Equipping the Federal Workforce for the Cyber Age
Building a cyber-savvy workforce will require a paradigm culture shift
Technology has traditionally received top billing in the fight to control cyberspace and there is a concerted effort across all sectors and ranks of government to recruit and onboard professionals who have the training and experience to protect the federal infrastructure in the new cyber dominant world. However, there is increasing consensus that developing secure general federal workforce capabilities are equally important in meeting 21st century cyber challenges.
There is a need, not only for high-level information security training and certification, but for a higher degree of Cyber acumen and awareness coupled with new cultural sensitivity across all levels of federal agencies to meet new requirements and expectations around collaboration, transparency and openness.
In today’s 24x7, borderless, hyperconnected world, Cyber security affects every department, every program and every employee.
To date, federal agencies are just starting to work together to build cyber skills; share cyber workforce strategy and planning; remove barriers related to cyber security recruiting, hiring, and retention; and to increase awareness of cyber challenges and opportunities in the federal government. Until a government strategic blueprint for how agencies should acquire, train, retrain, and manage the cyber security work force exists, agencies will need to raise the bar on developing their employees’ cyber capabilities.
Reorienting our federal workforce will require a comprehensive approach and cooperation from all levels
As Web 2.0 and other technologies fundamentally transform the way government agencies engage with the public to accomplish their mission, agency employees will need to develop and engage new levels of critical thinking, higher-level cyber acumen, and new cultural sensitivities in order to operate safely in cyberspace. To accomplish this, agency leaders will need to fundamentally reorient the culture of the federal workforce to embrace the new “rules of engagement” for operating in Cyberspace. They must also underscore the expectation that all employees are accountable and responsible for safeguarding and sharing information under their purview, regardless of their position or level in the agency. If you touch it (information), you are expected to protect it!
The motivation and commitment needed to create a cyber-savvy workforce goes beyond simply recruiting, training, and retraining. It requires a broad understanding of the scope of the issues and a comprehensive approach to workforce strategy, talent management, and performance measurement. A cyber-savvy workforce is armed with the cyber-risk guidance and awareness to recognize and understand when confronted with a potential threat, what to do or where to go for assistance—within seconds. They must also be abreast of, and have the ability to accomplish their duties in accordance with current laws and policies and address public expectations.
Cyber success will require more than just training. Equipping employees for the cyber age will impact relationships, roles and skill sets across the entire workforce.
Driving cultural change
What we believe agency leaders can do now as they prepare their workforce
Much is being said about the need to produce a competent workforce that can function effectively in this new age of instant technology and access. As recruiters rush to find skilled professionals, their jobs are made more difficult because there isn’t a sound definition for what a cyber-ready professional looks like in terms of prior training and skills. What is obvious is that achieving workforce readiness for new entrants and seasoned staff will require a new culture and the ability to manage change.
Agency leaders should consider driving necessary culture change by instituting new policies and procedures, strong security and privacy training initiatives, and by linking cyber awareness to performance and financial rewards at every level of the organization. They must also develop sound governance policies that enable security, transparency, and collaboration with other agencies when information must be shared. So, what are the fundamental building blocks and actions that agencies can take now to prepare for this change? Let’s start with those in the following list.
- Skills: The broad range of skills required to operate in cyberspace needs to be better defined, understood, documented,
and applied. Otherwise, recruiting, training and other talent strategies will be ineffective in equipping the workforce.
- Policies and practices: Impacts from the “cyber way” of doing business across the agency need to be recognized to support standardization and accountability, and to adjust roles and responsibilities accordingly. If not, there may be gaps in functional coverage, and critical secure channels for efficiencies may be lost.
- Teamwork and collaboration: There must be a greater understanding of how various levels of employees need to work together to communicate, collaborate, and capture synergies. Otherwise, no strategic approach to remodelling a secure cyber workforce can be fully effective.
- Seamless transparency: Agencies with a need to know and a need to share information must learn how to work effectively together across agency lines and develop mutual trust and coordination by developing and fielding tools and communication networks
The need to address these requirements is urgent because the cyber age is already here. It is also dynamic, and tomorrow will likely look different than today. Complicating the landscape is the multisector workforce in which a high proportion of contractor personnel work alongside government employees within the ranks of the federal government. This adds an additional layer to strategic workforce planning and preparedness, because the needs, expectations, and work habits of these employees will vary. These workforce realities require training plans to be developed to meet the various levels of workers in each agency as depicted below:
- Direct frontline operants in cyber offense and cyber security efforts
- Cyber infrastructure support personnel
- Talent management professionals securing and developing resources
- All members of the workforce, including contractors, handling electronic information
Balancing the pressures for quick action with the need for systemic strategic change
Building a new workforce culture will require bold vision, individual discipline, innovative ideas, a structured approach, and a commitment to institutionalizing changes that can revolutionize practices and behavior for years to come. However, leaders must recognize that most change initially triggers skepticism and fear, as well as a recognition of opportunities for advancement. So, executing change mandates must be bottom-up as well as top-down and supported by leaders and employees at all levels in the organization.
As change is integrated into employees’ performance measures, it is important that everyone understands the priorities and expectations. They must also blend the new changes with the tried and true foundation activities and practices to help prevent burnout and resistance caused by too much change too fast.
There is certainly no quick or easy solution to cyber workforce challenges. Agencies are understandably invigorated and motivated by the current Administration’s new way of thinking and are eager to lead the way in adapting to current social and political realities. But, it is critical for agencies not to sacrifice the need for cultural and systemic change in favor of speed.
