of the employee. The better an individual’s knowledge, skills, abilities, and other characteristics (KSAOs) fit the requirements of the job, the work team, and organization, the more satisfied (less dissatisfied) the individual is (Lee and Mitchell, 1994; Subramony, 2009; Wolfson and Mathieu, 2018). As retention is influenced by each of these factors, each factor needs to be monitored and appropriately neutralized or countered (e.g., an outside job offer receives a counteroffer).

The process of managing employee retention in the committee’s judgment needs to be evidence-based. Surveys are often useful in capturing attitudinal measures such as job satisfaction and organizational commitment. Similarly, job, team, and organizational fit can be measured via surveys and/or during the developmental phase of an annual (or more frequent) performance appraisal (Borman et al., 1997; Krumm and Hertel, 2013; Levy et al., 2011). To the extent possible, it is advisable that job satisfaction, organizational commitment, fit, and alternative job availability be monitored as frequently as possible (e.g., 3–4 times per year) using analytics and statistical analysis to model individual and group trends, and acting when necessary to counter or neutralize pressures that tend to increase turnover. The organization also needs to be sensitive to generational differences as certain groups, such as millennials, are often motivated by and hold different values than other generations. Generational differences need to be identified and managed along with traditional constructs associated with retention or turnover, such as satisfaction, commitment, and fit measures (including P-O, or person-organization fit; P-J, or person-job fit; P-T, or person-team fit).

Based on a meta-analysis of the turnover literature, Lee and colleagues (2018) developed a typology of four classes of individuals who stay/turnover. The four types of individuals described below should receive different targeted interventions as retention strategies. Some stay in the organization because they want to and can stay (enthusiastic stayers—job is fulfilling and has good fit indices); and those who want to leave the organization and have the ability to do so (enthusiastic leavers—have other jobs available to them). A third group wants to stay but they must leave (reluctant leavers—for example are let go during a downturn in the economy), and those who want to leave but must stay (reluctant stayers—e.g., family/spouse constraints inhibit leaving). It is straightforward to see how individuals in each group would require and respond to alternative internal and external motivation and retention strategies. Similarly, a close examination of satisfaction and embeddedness surveys for each group might reveal important issues relative to turnover. For example, the organization might ascertain it is top-heavy in reluctant stayers, resulting in productivity issues. In the committee interviews with FAA employees, there were discussions of losing younger cyber talent during government furloughs.¹ These employees were reluctant to leave but needed to as they had to support themselves and their families.²

Compensation

According to salary.com,³ the average information security (IS) and cybersecurity salary is $106,972 as of July 2020.⁴ The 2020 Cybersecurity Salary Survey looks at five positions: Security Analyst/Threat Intelligence Specialist, Security Architect/Cloud Security Architect, Penetration Tester, Network Security Engineering, and Security Director/Manager (Cynet, 2020). The survey looks at salaries, relative organizational impacts (e.g., geolocation, industry, etc.), and individual factors (e.g., gender, experience, certification). According to the survey, location matters with salaries being higher in the United States than in other continents. Bonuses were also common except among Security Analysts, ranging between 1 and 10 percent per year. Another finding was that a degree does not guarantee a higher salary; among those surveys, similar salary ranges were found for those with and without a college degree.

In addition to salary, other benefits cybersecurity employees are looking for can be hard to measure; these include the ability to learn on the job; access to a senior person/being a senior person; training resources; potential for contribution/change; organizational culture, organizational fit, and organizational support to retain cybersecurity talent; a cybersecurity vision or strategy; rewards for employees; and leadership for good cybersecurity (Zurko, 2020).

___________________

¹ Focus group discussion with FAA managers and committee members, August 21, 2020. All discussions were conducted in confidentiality, and the names of the participants are withheld by mutual agreement.

² Focus group discussion with FAA managers and committee members, August 21, 2020.

³ More information is available at: https://www.salary.com/research/salary/posting/information-systems-and-cybersecurity-salary.

⁴ More information is also available at the U.S. Bureau of Labor Statistics for Occupational Employment and Wage statistics. Data can be found at http://www.bls.org.

