全球智库信息集成服务系统

Information Technology (IT) and Information Security Should Be Managed as Two Separate Disciplines

• Treating the disciplines separately would increase effectiveness and efficiency.
• Reductions in the size of the cyber workforce might result.

IT Should Remain a Critical Core Function

• Despite a trend toward outsourcing, USAF must retain some redundancies to ensure that it can deliver services in cyber-contested warfighting environments at operating locations around the world.
• USAF might be able to find efficiencies above current levels by applying consolidation of IT capabilities to the extent possible.
• On average, companies maintained approximately 20 times more IT personnel than information security personnel. Given this standard, USAF should consider a cyber manpower review, as its information security workforce is smaller than one might expect based on commercial practices.

Technical Depth of Cyber Leadership Should Be Valued and Cultivated

• Managing IT and information security as two separate disciples increases the technical depth of individuals in those fields.
• There is opportunity for gradually developing the breadth required for senior positions by using an approach that still reinforces technical depth.
• Encouraging technical depth in the officer corps need not be in conflict with USAF promotion and career field management practices.

To meet the challenges of the cyberspace era — including the rapid rate of change in technology, the growing cyber threat, and the need to integrate cyber with operations in other warfighting domains — the U.S. Air Force (USAF) must find effective ways to organize, train, and equip its cyber forces. Cyber Practices: What Can the U.S. Air Force Learn from the Commercial Sector? identifies approaches to cyber organizational and workforce issues. Specifically, this report describes efforts to identify successful processes and practices from the commercial sector that might be applicable to USAF. To ascertain successful commercial practices, the authors took a twofold approach: a wide-ranging literature review and interviews with a carefully crafted set of commercial organizations, selected for their similarities to USAF and for their reputations of cyber excellence. Companies were identified to be similar to USAF in size, cyber functions performed, exposure to cyber threats, and operational environment. The authors found strong parallels in the commercial sector for Department of Defense information network operations and defensive cyber operations. Although none of the companies interviewed were as large as USAF or required to function in deployed and contested operating environments, the commercial practices described in the report are likely to be applicable to USAF and result in effectiveness and efficiency gains. The authors describe the basis for each practice, the benefits it conveys, and how it could be implemented by USAF.

• Chapter One

  Introduction and Methodology

• Chapter Two

  IT and InfoSec Have Different Workforce Management Practices

• Chapter Three

  IT Is a Critical Core Function Performed by a Large Staff

• Chapter Four

  Technical Leadership Is Valued and Cultivated

• Chapter Five

  Traditional Practices Predominate for Recruiting and Retention

• Chapter Six

  Commercial Practices Might Aid USAF

• Chapter Seven

  Options for USAF to Implement Commercial Practices

• Appendix A

  Characteristics of Companies and Organizations Interviewed

• Appendix B

  Semistructured Interview Questions

• Appendix C

  Organizational Design

• Appendix D

  InfoSec Suborganizations