Thanks to the cybersecurity skills gap, Danny Bradbury finds military veterans are serving in a different kind of role
Veterans spent their lives serving a mission of defense. Cybersecurity professionals do the same. Could employing vets be a way to fill the skills gap?
Companies struggling to find cybersecurity skills might be overlooking one of the biggest potential talent pools. According to the US Bureau of Labor Statistics, 4.3% of the US labor force were veterans in 2016. Of those people, 4.3% were unemployed. At the same time, research firm Cybersecurity Ventures claims that there will be 3.5 million unfilled jobs in cybersecurity by 2021.
Those returning from the services are usually in search of jobs. They might just have the character – and perhaps even the specific skills – that private sector cybersecurity teams need.
Lauren Burnell thinks so. Before becoming CISO at information technology and services company PCM-G, she served as a cryptologic warfare officer specializing in cyberspace operations, signals intelligence and electronic warfare. She spent time as a cyber lead at the NSA and drove the Navy’s tactical response during its first named cybersecurity operation.
“What we’re good at doing is understanding an overarching vision and executing it,” she says, describing what those in the services call the commander’s intent. They see the commander’s goal and use their own problem-solving capabilities to achieve it.
Burnell believes that teamwork is another big part of the benefit that veterans bring to the table. “We have learned that we have to completely rely on our team, and we bring that into our environment,” she says, adding that this can be a rare quality in business. “Corporations don’t always leverage and empower their teams as much as they could to get a good result.”
Companies must keep an open mind about employing veterans, says Shelly Stewart. She is the director of Paving Access to Veterans Employment (PAVE), a program created by Paralyzed Veterans of America. Now in its tenth year, the program started out as a targeted vocational rehab program for disabled veterans, but has since flowered into a broader movement to help all veterans find civilian employment.
“There are a lot of stereotypes that are portrayed in the media and movies,” she says. “We must try to debunk the myth that the general population has about individuals who are transitioning out of the military. They are not damaged goods. They are not problems in the workplace. They are able to fully contribute just like everyone else.”
Veterans transition out of the military and into civilian life for many reasons, and at many points, explains Angela Messer, executive vice-president and cyber lead at Booz-Allen Hamilton (BAH). She served as an army officer for six years before returning to a civilian role.
“There are gates at which people in the military have to make decisions about their careers,” she says. “One of those is four to six years, where you have a time in service that you’re required to do, either for university or for your enlistment.”
Those people are in their mid to late twenties. The second wave happens 10 to 12 years in, she adds, when people have reached a certain rank and are deciding whether to go the distance with a 20-year career.
There is also a smaller proportion of people transitioning later in their military careers. “It’s a different type of talent than mid to junior talent,” she explains. “There’s a lot more operational understanding.” These are planners and strategists.
“We must try to debunk the myth that the general population has about individuals who are transitioning out of the military”
A Deeper Level of Expertise
?As professionals mature in military roles, they bring another invaluable quality that is hard to match among civilian candidates: experience, says Wayne Fullerton, the senior VP of sales at PCM-G who hired Burnell. “I don’t think industry always understands the investment that the military makes in its individuals,” he adds.
Burnell’s own career illustrates the point. He spent four years studying while in the military before serving for 16 years there as a communications officer. Comparatively, in his 20 years of civilian work, he has had perhaps six weeks of training.
The armed services is a good incubator for a wide variety of technical skills, says John Yarger. He is the technical manager within the cyber workforce development directorate at Carnegie Mellon University’s CERT division, and he studied computer science at the US Naval Academy both before and after becoming a marine. While in the Marine Corp, he was a communications officer for 20 years before retiring in 2013.
“We do a lot more installing and breaking down of those networks for tactical deployment,” he says, adding that the US armed services have moved away from training in garrison environments into deploying tactical communications movements. He cites the US Navy’s Marine Corp Intranet, rolled out in 1998, as an example environment for practically training service personnel in technical skills.
