This report describes commercial practices for cyber workforce management and organization, as determined from a literature review and interviews with reputable organizations that have similarities to the U.S. Air Force (USAF). These practices are applicable to USAF as it endeavors to improve the management of its cyber forces. The authors describe the basis for each practice, the benefits it conveys, and how it could be implemented by USAF.
What Can the U.S. Air Force Learn from the Commercial Sector?
- How does the commercial sector organize and manage its cyber workforce?
- Which practices from the commercial sector are applicable to the Air Force?
To meet the challenges of the cyberspace era — including the rapid rate of change in technology, the growing cyber threat, and the need to integrate cyber with operations in other warfighting domains — the U.S. Air Force (USAF) must find effective ways to organize, train, and equip its cyber forces. Cyber Practices: What Can the U.S. Air Force Learn from the Commercial Sector? identifies approaches to cyber organizational and workforce issues. Specifically, this report describes efforts to identify successful processes and practices from the commercial sector that might be applicable to USAF. To ascertain successful commercial practices, the authors took a twofold approach: a wide-ranging literature review and interviews with a carefully crafted set of commercial organizations, selected for their similarities to USAF and for their reputations of cyber excellence. Companies were identified to be similar to USAF in size, cyber functions performed, exposure to cyber threats, and operational environment. The authors found strong parallels in the commercial sector for Department of Defense information network operations and defensive cyber operations. Although none of the companies interviewed were as large as USAF or required to function in deployed and contested operating environments, the commercial practices described in the report are likely to be applicable to USAF and result in effectiveness and efficiency gains. The authors describe the basis for each practice, the benefits it conveys, and how it could be implemented by USAF.
Information Technology (IT) and Information Security Should Be Managed as Two Separate Disciplines
- Treating the disciplines separately would increase effectiveness and efficiency.
- Reductions in the size of the cyber workforce might result.
IT Should Remain a Critical Core Function
- Despite a trend toward outsourcing, USAF must retain some redundancies to ensure that it can deliver services in cyber-contested warfighting environments at operating locations around the world.
- USAF might be able to find efficiencies above current levels by applying consolidation of IT capabilities to the extent possible.
- On average, companies maintained approximately 20 times more IT personnel than information security personnel. Given this standard, USAF should consider a cyber manpower review, as its information security workforce is smaller than one might expect based on commercial practices.
Technical Depth of Cyber Leadership Should Be Valued and Cultivated
- Managing IT and information security as two separate disciplines increases the technical depth of individuals in those fields.
- There is opportunity for gradually developing the breadth required for senior positions by using an approach that still reinforces technical depth.
- Encouraging technical depth in the officer corps need not be in conflict with USAF promotion and career field management practices.
- USAF should align career fields with either IT or information security, since these are different disciplines that require different management and training approaches.
- Increase the size of the USAF information security workforce. Commercial practice should be considered a lower bound for USAF force structure planning assessments.
- Improve the accession of cyber-capable personnel by looking for candidates with relevant degrees from universities with noted cyber programs and establishing aptitude tests.
- Structure organizations, including cyber squadrons, according to the guidelines laid out in organizational theory and consolidate the management of these organizations to the greatest extent possible to achieve efficiencies.
- USAF should approach outsourcing, whether to contractors or other government providers, in a way that bolsters the expertise of USAF cyber personnel, as opposed to replacing the need for it.
Table of Contents
Introduction and Methodology
IT and InfoSec Have Different Workforce Management Practices
IT Is a Critical Core Function Performed by a Large Staff
Technical Leadership Is Valued and Cultivated
Traditional Practices Predominate for Recruiting and Retention
Commercial Practices Might Aid USAF
Options for USAF to Implement Commercial Practices
Characteristics of Companies and Organizations Interviewed
Semistructured Interview Questions