Defining the Mission of Cyberspace Organizations

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.

By John O’Brien
February 9, 2018

This author has written previous articles for PA Times Online addressing cyberspace and the need for performance-based cyberspace organizations that use performance data to improve operations, all intended to optimize value to the American public. One key element of that is to manage towards specific measurable goals derived from a defined mission statement.

While many federal agencies have developed a results-based performance management culture, the notion of results-based cyber performance continues to remain largely undefined.

Cyberspace Organizations

Cyberspace is an area that is focused on information management and characterized by electronic media to store, modify and exchange information. More than traditional back-office information technology, the notion of cyberspace often includes cybersecurity and cybercrime. Many federal agencies have developed organizational structures around cyberspace, including the Departments of Defense, Homeland Security, and State. For example, the United States Cyber Command (USCYBERCOM) is one such organization. A sub-element of the Department of Defense, USCYBERCOM has been given the following mission:

USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.

The GPRA Modernization Act of 2010 specifies that public-sector organizations develop a strategic plan that links the organization’s mission to strategic goals / objectives that are outcome-based evidence of demonstrated results. Cyber organizations often do not do that. Cyber organizations frequently fall back on more traditional performance measures based on information technology services which may not address strategic-level organizational issues.

Mission Statements

While their intent may be to implement a performance plan that focuses on organizational efficiency, effectiveness, and accountability, cyberspace organizations need a cyber performance management approach that includes mission statements written with a broad, strategic-level focus on the organization. From that “well-written” mission statement, strategic goals should be derived that clearly shows responsibility for cyber to the entire organization, strategic objectives should be measureable and contain outcome-based cyber performance metrics, and strategic initiatives should link to outcome-based results.

The all starts with a mission statement. Mission statements should give the purpose of the organization and states its reason for existence. A mission statement is often derived from mandates and includes the larger social or political needs that the organization seeks to fill.

A well-written mission statement states clearly why the organization exists and describes what the organization does and for whom. A well-written mission statement provides guidance for strategic and operational decisions to meet customers’ stated outcomes. A well-written mission statement should answer the following statement: “Customers seek us out because… [fill in the blanks]”

Nowhere is this more critical than with cyberspace organizations. One technique this author has found useful for teaching the development of mission statements is described below. Senior leadership of cyberspace organizations could benefit from this technique which was adapted from a graphic originally developed in the US Army CIO’s Office.

Developing a Mission Statement

Mission statements are found in the intersection of three organizational areas: Mandates; Customer and Stakeholder Expectations, and What Is Really Being Done. This illustration that an organization’s true mission is found at the intersection of those three areas [see Figure One]:

 

The real “mission” of an organization is found at the center of the graphic, at the intersection of all three areas; this is the area where senior leadership can say “We are mandated by law to do this, and it’s expected of us by our customers and stakeholders and we are doing it.” That is really the baseline function. That is really the mission of the organization.

However, often the case in cyberspace organizations is to be somewhere other than in the center area. To further explain…

• If an organization is mandated to do something and if customers/stakeholders expect it, but the organization is not doing it, then we have an unfulfilled mandate [mission gap]
• If an organization is mandated to do something and the organization is doing it but customers/stakeholders don’t expect the organization to do it, then we have an example of a non-value added function [who cares]
• If customers/stakeholders expect the organization to do something and the organization is doing that something but the organization is not mandated to do it, then we have an example of something outside the mission area [senior leadership putting out daily fires]

In the case of public sector cyber space organizations, this would mean to seek innovative approaches to improve cyber capability against growing threats and avoiding performance metrics used to demonstrate progress that are narrowly focused and fail to capture the progress made to improve cybersecurity.

---

Author: John O’Brien is an Associate Professor in the Information Strategies Department of the College of Information and Cyberspace (CIS). His areas of interest are strategic planning, performance management and public sector ethics. John is a Ph. D candidate in Public Administration through the Center for Public Administration and Policy of Virginia Tech. 

(No Ratings Yet)
Loading...