The contributions of ex-military personnel extend beyond their time of public service. They come to private-sector cybersecurity roles ready to take on foes that range from harbingers of mischief to deliverers of destruction.
"The importance of paying attention to even the tiniest of details due to potential impact and lives on the line is drilled into every military member," says Devon Bryan, global chief information security officer at Carnival Corp. and co-founder of the International Consortium of Minority Cybersecurity Professionals, now known as Cyversity. "Irrespective of branch of service and without regard to rank or station, the military emphasizes the necessity of working hard and with a passion for excellence, which are key for the infosec challenges of today."
It's no secret that former service members come prepared with training that many companies in the private sector find beneficial. But just which military skills transfer best to private cybersecurity jobs?
"An understanding of physical security and access control," says Oxana Parsons, senior cyber intelligence analyst at LookingGlass Cyber Solutions.
Many skills, even those seemingly unrelated to cybersecurity or IT, easily transfer, she adds.
"In the military I have learned how to set up a local network — and I did it as a HUMINTer [human intelligence collector], so [even] not really an IT-related job can still provide some related training," Parsons says. "Also, in the military there are lots of opportunities to receive foreign language training and intelligence training, which taught me to understand the tradecraft behind intelligence collection and analysis."
Other experienced vets point out that their collaboration and self-assessment skills alone can prove priceless to private-sector defense measures.
"Cybersecurity is such a broad field. The ability to be comfortable both knowing and accepting what you don't know, while being humble enough to seek out who does, is a particularly powerful skill to master," says Alex Diaz, customer success leader at Horizon3ai, who served both as a military intelligence officer and an enlisted all-source intelligence analyst in the US Army.
Fulfilling Private Cybersecurity Needs
"As cybersecurity grows in prominence as a risk factor for organizations, private firms will need experienced and capable leaders to manage their security postures," says Matt Georgy, chief technology officer at Redacted. "Veterans bring a unique perspective working in chaotic situations and often making consequential decisions in high pressure situations."
Previously, Georgy served as chief of intelligence of the US Air Force 18th Fighter Squadron and as lead US government forensics analyst in Baghdad, and held several technical leadership roles at the National Security Agency (NSA).
While one could argue that all military service is security-related, not all ex-military personnel currently employed in cybersecurity served in security-related positions. Even so, their training often transfers to a new position in the private sector.
"I did not work in security while in the military. But I can find similarities to when I worked in a Navy Combat Information Center (CIC) or a Tactical Operations Center (TOC)," says Josh Smith, cybersecurity analyst at Nuspire, who previously served as operations supervisor, mission control and evaluation supervisor, and operations and logistics department head in the US Navy. "All require the ingestion of data, analyzing what was received, disseminating it to the appropriate parties, and taking action based on the findings."
The constant shape-shifting of threats and attackers is familiar to military-trained professionals. That alone is a major plus to employers looking to protect themselves from whatever digital abomination is cresting the horizon next.
"Military veterans have a very wide skill set, as we're often asked to work outside of our specific roles," Smith says. "We're exposed to numerous situations that are dynamic, stressful, 24/7, and leave no room for error. Cybersecurity is very similar in this respect. Cybersecurity never sleeps and is consistently changing. Veterans can easily adapt to this lifestyle."
For those who transferred their cybersecurity skills directly from public to private concerns, commonalities between the sectors smoothed the transition.
"Military operations are steeped in risk and threat by their very nature, so military veterans develop a keen sense for assessing and weighting threat and risk," says Mac McMillan, CEO of healthcare cybersecurity, privacy, and compliance consultancy CynergisTek. Formerly, McMillan was director of security at the Defense Threat Reduction Agency for the Department of Defense (DoD).
"On a personal level, their sense of urgency, structure, discipline, etc., is well-suited for cyber and IT jobs," McMillan adds.
