Mark Hofer

Cyber Security Professional with Eclectic Hobbies

Cybersecurity

Peter Drucker on Cyber Warriors

Mark

Nearly fifty years ago in 1974, the great management thinker, Peter F. Drucker (1909-2005), published his tome Management[1]. In this work and other writings Drucker can teach us why our ability in the cyberspace domains is not as successful as we have hoped or been promised. While generally using business examples throughout the book, Drucker consistently and adamantly asserts that “management is the specific and distinguishing organ of any and all organizations.”[2] So when he is talking about “capital and labor,” we can safely translate that as “platform and manning.” He constantly heralded the rise of the “knowledge worker,” telling organizations they needed to adapt, although few still have.

Cyber Warriors as Knowledge Workers

The terms “knowledge work” and “knowledge worker” are sixty years old. They were coined around 1960, simultaneously, but independently by Princeton economist, Fritz Machlup and Peter Drucker.[3] Meanwhile, the manning construct we have in place in the military goes back to the Revolutionary War. It has been updated in bits and pieces, but the fundamental construct of unskilled or skilled manual laborers serving in the enlisted ranks and the professional class serving as officers. This no longer works. The cyber warfare career tracks do not neatly fit into the skilled labor category. Manual work has been supplanted by knowledge work, and cyber warriors resemble the latter and not the former.

“Economic theory and most business practice see manual workers as a cost.”[4] This is how the Navy sees most of its ratings. Each new ship class tries to reduce the total number of crew required. During the “optimal manning” push of the late noughties saw a Flight-I/II Arleigh Bruke-Class Destoryer designed for about 360 officers and crew with around 260 authorized (now back up to about 315). For the Navy, crew was a cost. Every time the United States enters a major war, the size of Army increases and when the war is over, it reduces its end strength. If soldiers weren’t a cost, there would be no need to draw down. This does not work with knowledge workers and cyber warriors.

“But knowledge workers own the means of production. It is the knowledge between their ears. And it is a totally portable and enormous capital asset.”[5] For example, the E-5 systems administrator can leave the military and take all her system administration skills and do the very same work for any small or medium size business. All the investment the service has put into that person goes out the door with her. It is completely portable, unlike that Gas Turbine Systems Technician. A GS2 getting out at the same time as other the hypothetical E-5, is likely never to touch another gas turbine in his life. It is not that the GS2 is without skill or experience; his experience not nearly as portable as system administrator’s.

“Knowledge workers see themselves as equal to those who retain their services, as ‘professionals’ rather than as ‘employees.’ The knowledge society is a society of seniors and juniors rather than of bosses and subordinates.”[6] The overemphasis of rank on military culture is inimical to knowledge workers. Cyber warriors see themselves as key members of the team and not simple labor, no matter how junior they are. Only in the U.S. Military can a someone get postgraduate degree at company expense[7] and continue as a terminal E-7. Sane organizations would place him in a professional level position based on ability and not on executive potential. Cyber warriors see that ceiling and find it insulting, humiliating, and unjust to be capped in potential due to the way they entered the service.

We must look at our cyber warriors as different in kind than the rest of our force. This does not mean that they are morally better or worse. They require different management and leadership approaches as well and different supports. Leadership of cyber warriors cultivates them as professions, trets them with respect, which will ensure the investment in human capital is protected.

Managing and Leading Cyber warriors

“Managing knowledge work and knowledge workers is essentially a new task. We know even less about it than we know about the management (or mismanagement) of the manual worker. It is, therefore, a more difficult task.”[8] Peter Drucker goes on to expound on what does not work when trying to make knowledge workers productive. All of which applies to cyber warriors.

This new and different task needs to be recognized as such if we are to make every cyber warrior effective and our cyberspace operations successful.

What Does Success and Productivity Look Like?

“We cannot truly define, let alone measure, productivity for most knowledge work.”[9] Mean time to repair, number of manhours used vs. allotted, square footage of the ship painted, accuracy of gunnery; we can meaningfully measure work in the traditional military specialties. The same is not true for cyber warriors. The service member working as an exploitation analyst collecting intelligence has metrics: amount of foreign intelligence collected in bytes, number of operations conducted, and so forth. But two cyber warriors working two different missions will have wildly different metrics. An intelligence collector or analyst working the Russia mission would have largely been ignored for the two decades prior to 2014. In February 2022, that analyst’s contributions to the President’s Daily Brief would have soared. The work performance of the analyst may not have changed, nor her effectiveness. The interest from key decision makers changed.

Take the same cyber warrior and put them doing defensive cyberspace operations and you must come up with whole new metrics. Measuring effectiveness is still a shot in the dark. Number of “cyber-attacks” stopped? It doesn’t matter if you don’t stop the one you should have. We know how to measure activity: number of scans conducted, amount of traffic monitored, number of files investigated, etc. But activity is not the same thing as effectiveness.

Leadership Through Fear Negates Effectiveness

One thing we know doesn’t work is leadership though fear. However, fear as motivation has been getting culturally phased out since at least the end of the draft. But while I can get a Sailor to paint the bulkhead and do maintenance, however sloppily, though fear. The same is not true among cyber warriors.

“Knowledge workers, except at the very lowest levels, are not productive under the spar of fear; only self-motivation and self-direction make them productive. They have to be achieving to produce at all.”[10] A analyst cannot produce useful intelligence analysis, if they are fearful of their NCIOC or Commanding Officer because they will get chewed out or go to Article 15 if they fail to provide insights. The work itself requires the cyber warrior to be self-motivated and self-directed to do good analysis. Fear doesn’t produce shoddy work; it produces no work. When a person in leadership demands Sailors follow his direction, he will not only fail to get their best work, but even mediocre work.

