In a global fight to attract and keep cyber professionals, the Department of Defense says it “must transform the way we approach human capital management” with new and innovative approaches, with a top official asserting “this is not business as usual.”
The DOD released its cyber workforce strategy in March and on Thursday published its implementation plain aimed at ensuring the goals and objects of the strategy are achieved.
As part of the plan, the Pentagon is taking a “different approach,” Mark Gorak, principal director for resources and analysis for the DOD Chief Information Officer, told DefenseScoop ahead of the public rollout, viewing the solution as a collaboration between government and the private sector.
“We feel this is a national challenge. It’s not only a department challenge, it’s also a private-public challenge. We view this as a partnership, versus competition, because when we look at our workforce we see civilians, we see military, and then we have our contractor support. And we view that as one team, one fight,” he said.
No longer should it be frowned upon for personnel to cycle out of the department to go work for a contractor that could be supporting the DOD or national security missions. Gorak said they are all essentially on the same team and the key will be to maintain relationships with those cyber professionals and companies to facilitate greater transfer of skills.
“If we train them and they’re educated and they are very good at what they do and then decide to leave the DOD, whether they’re civilian or military, that’s fine because now they will support a company out there in other sectors that will help the nation. I view that as a win-win,” he said.
Maintaining good relationships with people that leave can foster more collaboration and even allow personnel to come back in to serve in time of need, with a greater wealth of knowledge and experience.
“If we leave on good terms and then we establish partnerships with these firms, or these even individuals, in times of surge or in times of national need … we can have those partnerships with them and call them up when they [are] needed for a month or three months or something, to have that partnership back and forth,” Gorak said. “That way they have all of their training on the industry side and all their experience and they can bring it back to DOD and have those exchanges and partnerships. [That] is one of the things we’re really pushing.”
Gorak wants this new plan to be adaptable over its five-year time lifecycle with the opportunity to take “bold actions” with what is essentially a living document, allowing the department to pivot if certain aspects aren’t working.
“I’ve really pushed for the implementation plan to be agile, flexible and responsive. Most plans in DOD are five-year-out plans. I don’t know where my cyber workforce is going to be in five years,” he noted. “In order to attack that challenge, we have to have innovation. We had to do something new, because we’re not keeping up with our demand … I’m willing to try anything, right. Even if I don’t believe in it or it doesn’t sound good, I want to try it. Then we’ll prove whether it can work or not. That’s part of our whole approach. That’s our mindset going into it. It’s a little different. I’m going to take some risk. I have the full backing of the DOD CIO on this that will measure this and if it doesn’t work, we’ll stop. If it does work, can it scale?”
Recruiting and retaining
There is currently a 24% vacancy rate in cyber positions, according to Gorak, but the department aims to cut that in half during the first two years of strategy implementation.
The uniformed services currently aren’t having problems attracting cyber talent to initially join their ranks. However, that is not the case for the civilian components of the force.
To recruit new people, Gorak highlighted what has been one of DOD’s main selling points for years, and arguably, the main advantage it has over the private sector: mission.
“If you want to work offensive, legal offensive cyber operations, the one place you can do that is in the DOD. Nowhere else can you actually do that,” he said. “If you want to become a great defensive cyber operator, the best way to do that is become an offensive cyber operator so you can see both sides. The breadth of our mission compares to none.”
Additionally, officials are trying to lower the barrier to entry by instituting assessment-based hiring. Too often, jobs have onerous requirements for experience and academic credentials, which Gorak said are only met by a small subset of the population. Instead, they want to focus more on what a potential new employee can do as opposed to how many years experience they have or how many accolades they’ve accrued.
“What we’d rather do is say, ‘Hey, here’s what you’re going to do on this job, your interview is going to be an assessment on a cyber range to see if you can actually do it and then you’re hired,’” Gorak explained. “But I didn’t ask you about your experience, I didn’t ask you about your education. What I care about is what can you do. Because we have people with very little education and experience who actually can program and do a lot. And the vice versa, may also be true. You could have lots of education from 30 years ago and you haven’t worked in the field and the field has changed so much you don’t know the current systems of today.”
The other aspect to recruiting is starting early and young. The DOD wants to begin with K-12 across the country. Part of that is simply educating the wider public that they don’t have to put on a uniform — which might be an unattractive prospect to some — but rather, they can serve as a cyber civilian in the department.
By getting kids started early — through partnerships and scholarships — it can also accelerate their eventual employment.
“The schools get scholarship money from us to have their students go through those programs and then we get those students early. Then they have to serve as a fellowship or an intern during their summers, so we start their security grants early. Then upon graduation, they’re guaranteed a DOD job,” Gorak said.
When it comes to retaining its workforce — especially on the civilian side — the DOD must be more accommodating and flexible to the modern state of office work.
“Expanding remote work and teleworking I think is key,” Gorak said. “The more remote workers you have, location doesn’t matter anymore, because they are wherever they are and they’re performing their duties from wherever they are supporting. They could move to different areas within the system.”
At times personnel might have to work in secured facilities, but Gorak wants to be more tactful and flexible regarding what employees want.
Using data to improve the workforce
The strategy and the implementation plan sought to do a deep dive on the department’s cyber workforce. The plan has 22 objective and 38 initiatives tied to four goals that include: executing consistent capability and assessments to stay ahead of force needs; establishing a talent management program to align with current and future requirements; facilitating a cultural shift to optimize personnel management activities; and fostering collaboration and partnership to enhance capability development and operational effectiveness.
Each one of those objectives are tied to key performance indicators that measure success. Those will help the department make data-driven decisions based on the impact the initiatives have on the four pillars: identification, recruitment, retention and development.
If the initiative helps the goal, Pentagon officials will keep it — if not, they’ll get rid of it, Gorak said.
Moreover, the department sought to define all the work roles for cyber personnel in crafting the strategy and implementation plan. This will help components and services address training, shortfalls and incentives.
“I need to pinpoint and target incentives to those populations, which actually lowers from a DOD perspective our total outlay of incentive programs. And I can pinpoint and then hopefully fix, or at least make it competitive for salaries for those specific work roles where we’re short,” Gorak said. “But having that data to know where we’re short and how many we need are key to the success of our program.”
When it comes to enforcing the implementation plan, Gorak said the Pentagon has some enforcement mechanisms that it can impose upon components, but he’d rather use incentives than sticks.
“I’ve always found that, at least within the department, trying to hold the stick over somebody never works. They’ll wait you out. Rather, we’d like to incentivize,” he said. “If you will complete this, if you become an expert, you can add incentive. If you have so many people exchange in your exchange program, we’re going to give you an incentive. That incentive could be monetary, it could be award, it could be additional resources. What I found is, once people catch on and see the benefits of the program, the program — whatever it is — the initiative has to produce a benefit.”
The ultimate incentive or return on investment for organizations, Gorak said, is reaching full strength with a workforce that’s motivated and performing at a high level.
“That’s our ultimate goal. If you can have and you have that cohesion and that culture established, then the program will take care of itself and actually, I won’t need a job then,” he said.