Middle Child Syndrome: Process Improvement for Cyber and Information Technology Challenges
Middle child syndrome is the idea that if you are neither the oldest nor the youngest child in a family, you get less attention from your parents and feel “caught in the middle,” according to WebMD. The middle child often may be overlooked, and their contributions to the family dynamic may be undervalued. With this in mind, we can draw an analogy between the middle child in a family and the often-undervalued solution to cyber and information technology (IT) problems in the Department of Defense (DoD): process improvement. In the case of this analogy, the “oldest child” in the DoD’s solution set family would be money; the “youngest child” would be more personnel; and the “middle child” would be process improvement.
The DoD grapples with formidable adversaries in an era marked by rapidly evolving digital threats and state-sponsored cyber espionage. However, the biggest dangers are not necessarily nation-state actors, hackers or activists but ourselves and the inefficiencies we have caused in the “cyber ecosystem.” How are those responsible for operating and protecting the system breeding inefficiency and creating weaknesses and vulnerabilities? It is not because of insufficient funding or a lack of manpower. Instead, the answer lies with process improvement, or in this case, a lack thereof. Changing this and significantly reducing cyber and IT inefficiencies and vulnerabilities requires two things: 1) a comprehensive assessment of cyber and IT systems to identify and document their purpose, organization, relationships to other systems, operational processes, software, hardware, other tools and funding processes/sources to establish an operational baseline for use and comparison; and 2) process improvement maintenance utilizing continuous system assessments, feedback and follow-up actions.
Now, back to middle child syndrome. Many problem solvers in the DoD believe unit problems can be overcome in one of two ways. One way is to look to the oldest child and throw more money at the problem; another is to look to the youngest child and throw more people at the problem. Sometimes it is both. However, the initial response to solving a problem should involve the middle child: look at the processes first and assess whether they work well or should be refined, modified or abandoned. How do you know if you need more people or money if you do not know the processes you are using, why they are being used, where they are being used and whether they are necessary or beneficial? Therefore, we need to spend more time with the processes to unlock the potential for significant improvements and a more secure cyber and IT environment.
Let’s further address the issue of the oldest child. How often have we heard that we need more money to fix the network? This is the first thing proposed when solving an issue. How do we know more money is needed? Have we first looked at the capabilities of the tool sets already owned? Might they already have the capabilities required to solve the problem(s)? Process issues are a large part of why the DoD cyber and IT worlds frequently fail to use all the capabilities of the tools at their disposal. Often, less than 10% of a tool is utilized. This means we could buy three or four tools to meet a requirement, even though an existing tool already has the necessary capabilities. To illustrate this point further, consider that multiple IT service management (ITSM) solutions exist across the services. If we examine a particular ITSM solution, multiple contracts likely exist within and among the services. Do those responsible for acquiring and maintaining the services’ cyber and IT tools communicate with each other about this? Could an enterprise contract be the solution to reduce cyber and IT costs? In the most recent defense budget sent to Congress, there was a request for $13.5 billion across the DoD for all of cyber. With that amount of money available, is funding really a problem, or do the issues lie with why and how the funds are executed? To make even greater gains in cyber and IT efficiency, productivity and cost savings, funding and distribution processes also need examination and assessment and should be refined, modified or abandoned accordingly.
If money isn’t the problem, then perhaps we should address the youngest child—using more people to solve a problem. The issue could be insufficient personnel, but it may also be a lack of necessary skills in the people you already have or outdated or unnecessary processes (e.g., those that could be accomplished through automation rather than manual actions). The proliferation of cyber and IT tools can add to the difficulty of having enough personnel with appropriate training because it may be difficult for people to master them all. For example, changing contracts can result in equipment and software that varies yearly, complicating training and operations, or an airman trained on one type of equipment might be transferred to a base using a completely different system, resulting in a steep learning curve and reduced operational efficiency. While training is often the first budget cut, exacerbating the problem of accurately determining whether you have enough people to achieve the mission, it does not necessarily suggest more money is needed to accomplish appropriate levels of training. It could simply mean someone thinks something else is a higher priority, processes haven’t been refined enough in multiple areas to achieve any cost savings that could go toward training, or perhaps training processes need improvement before more money is added to the equation.
