Audit Sparks Debate over CISA ...
Cyber Security
CIO Bulletin
16 September, 2025
An audit raises questions about CISA's cybersecurity pay incentives and creates fears of losing staff and concerns about balancing oversight with retention.
The Department of Homeland Security (DHS) inspector general's report has raised concerns over the use of cybersecurity pay incentives by the Cybersecurity and Infrastructure Security Agency (CISA). The audit found that between fiscal years 2020 and 2024, CISA had distributed $138 million in the form of incentives, including $1.4 million to 348 employees who were considered ineligible.
Auditors revealed that 240 recipients held positions in mission support offices unrelated to cybersecurity, thereby casting doubt on their eligibility. DHS agreed with the findings, signaling that the program may be overhauled.
CISA employees, however, raised fears that eliminating or restricting the incentives could lead to a brain drain of cybersecurity employees. Many contended that even non-technical positions, including strategy, policy, and public engagement, need a strong understanding of cybersecurity in order to support the frontline practitioners.
One employee stated that it is impossible to make policy or make the public aware of threats such as ransomware without having cyber knowledge. Others admitted there had been abuse but warned against overly strict reforms.
With CISA already floundering after heavy staff cuts, staffers fear scaling back incentives will exacerbate retention challenges. As the agency works on the revisions, it is facing a delicate balancing act of being accountable without losing critical cybersecurity expertise.