How to Improve Effectiveness

Drucker details seven of the steps to improving knowledge worker productivity:

  • Define the task
  • Focus on the task
  • Define results
  • Define quality
  • Grant autonomy to the knowledge worker
  • Demand accountability
  • Build into tasks continuous learning and teaching[11]

Defining the task is not a straightforward problem that you can find in the rare, well-written OPORD or the most recent version of the service tactics publication.  It will not come from higher headquarters or the pros from Dover. It will have to come from the cyber warrior himself. Leadership at all levels will need to be able to align the request with the larger goals, and leadership will need to communicate large amounts of information down the ranks to enable those on the at the lowest levels to come up with the right answers.

As Drucker states, “Work on knowledge-worker productivity, therefore, begins with asking the knowledge workers themselves, What is your task? What should it be? What should you be expected to contribute? And What hampers you in doing your task and should be eliminated?[12] All poorly thought out, poorly written orders from higher headquarters in the information domain must go through this before useful work of any sort could begin.

“Map all the important stuff on your network” is not a task. What’s important? To whom? For what? How detailed and current does the map need to be? Cyber warriors at multiple echelons need to coordinate and redefine the task before productive work can begin. Leadership must invite those they purport to lead into the work of defining the work instead of merely passing on problems to their subordinates.

Retention of the Cyber Warrior is Different

“We already know what does not work: bribery. In the past ten or fifteen years many businesses in America have used bonuses or stock options to attract and keep knowledge workers.”[13] Drucker points out for the civilian sector, that the way the Military has traditionally approached retention of service members does not work with cyber warriors. Retention bonus in all their forms can only close the gap in pay between military pay and private sector pay only so much. This is especially true for interactive operators and officers with cybersecurity expertise, where a doubling or tripling of one’s salary after leaving the service is the norm.

Drucker states, “dissatisfaction with income and benefits is a powerful disincentive. The incentives, however, are different.”[14] The fact that any cyber warrior, with highly remunerative civilian options, signs on for a second enlistment proves this to be true. “The management of knowledge workers should be based on the assumption that the corporation needs them more than they need the corporation. They know they can leave. They have both mobility and self-confidence.”[15] The Department of Defense needs cyber warriors more than cyber warriors need the DoD. The problem is, only the service members seem to know this. The Department does not. To be more precise, the DoD behaves as if it does not know this simple fact.

“The first thing such people want is to know what the company is trying to do and where it is going.”[16] The truly unique incentive the military has is the ability to do work that is impactful to the world in a way that cannot be done legally anywhere else. Our cyber warriors know the mission of the service and often of the unit they are assigned to. However, whenever the work they are doing appears to be misaligned with where they think the mission is going, they will quickly become disgruntled.

“Next, they are interested in personal achievement and personal responsibility—which means they need to be put in the right job.”[17] The military only occasionally succeeds here and then only by random chance. The individual cyber warfare specialists are too diverse internally (e.g., the various types of jobs a Navy IT or CTN can do). We do not place service members based on where their skills and interest best align. Too often, we take an expert in one subfield and tell him to go do another for “diversification”. With all too perishable skills in the cyberspace disciplines, this can mean atrophying one skill the cyber warrior likes and is an expert in to achieve mere competency in one he doesn’t. Neither the Department nor the service member benefit and that service member will leave the military at the next opportunity. Because he knows he has options.

“Knowledge workers expect continuous learning and continuous training.”[18] In more traditional skill areas this means getting additional formal schooling (e.g., advanced service school or a university degree). That is periodic education and periodic training. Once you make it to a certain level, the Navy is not interested in paying for it. The Department could provide this by expanding formal options, but more relevantly by building continual education and training into the rhythm of the work. Expand the training budgets to allow more unconventional training options at the community, unit, and personal level. Giving every individual cyber warrior her own personal training budget would allow the Sailor to pursue what topics most interest and challenge her.

“Above all, they want respect, not so much for themselves but for their area of expertise. … [Knowledge workers] expect to make the decisions in their own area.”[19] This means taking them seriously throughout systems acquisition, operational planning, and current operations. The relative success of the services has been changing over time, and there is still a long way to go for each of them.

Conclusion

Cyber warriors are not the same as service members in other specialties. Drucker’s distinction between knowledge workers and manual workers holds true in the uniformed services as well. Leading and managing this new type of warrior requires new management and leadership approaches. The Department would do well to learn from the late Austrian-American and adapt its practices to meet the challenge presented by cyber warriors. If it fails to do so, the result will be predictable. The largest capital asset in the information domain will continue to walk out the door at the earliest opportunity. Mediocre pay and superficial respect will be answered with ineffectual work.

[1] Drucker, Peter F. Management: Tasks, Responsibilities, Practices. 1974.

[2] Drucker, Peter F. Management: Revised Edition. 2008. Pg 67.

[3] Ibid, 38

[4] Ibid, 201

[5] Ibid, 201

[6] Ibid, 39

[7] Naval Postgraduate School’s Applied Cyber Operations (MACO) Curriculum, https://nps.smartcatalogiq.com/en/current/academic-catalog/departments/department-of-information-sciences/applied-cyber-operations-maco-curriculum-336/

[8] Management: Revised Edition, 187

[9] Ibid, 188

[10] Ibid, 188

[11] Ibid, 209

[12] Ibid, 199

[13] Ibid, 56

[14] Ibid, 56

[15] Ibid, 56

[16] Ibid, 56

[17] Ibid, 56

[18] Ibid, 56

[19] Ibid, 56