Hacked Opinions: Veterans who transitioned into InfoSec
CSO recently questioned six veterans who are all active members of the InfoSec community. The aim of this standalone Hacked Opinions post was to focus on how they transitioned into InfoSec from their military careers, and what advice they'd offer to those looking to follow a similar path.
At the same time, that they were able to move from military careers into their existing jobs is a story in and of itself.
There's a troubling reality that veterans face, not everyone who leaves military service can immediately find a job in a related field. Some can't find work at all.
The good news is that the situation is improving, gradually, according to the latest Bureau of Labor Statistics figures and calculations made by Syracuse University for publication in the October 2015 revision of the Employment Situation for Veterans report.
"Overall, the unemployment rates for all veterans show a gradual improvement (decrease) since 2010, though they remain higher than their non-veteran counterparts. Veterans aged 24 or younger have experienced the highest unemployment, however, this difference has decreased steadily over five years and shows recent signs of convergence with the unemployment rate of veterans 25 years and older," the report explains.
At yet, most polls taken on the topic show that hiring veterans is smart business, as veterans tend to perform better and have lower turnover when compared to the larger workforce.
But the biggest roadblocks are attracting high-quality veterans to open positions, translating military experience into civilian career paths, and transitioning them into the workforce.
Not every job in the military translates into a perfect fit in IT/InfoSec. However, that doesn’t mean the talent pool should be ignored or forgotten.
CSO would like to thank Travis Greene, Mike Orosz, Jeff Schilling, Lewis Kim, Tom Gorup, and Rick Howard for taking the time to speak with us. Their comments can be found on the following pages.
How did you transition from your military career to your current role in InfoSec Was it a natural fit, or did you have to make adjustments
Travis Greene, Identity Solutions Strategist at NetIQ (TG): I imagine my path was similar to many others. I was fortunate to find an employer willing to give me an opportunity, even when my experience and skill set was not an obvious fit.
While I had a computer science degree from the U.S. Naval Academy, I was six-years removed from it and much of the military tech I had been using wasn’t relevant to the civilian market.
There were definitely adjustments to be made, but perhaps not the ones we stereo typically think of. When I first transitioned, I was amazed at how little work actually gets done at “work”. I had to adjust to the much slower cadence of task accomplishment that is expected in the civilian workplace, where relationship building is far more important than it is in the military. What advice would you give to service members who are interested in InfoSec
TG: The interesting thing is that there is a lack of InfoSec talent in the business world.
ISACA’s global survey, The State of Cybersecurity: Implications for 2015, noted that,
The military is actually leading in many InfoSec areas, making those with experience there highly marketable. But even without direct experience in InfoSec, skills such as attention to detail, time management and prioritization, and tenacity are needed in this space. Learn as much as you can before transitioning by reading industry web sites, and understand the role that regulations play in prioritizing the security budget.
Are there any particular strengths that you feel veterans bring to the InfoSec market
TG: Some may assume that those with past military experience are too rigid, looking to follow process to the letter without the flexibility to adjust.
Yet my experience is that the biggest benefit I brought to that first employer was an ability to adapt, learn quickly and have the tenacity to accomplish the “mission”. That meant adjustments and results came quickly, even though it took some investment on the part of my managers to teach me the business.
Anything else you would like to add
TG: For employers, there is a distinct advantage to hiring straight out of the military, even when skills and experience aren’t a perfect match for what you’re looking for – veterans are eager to learn, acquire skills rapidly and will fit your approach with minimal coaching.
How did you transition from your military career to your current role in InfoSec
Mike Orosz, Manager, Threat and Investigative Services, Citrix (MO): I transitioned from uniform to working side-by-side in civilian clothes so my initial transition wasn’t all that difficult.
My transition to Citrix began during interview process, Citrix CSO – Stan Black – and I discussed converged security. During several 1–2 hour conversations we iterated over a concept of how I could specifically pivot my military security skills to benefit his security program.
Was it a natural fit, or did you have to make adjustments
MO: My transition to Citrix life can best be encapsulated as a culture shift.
Working in the military environment was completely structured and roles were limited at times by rank and grade. This is not at all the case with Citrix. Every employee is valued for their unique skills and contributions; those who set out to make positive change are well-received and rewarded. Since joining Citrix, I’ve found myself working across all lines of business, interacting with the most junior to senior executives.
