Information Domain: Workforce models for the information age
During NZDIA’s IDEAS 2020 Part One, Defence told industry its input was needed to deliver the Information Domain and to design new Defence operating and business models fit for the information age.
As an exercise in early engagement, last year’s IDEAS 2020 Part One was roundly lauded for providing industry with an opportunity to be involved from the starting blocks in discussions around a range of new Information Domain capability areas.
The initiative was itself an acknowledgement of the centrality of industry to the mission of standing up the new information domain.
By the end of the event, Ministry of Defence and NZDF Information Domain Directors had left industry with the challenge of answering key questions around the future Defence Operating Model: What types of operating models, relationship models and workforce models are needed to support the new domain?
Industry’s responses to these questions are detailed in the NZDIA’s soon-to-be-released consolidated IDEAS 2020 Insights Package, and in the presentations and transcripts available in the members-only area of the NZDIA website.
In this article, we feature an excerpt from the Insights Package that explores how, in IDEAS 2020 Part Two, industry and academia responded to the call to provide their ideas around future Defence workforce models.
Future workforce models
According to former MOD Information Domain Director Nick Gillard, because Defence is looking at new ways of doing business, it is focussed on good workforce modelling, and it believes that industry has a role to play in helping the organisation to achieve this.
“From a workforce perspective, it’s a competitive market out there – we are just but one organisation across government and across the private and public sectors, who are looking for these skillsets and these people,” he said during IDEAS 2020 Part One.
“Will the ‘cyber-warrior’ look different? Are they deployable? Are they New Zealand based? Are they uniformed? Are they civilian? All these kinds of questions are up for discussion.”
He called on industry to help Defence to articulate its point of difference within the skills and labour market, to help in terms of organisational design and the policies and processes that will enable the NZDF to recruit, retain, and remunerate for the information future.
Digital and Data literacy
In his presentation, Constantine Macris, instructor of cyber systems of the United States Coast Guard Academy, cites leading US cryptographer Bruce Schneier’s 2013 warning that the world was moving towards an age of ‘digital feudalism’.
“We don’t have this intimate relationship with the technology that we use every day,” Macris explains, “and because of that, it’s become unattainable.” This increasingly compels us to align ourselves with digital feudal lords who “take something in exchange for providing you protection in a dangerous and complicated digital world.”
Alex Matthews from Xequals believes that digital literacy is no longer optional. He echoes Macris’ sentiments in relation to the severing of humans’ relationship with technology. “The divide in technical knowledge, in leadership, and in management is becoming more and more accentuated and stressed as the world relies more and more on digital systems.”
According to Jordan Morrow, Global Head of Data Literacy for Qlik, despite 92 percent of business decision makers saying that it’s important for employees to be data literate, only 17 percent are encouraging or strongly encouraging change.
Qlik’s study found that only one in four decision makers are confident in their data literacy skill set, and one in three C-level leaders are confident. At entry level it’s about one in five.
“If we are lacking those data literacy skills as an organisation how can we confidently say to ourselves we are data-driven?” Morrow asks. “How can we even evolve our culture to be data-driven if the workforce is not comfortable using data?”
From the cybersecurity perspective, Check Point Software Technologies’ Ashwin Ram makes the point that basic awareness training constitutes a security control that addresses a major vulnerability – an organisation’s own people. Given that the majority of malware is delivered via email, it’s imperative that “your security awareness training reflects the latest phishing attacks and educate your users about the latest threat trends.”
The importance of simulation
Several IDEAS 2020 Part Two speakers noted the effectiveness of simulation in training enabled by advances in the immersive, experiential technologies of virtual and augmented reality.
Director of the Human Interface Technology Lab at the University of Canterbury, Rob Lindeman, explains that these immersive technologies tend to lead to better situation awareness. Using a case study centred on Fire and Emergency New Zealand’s (FENZ) Air Attack Supervisor Training Simulator, he comments that the virtual reality high fidelity simulator elicited very similar results to the real world in terms of the variability of trainee heart rates.
Lockheed Martin’s David Fallon notes that in the context of multidomain operations, simulation can enable Defence to “conduct the types of activity you need to have with all of the traditional domains, but [to] also add in the newer domains of the EMS [electromagnetic spectrum], the human cognitive space, and of course space as well.”
Replacing People
“Using people as the primary mechanism to fight an automated cyber adversary and refusing to leverage the power of modern software based advanced analytics to fight software based modern cyber threats,” says Major General John A. Davis, “is like bringing a knife to a gunfight.”
President and Chief Financial Officer of Dispel Ian Schmertzler agrees. “Good people with the very best of intentions have been building, procuring, and deploying systems, which are based on a butts-on-seats model, which simply does not remain sustainable, either monetarily or logistically when put under pressure.”
“If we look at intelligence collection at scale, during IDEAS 2020 Part One, the phrase used over and over was, ‘We have not been given any additional staff.’ The solution that had been proposed was to outsource human intelligence and open-source intelligence harvesting to New Zealand based contractors.”
“Now, that’s not entirely a bad idea, but you don’t have to lose control over your intelligence harvesting capabilities. You can now run 3,000 MTD [Moving Target Defence] networks with pattern of life infrastructure supporting them with a single employee.” “This isn’t a staffing problem but rather an automation problem, and the market has solutions for it.”
Philip Quade sees things in terms of demand and supply. He considers automation and integration part of the cybersecurity solution because of its potential to decrease the demand side of the equation. “The more that we can use machines and automation to better take care of the mundane or large volume tasks in our network the more it’s going to reduce the demand on people to serve these machines.”
Career Pathways
“We don’t have enough skilled coming out of university,” says Callaghan Innovation’s Vic Crone. “So how are you using apprenticeship models in terms of getting people out of school? How are you using midlife re-skilling programs?”
In many instances, she notes, people don’t want to work for one organisation. “They love working for multiple organisations, so… how are you sharing that talent rather than saying that you have to own everything – because you don’t have to own it all anymore yourself.”
Acknowledging the defence industry’s diverse, high quality talent pool, and history of training and re-skilling people, Datacom’s David Eaton believes that cybersecurity talent needs to be seen through a trade lens.
He suggests that defence sector organisations create pathways for their own talent for whatever stage people are at – whether they’re students or whether they’re mid-career – to create the cybersecurity talent pool they need.
“Ultimately, I think what I’d like to see happen in the defense sector is that it’s focused on what does a sector response look like for cybersecurity operations. Utilising talent pathways, utilising suppliers that have experience in this like Datacom. What does that look like and how can we make that work and improve the cybersecurity posture across the whole of the sector.”
Palo Alto Networks’ Sean Duca points to his company’s Academy program that develops certified network engineers. The program has accumulated close to a thousand different education partners that provide this as an offering to all of their students, and it’s open to the NZDF to partner with.
Taking an historical perspective, Philip Quade comments on the power of the Guild model to establish a large pool of apprentices, and coach them “until they became eventually journeymen and the very best of them became masters. It’s a great model that we can apply to our cybersecurity domain where we can welcome many, many more people in at the apprentice level.”
“We need to stop automatically putting down computer science degree as a prerequisite for some of these jobs that we’re defining… we need to come up with more people and give people more chances to enter our domain.”
“It used to be that the way you served your country was by putting on a uniform, and that was the recognised and fantastic way to serve your country,” says Quade. “But I believe that cybersecurity now is a field that allows us to serve our countries in other ways, specifically to help protect our critical infrastructures, whether it be energy, transportation, water, banks, you name it.”