Deloitte has developed a secure workforce service designed to help agencies in their efforts to synchronize their workforce preparedness actions across the landscape so that no element of the workforce is left behind. Our service is also designed with built-in flexibility to help agencies as they adapt and incorporate new capabilities to respond to the continuously evolving cyber environment.
Deloitte recognizes that current pressures facing federal government agencies are real, immediate and multifaceted.
To have a chance at succeeding, we believe that leaders and staff must take the following steps:
- Provide tools and training that equips their workforce to protect and safeguard both data and information as well as individual privacy and identity
- Accelerate and develop a more robust capability to address the complexity of the cyber domain—covering both opportunities and risks
- Match their long-term cyber strategy with an organizational construct that effectively leverages their workforce to meet needs and requirements
- Put mechanisms in place to quickly adapt workforce capabilities to new demands as the cyber environment changes
To respond to these challenges, Deloitte advocates the use of a three-tiered approach to shore up capabilities in the short-term, while moving quickly to transform Cyber capacity and management mechanisms. Moreover, we have developed services designed to help agencies in their efforts to implement this three-tiered approach.
Deloitte’s approach to developing a cyber-savvy workforce
Deloitte has a three-tiered approach to developing a Cyber-savvy workforce
Tier 1 Immediate Responsive Training
Our Tier 1 services include helping federal agencies with their efforts to take short-term actions to effectively prepare for urgent and existing cyber threats. The major elements of effective Tier 1 Immediate Responsive Training include:
- A robust and widely communicated mechanism for validating, prioritizing and responding to immediate cyber threats
- Alignment of cyber workforce competencies with the most mission-critical agency priorities
- The use of metric tools to determine where vulnerabilities exist and mechanisms for corrective action
- A phased approach to training that yields steady and continuous improvements
- Multiple levels of training to meet the needs of the total staff with different levels of access, responsibility and accountability for information sharing
Your Tier 1 efforts should be role specific, linking groups to responsibilities and competencies associated with the defined priorities to better target training.
Tier 2 Medium-term Secure Workforce Adjustment
Our Tier 2 services include helping federal agencies with their efforts to use a structured method for defining a future, cyber-prepared agency workforce in the medium term. The approach revolves around:
- Defining competencies, aligned to agency strategy, across all cyber functions.
- Redefining or creating new roles based on providing full competency coverage
- Sizing the workforce appropriately to meet current and anticipated demands
- Evaluating the current state of the workforce against the mid-term future blueprint
Included in our services is a road map that accompanies this approach; describes the changes and interventions we believe are needed to build a more secure workforce; and, recognizing the dynamic nature of the cyber domain, includes leave-behind tools and a knowledge-transfer process designed to help you in your efforts to refresh your workforce plans periodically and regularly.
In Tier 2, you should address a broader scope of cyber offensive and security requirements and develop the flexibility for continual improvements.
Tier 3 Long-term Aligned Configuration
Our Tier 3 services include helping federal agencies with their efforts to better leverage workforce capacity through systemic reconfiguration. We believe this broader human capital perspective provides the basis for true system change across all aspects of workforce strategy. Our recommended steps include the following actions:
- Reexamination of role definitions and organizational placement
- Standardization of cross functional jobs that facilitates better hiring, training, deployment and communication
- Re-evaluation of talent management delivery methods to institutionalize more effective best practices in hiring, developing and managing for cyber competence
- Formalization of alignment between enterprise Cyber planning and workforce needs
We believe Tier 3 activities are central to long-term cyber success because of the sustainable synergies created between the workforce and enterprise cyber strategy. The value will be greatest if Tier 3 is part of a broader organizational transformation.
Meeting the challenge
Success will require changing habits at all levels of the agency
The cyber age is here today and with it come challenges, but also opportunities. Cyber training is a reasonable response, but to be effective, it cannot be compartmentalized or delegated to a subset of the workforce. Building a truly aware cyber workforce also involves a long-term strategic approach to changing the culture, the perceptions and the capabilities of each and every person who is privy to information within an agency. Thus, invoking preparedness to meet today’s cyber challenges requires a commitment and comprehensive strategic approach toward equipping and incentivizing the general workforce — in all roles and at all levels.
For example, as cyber threats become more intense and governments rush to improve their procurement and acquisition processes, a closer look is being taken at the acquisition workforce community. The federal government has recognized that the Acquisition Workforce, one of their most important career fields, is in trouble. Lack of trained professionals on current staff, heavy reliance on contractor personnel to preform most of their IT development and procurement functions, and the requirement to decrease the number of contractors have created the need to immediately increase federal staffing throughout the government. Given this, we believe there is an immediate need to design and execute training to upgrade and reorient employees responsible for safeguarding privacy and sharing information in the cyber world so they can more effectively function in this new world of need-to-know, need-to-share and need-to-protect simultaneously.
Deloitte understands the magnitude, scope and complexities of cyber challenges, and we bring the human capital and organizational-change knowledge to help federal agencies in their efforts to connect cyber implications to their workforce. We understand that cyber security is not just about adding a layer of cyber-skilled professionals to the cake. It’s about changing the habits and culture of the entire workforce to ensure that transparency and collaboration are benefits, not vulnerabilities. With our knowledge and experience, we have developed incremental yet time-sensitive, strategically aligned services designed to help federal agencies in their efforts to train and educate their employees to think and do differently, and provide them the tools for cyber success.