___________________

⁵ Per https://dictionary.apa.org, a construct is a complex idea or concept formed from a synthesis of simpler ideas.

⁶ Focus group discussion with FAA employees and committee members, August 20, 2020. All discussions were conducted in confidentiality, and the names of the participants are withheld by mutual agreement. Focus group discussion with FAA managers and committee members, August 21, 2020.

⁷ Focus group discussion with FAA employees and committee members, August 20, 2020.

competitive areas. Another challenge to retention and advancement is associated with unfair performance evaluations and lack of feedback.

These issues identified by Naff (1994) and others map to the Etti concepts of workplace networks, participation, proactivity, sense of belonging, and reciprocity. In the aforementioned retention barriers identified by the FAA, implementation of a human capital development process would be impactful. Particularly, if salary competition threatens retention, then proactive methods to create clear paths to advancement and higher salaries within the FAA would reduce this threat. Similarly, success at retention early in an employee’s FAA career could provide opportunities to grow and develop expertise in systems thinking around cybersecurity, such that an employee may be cross-trained to understand interdependencies across all relevant components. This form of joint optimization within human capital development advances the personal growth of the employee and their readiness and productivity within the organization, each of which lead to advancements consistent with organizational values.

Focusing on Management Practices and Attitudes as Leading Indicators of Employee Intent to Depart from an Organization

To be effective, human capital development must be led by management practices that support the advancement of employees. Part of leadership development for managers should involve an understanding of the urgency to recruit and retain strong cybersecurity talent. The FAA identified an increasing challenge of balancing permanent cybersecurity employees with contractors, many of whom are former FAA employees (FAA, 2020). It is prudent to connect the dots in this case. A contributor to effective human capital development is shared governance or a perceived sense of power in the workplace. Managers play a significant role in employee perceived power (Schrage et al., 2020). Thus, management styles must be continuously assessed and developed to determine the extent to which a management style is conducive to an effective human capital development strategy.

___________________

⁸ More information is available at: https://www.shrm.org/resourcesandtools/tools-and-samples/toolkits/pages/understandinganddevelopingorganizationalculture.aspx.

or better compensation, reported being blocked from building human capital in the aviation workplace, and, consequently, they made the decision to go elsewhere to pursue opportunities perceived to be more fair and lucrative.

As the Opengart and Ison (2016) study illustrates, retention is associated with organizational culture, and in particular, building an organization where employees perceive opportunities to develop human capital while also working within an organization that offers opportunity and flexibility. Newer generations with tendencies toward higher career mobility will not easily be retained without future-oriented best practices for retention. To avoid a revolving door and keep the best talent to meet increasingly complex and rapidly changing cybersecurity threats, a strong focus on organizational culture must be central to any organization’s priorities and strategic goals. But an intentional plan and process to facilitate retention also needs to be focused on cybersecurity positions in particular.

One way to focus the effort is to conduct a barrier analysis specific to the cybersecurity workforce. This barrier analysis, in the committee’s judgment should be comprehensive and should involve diverse employees, including early-career employees, women, different generations, and underrepresented minorities. There is a need to build a culture of cybersecurity across all facets of an organization. A better positioned workforce will be the first line of defense. The goal is to have workers do what you would have them do to protect systems on their own. By better training the staff on the threats and making it more competitive this will inspire some employees to pursue cyber careers. A “women in technology” program in collaboration with the Women in Technology organization⁹ can help demonstrate the value and importance an organization or agency is placing on recruiting and advancing women in cybersecurity.

TALENT PIPELINE DEVELOPMENT

Addressing the gap in the cybersecurity workforce requires programs that help employers identify the required skills and education programs that develop those skills at all levels of education (i.e., early, mid, and late career). There are several programs and initiatives specifically focused on developing the cybersecurity workforces at the general education, university, and professional levels. Some initiatives are designed to develop a talented cybersecurity workforce and attract them to work in government agencies (Piotrowski, 2020).

