Principal Director for Resources & Analysis for the Department of Defense, Office of the Chief Information Officer, Mark Gorak. (DoD photo by U.S. Air Force Tech. Sgt. Jack Sanders)
AFCEA AUGUSTA 2023 — The Pentagon is taking a new approach to help solve its cyber workforce retaining and recruitment challenges, one that will require thinking “outside the box” and a cultural shift within the department itself, Mark Gorak, principal director for resources and analysis for the Pentagon’s chief information officer, tells Breaking Defense.
At the center of that, he said during an Aug. 16 interview, is the department’s new cyber workforce implementation plan, unveiled earlier this month following the publication of DoD’s Cyber Workforce Strategy.
“The strategy is vague. The implementation plan is where the rubber meets the road, where we actually assign metrics to every single initiative,” Gorak said. “We track that data through time and see if it’s performing or not because I’m not going to spend resources on programs that are not performing…That’s the power behind implementation plans, is you actually can see change, measure it over time.”
The implementation plan [PDF] includes 22 objectives and 38 initiatives all tied to four broad goals: executing capability assessments and analysis processes to stay ahead of force needs; establishing a department-wide talent management program; facilitating a cultural shift; and “fostering collaboration and partnerships to enhance capability development, operational effectiveness and career broadening experiences.”
But while Gorak said he has empowered his team to “think outside the box” and he didn’t say no to any initiative, the department isn’t tied to those 22 objectives and 38 initiatives. In fact, Gorak said, he’s committed to doing away with some of them if they fail to impact the four goals; similarly, he’s open to adding new initiatives if they seem promising.
“I know that’s unheard of in DoD, but that’s how we’re going to go through the process,” he said. “And we’re going to start with these 38, we’ll probably end with more. It’s a five year plan. And I want to plan to be agile, flexible and responsive to the customer base, the users, the organizations, the [services], etc, out there.”
One of DoD’s goals in the implementation plan is to reduce its current cyber workforce vacancy rate, which sits at about 24%, by half the amount in two years. But the figure is more complicated than meets the eye, Gorak said. There’s both good and bad turnover in the total workforce, which includes military, civilians and contractors.
“So the level of turnover is important to us, and what type of turnover it is, right?” Gorak said. “I don’t like that metric…Are we turning over because people are being promoted? That’s a good thing. Are we turning over because people are going to industry? That is also a good thing. Are we turning because people are leaving the [military] and becoming civilians? That’s also a good thing from a DoD perspective. Are we retaining our best? That’s a good thing. I don’t want to retain those not performing.”
Working Towards A Cultural Shift
As part of retaining its workforce, DoD is thinking of ways to shift the norms of behavior for its people.
“So anybody who leads knows that the hardest thing to do is change culture,” Gorak said. “I want to maintain the good things we have, but change some of the culture…What I’m looking at is within the HR community, for instance, we have authorities today, under our cyber excepted service, to do hiring much faster, and to have incentives given to our workforce at a much higher level.
“What we find [is] it’s not being used, because it’s an exception to policy…So having our HR workforce out there know all these exceptions and then willing to use them is a new mindset,” he continued. “So those are kind of the programs that we’re looking at to change part of that culture and mindset. And I think we have to do that in order to retain the force we have.”
One idea is to move towards flexible work hours and the ability to work remotely, both now widely available in the commercial sector that competes with DoD for talent. But the last part also brings up security concerns, whether its devices like Alexa that are “always listening,” or even family members or the home environment itself.
“So within the home, you know, what space do you have available with closed doors, closed windows, shades, pulled stuff like that,” he said. “And of course, as you move up the classification level remotely, those become even more demands to mitigate those risks.”
Gorak added that DoD is looking to establish a program for its cyber workforce where people can maintain their security clearances after they’ve left the department, in case there’s a crisis and the department needs a surge force on call.
Through one of the goals outlined in the plan, DoD wants to establish a dedicated fund to help advance cyber workforce development, piggybacking off of the acquisition workforce’s own version of the fund, Gorak said. Though Gorak didn’t give a specific dollar value (he pointed to the millions), he said the fund would be initially internally funded and then, if proven successful, DoD would go to Congress and ask them to support it.
The fund would pay for degrees, certifications, courses and overall “maintain a higher level of development” in the department, Gorak said.
“Because in our workforce, it’s always changing,” he added. “And keeping up with that change requires constant education, and development. No longer are the days where you can be hired into a cyber position and stay there for life without ever having to go to training.”
Overall, Gorak said the workforce challenge is a national challenge. “Every 11 seconds, there’s a new cyber attack,” he said. “The threat is becoming faster, more complicated, more complex and from more different sources. I don’t see that threat reducing in the future. I see it only increasing.”
