Mark Ferrari is Principal and Co-Founder of Latitude Information Security, which provides information security services exclusively to the healthcare industry. He is contracted as the Chief Information Security Officer, Westchester Medical Center Health Network. Mark served in the United States Air Force as a Missile Combat Crew Commander and Flight Leader at Malmstrom Air Force Base, Montana, where he was responsible for operating the LGM-30 Minuteman II and III intercontinental ballistic missile system. He holds the PMP, CISSP, CCSFP, HCISPP credentials and served on the HITRUST Assessor Council 2018-2019.
How did you become interested in the military?
My interest in the military came from two strong role models in my life and an inner call to service. My grandfather was a Navy veteran who served in both WWI and WWII and went on to have a successful career in business. My father is an Army veteran and a very successful entrepreneur. The tradition of military service in my family was certainly an influence, and one I aspired to continue. It always seemed clear to me that at least one key element of the “formula for success” enjoyed by my father and grandfather was their time in uniform. Outside of tradition and the clear career benefits, I always felt drawn to serving. To this day I remain immensely proud that I had the honor of wearing the uniform.
Did your role in the military have any direct relationship to your current or previous roles?
Yes. Without question, being an executive at a cybersecurity consulting firm and working as the CISO of a large healthcare network is a direct result of my military role. I view a career in cybersecurity as the most direct and logical coalescing of my years spent in IT and years spent in the field of missile operations. In studying for my CISSP certification years ago, almost every concept was directly relatable to some element of the Minuteman weapon system and the physical, administrative, and/or technical controls that we lived and breathed every day and, as a result, became second nature.
What experiences while in uniform started you on the path to where you are now?
I can attribute three specific experiences directly to my path to cybersecurity. First, learning and operating the Minuteman II and Minuteman III weapon systems, second, spending time as a Missile Combat Crew Instructor, and third, eventually serving as a Flight Leader. I went into the Air Force with a business degree – a very non-technical discipline. My experience becoming an expert on the operation of a complex weapon system opened my eyes to the possibilities of a more technical career path. Understanding targeting data storage, overwriting target data, securing code components, managing communications crypto, and how launch facilities and launch control centers securely communicate are concepts that I still apply to information systems and cybersecurity today. As an instructor tasked with enhancing combat crew effectiveness, the ability to break down technical concepts into easily understood language was a key skill. In private industry, I’ve found that experience and ability to be invaluable when communicating technical and security needs to non-technical staff and vice versa. Finally, the leadership experience gained as a Flight Leader provided a foundation that enabled me to successfully lead, culminating in running a national consulting organization.
I’ll add one more item gained from the military that is directly relevant to cybersecurity: OPSEC. Every veteran understands – thanks to OPSEC – that even innocuous information in the hands of an adversary, when combined with other pieces of innocuous information, can reveal vulnerabilities or can be used to exploit vulnerabilities. This common understanding represents the type of “culture of security” that many cybersecurity leaders strive for within their organizations.
What did you do in the latter part of your service/while you were leaving the military that set you up for success?
This is a tough question – when transitioning from active duty to the civilian job market I had higher hopes for the acceptance and understanding of what skills and qualities serving in the military develops in an individual. For me, this required an openness to “re-tooling” to an extent, and realizing the parallels between a weapon system and an information technology system. Making this comparison was a critical turning point for me, and once I saw it, I enrolled in programming classes which eventually landed me my first role in Information Technology and gave me an edge into private industry. Once inside, it was much easier to allow the leadership and decision-making abilities gained in the Air Force to show through and, coupled with my programming knowledge, build a career that eventually evolved away from purely IT to logically and easily expand into cybersecurity.
Looking back—did you do anything that set you back?