Some of these initiatives are designed to characterize cybersecurity knowledge, skills, and abilities to improve understanding of what is required in various cybersecurity roles. The National Initiative Cybersecurity Education (NICE) Framework was developed to provide a common frame of reference and common language to describe cybersecurity roles and the knowledge, skills, and abilities needed to perform work in those roles (Newhouse et al., 2017). Mapping existing and future job roles to knowledge, skills, and job tasks like those in the NICE Framework is a crucial step in establishing a cybersecurity workforce. It is important to understand what skills are required for each job role so that recruitment and training efforts ensure the required skills in the cybersecurity workforce, and using a common framework may help standardize within different lines of business within the FAA and across organizations. It is also important to recognize that lacking current knowledge and skills in the cyber realm need not be a barrier to pursuing training or a career in cyber, as having requisite aptitudes and traits (e.g., systems thinking, need for cognition) serve as a sufficient predictor for future competency in cyber occupations (Coovert, Wiernik, and Martin, 2019, 2020).

In the committee’s judgment, there may be resistance to investments in the talent pipeline because these investments are for the long term and do not fill current positions, may be viewed as a distraction, and may divert resources from other needs. However, such investments are in the national interest and in a governmental organizations’ long-term interests.

Early Training Talent Pipeline Development

There has been focus in recent years on developing skills and interest in cybersecurity at the K–12 level. For example, the United States Department of Homeland Security (DHS) Cybersecurity Education Training Assistance Program (CETAP) and the Air Force Association’s CyberPatriot National Youth Cyber Education Program are

___________________

⁹ More information is available at: https://www.womenintechnology.org.

intended to give K–12 teachers cybersecurity education tools to develop an awareness of cybersecurity issues and career fields.¹⁰ Government agencies may help ensure the long-term workforce needs are met by actively supporting and visibly participating in these programs. There are increasing efforts and studies aimed at high school students to attract future talent and increase the perceived value of cyber science (Turner et al., 2014).

The largest high school cyber defense competition is the Air Force Association’s CyberPatriot competition program.¹¹ This program was created to inspire K–12 students toward cybersecurity or STEM careers and gives teams the task of managing a network for a small company. The competition is at the core of the program and involves middle and high school students.

Another organization making high-quality computer science an integral part of the K–12 educational experience is CSforALL.¹² The CSforALL initiative connects providers, schools, funders, and researchers to equip students with computational thinking skills.

Other programs for younger elementary (K–6) school children include the Air Force Association’s CyberCamps, which teach the basics of cybersecurity, and the Cyber Education Literature series for early elementary students.¹³ Other organizations have also implemented programs aimed at younger children, such as the Girl Scouts of USA’s Cyber Challenge. In 2019, a national computer science program was sponsored by Raytheon to help close the gender gap in STEM fields by preparing girls to pursue careers in fields such as cybersecurity, computer science, artificial intelligence, and robotics. Finally, universities are beginning to develop programs to engage students beginning in grade school. At the University of South Florida for example, there are special coding camps targeted at several specific grade groups, including Grades 3–5 “Elementary CyberCamp”; grades 4–6 “Everyone Can Code Camp”; grades 6–8 “Middle School CyberCamp”; and grades 9–12 “High School CyberCamp.”¹⁴

Finding 4-2: Continuing through college, groups such as the National Collegiate Cyber Defense Competition bring together highly skilled individuals about to enter the cyber workforce. Groups and activities such as these provide opportunities for an organization to contact and recruit developing cyber talent.

College-Level Talent Pipeline Development

Programs directed at training university students and recruiting them to government agencies have been successful in providing high-quality graduates of programs to federal agencies. The Scholarship for Service (SFS) program¹⁵ is the most well-known of the internship programs for cybersecurity. SFS students receive fellowships in exchange for 2 years of service in a federal agency. As discussed in Chapter 3, the majority of employees hired through the SFS program stay in the position beyond the required service time. Because there are a limited number of SFS graduates, and graduates can choose which government agency in which to serve their required time, competition for these graduates is keen. To take full advantage of the SFS program, employers need to actively recruit SFS graduates and ensure their workplace is perceived as desirable.

