fundamental part of their missions—and therefore allocate resources thusly—and those that don’t.

The report drew a distinction between “regulated” industries—like banking and healthcare, where the government has imposed strict rules on how customer data is handled—and “unregulated” ones like software and retail, where individual companies have a lot more leeway. The report found that, contrary to what one might think, privacy professionals in the unregulated industries reported a tendency among their firms to value their work more highly and expend more resources making privacy core to their mission.

The explanation here is that the existence of strong regulations can shift perceptions. When there are strong rules in place across an industry, managing privacy becomes an issue of regulatory compliance. Companies see a set of rules and, by and large, adhere to them, but don’t necessarily go far beyond that. On the other hand, in the unregulated sector, there’s a tendency among companies that have dedicated privacy teams to view a commitment to protecting user data as something that differentiates them from their competitors. It becomes essential to their mission, rather than just a box to check to keep regulators off their backs.

In a sense, Tene argues, government can be viewed as just another (highly) regulated industry.

“We’ve been arguing for years that privacy should be seen as a strategic business driver. You see that unregulated companies are getting that because they realized it impacts their brand and their reputation,” Tene said. “If you pigeonhole privacy as just another regulatory matter, it becomes something that that compliance officer deals with.”

While some businesses in regulated industries, at least the ones on the cutting edge, are expanding their privacy programs as a way to separate themselves from the competition, Tene hopes this mindset will expand to the public sector in light of the recent string of major security breaches.

“It’s important for people who head departments—whether it’s IRS or the Department of Justice or the Department of Homeland Security—to understand how important privacy is and that brand and reputation are important things for a government also,” he said. “They don’t have consumers and there’s no competition typically for governments, it’s still your constituency and the citizens are the ones who are funding you. The first step is just to recognize the importance of this issue, which will help drive resources and budgets.”


Aaron Sankin


Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.