What advice would you give to service members who are interested in InfoSec
MO: Follow this 3-part skill translation process:
Basically my advice is to identify which company or region you’d like to be in and laser focus your unique skills against the urgent needs of your dream employer!
Are there any particular strengths that you feel veterans bring to the InfoSec market
MO: Veterans bring the wealth of U.S. Military and DoD analytical techniques.
I always liken private sector InfoSec problems to an episode of the TV series, “South Park.” The premise of the “Simpsons Already Did It” episode was whatever you are trying to do has already been done by the cast of “The Simpsons.”
So, just as the “Simpsons Already Did It,” so has the military. As a matter of fact, the military has not only done InfoSec, it’s developed structured analytical techniques to take seemingly disparate information, analyzed it, determined root cause and probable tactical / strategic outcomes.
Veterans bring structured analytical techniques which can be swiftly implemented for quick wins and as InfoSec capability multipliers.
Anything else you would like to add
MO: My last note to veterans is to recognize companies are embattled in a never-ending InfoSec war. Bring your military talents to the table and apply them like it’s a day-by-day fight for survival… success will follow.
How did you transition from your military career to your current role in InfoSec
Jeff Schilling, CSO, Armor (JS): I was doing cybersecurity in my role as the Chief of Current Operations with Army Cyber Command.
So for me, it was about orienting myself on the cyber threat to civilian industry which is markedly different than the threats I encountered in the DoD.
I feel fortunate to have had the opportunity to have run a civilian incident response team for 18 months that gave me a great perspective on threat actors for over 300 different companies.
Was it a natural fit, or did you have to make adjustments
JS: Cybersecurity is not much different than the security operations we do as soldiers in our current conflicts in the Middle East.
That is one of the great experiences that soldiers bring to InfoSec, experience in managing security operations. The technology is easy to teach, leadership skills and an operational mindset are hard to find in the security field.
What advice would you give to service members who are interested in InfoSec
JS: Make cybersecurity your hobby, learn how the technology works. That will be your gap in knowledge when you join the civilian workforce. Set up your own computer lab in your house or in the public cloud and learn how a firewall, IDS/IPS works.
Are there any particular strengths that you feel veterans bring to the InfoSec market
JS: Operational experience and leadership.
Those are the two biggest gaps I find in the market today that veterans can fill. Most folks in InfoSec want to be the “talent” and individual contributors. Former military folks naturally gravitate to leadership roles and thrive.
Anything else you would like to add
JS: Don’t expect to get a job in InfoSec just because you are a veteran.
Like most fields, there is a barrier of entry that requires you to have a base of knowledge that will make you a value add to the team. Make cybersecurity your hobby, get hands on experience through volunteering and through social clubs who do weekend “capture the flag” competitions.
Tinker in your own cybersecurity lab and learn how the technology works.Get certifications that are relevant to the career path you want to go.
In most cases, you can use your GI Bill to pay for those classes and certifications.
How did you transition from your military career to your current role in InfoSec Was it a natural fit, or did you have to make adjustments
Lewis Kim, DAST Manager, Threat Research Center, WhiteHat Security (LK): As a reservist, the transition process was relatively seamless.
As many vets have mentioned before, you need to change your mindset and expectations within the civilian sector. The military has a very efficient way of running but that’s mainly due to the strict rules and regulations that we adhere to. The civilian workplace usually has a lax environment which can be challenging to deal with if you are use to getting things done in a military fashion.
What advice would you give to service members who are interested in InfoSec
LK: Take the initiative and start researching on your own first. If you keep yourself informed with the current trends, the vernacular, and general fundamentals of InfoSec, the more appealing you will be to potential employers and networkers.
Are there any particular strengths that you feel veterans bring to the InfoSec market
LK: The discipline and work ethic are honestly some of the most important strengths you receive in the military that work in any industry. Improvising and thinking outside the box is also a highly-valued skill in the InfoSec market.
Anything else you would like to add
LK: Though the hiring market may seem intimidating, requiring potential candidates to meet strict skill sets and experience, don’t be deterred.
There are many emerging companies that are willing to train, and build future InfoSec professionals. I came from a non-technical background, without any prior InfoSec experience. I have been with my company for over 5 years now and am still loving it.