The National Security Agency (NSA) and the DHS sponsor the National Centers of Academic Excellence in Cyber Defense Education (CAE-CDE) program.¹⁶ This program aims to decrease vulnerability in the nation’s infrastructure through cyber defense education and research. The program includes the CAE-CDE program for Associate, Bachelor, Masters, and Doctoral programs; and the Centers of Academic Excellence in Cyber Research (CAE-R). The CAE-CDE is a “national quality standard for certifying and maintaining high quality of cybersecurity education with rigorous and consistent requirements for program evaluation and close alignment to specific

___________________

¹⁰ More information is available at: https://niccs.us-cert.gov/formal-education/integrating-cybersecurity-classroom.

¹¹ More information about the Air Force Association’s CyberPatriot program is available at: https://www.uscyberpatriot.org/.

¹² More information about CSforALL is available at: https://www.csforall.org/.

¹³ More information is available at: https://www.uscyberpatriot.org/afa-cybercamps/getting-started/afa-cybercamp-overview and https://www.uscyberpatriot.org/Pages/Special%20Initiatives/CELS-Overview.aspx

¹⁴ More information is available at: https://www.usf.edu/education/about-us/summer-programs.aspx.

¹⁵ More information is available at: https://www.sfs.opm.gov/.

¹⁶ More information about the history and management of the CAE-CDE is available at: https://www.nsa.gov/resources/students-educators/centers-academic-excellence/.

cybersecurity knowledge units” (Dawson et al., 2018, p. 127). Dawson and colleagues note that “[o]ut of over 5300 colleges and universities in the U.S., only about 200 of them have achieved the CAE-CDE designation status” (p. 127).

Currently, education for cybersecurity is available at 2- and 4-year academic institutions, with varying courses, programs, and degrees. These may be focused on cybersecurity, computer science and engineering, management information systems, and other information technology-related areas (NRC, 2013). Cybersecurity education is also available as part of other fields of study such as business.

There is a current push for universities to establish centers to advance cybersecurity education and workforce development programs, such as the Virginia Tech program to help Amazon’s new headquarters staffing.¹⁷ Their roles vary, including curriculum development, co-curricular initiatives, building of the K–12 pipeline, and so forth. Another example is the Center for Infrastructure Assurance and Security (CIAS) at The University of Texas at San Antonio, which created the Collegiate Cyber Defense Competition (CCDC)¹⁸ along with several other competition programs. CCDC is similar to other competitions in many ways; however, it is the only one that focuses on managing and protecting an existing network infrastructure. The competition, especially the top performers, routinely attracts recruiters for hiring.

Diversity Through College-Level Talent Pipeline Development

One path to increasing the talent pool available to a cyber workforce would be to emphasize the recruitment of minorities and women, groups that have traditionally been overlooked in this field (Burrell, 2018). As discussed above, programs in higher education can be an effective component of an organization’s recruitment and selection strategy; this includes efforts to increase the diversity of the cyber workforce. As recently pointed out (NASEM, 2019), a great pool of potential STEM talent can be found at the more than 700 minority-serving institutions (MSIs) across the United States.

Finding 4-3: Institutional partnerships with MSIs can both expand the talent pool for high-demand positions and ensure diversity in the workforce for the long term.

Student-Level Talent Pipeline Development

Beyond institution-level initiatives to promote cybersecurity, interventions with individual students can also bolster the cybersecurity talent pipeline. Scholarship programs, such as those administered through the Center for Cyber Safety and Education (Center), formerly (ISC)² Foundation, provide scholarship opportunities for undergraduate, graduate, minorities, women, and Veterans.¹⁹ The 2020 KnowBe4 Scholarship for Black Americans in Cybersecurity is a $10,000 scholarship that can be used for tuition, fees, books, electronics, and housing, while the 2020 (ISC)² Women’s Scholarship provides $1,000 to $6,000 to individual women pursuing or planning to pursue a degree in the field of cybersecurity or information assurance.