“You get more broad exposure to that full stack of building the physical transport, and then building all the layers above it for the operating systems and all the other security layers that get interwoven into that,” he adds.
Some people leaving the services may not understand that the experience they have gained in the military could place them in a cybersecurity role, says Josh Keeley. He spent seven years as a UK marine before becoming a manager and cloud specialist at cybersecurity recruitment company Blackthorn Trace. “When you actually speak to them, they realize that their skills are very suitable,” he says.
Keeley finds veterans hoping for a cybersecurity career through various routes. Aside from referrals, these include the Liquid List, a job seeker’s event where people leaving the services can meet blue chip employers looking for talent.
“Our military is a high-tech military. They may not be doing code but they’re operating technical equipment”
Cybersecurity Roles for Veterans
What kind of veteran makes a good cybersecurity professional, and what civilian roles are open to them? Example positions Keeley recruits for include threat intelligence analysts, security operations center analysts and penetration testers.
These roles typically require veterans from the Army Intelligence Corps, or an equivalent combat intelligence arm of the Royal Navy or the RAF, he explains. “The technical skill set is so niche that you can’t just be one day patrolling the streets and the next day be sat in a SOC monitoring the network to ensure that there are no attacks. It’s too big a transition,” he warns.
That doesn’t mean infantry and other staff who haven’t been in intelligence or SIGINT roles can’t get into cybersecurity positions in civilian life, though. For those veterans, an interest in cybersecurity might start as a hobby. They will often do courses like CREST or CHECK to get onto the ladder, following up with their Offensive Security Certified Professional (OCSP) accreditation. Their backgrounds will then often enable them to gain a foothold in a commercial career, he says: “Being ex-military, companies will give you a chance as a junior pen tester.”
Duke Birch is an example of a veteran who came into a civilian IT role without serving in intelligence. He was in the military for 20 years as a scout, conducting reconnaissance during military missions overseas.
“If you’d told me two years ago that I was going to be associated with IT in any form I would have looked at you cross-eyed,” he says.
When Birch left the services, his brother, also a vet, asked him to join VSO Inc, a services company handling cloud migration. Birth recruits veterans for the vsquod program, which provides tier one and two support staff for clients. That team’s goal involves building up 75% of its employee base from veteran talent.
These employees begin by simply being computer adept. Birch will either point them toward industry certifications that they can get themselves, or occasionally take the most promising people without certification.
“That is a ground up arrangement. We work through the basics,” he says, adding that level one staff may have the grit that many vets bring without the enterprise IT experience. “Some of them have never heard of a remote desktop. We fill entry-level roles and it’s a progression.”
Even those who haven’t been in intelligence or cyber roles in the services still have a level of technical adeptness, explains BAH’s Angela Messer.j”
“Our military is a high-tech military. They may not be doing code but they’re operating technical equipment. We shouldn’t underestimate their ability to learn tech.”
Those in service must understand and operate a broad array of interconnected systems, from infantry upwards. This gives many of them the potential to quickly get on a cybersecurity career track, even if they don’t have the necessary industry certifications.
Even veterans who have specialized in cyber operations need those industry certifications when they transition into civilian jobs, points out Messer. Companies focusing on these employees must often invest extra time and effort in helping them get the industry qualifications they need.
BAH puts its new veterans through the Cyber Warrior Scholarship program, which it launched with (ISC)² in 2013.
“We have underwritten all the expenses associated with getting them the certification that they need, including training, text books, some mobile study materials and testing and the first year of the certification maintenance fees. It’s a jump starter for getting our veterans into a cybersecurity career.”
Cybersecurity may be just the profession for veterans hoping to reboot their careers in a civilian role – and veterans may be the missing link for companies on the search for cybersecurity employees with the aptitude and discipline to succeed. Working with specialist recruiters, veteran-friendly employers, veteran networks and industry contacts could yield valuable results for both former service people and cybersecurity managers hungry for expertise.