Security Awareness Programs & Computer-Based Training

The Multi-Sector Federal Workforce and Infosec

Advice from a Former Air Force Assistant Secretary
The Multi-Sector Federal Workforce and Infosec

One of the critical challenges facing the government is how best to integrate work across multiple disciplines while maintaining a secure computing environment.

Ruby DeMesme, a former Air Force assistant secretary for manpower, reserve affairs, installation and environment, sees information technology as shaping the way government workers perform their jobs. No longer are jobs aligned with a predefined assignment, but are dynamic, requiring critical thinking and the ability to navigate technology to determine how best to perform a variety of tasks.

"We have a multi-sector workforce and we have a multi-generational workforce and we have the ability to deliver information instantaneously around the world," Ruby DeMesme, now a senior adviser at the consultancy Deloitte, said in an interview with (transcript below). "But, when all of these confluences or ideas and factors and events come together, it means that the person in the workforce must be very comfortable with their knowledge or know where to get information on a split second notice; it is not even minute by minute today, it is second by second."

For decades from the inside, and now from the outside, Ruby DeMesme has seen the role of the federal government worker evolve over the years.

DeMesme has written a paper entitled, Equipping the Federal Workforce for the Cyber Age, in which IT security plays a critical factor.

In the interview, DeMesme explains the:

  • Meaning of the word equipping in context to the Internet-age federal workforce.
  • Synergy between cybersecurity and an IT-savvy workforce.
  • Commitment the federal government must make to create a 21st century workforce.'s Eric Chabrow interviewed DeMesme.

DeMesme was named Air Force assistant secretary in 1998, where she directed and managed Air Force human resources management policies and programs for more than 2 million active and reserve members, civilians and families. She oversaw strategic planning on issues including recruitment, training, retention and separation policies and programs.

During her 22-year tenure with the Department of Defense, DeMesme regularly testified before Congress and worked with lawmakers and other government officials to secure funding for military benefits programs. She also served as a senior adviser on military matters to former Sen. John Glenn, D.-Ohio.

DeMesme graduated magna cum laude from St. Augustine's College and was awarded a master of social work degree from the University of North Carolina.

ERIC CHABROW: Your advising Deloitte. and a recent paper you helped prepare is entitled Equipping the Federal Workforce for the Cyber Age. Why is the term "equipping"? What equipment or tools do federal workers need to be prepared for the digital age?

RUBY DeMESME: We actually used the term equipping because I think it is more than education, whereas usually the workforce needing to learn more or to have more training or to have a greater awareness of things. I think in the cyber world, it goes a little bit beyond just learning about it. Equipping means having the abilities, the opportunities, the training and the tools to ensure that they are really prepared to change the way they work in the new world of work environment.

I think cyber is one of those initiatives that is kind of new. It incorporates a lot of what we have to do to protect our information and our people and our identities in this nation. And so it to me describes the ability to go beyond merely looking at something in a new way but actually developing new ideas and skills around working in a new cyber environment.

CHABROW: What is a cyber-savvy workforce and where does cybersecurity fit into that type of workforce, and how would you rate this cybersecurity awareness or savviness of the federal workforce?

DeMESME: A cyber-savvy workforce is one that is very comfortable in delivering the right kinds of services at a time when you have a need to know and need to share, and it needs to protect information simultaneously. Savvy means that you are confident that you not only have the knowledge but you have the tools and you have the capabilities that you need infrastructure-wise in the workforce to actually perform on a say to day basis.

For the most part, we think about IT when we look at the cyber workforce. We know that there is security that must be built in the tools of the trade. We know that we have Internet capabilities that are international, that we are having split-second information coming at us in requests all the time.

In a workforce of today, I do not believe we are prepared to meet and protect the information in a cyber environment. It is something that they have not been required to do. It is a skill that is developed over time and many of our people in the workforce are at the baby boomers age and they have not had to deal with simultaneous requests for information. They haven't had to deal with immediate release of information on CNN. They haven't had to deal with a 2.0 web, there were the safe books and all of these conundrums of information is currently out there in the workplace.

They are having to re-look and re-think about what information means, and to understand that everybody in the workforce is responsible and accountable for it. So, as we look at preparing the workforce, it is more than what do we do for training for all these people, what do we do about making sure that we have the right skills, what do we do to make sure that we have the infrastructure in place. It is looking at all of these things holistically and deciding what each person needs to be responsible for and accountable for in a 24/7 work environment where information is constantly flowing and things are constantly changing.

CHABROW: It is not just being familiar or even comfortable with the technology but because of technology and the informational flow, most job descriptions in some way of federal workers has changed.

DeMESME: They have changed tremendously. Unfortunately they have not kept up with the changes in our environment. As we look at new competency modeling and deciding what we need to do that was different from what it was yesterday, as we look at building jobs we recognize that we can't build them only on one skill like we used to. They are multi-faceted jobs. It is the ability to think critically about the work that you are performing.