FAA TALENT PIPELINE DEVELOPMENT

There are well-established models for MSI student internships at other federal agencies that the FAA might consider adopting or adapting. The National Geospatial-Intelligence Agency and NSA are good examples. In the committee’s judgment, the most effective internship programs are centered around the student experience, such as supporting mentorship and other engagement with students throughout the academic year.

A spectrum of opportunities for broader engagement exists that runs from informal interactions with faculty to support for campus visits by FAA employees, and providing support for scholars-in-residence. Such activi-

___________________

¹⁷ More information is available at: https://vt.edu/innovationcampus/News/2019/June/innovation-campus-location.html.

¹⁸ More information on competition details is available at: https://www.nationalccdc.org/.

¹⁹ More information about all the scholarship opportunities is available at: https://iamcybersafe.org/s/scholarships.

ties would represent a change in practice and culture from what the committee understands to be the norm in cybersecurity at the FAA. The FAA does this in other areas of the organization, and both NSA and CIA support scholars-in-residence programs at MSIs for this purpose. FAA technical staff and managers can both proactively reach out to faculty and use research with universities as an opportunity to develop relationships with faculty who will create talent pipelines.

There may be a need to create new programs to meet unique or specific FAA cyber workforce needs. For example, there may not currently be education and training programs targeted at detailed government technical oversight of industry technical programs (i.e., aircraft manufacturers).

To formalize a human-centric cyber-education curriculum, Caulkins and colleagues (2016) analyzed the NICE, the National Cybersecurity Workforce Framework, and the DHS National Initiative for Cybersecurity Careers and Studies (NICCS) educational framework. After a gap-analysis, the human-centric educational training curriculum was developed and implemented in a pilot educational program at a large university. Important elements of this work include the integration of three overarching frameworks, a gap analysis, and the focus on human-centric training for behavioral cybersecurity.

How might we conceptualize training for a cybersecurity workforce? And how might these be applied to the FAA’s situation in particular? One proposed model is to utilize a framework associated with military strategy (Church, 2016). There are several flavors proposed, but the author argues that we can leverage what we do well in the military and apply it as a framework for dealing with cyber issues. Another strategy often advocated is that the focus of cyber awareness training should be to try to “get into the attacker’s head.” Many training programs to thwart attackers focus only on the explicit—that which is observable. Martiny and colleagues (2015) believe a more successful approach would be to try and understand the belief states and goals of the attacker. This argues for training a cognitive understanding of the attacker.

Training

Training is an essential part of a cyber aware workforce. Key elements include training regarding social engineering and that the fact any part of the cyber-physical system can be attacked. Developments in the training area include the fact that individuals with different personality factors are more or less likely to succumb to threats of social engineering (Cusack and Adedokun, 2018; SEI, 2014). Cloud-based training has developed the capability of providing training at both the worksite and off worksite of the employee. Additionally, developments of training strategies employing serious games, gamification, and digital sandboxes of different types are increasing the capability to provide realistic training under realistic conditions for a variety of cyber-related occupations.

Formal training methods are employed by the FAA where individuals are sent to universities for specialized cyber training for short periods.²⁰ Other less formal training approaches include peer mentoring (Janeja et al., 2016) and peer influence (Li et al., 2016b) to improve cybersecurity behavior in organizations. Zafar (2016) advocates for the use of behavioral training, having found correlations between habit creation and security threats (e.g., password sharing, phishing, unauthorized cloud computing).

Below are three examples of what the committee means by personnel practices that could support professional development and motivate the cyber workforce. These are not intended as mandates, but illustrations of policies and procedures that likely would benefit the FAA.

1. Allow time away and expensing of registration fees for security workshops.
2. Strategically and fairly use temporary duty assignments to other agencies or FFRDCs so that staff can assess and import security practices that have proven to work well elsewhere.
3. Make broader use of, and publicize internally, short-term “red teams” that allow security-minded technical staff, even those without NICE security job titles, to research new attack techniques on FAA systems,

___________________

²⁰ Focus group discussion with FAA employees and committee members, August 20, 2020. All discussions were conducted in confidentiality, and the names of the participants are withheld by mutual agreement. Focus group discussion with FAA managers and committee members, August 21, 2020.

whether in Atlantic City test facilities or elsewhere. Perhaps more important than the budget outlay is the management skill in creating “blameless post-mortems” (i.e., after action reviews of lessons learned) that widely spread the knowledge gained through the FAA without creating embarrassment or hard feelings.

