Leadership, Culture, and the Military Cyber Workforce

Every military leader emphasizes the importance of cyber operations, but there is a perennial shortage of qualified personnel in the military cyber community, across all the services. As calls for a “Cyber Force” grow louder, the armed services will only become more pressed to improve the three interrelated processes of recruiting, training, and retaining talent to lead the execution of cyber missions.

Talent management debates often fixate on the private sector’s advantage over the military in offering higher salaries and better benefits. In the context of officer talent management, such a focus overlooks what attracts young people toward military service in the first place. While the U.S. military can certainly optimize personnel policies, it should not downplay the intangible factors that the military offers young Americans, specifically opportunities to lead others and be part of a unique tradition and culture.

Recruit, Train, Retain: The Cyber Talent Management Triad

Talent management (in other contexts referred to as human resources or personnel management) requires getting the right personnel into the right roles in the right numbers. This includes bringing enough people into an organization (recruiting), ensuring those people have the requisite skills and knowledge for their respective roles (training), and ensuring an adequate number of those people remain in the organization to help shape that organization’s future (retention). While operational units have been created for cyber operations at all echelons — from the combatant command all the way down to mission teams — the responsibility for recruiting, training, and retention remains with the services. While a hypothetical future cyber force would surely assume this responsibility, the current health of the military cyber workforce remains a clear and present issue for the services to manage.

Successful recruiting, training, and retention efforts for cyber personnel will require resolving (or at least managing) the competing priorities that exist within these three tasks. From a crude bureaucratic lens, talent management can be simplified as filling billets with adequate numbers of properly trained individuals. This imperative can drive bureaucracies to broaden their talent pool by reducing the selectively of their recruiting criteria and the rigor of their training. This approach overlooks the importance of developing leaders who can maintain and enhance the long-term well-being of an institution. If personnel are treated like rows on a spreadsheet, they might as well take their talents to a large corporation that can compensate them better.

It also overlooks the inherent interdependence among the three tasks: A failure in one of these tasks can undermine the other two. This is most obvious when low retention creates personnel shortages, which in turn rushes the onboarding and training processes. But poor training or a slow and ineffective recruiting process can also undermine retention when the costs of tolerating bureaucratic issues outweigh the benefits of service. In short, cutting corners on any single task within the larger human capital enterprise risks creating a talent management “tailspin” whereby all the health of the workforce suffers.

Especially for a relatively young military community like the cyber community, culture can be driven by the quality of personnel. A community of individuals who feel unqualified, unprepared, and therefore unappreciated will soon foster a disgruntled culture. A corrosive culture, in turn, will drive personnel to look for employment elsewhere. While the cyber community is not the only military community that often finds its personnel aggressively recruited by the private sector, the cyber community also competes for talent within itself. For example, cyber personnel often receive different pay and benefits despite performing the same roles, based on their respective service’s policies. While this affords opportunities for experimentation across the services, it risks dividing limited resources in situations where a common standard across the joint force may be preferable.

Bit by Bit: Cyber Leader Development

Rather than trying to beat the private sector model at its own game, a more sustainable talent management strategy should embrace the unique characteristics of military service that attract young people in the first place. For young officers, there are two key components that differentiate the military experience from the experiences of their counterparts in the private sector: opportunities to lead and service culture. These two factors are mutually reinforcing: Leaders must serve as stewards of their community’s culture, and the community’s culture encompasses the norms and values that shape how leaders are developed. Moreover, leadership development and cultural stewardship also enable success within the three fundamental talent management tasks. Strong leaders and a strong culture are needed to inspire young people to join, develop them into leaders in their own right, and provide steady intrinsic motivation for these leaders to continue serving.

Despite the technical nature of the field and the Hollywood image of the “lone hacker,” cyber leaders — like other military occupations — need to be able to make decisions and enable teams to accomplish what they would not be able to accomplish on their own. Like any other warfare area, this is a team sport, and teams almost always need leadership and direction to be successful. Leader development can take both formal and informal forms. An officer’s leadership abilities are tested and developed “on the job” through experience over time and mentorship. In order to assist this process, models have been created for leadership development, such as the Army “Be-Know-Do” model. Be-Know-Do is a holistic framework for officers to consider how their current attributes, knowledge, and actions impact their development as leaders. From the organizational level, the model helps leaders set standards and expectations for future leaders to prepare to accept more responsibility.

This model helps articulate an end-state for an organization to move towards in recruiting, training, and retaining leaders by answering the following questions: What attributes should recruiters seek in prospective officers? What knowledge and skills should be instilled in new officers? And how should officers demonstrate their suitability to being promoted and retained? Considering these questions simultaneously rather than separately can help craft a more comprehensive talent management approach. A more integrated approach signals that the organization is invested in its leaders’ development, rather than treating the recruiting, training, and retention processes as just more “boxes to check off” to remain compliant in a faceless bureaucratic apparatus.

The cyber community can also leverage the Be-Know-Do model to articulate how being a military cyber officer is distinct from being a cyber professional in the private sector. Officers are not just more senior practitioners in a given warfare area — they are responsible for leading teams of technical experts in order to accomplish assigned missions. A basis of technical knowledge is just a starting point for the officer, who must also understand the authorities and broader operational and strategic implications of the actions they direct. Lastly, cyber officers can be responsible for much more than just network security, including a range of offensive, defensive, and intelligence-gathering purposes. These distinctions provide a more concrete vocabulary for the military cyber community to pitch itself as a unique and possibly better opportunity for young people to become cyber professionals and serve their country.

