Welcome to The Pipeline, where we highlight members of the military community who are working in cybersecurity.
Why the Pipeline? In the military (at least from my Air Force perspective), getting into your career field/specialty is straightforward. There is a training pipeline that begins with basic training and ends with you as a fully-fledged, mission qualified member of your career field. If you stay in the pipeline and advance/pass training, you will end up in your assigned job. This could take a few weeks or many years.
Moving from the military community to the civilian job market is not as straightforward. There are ample opportunities but few clear paths, especially in cybersecurity. After all, what does cybersecurity mean? Working in a Security Operations Center (SOC)? Development? Network architecture? Which one of the literally hundreds of cybersecurity training or education programs is best? How do you learn about cybersecurity careers to truly know how to get in and what you are getting into?
Our intent is to have members of the military community tell their story, describe how they got to where they are, and how others could follow. There may not be a pipeline in the cybersecurity world, but our hope is to provide some career path clarity.
Our first profile is Dan Costantino. Dan is the Chief Information Security Officer (CISO) and Associate Chief Information Officer (CIO) at Penn Medicine. In his role, Dan oversees Information Security and IT Infrastructure programs for one of the top academic medical institutions in the United States, including six hospitals, the Perelman School of Medicine and over 40,000 employees. His experience includes co-managing multiple cybersecurity consulting practices and managing clients ranging from startups to Fortune 500 companies. He served in the United States Marine Corps from 2007 to 2012.
How did you become interested in the military?
As a young boy I idolized two men – my father and older brother. My father was a small business owner who was extremely busy and worked twelve-hour days and my brother, who is nearly twenty years older than I am, played a second father-figure role in my life. I consider myself very fortunate to have had both in my life at such a young age. These two incredible men naturally had many things in common, but the one that stood out to me was that both served in the United States Marine Corps. While neither of them encouraged me to follow the path they took through the military, both had qualities about them that couldn’t be ignored. They displayed a level of discipline, grit, drive, and confidence that I desperately wanted to experience myself. This led to my decision that I too wanted to serve my country and challenge myself to achieve the title of U.S. Marine. A title that wasn’t taken lightly in my childhood home growing up.
Did your role in the military have any direct relationship to your current or previous roles?
When I decided to join the Marine Corps, I originally requested to be a Military Police Officer. After learning there were no available spots for that role, I selected another occupation and was told the same. In hindsight, these other roles being filled may have been one of the best things that could have happened to me. I redirected my attention to a role that matched one of my greatest teenage obsessions – technology. I enlisted with a Military Occupational Specialty code (MOS) of 0651, otherwise known as a Marine Corps Cyber Network Operator. My role in the military exposed me to many of the fundamental technologies, concepts, and practices that I still draw from today.
What experiences while in uniform started you on the path to where you are now
Most of my time in the Marine Corps was spent in 3rd Battalion, 2nd Marines, an infantry battalion based out of Camp Lejeune, North Carolina. I was part of the communications platoon in support of this battalion and had the opportunity to deploy overseas on three separate occasions with them. It was during these deployments that I learned the most. How to operate under pressure, when to be strategic and when to be tactical, and how to wear “multiple hats” to do whatever it takes to support the mission. One hat I was asked to wear was cybersecurity. Our platoon implemented a wide range of technologies in some of the most active combat zones of Afghanistan. Those technologies included virtualization, switching and routing, IP-based radios, satellite communications, and more. These communications needed to be secure, and it was this challenge that intrigued me more than any other.
What did you do in the latter part of your service (while you were leaving the military/ETSing) that set you up for success?
Nearing the conclusion of my military service I was sure I wanted to pursue a career in technology and cybersecurity. The Marine Corps had equipped me with skills in five years that may have otherwise taken me decades to learn. Those skills include leadership, discipline, strategic planning, and on-the-job technology and cybersecurity training. What I didn’t understand was business, therefore I was unsure of how to apply these skills in private industry. In the latter part of my service I began taking college courses in pursuit of learning how cybersecurity concepts were applied in a business setting. At the conclusion of my service, I chose to start a career in consulting. My primary reason being that I wanted to learn about as many business models as I could in the shortest amount of time possible. That is exactly what happened, and I thank a good friend and mentor of mine, Gokhan Munuz for giving me my first real opportunity post-military. Pairing my newfound (albeit limited) knowledge of business with the experiences learned through the military set me on a path and trajectory that felt well aligned with my professional goals.
What challenges or experiences have you faced in your current role where you used your military experience to help overcome?
My military experience has helped me overcome several different challenges, both administratively and technically.
The first and most important challenge that it helped me overcome was in my pursuit of my first post-military job. After spending five years in the Marine Corps, resume writing, and interviewing were near the bottom of my list of skills. The Transition Assistance Program (TAPS) certainly helped but walking into my first interview was one of the most intimidating moments of my professional career. I believe my military experience is what helped me get through it successfully. Having previously learned in the Marine Corps how to overcome some of my greatest fears, I was able to speak clearly and confidently, maintain good posture, fight off my nerves, and listen carefully when being spoken to. I wanted that job badly and the person interviewing me could tell that not only was I committed to success but would do whatever it took to quickly fill any experience gaps I might have had.
Being a cybersecurity leader, I’ve been faced with many high stress situations, including major cybersecurity incidents that required careful coordination and response leadership. In every one of these situations I’ve drawn on my military experience in some way, knowing I had faced and overcome similar or more high impact challenges in my past.
What sort of education and experience would a veteran need to be part of your team?
The cybersecurity industry currently suffers from a lack of trained professionals to fill a growing list of open roles; however, many companies overcomplicate the path to breaking into a field so desperate for talent. It’s a confusing reality and likely leads to thousands of highly capable candidates selecting a different career path each year. I’ve said for years that the three primary qualities I look for in a young cybersecurity candidate are drive, a high level of curiosity, and critical thinking. None of those qualities have anything to do with firewalls, experience using Kali Linux, or threat hunting. Those kinds of skills can be learned and applied rather quickly by someone with the right level of passion and perseverance. That said, you will only increase your chances of breaking into the cybersecurity industry if you build a strong technical and business foundation on top of the three qualities mentioned above.
Invest time in learning the foundational elements of technology, such as server administration, computer networking, and basic programming before moving onto security-related topics, such as encryption, risk management, network segmentation, and more. Next, learn about the basics of what makes a business run. There are many leaders who unfortunately would have you believe this is some mad science – it’s not. There is a bottom line (or several) in every business. Learn what they are and begin working backwards. How does each business unit support the bottom line and what kind of basic workflows and technologies does it take to do it well? Maybe it’s a high amount of external information sharing, or perhaps that business unit leverages cloud-based software to process sensitive information. Spend time understanding these practices before attempting to design security safeguards to protect them. In order to be effective, you need to understand how to operate before you can defend. Understanding the core concepts of technology and business will position you for success in nearly any industry vertical.
Apply for entry-level roles and try to avoid the programs that will severely narrow your security discipline and exposure. You want to drink from a firehose early on and identify a mentor that is willing to invest time in your success. Don’t be discouraged if a few programs turn you away. For every cybersecurity program that overcomplicates the skills needed to be successful, there are at least two that are willing to invest time in a candidate with the right mindset and motivation.