How did you transition from your military career to your current role in InfoSec Was it a natural fit, or did you have to make adjustments
Tom Gorup, Security Operations Manager, Rook Security (TG): I served in the Infantry which, I think, made it an easier transition.
There were obvious technical aspects which needed to be hit heavy, but the overall concepts carried over quite well. There are a number of times which I have found military TTP’s apply quite well. For example, OCOKA (Observation of Field of Fire, Cover and Concealment, Key Terrain, and Avenues of Approach), whether you are setting up a battle position or securing your network, these 5 categories can be applied.
Sense of urgency also maps over quite well. The IT and security industry are moving at lightning speed. You need to be dedicated and extremely motivated to keep up, but you also need to have the understanding that time is always of the essence. Lingering security issues pose as great threats and must be addressed in a timely manner.
What advice would you give to service members who are interested in InfoSec
TG: Don’t be overwhelmed by the technical side, all of that will come in time. Accept the fact early on that you will not know everything about InfoSec.
You will constantly find technology, attacks, and protocols that will keep you guessing, but also make you a more seasoned InfoSec professional. Stay focused and continue to apply yourself. All the pieces will fall into place in due time.
Are there any particular strengths that you feel veterans bring to the InfoSec market
TG: LDRSHIP (Loyalty, Duty, Respect, Selfless Service, Honor, Integrity, and Personal Courage).
Soldiers are drilled from the beginning to instill these values. I feel these are the most valuable attributes of any good soldier, employee, or person.
Not only this, but the willingness to do whatever it takes to meet the objective. “It’s too hard” or “that’s impossible” are not responses often, if ever, heard from soldiers.
How did you transition from your military career to your current role in InfoSec Was it a natural fit, or did you have to make adjustments
Rick Howard, CSO, Palo Alto Networks (RH): I was already in InfoSec when I was in the military. I had the technical skill sets. What I did not have was an understanding of business and business culture.
I knew coming out of the military after 23 years that I would have to adjust to a civilian setting and I consciously tried to do that.
But my first couple of performance ratings after I retired from the military had a lot of phrases like this in them: “Comes off as too stern,” “Employees are afraid to speak their minds when he is around,” and “Too direct in his taskings.” Like I said, I tried hard not to do those things but it took me a while to find the right tone in a commercial environment.
What advice would you give to service members who are interested in InfoSec
RH: When many military people retire, they seek jobs with Defense Industrial Base companies like Northrup Grumman, General Dynamics, etc. There is nothing wrong with that. Those are good companies and the people there do good work in supporting our government and the military.
The leadership structure in these companies is very similar to the military structure -- very hierarchical — and there are a lot of retired military people working there. For many retired military, this is a comfortable place to be when they hang up their uniform for the last time. Some use this as a stepping stone to transition to a pure commercial job later in their civilian careers. Pure in this case means that the company’s primary customer is not a government. Other retired military stay and have productive and engaging careers in this Defense Industrial Base space.
I did not do either of those. My first job after I retired from the military was with a commercial security firm that had no ties to any government. I threw myself into the deep and cold waters of the pure commercial pond. I am not saying my way is better but it did force me to learn about the commercial space a lot faster than I would have going through some transitional period. On the other hand, I did rub a few “pure” civilians the wrong way as I stumbled my way through the experiences.
Are there any particular strengths that you feel veterans bring to the InfoSec market
RH: A common theme between the military community and InfoSec community is that there is an adversary that can and must be stopped; an adversary that we must prevent from being successful. That idea binds the two communities together.
Anything else you would like to add
RH: Hiring a veteran is a smart thing to do regardless if you are an InfoSec firm or not.
This is not true for all veterans for sure, but generally you can expect a high work ethic, a can-do spirit and a desire to do the right thing. This is not to say that you cannot find those things when you hire non-military people. You can. Most of the non-military people I have worked with in my career have these qualities in spades but generally, they acquired those traits on their own through family and past experiences.
Veterans did all of those things too, but also went through the added crucible of the military where leaders ingrained those traits into them as part of the larger culture. How can you not want that kind of employee in your organization
And, just as an aside, it is the right thing to do. These men and women have laid their lives on the line so that the rest of us can sleep in peace. Now that they have finished their watch, the least we can do is give them a hand as they transition.