Research Questions

  1. How does the commercial sector organize and manage its cyber workforce?
  2. Which practices from the commercial sector are applicable to the Air Force?

To meet the challenges of the cyberspace era — including the rapid rate of change in technology, the growing cyber threat, and the need to integrate cyber with operations in other warfighting domains — the U.S. Air Force (USAF) must find effective ways to organize, train, and equip its cyber forces. "Cyber Practices: What Can the U.S. Air Force Learn from the Commercial Sector?" identifies approaches to cyber organizational and workforce issues. Specifically, this report describes efforts to identify successful processes and practices from the commercial sector that might be applicable to USAF. To ascertain successful commercial practices, the authors took a twofold approach: a wide-ranging literature review and interviews with a carefully crafted set of commercial organizations, selected for their similarities to USAF and for their reputations for cyber excellence. Companies were identified to be similar to USAF in size, cyber functions performed, exposure to cyber threats, and operational environment. The authors found strong parallels in the commercial sector for Department of Defense information network operations and defensive cyber operations. Although none of the companies interviewed were as large as USAF or required to function in deployed and contested operating environments, the commercial practices described in the report are likely to be applicable to USAF and result in effectiveness and efficiency gains. The authors describe the basis for each practice, the benefits it conveys, and how it could be implemented by USAF.

Key Findings

Information Technology (IT) and Information Security Should Be Managed as Two Separate Disciplines

  • Treating the disciplines separately would increase effectiveness and efficiency.
  • Reductions in the size of the cyber workforce might result.

IT Should Remain a Critical Core Function

  • Despite a trend toward outsourcing, USAF must retain some redundancies to ensure that it can deliver services in cyber-contested warfighting environments at operating locations around the world.
  • USAF might be able to find efficiencies above current levels by applying consolidation of IT capabilities to the extent possible.
  • On average, companies maintained approximately 20 times more IT personnel than information security personnel. Given this standard, USAF should consider a cyber manpower review, as its information security workforce is smaller than one might expect based on commercial practices.

Technical Depth of Cyber Leadership Should Be Valued and Cultivated

  • Managing IT and information security as two separate disciplines increases the technical depth of individuals in those fields.
  • There is opportunity for gradually developing the breadth required for senior positions by using an approach that still reinforces technical depth.
  • Encouraging technical depth in the officer corps need not be in conflict with USAF promotion and career field management practices.

Recommendations

  • USAF should align career fields with either IT or information security, since these are different disciplines that require different management and training approaches.
  • Increase the size of the USAF information security workforce. Commercial practice should be considered a lower bound for USAF force structure planning assessments.
  • Improve the accession of cyber-capable personnel by looking for candidates with relevant degrees from universities with noted cyber programs and establishing aptitude tests.
  • Structure organizations, including cyber squadrons, according to the guidelines laid out in organizational theory and consolidate the management of these organizations to the greatest extent possible to achieve efficiencies.
  • USAF should approach outsourcing, whether to contractors or other government providers, in a way that bolsters the expertise of USAF cyber personnel, as opposed to replacing the need for it.

Table of Contents

  • Chapter One: Introduction and Methodology
  • Chapter Two: IT and InfoSec Have Different Workforce Management Practices
  • Chapter Three: IT Is a Critical Core Function Performed by a Large Staff
  • Chapter Four: Technical Leadership Is Valued and Cultivated
  • Chapter Five: Traditional Practices Predominate for Recruiting and Retention
  • Chapter Six: Commercial Practices Might Aid USAF
  • Chapter Seven: Options for USAF to Implement Commercial Practices
  • Appendix A: Characteristics of Companies and Organizations Interviewed
  • Appendix B: Semistructured Interview Questions
  • Appendix C: Organizational Design
  • Appendix D: InfoSec Suborganizations

Research conducted by

The research reported here was conducted within a fiscal year 2014 project entitled Best Practices to Inform USAF Cyber Squadrons of the Future, sponsored by Maj Gen Earl Matthews, director of Cyberspace Operations at Headquarters USAF, and conducted within the Force Modernization and Employment Program of RAND Project AIR FORCE.

This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.