The DoD still relies heavily on manual cyber work, but the next war will be won at the speed of technology, not by the soldier, sailor, airman, Marine, Guardian or Coast Guardsman. Trusting automation and orchestration, as well as newer technologies such as artificial intelligence (AI), can drastically reduce the time required for certain tasks and free personnel to focus on other missions and more strategic activities. For example, using automation and/or AI for the patch management process can reduce the time required from several hours to just a few minutes, if not seconds. This ensures systems are updated with the latest security patches and frees IT staff to work on other critical mission tasks. Similarly, automated vulnerability scanning can continuously monitor the network for potential threats, providing real-time insights that enable faster response times. It often seems that the solution to a problem involves acquiring more personnel, but frequently, the core problem is not a lack of people but the need for different processes.
Many network processes today are undocumented or undefined. Unlike in the past, where technical orders or manuals detailed operations and maintenance, today’s networks lack such comprehensive documentation. As a result, tools are underutilized and improperly integrated into the DoD’s cyber ecosystem, leading to inefficiencies and increased costs.
Proper processes can resolve many issues. For instance, understanding and utilizing a tool’s full capabilities can eliminate the need for redundant tools. Establishing more effective software and user management processes can prevent unnecessary spending on unused licenses and equipment. Patch and vulnerability management are other areas that need improvement. Each base might use different solutions even with the same equipment, highlighting the lack of standardized processes. Reactive crisis management prevails over proactive process development.
To solve these issues, dedicated teams must document, dissect and optimize all processes and be agnostic about specific tools and capabilities. This approach will streamline operations, free up resources and reduce costs. Additionally, testing and certifying new tools before deployment can prevent network disruptions and ensure smooth integration. Outdated processes like the Planning, Programming, Budgeting and Execution Process and the Federal Acquisition Regulations system also need updating to support rapid technology acquisition. The speed of technology, not airmen, will win future wars. More rapid governance processes can facilitate faster technology deployment, reducing costs and manpower requirements.
Decision-makers must recognize that sufficient funds are already allocated to networks but aren’t spent effectively. Addressing the middle child syndrome by first focusing on processes to optimize resources and enhance network efficiency will improve overall operations. Leadership must prioritize documenting, refining and automating processes, ensuring that money and personnel are utilized effectively.
Moreover, the importance of continuous process improvement cannot be overstated. It requires regularly reviewing and updating processes based on feedback and lessons learned. This iterative approach ensures that processes remain relevant and effective. Involving personnel in the process development and improvement stages also fosters a sense of ownership and accountability, leading to better adherence and implementation. In the fast-paced world of cybersecurity, threats are constantly evolving. Well-documented and flexible processes allow for quicker adaptation to new challenges. For instance, during a cyber attack, having a clear incident response process can make the difference between containing the breach quickly or suffering prolonged damage. The process (whether manual or using AI) should outline steps for identifying the attack, isolating affected systems, eradicating the threat and recovering normal operations. Additionally, any new information that could improve future responses should be evaluated and adopted into the process if it proves beneficial.
One practical example of process improvement in action is adopting the ITIL (Information Technology Infrastructure Library) framework in IT service management. The ITIL framework provides a set of best practices for delivering IT services and managing IT infrastructure. Organizations can improve service delivery, increase efficiency and enhance customer satisfaction by adopting ITIL principles. The framework emphasizes the importance of aligning IT services with the needs of the business, which in the context of the DoD means ensuring that cyber and IT infrastructure supports mission-critical operations.
In conclusion, the analogy of middle child syndrome aptly applies to the current state of cyber and IT within the DoD. Financial and personnel resources are crucial, often the most visible, and frequently the first to be addressed. However, the true leverage point lies in the processes governing how these resources are utilized. By focusing on process optimization, the DoD can enhance efficiency, reduce costs and improve the overall effectiveness of its cyber and IT operations. This requires a concerted effort from leadership to prioritize process documentation, standardization and continuous improvement, as well as automating where appropriate to ensure the “middle child” receives the attention it deserves.
Marc Packler leverages an immense and diverse skill set derived throughout his 25+ year career in the U.S. Air Force to positively impact digital security, digital transformation, risk management and strategic operations within organizations across a vast array of industries. Packler maintains prestigious credentials, such as CompTIA Advanced Security Practitioner (CASP+). He has a master’s degree in both national security strategy and management information systems and is a widely acknowledged subject matter expert and public speaker on digital protection and risk management matters. Packler and Tony Thomas are partners in Quadrant Four.
Tony Thomas gained vast experience in leadership and management over the course of his distinguished 34+ year military career. Throughout his career, he gained experience in all facets of the cyber ecosystem across the DoD and industry. Thomas holds a Bachelor of Science degree in electrical engineering and several master’s degrees in systems management of global cyber telecommunications, military operational arts and sciences, and national resource strategy. He is also a widely acknowledged subject matter expert and public speaker on matters of cybersecurity and risk management.