Rank Is Optional
Higher ranks in any military branch generally signify accomplishment and experience that are also highly prized in the civilian world. However, limiting hiring to high-ranking ex-military applicants is shortsighted.
"As CISO of the US Marine Corps, I dealt with many early-day cyber incidents from both nation-state threat actors and crime syndicates ... like the Melissa virus and ILOVEYOU," says Carl Wright, chief commercial officer at AttackIQ.
Officers and enlisted members participate in training programs worth millions of dollars to earn Military Occupational Specialty (MOS) designations.
"One of those areas is cybersecurity, and within cyber you have defensive operations and offensive operations," Wright says. "The level of training these individuals receive to protect our most critical infrastructure and carry out cyber operations against our adversaries goes far beyond most private-sector offerings and is highly transferable to a career in the private sector."
Ex-military personnel bring excellent security practices to other areas as well.
"While I did not directly work in a security billet, my team worked to design software and had security requirements we had to align with," says Heath Anderson, VP of information security and technology at LogicGate and former system test architect for the US Air Force. "This experience was some of the best education around security principles I could have asked for, since we had to focus on the intent of the requirement in order to make it actionable in our code for the software we were designing and testing."
For his part, Andrew Maloney, chief operations officer and co-founder of Query.AI, worked on a help desk and in systems administration until 2003, when he was deployed to Oman, in the Middle East, to manage the base's perimeter security firewalls and proxy servers.
"This was my break into cyber," says Maloney, formerly systems administrator/security engineer for the US Air Force.
Bringing Softer Skills to Bear
Skills including leadership, planning, and organization and traits like duty, responsibility, and loyalty make military vets excellent team members and leaders in civilian roles, McMillan adds.
"The military not only expects these things from its members, they spend time teaching these skills to their members," he said. "All too often these are not things that are either taught or stressed in the private sector, which is a shame because there is nothing particularly proprietary about any of them."
Success in cybersecurity and in the military means sharpening soft skills as much as hard skills.
"The one common denominator that I have seen be the most successful is the insatiable desire to learn," says Brad LaPorte, a security consultant who served as systems administration branch chief in the US Army Pacific Command. "Cybersecurity is technically difficult and not for the faint at heart. It requires long hours and constant diligence to keep up with the multidaily changes that occur in this field. Those [who] constantly read, write, learn, and mentor others are exponentially more successful. Anyone can learn this stuff, but it requires them to put the work in."
It isn't just the hard-nosed tactics that win battles. Almost always, adding soft skills to the mix hones the best defenses.
"The skill that I found most beneficial is the ability to think in terms of the 'big picture' but act at a lower level," says Phil Hagen, faculty fellow at SANS Institute and formerly a computer network defense analyst and IT manager with the US Air Force. "Knowing the overall strategic or tactical arc of your actions is a big part of infosec. Infosec is a huge effort, and if you try to solve it all, it's going quickly to turn into a fool's errand. Seeing the long-term goals but identifying the dozens of smaller, interim milestones has been very helpful."
Responding to conflict and always being ready to assume command also top the soft skills most in demand from ex-military personnel.
William Mendez, managing director of operations at CyZen, says all military personnel are trained as leaders, since the nature of conflict creates uncertainty around when you may land in a situation where you have to assume command.
"Personnel with military backgrounds have the skills to lead successful teams," he says. "They often gain the respect of other members through leadership traits such as empathy and motivation. They often lead by example, always mentoring and never asking anyone to do something they would not be willing to do themselves."
Every day, those who previously served their country can still stand guard. Their paths to cybersecurity careers are as varied as those of their civilian counterparts. Their dedication and sense of duty, however, remain intense.
"Employers have a cybersecurity skills gap to overcome, and they should see the military as a hugely untapped resource," says Susan Peediyakkal, infosec operations manager at NASA Ames Research Center. "Companies should consider building their own mentoring programs or partnering with organizations that have programs in place to ensure that veterans get the essential training and networking resources they need to build a successful career in cybersecurity."