Skill Development and Training Through Certification

Along with formalized academic training, certification programs can be used to complement and expand cybersecurity knowledge, skills, and abilities. Organizations providing certifications have the advantage of frequently updating information and competencies while also being more responsive to emerging threats in the cybersecurity landscape (Knapp et al., 2017). Other programs such as the U.S. Cyber Challenge (USCC) have identified strategies to train and assess students to fulfill cybersecurity roles.

Workplace Flexibility

Workplace flexibility is a powerful tool to apply in retention as well as recruiting (as discussed in Chapter 3). Changes in telecommuting perspectives related to the COVID-19 pandemic are becoming increasingly cited as an important issue for employees. Work-life balance is an important factor for many younger employees and is increasingly important for all employees (Singh, 2019). Flexible work schedules and flexibility in work location may be a way to bring talent to less desirable locations. Organizations having difficulty retraining or keeping employees because of the work locations should consider allowing telecommuting for job roles that do not require employees to be on site.

RETIREMENT

As discussed in Chapter 2 of this report, the FAA has an experienced workforce with many employees getting closer to retirement-eligible age or having accumulated the years necessary to retire from the organization. For years, experts have been predicting a wave of retirements in the federal government, and urging federal agencies to prepare for the inevitable “tsunami” of retirement-eligible employees leaving the workforce (Lewis and Cho, 2011). This anticipated shift has prompted focus on how to recruit and retain the numbers needed to maintain the workforce and how to capture knowledge from these highly skilled employees. In its interviews, the committee heard about employees staying on past their retirement because they enjoy the mission and experience a sense of fulfillment working in their current positions, but this is not a long-term or comprehensive solution. It is critical that an organization develop strategies to ensure that specialized knowledge related to its mission and operation is captured and transferred effectively to new employees. One strategy would be to establish a list of critical positions within the cybersecurity workforce and track the succession plans for each position on a regular basis.

Such a large wave of retirements also presents any organization with an opportunity to identify shifts in the needed skills and knowledge and recruit employees to fill gaps. The fast pace of changes in cybersecurity affects the skills and knowledge needed to effectively perform cybersecurity, which means that job functions may change equally rapidly (Vasileiou and Furnell, 2019). On-the-job training and reskilling can support the development of these skills but in limited ways, and some job functions may require recruiting new individuals with unique skillsets and experiences (Burrell, 2018). Taking advantage of openings due to retirements may allow the opportunity to evaluate emergent needs and refresh the workforce with those new skills (Dawson and Thomson, 2018). As workers retire, it is important for managers and recruiters to avoid replicating the position description of the outgoing employee and rushing to hire workers with identical skillsets. Instead, they might take the time to look at where the cybersecurity workforce is moving and recast the position for the future, critically evaluating what new skills might be required. Though this takes additional time, it is likely well worth the effort to thoroughly understand present organizational needs, project future needs, and how to further the diversity of skills through a conceptualization of these positions. This may be an effective strategy particularly for agencies that tend to have low turnover and fewer open cybersecurity positions, such as the FAA.

2020). Agility is a critical benefit of this people-centric perspective. Based on organizational theory, too much centralization may restrict the agility of an organization, especially those that rely on knowledge-based roles (as opposed to routinized or skill-based roles) (Hendrick, 2009; Moşteanu, 2020).

Charlie Lewis, Expert Associate Partner at McKinsey & Company, provided information on organizational design from the perspective of strategic management. Trends in how organizations are changing include challenges with organizational leadership, talent acquisition and retention, risk-based investment, business enablement, cyber hygiene, and regulatory compliance. According to Lewis, when thinking about how an organization should be structured, organizational leadership needs to be empowered to influence the business. CISO units should not be perceived as a wall or impediment. They should be seen as innovation enablers.

