Widgetized Section

Go to Admin » Appearance » Widgets » and move Gabfire Widget: Social into that MastheadOverlay zone

Thinking Strategically in the Cyber Domain

The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization. 

By John O’Brien
October 3, 2017

A decade ago, Senator Tom Coburn (R – OK) observed “Americans have a crazy idea, that they should get something for their money even when the money is spent by the government. It is a simple concept, and in policy-speak we call it performance-based budgeting. I know I am new in the Senate, but I am still surprised by the level of resistance in Washington to holding people accountable by measuring their performance.”

Holding people accountable by measuring performance has almost become a daily routine for public administrators and it has been embedded in federal organization’s business processes and policies [witness President Trump’s Executive Order calling for the heads of Federal Agencies to submit reorganization plans to improve the efficiency, effectiveness and accountability of their agency]. Despite this, former Senator Coburn’s observation on the resistance to holding people accountable by measuring their performance remains a viable part of our culture. Nowhere can this be seen than in the area of cyberspace where the notion of results-based performance — cyber performance management remains largely undefined.

Cyber Performance Management

Cyberspace is commonly defined as a domain focused on information and characterized by electronic media to store, modify and exchange information; more than traditional back-office information technology (IT) service, cyberspace includes cybersecurity, cybercrime and cyber-warfare. Federal agencies have developed organizational structures around cyberspace, including the Department of State Office of the Coordinator for Cyber Issues and the Department of Homeland Security Office of Cyber, Infrastructure & Resilience Policy.

Cyber performance management could be defined as where the notion of demonstrated results through outcome-based performance measures, as conveyed in the Government Performance and Results Act of 1993 (GPRA) and the GPRA Modernization Act of 2010.  While many cyberspace organizations endorse the notion of performance management in theory, the challenge is implementing a performance plan into practice that truly focuses on organizational efficiency, effectiveness, and accountability. Cyber organizations frequently fall back on more traditional performance measures based on IT services which may not address strategic-level organizational issues.

Strategic Goals and Objective in Cyber

The GPRA Modernization Act of 2010 specifies that public-sector organizations develop a strategic plan that links mission/vision statements, strategic goals, strategic objectives, performance measure and strategic initiatives that are outcome-based evidence of demonstrated results. Cyber organizations often do not do that. One could think of this in terms of a “What-How” model whereas agency’s strategic goals and strategic objectives are the desired results [the “What“] while strategic initiatives and resources are the method by which results are achieved [the “How”].

Strategic goals are the first line of implementation towards the organization’s mission and vision. They define courses of action and/or end-states that, if accomplished or achieved, will enable the organization to better support its mission and advance towards its vision. By definition, strategic goals are “strategic” in nature; that is, they are broad in scope and deal with high-level issues relevant to the organizations strategy for success (e.g., innovation leadership, operational excellence, customer intimacy). Strategic goals should imply that some form of change should be made in what the organization hope to accomplish (e.g., improve, enhance, increase/decrease).

Strategic objectives are an elaboration of a strategic goal, a “breakdown” of the goal. Each strategic objective should provide greater specificity of the strategic goal that your organization is working to achieve. Strategic objectives are expressed so as to facilitate future assessment as to whether the goal was or is being achieved, are directly measurable, and are outcome/output oriented. A common way of thinking about strategic objectives is to use the acronym “SMART” (See Figure One):

  • S: Specific – Objectives should specify what you want to achieve. For example, a military medical command wants to achieve 93 percent patient satisfaction in 12 months.
  • M: Measureable – You should be able to measure whether you are meeting the objectives or not. For example, this 93 percent patient satisfaction rating over 12 months means that each month patient satisfaction can be measured against a specific target.
  • A: Achievable – Objectives you set are really attainable. For example, is the 93 percent objective in 12 months something that can be done?
  • R: Realistic – Can you realistically achieve the objectives given all the other constraints you have? For example, is the 93 percent objective over a 12 month period realistic given the skills and resources of the command?
  • T: Timely or Time-Bound – The point is the objective must be clear about when you want to achieve the objective. For example, the command has set a period of 12 months to achieve the 93 percent market share target.
Figure One: SMART Objectives

Figure One: SMART Objectives


What is Needed

Cyber organizations need a cyber performance management approach that includes strategic goals and objectives written with a broad, strategic-level focus on the organization. Strategic goals should be written in such a way that clearly shows a shift of responsibility for cyber to the entire organization. Strategic objectives should be measureable and contain outcome-based cyber performance metrics. Here are three examples of objectives that illustrate a well-balanced, strategic approach:  (1) satisfy customer cyber requirements; (2) reduce cycle time for implementing cyber-security system upgrades; (3) increase proficiency of the cyber workforce.

Author: John O’Brien is an Associate Professor in the Information Strategies Department of the College of Information and Cyberspace (CIS). His areas of interest are strategic planning, performance management and public sector ethics. John is a Ph. D candidate in Public Administration through the Center for Public Administration and Policy of Virginia Tech. 

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Leave a Reply

Your email address will not be published. Required fields are marked *