In the past we were more aligned with looking at a position and you had tasks that were identified in advance and you went out and you were evaluated on how you performed those tasks. But in today's new world of work, it is dynamic in nature. You must not only know how to have the technical skills and employ those on a day to day basis, but how to actually get beyond what is expected and what is written on the paper and discern from what you are being assigned on a day to day basis, what you need to do to actually do your work.

And this is even more critical that we look at how to integrate work across multiple disciplines. We have a multi-sector workforce and we have a multi-generational workforce and we have the ability to deliver information instantaneously around the world. But, when all of these confluences or ideas and factors and events come together, it means that the person in the workforce must be very comfortable with their knowledge or know where to get information on a split second notice; it is not even minute by minute today, it is second by second.

CHABROW: This seems to me maybe an insurmountable challenge in part because it is just the structure of government. Government despite technology is still very siloed and there is competition among agencies. What realistically can we expect government to do to be prepared for this new digital cyber age?

DeMESME: Well, one of the things we have to do is we have to define exactly what cyber age really means and. as you know, with the government, many times we have a tendency to pull what another area, for example, professionals in other career fields are now being moved into the career fields for cyber. We have different agencies creating cyber commands and we are putting different people with related skills into those commands to do the work.

In today's world, it is not insurmountable because the mission must be accomplished. We have to phase our approach in how we actually attack the problem. We can't expect that overnight we are going to have a new paradigm, a new culture, a new acceptance of cyber as a way of doing the work, but as we continue to attack these issues bit by bit, then they relate it to something that is meaningful; when there is an outcome from an action.

When we look at the hackers and what they are doing and we look at how to fix one thing at a time, we will get there, but it will not be overnight. There will be a need to focus on the frontline people first who are actually building the systems and the tools, but then we must reach back and pull forth those who are actually handling information on a daily basis. So, we have maybe four to five different levels of training that we need in an organization that must be simultaneously and they must be different to attack the different areas where work is being performed at different levels within the organization.

CHABROW: Can you tie in the cyber-savviness of the professional that the federal government should have and the cybersecurity-savviness of that professional?

DeMESME: They are interrelated. The cybersecurity is extremely important because that is where the protections come in. The cyber center that goes across the security minded individuals and those who are focused on building those systems to those who are the handlers, those who actually deliver the information, those from the developers to the end users across that spectrum.

As I said, they are interrelated skills that are needed, but they are different levels of skills, but the information has to be flowing to those who are building so that they will know what it is that they are trying to address because they are not the ones necessarily at the end of the phone when it rings and the information, or they are not the ones sitting at their desk when someone is putting a worm into your system to corrupt it, but they must know what is happening so that they can build the right safeguards.

I see an inter-relatedness between the secure workforce and the cyber-savvy individuals who work day to day. They have different faces at different times because at some point people perform a myriad of functions that are not linear in nature. We have a very complex mission that we are trying to develop and execute in a complicated environment and when you do that, there are just many moving parts. They are not unrelated. They are not always tied together. But I think through education, awareness and training that people will understand how to put those pieces together so that you can have a more secure workforce from security to the workforce itself being ready and it is all mission related.

CHABROW: To achieve what you envision, what must the administration, Congress and/or the agency heads do to make sure federal employees practice health IT security, know how to use information, and so on?

DeMESME: They have begun to do that. You know this administration has put forth some edicts. They have put into their hiring someone to now they are head of all this cyber activities in the organizations. We read constantly that agencies are trying to prepare themselves through training. They are investing in education and institutions that can train people to have the skills to move them to the federal workforce. They are looking to the private sector to share with them knowledge that they have gained over time, so contractors are working alongside government officials everyday to make sure that there is an integrated approach.

But I think. in terms of looking at the workforce itself, if they would take a look at what agencies need to look at several levels of workforce dynamics. That can help them prepare the workforce. There has to be a secure workforce culture around that allows the agencies to look at end-to-end capabilities development. There would have to be a competency development, wherein the agencies are looking at how they can analyze, create and validate knowledge, skills and abilities and behaviors of the people in the workforce.

And then they have to look at the workforce planning and strategy, which enable agencies to look at their human-capital distance plan that looks at focusing the organizations and providing the road map that they need to develop the right organizational capabilities in demographics; to really look at what they desire, what people they really would need to further their mission goals. And, there has to be talent management, the ability to identify, select, align, develop and reward employees in the workforce through all service lines, form the leadership all the way down to the entrants into the workforce.

And then, of course, they need to make sure that there are workforce analytics, and how they can display and analyze critical information to make business decisions to make sure that they are solutions that addresses our business intelligence and handles data in a secure environment. Doing so, they will have a holistic viewpoint of what they will need to meet tomorrow's demand for information in the workforce.

It is not an easy thing to do. It is not a one size fits all. It is going to have to be customized, based on the missions of agencies are performing. You start with a skilled workforce, the people you know will be on the front lines, and then you tie it in with those who are complementary workforce that will deal with the information and there has to be a continuous communication flow between these groups, and of course, collaboration among other agencies.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.