We asked Jonathan Sholtis, Program Director in CSRA’s Defense Group and Head of CSRA’s Cyber Institute, to share his insight on standardizing cyber training and accelerating the cultivation of skilled cyber practitioners.
Thinking Next Editors (TN): What impact will the Cyber Executive Order (EO) have on agency heads now that they are charged with a larger role in assuring cyber accountability?
Jonathan Sholtis: Bottom line—cyber requirements are ubiquitous to agency and leader success. Agency and DoD leaders cannot effectively advance the mission without a solid understanding of and command over cyber risks and priorities.
TN: What type of insight and training will leaders need as many have not been integrally involved with cyber initiatives in the past?
Sholtis: The question today is, “How do I get smart fast?” Agency heads don’t have the time and scale to participate in months-long training programs.
Government organizations are making progress in standardizing cyber training for many rank-and-file personnel. For example, the Department of Defense (DoD) is investing in training all of its personnel in cyber regardless of their job function. At the senior officer level and above, however, there has been no mandate for standardized training.
As an agency head or commanding officer, it’s not essential to understand the inner workings of malware or the latest types of cyber exploits. Instead, what is critical is that leaders understand the risk vectors and the capabilities to respond to those risks that their agency or command must have. In other words, they need to know what cyber resources are available to them and how to best leverage them to minimize risk.
TN: What other aspects of the Cyber EO will introduce new requirements for training and skill sets?
Sholtis: The greatest requirement and impact of the EO is standardization—specifically the development and delivery of standardized training across the entire government. For example, in the past, cyber training in the DoD was managed by individual commands with no centralized coordination and/or oversight. This approach yielded inconsistent results and precluded the sharing and adoption of best practices across the entire Department. It also did not optimize cybersecurity spend. The DoD has made significant strides on this front in the last eight years with the creation of the U.S. Cyber Command (USCYBERCOM), which will reach full operational capability in 2018.
Under the EO, instead of each agency head acting alone, they will now have a roadmap and a clearly defined structure of peers and subordinates with whom they can work to implement strategies and capabilities. These capabilities will also be aligned to defined cybersecurity work roles. The work roles will define critical knowledge, skills, and abilities required to operate successfully.
TN: What cyber training/talent requirements are most acute for agencies right now?
Sholtis: Agencies have several distinct challenges right now. First, there are simply not enough people with the skills needed for the operational environment. The demand is high, and supply is low, driving up costs and making it exceptionally difficult to recruit and retain the very best talent. The skills shortage requires agencies and organizations to divert resources and personnel that should be focused on other mission-critical initiatives for training in a new area—namely cyber.
The second challenge is that it can take years to build successful cyber operators—not weeks or months. And, as risks and threats continue to grow in complexity, we require the expertise of specialists, who, much like in the medical profession, are certified in specific areas of practice. The current environment is also driving the need to move from a knowledge-based professional evaluation process to a performance-based process.
TN: How is CSRA helping?
Sholtis: We are helping to drive a more cyber-capable Federal government in three ways.
First, we are investing heavily in cyber training and education for our own workforce. We have developed a cybersecurity curriculum that we leverage with our own employees—the program is aligned to a performance base versus a knowledge base. We are focused on creating cybersecurity practitioners and operators versus individuals who are simply knowledgeable about the cyber risk environment. We equate it to a “vocational education” approach that includes theoretical curriculum while prioritizing hands-on training and experience. This investment is good for CSRA and good for our public sector clients.
Second, CSRA operates a unique Cyber Institute that designs, develops, delivers, and maintains readily accessible and available education, training, and simulations to support the ever-evolving needs of our Federal customers in cyberspace. We train more than 25,000 students annually in the DoD alone. Over the years, we have honed business processes and best practices for crafting and delivering effective cyber education and training.
Finally, we are partnering with academic institutions in the training of the next generation of cyber practitioners. For example, we worked with Louisiana Tech University, which created the first cyber engineering degree program in the country. We have built our Integrated Technology Center in Bossier City, LA, near the university to foster long-term career opportunities for this new workforce. We are also working with Bossier Parish Community College to create and support various technical-focused cyber education programs.