It is important for cybersecurity in any organization to fit within the structure and the operating model of the broader business and to be a part of the broader business or the broader organization in a way that allows it to support the achievement of the business strategic goals and understand what to secure, why to secure, and where their focus should be in both how they operate to support delivering value and determining the competencies needed (Lewis, 2020). Additionally, the processes, integration, and linkages required with existing governance structures need to be considered across the entire business. Finally, in thinking about how to structure the organization, Lewis suggested bringing in new people, and take the processes and the operating models decided upon to structure the organization as a whole (Lewis, 2020).

Lewis explained that when looking at the operating model as a cyber-specific operating model, there are key design choices to consider. These design choices include the service catalog (what are the services provided and where do they go), risk ownership (clarifying the division of stakeholders who are accountable, responsible, consulted, and/or informed in the cyber risk management process), and lines of defense (as they pertain to cybersecurity and risk are discussed in more detail below). In his presentation, Lewis outlined three lines of defense for cybersecurity:

• The first line typically includes the IS department and business units.
• The second line of defense is composed of risk managers looking at aggregate risks at an enterprise level.
• The third line evaluates the overall process of cyber risk governance.²¹

For the most part, these are fairly standard operating model design considerations that would be applied. Cybersecurity should be no different from any other part of the organization. It just serves a different, newer function. Close coordination across these three independent lines of defense is enabled by five foundational elements that are the keys to success: (1) lifecycle understanding of controls; (2) strong process definition; (3) clear definition of roles and responsibilities; (4) talent distribution; and (5) enterprise-wide agreement between roles and responsibilities (Lewis, 2020). The key takeaway is that there should be close coordination across these independent lines. They may be independent, but they need to work together.

Peter Cooper, CEO of Pavisade, discussed cybersecurity challenges in the aviation workforce. Leadership coordination, accountability, and expertise in aerospace safety are fairly well understood throughout the entire organization in aerospace, all the way up to the CEO (Cooper, 2020). For example, there are dedicated flight safety chains and a well-established culture of flight safety. But for aviation and aerospace cybersecurity, the challenge is finding the balance between leadership, coordination, accountability, and expertise.

Cooper noted it is critical to understand workforce push and pull factors to attract, develop, and retain a cybersecurity workforce. The future workforce will need to:

___________________

²¹ More information is available at: https://securityintelligence.com/take-a-load-off-delegate-cyber-risk-management-using-the-three-linesof-defense-model/.

when necessary, questioning whether those decisions will force the organization to operate outside of its risk tolerances.

Hybrid/Federate First Line CISO Teams

Based on private-sector best practices, neither a fully centralized nor a fully decentralized model for a first-line cybersecurity program can be effective in a large complex organization. To best deliver on the mission, the cybersecurity organization itself is ideally, in the committee’s judgement, a hybrid organization composed of two basic types of teams: (1) a cybersecurity organization-wide team and (2) a vertically integrated specialized team.

Ideally, one core set of teams would support the entire FAA in a shared and horizontally integrated fashion. These teams would directly report to the FAA’s CISO, and their budgets, in the committee’s judgement, should be centrally managed. These teams would focus on governance functions as well as the development and operations of critical capabilities that need to operate across the enterprise to be operationally and economically effective.

These core teams would be augmented by a set of highly specialized teams that are vertically integrated with the different units they support within the FAA ecosystem even as they remain connected to the core. These teams could be matrix managed by both the CISO as well as the lead role of the group with which they are aligned. The budget for these groups should be managed by the CISO as agreed with the relevant department heads.

The key first line horizontal functions are:²²

• Strategy and governance
  • Policy writing
  • Cyber tech strategy
  • Risk measurement and reporting
  • Risk identification/risk acceptance or policy exception management
• Information security operations
  • Identity and access management
  • Vulnerability and threat management inclusive of red team
  • Data protection
  • Supply-chain IS risk management
• Cybersecurity operations
  • Security operations center
  • Threat hunting
  • Incident response
  • Cyber threat intelligence
  • Cybersecurity fusion center
• Core security technology engineering and architecture standards
  • Network, data center, cloud, and end point security engineering
  • Application security architecture and engineering
  • Cyber innovation

As the first-line security engineering and operations teams are built, another private-sector best practice should be, in the committee’s judgment, overlaid on the previous model; this is the idea of organizing around the concept of Plan, Build, and Operate (PBO). Under the PBO rubric, one function would excel at strategy, one at engineering, and one at execution, with all tied together through the shared services delivery goal.

