AV is an anonymous veteran (hence AV) who worked in the information technology and intelligence fields during their enlisted time in the US Air Force. They now work in the information security field working with the Federal Government.
How did you become interested in the military?
I studied a strategic foreign language and the corresponding region while in college and wanted to put my skill set to use in a way that protected our national security.
Did your role in the military have any direct relationship to your current or previous roles?
Some of what I worked on did have a direct relationship to the work I do now. However, for the most part, I’d say the relationship was loose or indirect. My formal military job specialty code did not reflect my day-to-day duties. I worked in a communications squadron that did primarily IT work, but, due to my language and regional background, I was utilized in multiple operational settings. As is typical in the military, the exact position or role I had rotated on a regular basis, and there was little opportunity to deep dive or specialize in anything for more than a few weeks or months.
What experiences while in uniform started you on the path to where you are now?
It became clear to me that superiority of the cyber domain was pivotal to the relationship between the United States and the region I specialize in. Continued study of the cyber domain through various training opportunities, coupled with an immense amount of self-study, led to my interest in this branch of information security.
What did you do in the latter part of your service/while you were leaving the military that set you up for success?
I started my job hunt 12 months out. I cannot recommend this strongly enough. You will likely not be given an actual piece of paper with a job offer and a start date until you are 1-2 months from separating but delaying your job search until that time frame is a well-advertised mistake – especially in information security. The use of job codes in the military, especially in cyber career fields, creates a false sense of uniformity; that the information security field can be chunked together out of five or ten different job titles. This couldn’t be farther from the truth–there is no way to adequately understand the depth of the field until you are working in it.
My best advice to anyone looking to transition into this field – including those who are doing so from existing cyber roles – is to get your resume in order as soon as possible, join professional networks (LinkedIn, ClearedJobs, ClearanceJobs, USAJobs, etc), engage with organizations like VeteranSec/VetSec, and figure out what you are interested in and what you are qualified for. I also strongly believe that you should be studying new things while they are interviewing for roles. Study means a lot—and it does not have to match the exact role you’re interviewing for. Just be ready to show your interviewers that you are constantly curious and learning–there isn’t much room in the information security field for people who are not.
Looking back—did you do anything that set you back
I can’t stress this enough: learning to automate security processes through a scripting language (Python, PowerShell, Ruby, etc.) will set you leagues apart from any of your information security peers that are unable to do so. I did not spend a lot of time learning to program during my self-study time while I was in the Air Force, and I really wish I had. Here’s why: In the military, your mission may involve one or many moving parts, but the information security field is much more vast than that. On an enterprise level, defensive information security professionals researching a particular threat actor or attack campaign often need to work with thousands of different URLs, IP addresses, domain names, hashes, and other kinds of artifacts. Even penetration testers can only get by with automated tools for so long and will eventually need to learn to build their own automated attack solutions. Other job positions have their own version of this, but the principle exists all the same. It does not take a four-year degree to learn how to do this, it takes midnight oil and an unwavering application of elbow grease. But it is completely worthwhile and will serve you well virtually no matter what you do.
A few more things I’d like to mention, because this is the most important question–I could honestly fill up an entire article with thoughts and ideas:
On two occasions, I almost pursued certifications that I later found out were entirely worthless for securing employment. The entire certification industry is highly overrated – maybe even a scam – and out of hundreds of certification options, there are probably ten that will contribute anything to finding employment in an information security position somewhere down the line.
Degree programs are similar in this regard. Information Security is an intrinsically specialized subject. I wouldn’t recommend pursuing it as a bachelor’s degree. Masters/advanced academic degree programs are a little different as they are typically much more specialized and allow for more flexibility of what you’re studying. I would strongly recommend going into any ‘Cybersecurity’ graduate program with a strong understanding of what you’re looking to focus on – whether that be a technique, technology, threat actor, policy, framework, or anything of the like.
Lastly, I would strongly, strongly advise against boot camps that promise to ramp you up towards any kind of certification. The VA’s recently unveiled VET-TEC program is great if you’re looking to get into Data Science or Web Application Development, but any kind of ‘boot camp’ that is pushing you towards a certification is likely a money mill looking to rob you of your educational benefits and I strongly advise against going into one.