Building a Cyber Culture

While the lack of a “Cyber Force” precludes a cyber service culture, nurturing a distinctive and attractive culture remains critical in order to pitch to young people that being a military cyber officer is not like any other job, as well as in maintaining cohesion across a community that is currently administratively dispersed across all of the services.

A RAND study comparing the cultures of the traditional military services (Army, Navy, Marine Corps, and Air Force) and U.S. Special Operations Command reveals how they all compete against one another for resources, roles and missions, and personnel. This report’s inclusion of Special Operations Command alongside the services is important because it reveals how a relatively young military organization can forge its own culture in order to attract and retain personnel from both within and outside the military. While others have compared cyber operations to special operations, from a cultural standpoint, the special operations and cyber communities are largely alike in that personnel within these communities have more in common with each other than with colleagues from their services. For example, an Army and a Navy cyber officer likely have more common experiences than a Navy cyber warfare engineer and a Navy surface warfare officer, besides initial ascension experiences like the Naval Academy or Officer Candidate School.

While commonalities exist, the cyber community cannot and should not attempt to replicate the special operations community’s culture. Compared to the earlier discussion of cyber talent management challenges, the talent management landscape for the special operations community is starkly different. The RAND report notes that, “Due to its elite reputation and secretive, direct action missions, [special operations has] little trouble drawing far more applicants than it can select.” A cyber community should aspire to be inclusive, rather than exclusive. As Max Smeets argues in these same pages, the field of military cyber is much broader than the single work-role of the “hands-on-keyboard” cyber operators — information technicians, lawyers, planners, analysts, and administrators also fill vital roles in supporting and executing a cyber operation. In addition, the cyber community should not be treated as synonymous with a specific organization or place of duty. While U.S. Cyber Command is the central coordinating entity for cyber operations, personnel who perform duties in cyberspace for organizations outside of the command’s direct auspices should not be excluded from the military’s big-tent cyber community.

Finally, a significant part of a service’s self-perception rests on how the community represents itself to the rest of the military as well as the general public. When members of the military cyber community go home at night, what do they tell their friends and families about what they did that day? Seeing as the average American likely owns multiple internet-connected devices, a more compelling explanation than “It’s classified.” would help the military cyber community better explain how it contributes to national security. This further underscores the reality that technical knowledge alone is not enough for cyber leaders — in order to help shape the culture, leaders in the cyber community ought to be able to clearly and concisely communicate the community’s role in combatting malicious cyber activity. Hopefully, very few Americans will ever find themselves being targeted with a foreign country’s military munitions — however, virtually every American citizen and company is a potential target of a foreign cyber operation. For better or worse, culture is determined not just by dynamics within the community, but also by the community’s image in the broader military and public landscape.

Competing Is About Being Different

While being two distinct goals, developing leaders and developing a culture are interdependent processes. Leaders are responsible for creating and maintaining a healthy culture and, in turn, the health of a culture in part determines the quality and quantity of the pool of leaders available to assume leadership roles in the future. Placing leadership and culture at the center of the military’s talent management strategy for cyber professionals serves to sharply distinguish the benefits of the military experience from the more material advantages of a private sector cyber career.

Building a common culture could begin with forging a common experience. U.S. Cyber Command, the National Security Agency Cybersecurity Directorate, and the Cyber National Mission Force might consider creating a common training experience for junior officers slated for a cyber billet — like a Captain’s Career Course or Expeditionary Warfare School for joint cyber officers. Similar to the Army’s Ranger School and the Navy’s SEAL training, a common training experience creates opportunities for officers to form bonds with each other and also link generations through a shared experience. Considering cyber operations officers come from all of the services, the opportunity to learn leadership fundamentals in a cohort setting will prepare officers to understand their roles and how to work together.

The cyber officer training curriculum must include technical fundamentals, but this should not be the sole focus. Cyber operations — both offensive and defensive — is often the art of the possible, and officers responsible for planning and executing cyber operations should understand the full range of factors, to include technical, legal, strategic, tactical, and, most importantly, human factors. This course curriculum should include deep dives on the role of cyber operations across the strategic, operational, and tactical levels of warfare. The ability to lead and conduct novel missions across the levels of warfare can be leveraged as an advantage to keep junior officers in the military, as such experiences are not readily available in the private sector. This more problem-focused training model can stand out as more rewarding and engaging than the private sector’s model of chasing expensive online credentials.

To prevail in the competition against the business world over a fixed pool of cyber talent, the military might be wise to heed the advice of that world’s premier strategist, Michael Porter: “Competitive strategy is about being different. It means deliberately choosing a different set of activities to deliver a unique mix of value.” While necessary, re-engineering benefits and personnel management policies alone will not be sufficient to sustain a healthy cyber workforce. Rather, the military cyber community — regardless of whether it becomes its own service or remains spread among the current services — should embrace and even enhance the unique aspects of military life when compared to the private sector. Consequently, differentiation rather than optimization should be the path forward for the cyber workforce.

Nicholas Romanow is a cryptologic warfare officer stationed at Ft. Meade. He currently serves as the operations officer for the National Security Agency’s Cybersecurity Collaboration Center. He is a graduate of the University of Texas at Austin and was previously an undergraduate fellow at the Clements Center for National Security.

The views expressed belong solely to the author and do not reflect official views of the Navy, the Department of Defense, or part of the U.S. government. A version of this paper was presented at the Naval War College Cyber and Innovation Policy Institute Summer Workshop. The author would like to thank the attendees and the faculty for their input on this paper.

Image: Staff Sgt. Devin Boyer