Examples of vertical/local functions are:

• FAA Internal Applications Security Specialists;
• FAA External Applications Security Specialists;

___________________

²² This is meant to be an illustration of one such model; many variations will exist.

• FAA External Airframe Security Specialists; and
• FAA Airport Security Specialists.

Concluding Thoughts on Organizational Structure and Design

In the above sections, best practices associated with organizational design have been enumerated along with examples. Given the changing demographics of the United States, best practices, in the committee’s judgement, would ideally align with future cybersecurity needs and would include the populations that have not been equitably considered as contributors of their talent, skills, and knowledge to the FAA. Intentional efforts to apply these workforce best practices are integral to recruiting, developing, and retaining a robust cybersecurity workforce.

SUMMARY

This chapter has examined how the FAA should retain the talent needed for a diverse cybersecurity organization. Using the ELC model as guidance, the committee has made findings and recommendations in the areas of retention, development and advancement, and retirement. At every point, the committee has also considered issues of diversity. With these as a path forward, the committee believes that the FAA will be able to over time become a high-performing and diverse cybersecurity organization.

Conclusions and Recommendations

Difficulty competing with commercial entities that have higher compensation packages is one of the current challenges faced by the FAA in building its cybersecurity workforce. While one of the biggest benefits of working in the private sector is the higher salary potential, organizational reputation and positioning are critical components of recruitment and talent attraction efforts. The FAA relies on its staff to be mission focused and supports their cybersecurity workforce to complete their tasks.

As described in Chapter 3, managing an employee’s success and thus the organization’s success, takes place across multiple stages: attraction, recruitment and hiring (onboarding), development, advancement, retention, and retirement (separation). These are critical components that the FAA can and should pursue as indicated in the recommendations below.

CONCLUSION 4-1: It is critical that the Federal Aviation Administration develop strategies to ensure that specialized knowledge related to the FAA mission and operation is captured and transferred effectively to new employees.

RECOMMENDATION 4-1: The Federal Aviation Administration should monitor, and revise if necessary, its personnel practices to support the development of the necessary skills to meet the ever-changing demand in the current and future cybersecurity workforce.

RECOMMENDATION 4-2: The Federal Aviation Administration should provide professional development opportunities to refresh skill sets of current cybersecurity employees and ensure sharing of key institutional and mission-specific knowledge with newer cybersecurity staff.

RECOMMENDATION 4-3: The Federal Aviation Administration (FAA) cybersecurity employees and the cybersecurity program as a whole will benefit from a Chief Information Security Officer (CISO) that can develop a comprehensive cybersecurity strategy that crosses multiple complex domains in the FAA. The CISO’s reporting structure needs to support a strong governance model, which ensures that the CISO has both the independence and the access required to effectively manage the FAA’s cyber risk posture. In support of such leadership responsibility, the FAA should position the CISO role at the most senior level of the non-political appointees within the organization. Given the scarcity of qualified

people, the FAA should consider variances from current pay-scale limitations in order to be a competitive employer.

RECOMMENDATION 4-4: Employee retirement, at the end of the lifecycle model, offers organizations the opportunity to rethink organizational needs and required skill sets, which in turn helps refocus talent recruitment and the next iteration of the employee lifecycle. The Federal Aviation Administration should ensure that all efforts to upskill and evolve the cyber workforce include the agency’s risk management, cybersecurity compliance, and independent assurance capabilities.

RECOMMENDATION 4-5: The Federal Aviation Administration should enable the success of the cybersecurity program and the Chief Information Security Officer by designing a hybrid organizational model leveraging private-sector best practices such as blending core and edge (vertically integrated) functions as well as the plan, build, operate model.

REFERENCES