What are 3 challenges/experiences you’ve faced/had in your current role where you leaned on/used your military experience to help overcome?
I actually want to hijack your question and recommend to your readers that they specifically do not rely on nor overutilize their military experience to overcome situations they face in the information security world. This isn’t a criticism of the military – it’s just that within each branch of service, there are very rigid structures that define work culture, progression throughout your career field, innovation efforts, projects, etc.
Information security has its own set of structures, but they are far, far less rigid. The threat landscape is so broad, diverse, and imminent that there are very few information security ‘rockstars’ and a whole lot more of ‘the right person for the right time’. That’s what you’re trying to be – ‘the right person for the right time’. Being able to do and understand one or two things very well and being open to leveraging them in different contexts is much more important than being diverse in each end of the team.
So with that, if you would allow, here is the inverse answer to your question – three challenges/experiences I faced/had in the military that I would handle differently in my current role.
Not a problem-go ahead!
- In the military, my skill set only mattered as it pertained to my job code. If I was great at solving [Problem X] but my job code and immediate office was solving [Problem Y], then it would take me months or even years of jumping through hoops and networking with the right people to find myself in a [Problem X] situation, and I couldn’t ever stay there indefinitely because it wasn’t in my job code. That’s how manpower documents work. Womp, womp. That’s frustrating. In the information security field, we need skills. Hard, technical skills. If there are ten people in a room and one of them is a proficient reverse engineer, then when the opportunity comes to reverse engineer something, it doesn’t matter if that person’s job title is ‘Threat Intelligence Analyst’, ‘Network Engineer’ or ‘Incident Responder’. I am not a job code anymore. I am a professional with a set of ever-developing and expanding skills.
- In the military, your awards and decorations were indicative of very major accomplishments. This may be one reason why military members are so vulnerable to the certification industry – we often feel the need to have some stamp of approval to show that something happened, or that we are capable of it. That’s not how it works in information security. A good certification is a measure of knowledge – it shows that you can understand a subject well enough at a base level to learn more about it, and perhaps even to apply that research to an active offense/defense operation. It is worthwhile specifically because having a strong base understanding of a subject is necessary to apply it to the ever-evolving threat landscape that you will be facing day in and day out. But don’t ever, ever think that an award or certification is a measurement of superiority over anyone else. You leave that system the moment that you leave the military.
- In the military, there is a large attachment to organization, from your branch of service all the way down to your individual offices. Insignias and slogans are markers of pride, and military culture largely relies on these to forge identity. The information security field is void of this, and over-attachment to your organization will do you more harm than good in many positions. Consider that I’m tracking a specific threat actor who is exploiting VPN services. If I want to be as efficient as possible, I’ll network with other security professionals from other companies and organizations who are tracking the same threat. I’ll share information with them – on a ‘need to know’ basis – so that we can pool our combined knowledge and defeat the threat from multiple angles. If we don’t do this, the threat actor wins. It’s as simple as that.
What sort of education and experience would a veteran need to be part of your team?
I came into the information security field with a background in a very specific strategic language and region. I can’t emphasize how important that was to my success, and it took me years to attain such a level of proficiency in that language that it was worthwhile for anyone to hire me on the basis of it. That worked for me, but it isn’t very easy to plan, especially because people aspiring to be in information security typically don’t have a lot of time to be immersing themselves in foreign languages. If you know a strategic language, you can be taught security concepts much easier than security professionals can be taught advanced language proficiency.
That being said, everyone vaguely interested in this field has been told to go look into help desk, systems administration, and networking roles, so here are a few other fields I’d recommend you look into if you want to be an information security professional that doesn’t follow the standard order of things.
- Data Science / Machine Learning
- Software Engineering / Development
- Mobile Application Development (iOS/Android)
- Web Application Development
Cyber.Media has also created a series highlighting members of the military community who are working in cybersecurity. To read more about moving from the military community to the civilian job market, visit:
Veteran Security (VetSec) – An organization and online community for training, networking, and advice
The Pipeline: Dan Costantino (CISO/CIO and United States Marine Corps Veteran)
The Pipeline: Mark Ferrari (Entrepreneur, CISO, and United States Air Force Veteran)