4 Additional Employee and Organizational Considerations
Pages 55-74

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 55...
... model by turning to a consideration of the third and fourth stages of the ELC: Retention and Retirement. The committee first describes opportunities for the FAA's talent retention, talent pipeline development, and retirement.
From page 56...
... In the committee interviews with FAA employees, there were discussions of losing younger cyber talent during government furloughs.[1] These employees were reluctant to leave but needed to as they had to support themselves and their families.[2]

Compensation

According to salary.com,[3] the average information security (IS) and cybersecurity salary is $106,972 as of July 2020.[4] The 2020 Cybersecurity Salary Survey looks at five positions: Security Analyst/Threat Intelligence Specialist, Security Architect/Cloud Security Architect, Penetration Tester, Network Security Engineering, and Security Director/Manager (Cynet, 2020)
From page 57...
... In the committee's conversations with cybersecurity professionals in the FAA, the individuals indicated that they often feel that, due to a lack of resources, the issues they find in the security of their systems cannot be resolved.[6] Additionally, the professionals expressed that they felt that sometimes management listened more to contractors than the full-time employees and involved contractors in decision making while excluding FAA employees.[7]

[5] Per https://dictionary.apa.org, a construct is a complex idea or concept formed from a synthesis of simpler ideas.
[6] Focus group discussion with FAA employees and committee members, August 20, 2020.
From page 58...
... The outcome for the FAA of increasing perceptions of appreciation would include increased job satisfaction and less turnover among its cybersecurity workforce.

FAA RETENTION

Due to the shortage of qualified cybersecurity talent, unemployment rates for this workforce population are low to non-existent.
From page 59...
... . Effective human capital development is grounded in a systematic, strategic plan to grow employees' professional capabilities and to understand employees' current needs and future aspirations within the organization (Alnachef and Alhajjar, 2015)
From page 60...
... A contributor to effective human capital development is shared governance or a perceived sense of power in the workplace. Managers play a significant role in employee perceived power (Schrage et al., 2020)
From page 61...
... These practices, shaped by a specific organizational culture, undermine almost every concept identified in the Etti model for human capital. In essence, women who wanted higher

[8] More information is available at: https://www.shrm.org/resourcesandtools/tools-and-samples/toolkits/pages/understandinganddevelopingorganizationalculture.aspx.
From page 62...
... study illustrates, retention is associated with organizational culture, and in particular, building an organization where employees perceive opportunities to develop human capital while also working within an organization that offers opportunity and flexibility. Newer generations with tendencies toward higher career mobility will not easily be retained without future-oriented best practices for retention.
From page 63...
... At the University of South Florida, for example, there are special coding camps targeted at several specific grade groups, including grades 3–5 "Elementary CyberCamp"; grades 4–6 "Everyone Can Code Camp"; grades 6–8 "Middle School CyberCamp"; and grades 9–12 "High School CyberCamp."[14]

Finding 4-2: Continuing through college, groups such as the National Collegiate Cyber Defense Competition bring together highly skilled individuals about to enter the cyber workforce. Groups and activities such as these provide opportunities for an organization to contact and recruit developing cyber talent.
From page 64...
... The competition, especially the top performers, routinely attracts recruiters for hiring.

Diversity Through College-Level Talent Pipeline Development

One path to increasing the talent pool available to a cyber workforce would be to emphasize the recruitment of minorities and women, groups that have traditionally been overlooked in this field (Burrell, 2018)
From page 65...
... FAA technical staff and managers can both proactively reach out to faculty and use research with universities as an opportunity to develop relationships with faculty who will create talent pipelines. There may be a need to create new programs to meet unique or specific FAA cyber workforce needs.
From page 66...
... Organizations having difficulty retraining or keeping employees because of the work locations should consider allowing telecommuting for job roles that do not require employees to be on site.

RETIREMENT

As discussed in Chapter 2 of this report, the FAA has an experienced workforce with many employees getting closer to retirement-eligible age or having accumulated the years necessary to retire from the organization.
From page 67...
... . Further information-gathering briefings during this study provided more information relevant to organizational design and the success of the FAA cybersecurity workforce initiative.
From page 68...
... . Charlie Lewis, Expert Associate Partner at McKinsey & Company, provided information on organizational design from the perspective of strategic management.
From page 69...
... Finding 4-4: The FAA cybersecurity employees and the cybersecurity program as a whole will benefit from a CISO that can develop a comprehensive cybersecurity strategy that crosses multiple complex domains in the FAA.

CISO Independence

In the committee's judgment, it is critical that the CISO have a high degree of independence in order to challenge failures to execute key security controls.
From page 70...
... The budget for these groups should be managed by the CISO as agreed with the relevant department heads. The key first line horizontal functions are:[22]

– Strategy and governance
  • Policy writing
  • Cyber tech strategy
  • Risk measurement and reporting
  • Risk identification/risk acceptance or policy exception management
– Information security operations
  • Identity and access management
  • Vulnerability and threat management inclusive of red team
  • Data protection
  • Supply-chain IS risk management
– Cybersecurity operations
  • Security operations center
  • Threat hunting
  • Incident response
  • Cyber threat intelligence
  • Cybersecurity fusion center
– Core security technology engineering and architecture standards
  • Network, data center, cloud, and end point security engineering
  • Application security architecture and engineering
  • Cyber innovation

As the first-line security engineering and operations teams are built, another private-sector best practice should be, in the committee's judgment, overlaid on the previous model; this is the idea of organizing around the concept of Plan, Build, and Operate (PBO)
From page 71...
... CONCLUSION 4-1: It is critical that the Federal Aviation Administration develop strategies to ensure that specialized knowledge related to the FAA mission and operation is captured and transferred effectively to new employees.

RECOMMENDATION 4-1: The Federal Aviation Administration should monitor, and revise if necessary, its personnel practices to support the development of the necessary skills to meet the ever-changing demand in the current and future cybersecurity workforce.
From page 72...
... The Federal Aviation Administration should ensure that all efforts to upskill and evolve the cyber workforce include the agency's risk management, cybersecurity compliance, and independent assurance capabilities.

RECOMMENDATION 4-5: The Federal Aviation Administration should enable the success of the cybersecurity program and the Chief Information Security Officer by designing a hybrid organizational model leveraging private-sector best practices such as blending core and edge (vertically integrated)
From page 73...
... 2020. "The FAA Cybersecurity Workforce Overview." Presentation to Committee on Cybersecurity Workforce of the Federal Aviation Administration by FAA Cybersecurity Steering Committee (CSC)
From page 74...
... 2020. "UPS Cybersecurity Defense In-Depth Strategy." Presentation to Committee on Cybersecurity Workforce of the Federal Aviation Administration.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.