As the world increasingly relies on digital resources to get work done, good cybersecurity becomes more and more vital to the effective operation of local governments. The Broward Florida School District was recently reminded of this the hard way when their systems were hacked, their data was ransomed for $40 Million, and they had over 26,000 of their documents leaked online as a result. At NextRequest, we strive to make governments more accessible and transparent, and a major piece of transparency is security. That’s why we recently sat down with Kevin Gowen to discuss how he thinks small government agencies can best enable themselves to defend from cyber attacks. Gowen is the Chief Information Security Officer at Synovus, a regional financial corporation headquartered in Columbus, GA. Synovus is based out of a small town and has more limited resources than larger competitors which makes it experience some of the same difficulties building their cybersecurity infrastructure as many small governments. Despite this challenge, Kevin and his team have been able to implement their strategy with great success.
One of the core issues that small agencies face is the extreme difficulty that comes with attracting good cybersecurity candidates. Gowen notes that with a growing demand for cyber professionals, the talent pool just isn’t big enough for a lot of organizations to feel like they have a competitive edge. “Everyone is fighting over the same scarce resource and it’s almost a hierarchy,” says Gowen. “If I’m trying to compete for the same talent as Google, I’m going to have a very difficult time.”
In Gowen’s experience, the talent-pool issue can be mitigated by gaining a deeper understanding of an agency’s cyber needs. By knowing precisely what an organization is trying to accomplish, it can implement security correctly from the beginning, rather than have to make up for gaps after the fact. He finds major value in leveraging CIO organizations, IT organizations, and other tech communities, saying they’re, “great places to compare notes with people that are facing similar challenges to you, and you can understand what's important to [your organization].” Gowen is also not opposed to a more direct approach. “One of the first things I did [in my current role at Synovus] was bring a third party in to look at our program to see what we were doing and give me some guidance on, ‘Here's what you... are doing well. Here's what you... need to improve.’” He says, “to have people understand the bigger picture, I think, opens up the opportunity to folks who might’ve never thought about [working in cybersecurity].” This has very much been the case with the analysts and strategists he’s been able to attract to his team over the years.
Gowen has found great success recruiting fresh talent straight out of school by using a local strategy. And even though schools with well-known computer science programs like Georgia Tech in Atlanta are within driving distance of Columbus, Gowen doesn’t feel the need to only go to Georgia’s large tech centers. For smaller organizations, he sees a disadvantage in trying to recruit from major programs that goes back to his pecking-order theory: he knows students at a Georgia Tech or similar school will be highly sought after by tech giants that are difficult to compete with. Instead, Gowen looks in his own backyard. “Columbus State [University] has a really good cyber program, so we've built a relationship with them. We hire students as co-ops, we do summer internships, things like that…. we get good people, we give them a really good experience in working with us.” Gowen sees teaming up with local colleges and universities as a win-win scenario: The students get an opportunity to put their field of study to practice and learn what the real world is like, while his team gets to know the future workforce of the industry on a personal level. By the end of an internship, it’s Gowen’s goal to have taught students a valuable skill set and have his organization be the students’ employer of choice. That way, he doesn’t have to re-recruit them or chase after higher priced free agents who he then has to train.
While his local strategy has served him well, Gowen, like many other leaders, realized during the COVID pandemic that a lot of his organization’s work can effectively be done from remote locations. He still wants to invest in talent from the Columbus area, but he now knows that attracting or keeping someone doesn’t necessarily depend on convincing them to physically be at his headquarters anymore. “I've got an outstanding guy who does threat hunting and active defense stuff on our cyber team who lives in Austin, Texas. He’s not moving here.” And Gowen has no issue with that. Instead, he just sees a new opportunity to effectively recruit from a much wider area.
By widening the scope of the talent he looks for and finding alternative methods of recruiting, Gowen has found that there are enough candidates that meet his needs that he is able to be discerning in who he chooses to bring into his organization. Given the dynamic nature of the cybersecurity arena, what Gowen likes to look for in candidates is a cultural add as opposed to a cultural fit. “Who's going to bring an experience, a perspective, some knowledge? Whatever is different [to] help make the workforce more diverse from every perspective.” As he looks to make his team more inclusive of different backgrounds, Gowen also likes candidates who are highly inquisitive and excited and hungry to put themselves at the forefront of their field. He notes that in cyber, “you're gonna deal with bad stuff a lot more than good stuff, so [I like] people who are energetic and resilient and interested in taking on a challenge.”
With all the success he’s had attracting good people, Gowen puts a great deal of emphasis into retaining those people, and he feels that piece of the puzzle is too often ignored in his industry. “If I'm constantly chasing talent because I can't keep the ones that I have,” says Gowen, “that's a losing battle. It just gets more and more expensive because the next person is generally always going to cost you more than the last one did.” To maximize retaining his employees, Gowen takes a two-prong approach: The first begins with implementing a productive onboarding experience that sets clear goals and expectations. Once that’s been established, he gives his team regular feedback so they’re constantly growing. The second involves continually investing in training and development for his team. He knows that can seem tough for agencies that tend to have tight budgets, but he believes that, “making the physical investment [not only makes] you safer from a cyber security standpoint, it also reassures the people that you employ, you care about keeping them happy, and that makes them stay longer.” Not investing sends a message to a team that they’re not important to an organization’s success, even though as events continually prove, cybersecurity is one of the most crucial departments in a government agency, no matter how small.