I have to say the hardest part of my transition to private industry was not necessarily taking the wrong job or choosing the wrong educational program. It was difficult to translate the experience I had in nuclear weapons operations to the private sector. It took me a good couple years to look beyond my specific duties in the military and instead look at the underlying skill sets that I used performing them. For example, when I first left active duty, I was hell-bent on describing alert rates and “command of 50 nuclear weapons.” It took a while to change that to “responsible for the secure operations and continual uptime of over $20 million in system assets and supervision of a team of ten individuals.” Cracking the code on the translation of the incredible experiences that can only be found in the military into terms that will be recognized and valued by private industry took some trial and error, and time.
What are 3 challenges/experiences you’ve faced/had in your current role where you leaned on/used your military experience to help overcome?
The greatest challenge I can think of in the cybersecurity field is the management of a security incident. When an incident notification is made, like a medical emergency, the key is to stop the bleeding – to contain the incident. In this initial phase, tensions and stress levels can run very high as a breach can be disastrous for an organization. My experience in the Missile Launch Control Center (LCC) allowed me to develop a calm, methodical approach to “alarms” and an instinctive ability to continually re-assess and re-prioritize as the situation unfolds. I believe this is a common experience in almost any operational career field in the military. As the incident unfolds, the remediation of open items, establishment of action plans, and eventual summary and briefing to senior leadership all follow the playbook learned in the military.
Secondly, briefings: there was no shortage of “opportunities” in the military to hone public speaking skills. The old formula of “tell them what you’re going to tell them, tell them, and then tell them what you told them” certainly seemed tedious at the time. However, above all else, the ability to confidently speak to a varied audience, one with senior executives, clients, etc. on most any topic, and often with a short window to prepare is incredibly relevant to success in private industry. It is something for which my Air Force experience more than set me up for success.
The third challenge faced on a regular basis is decision making. It may sound simple, but veterans understand that they must prioritize and execute, because indecision is a recipe for disaster. In private industry the ability to make a command decision with the information at hand, even if it’s not optimal or popular, is a requirement for success. There is a risk of becoming mired down in “analysis paralysis” in most any initiative; the qualities I learned in the military of making a command decision and tenaciously following a plan of action have undoubtedly contributed to my success outside the military.
What sort of education and experience would a veteran need to be part of your team?
This is a great question. I always tell my staff to “be comfortable being uncomfortable.” In the field of information security/cybersecurity, the landscape is constantly changing – attack vectors evolve with alarming speed, technologies, tools, and methodologies are in a continual state of change. While I can offer some specific steps veterans can take to enter the field of cybersecurity, I’ll offer the caveat that once the first round of accomplishments is achieved, don’t stop. Chase the next evolving area. Then the next one after that. Always be a “professional learner.”
For anyone seeking entry into the field of cybersecurity, step one is to get a basic (or an advanced if possible) industry certification. Great entry-level certs to pursue are CompTIA’s Security+ certification and/or (ISC)²’s SSCP (Systems Security Certified Practitioner). I would place these higher on the list before getting a degree in cybersecurity, particularly for a veteran who may already have an undergrad degree (in anything) plus the leadership and operational experience gained in the military, regardless of the MOS. Why certifications? Some would say that certifications only show your ability to get the certification. I don’t necessarily disagree with this point, but it’s only true for those who lack the drive to gain the experience as well. On the path to gaining experience, certs a) provide something demonstrable to help a hiring manager justify choosing you, b) show that you chose to take the time to advance your skills – remember not everyone you’ll compete with will be certified, and c) validate a base level of understanding of industry topics. Networking experience and certifications carry significant credibility within the cybersecurity world as well; many cybersecurity roles are filled by pulling from network administration areas.
In terms of the types of entry-level jobs to pursue, think of SOC (Security Operations Center) or NOC (Network Operations Center) analyst roles. Also look for IT Help Desk jobs if need be – these may be the most straightforward to get and, while basic, they provide a front row seat to access control, incident detection, and general IT operations. Six months or a year of Help Desk Analyst experience coupled with a Security+ (or similar) certification and you are starting to build a competitive resume for a cybersecurity role. Additionally, you are now inside an organization that likely has cybersecurity analysts and you may be able to eventually transfer internally. Establish yourself, but then discuss your plans and desired path with your management.