Veterans are Both Uniquely Qualified and Completely Unprepared for Civilian Cybersecurity Careers
An interview with Joe Krull, Director of the Denim Group in San Antonio.
What is Cybersecurity?
I hate the term cybersecurity. The term was first used, I think I read somewhere, in 1994. It was used by someone who was trying to make the term broader than it was. I will never use the term cybersecurity unless I am in the presence of a government official or someone affiliated with the government. We don’t call this cyber on the commercial side. Although there are some executives that are drinking the Kool-Aid, I am not sure they understand what it means. The basic definition is the methods, the technologies, the people and the processes that we use to defend computers and networks. That is the generic description of it.
What makes this cyber? I think someone was clever and they probably piggy-backed off of some government pronouncement or something Al Gore wrote. It’s Information Security, nothing more. It is the same thing I have been doing since 1975.
I will tell you something that is missing from the definition all over the place is that we are always talking about defense; we aren’t talking about offense. If you want to boil this down to where it belongs it also includes the people that are doing the attacks for good. We have to assume that we have folks in our agencies that go out and do the same kind of attacking to the attackers that they do to us. But you never see the word offense anywhere in the definition of cybersecurity. It is my feeling over time, as we get further and further behind our adversaries, you may see the day when lawyers throw up their hands and say, “Okay we get it now. Start doing active measures against the people attacking you.” They don’t today, but I can see the day when they do.
Many companies don’t realize that they also need to engage their employees in their overall security picture. Most of my time now is working with a lot of Fortune 500 companies and major brands. I find that until you run a simulated phishing and telephone social engineering attack, you don’t know what you have. When we do an exercise like that and we present the results to the management, it is pretty eye-opening. That is what starts the conversation around the fact that all it takes is one person doing something they shouldn’t do that draws down the entire company’s defenses. Unfortunately, the click-through rates for these simulated emails continue to be extremely high.
I have been in information security for 40 years. The first 20 was with the federal government working in the intelligence community. When I came out of the government I had a bit of a struggle making the transition over to the civilian world, but I figured out how to do it and within a couple of years I found myself as a senior security executive for Philips in Europe.
I was very lucky because a lot of doors opened for me. But I have interviewed hundreds of veterans since that experience and I have been unsuccessful in finding the right people coming out of government service that can readily adapt themselves to a commercial role. This has been very frustrating for me. In my last three roles we have hired very few veterans and I can tell you the root causes as to why. This is based on literally hundreds of interviews with veterans for Accenture, PwC, Denim Group and my own company after I left Philips.
Specialization. In the military we specialize. We put someone behind a console and put them into a role. They become a consummate professional on one little piece of a broad area of cybersecurity. So when they move into the commercial world where they need utility fielders, if you will, people who can do lots of different skills around security, they can’t adapt. Unfortunately the veterans are one-trick ponies and they don’t really offer what the organizations need. Only the very large organizations where they have teams of hundreds of security professionals have the liberty and flexibility to say, “Okay, I just need a firewall jockey,” or “I just need someone who manages the intrusion detection capability.”
So we see the resumes for almost everyone who comes out of Security Hill and we interview quite a number. Time after time, they know one thing and one thing only. Based on this we have only hired a couple of veterans and the ones that we have hired have such gaps in their knowledge that it makes it very difficult for them to first be a consultant and second to understand that budgets are not unlimited, that commercial organizations have finite funding and they have to work within a budget. It is really frustrating for them.
In fact a few years ago we did a security assessment for a financial services company. They had a veteran who had taken over the role of their security manager and he was still trying to run the commercial enterprise as a government organization. Necessarily the organization said to him you do not quite understand what we do as a business and we think you should move on.
So this is my frustration right up front. Overspecialization is the number one, and number two is that we see people are very comfortable in the military. After they have completed their training and gone on a few assignments they get with the flow, they know what to say, what not to say, how to comport themselves but they are not really good about standing up and saying, “Hey boss that is not a very good idea.”
They are much more passive, much more reserved and more cooperating. But sometimes in information security you have to call the baby ugly. This is another thing that limits our veterans. They need to be able to think independently and be able to voice their concerns and understand that they need to sometimes take the blowback associated with that.
And the last thing: our military professionals talk a different language, and this is regardless of whether they are in security or a heavy machinery operator. They speak in acronyms, jargon and terms that business professionals just don’t get, which alienates them. It is even more pronounced in security than anywhere else.
Do Veterans Have Unique Qualifications for Careers in Cybersecurity?
Veterans do possess experience that uniquely qualifies them for careers in security because they have been exposed to real world threats and they have been exposed in many cases to advanced technology. Commercial organizations are hungry for that kind of expertise. So in this respect, veterans are very qualified.
What Do You Recommend for Veterans Considering a Cybersecurity Career?
Veterans need to be able to think wide and broad and become a security generalist because that is what the world needs today. Learn how to talk more business and less military jargon.
It is imperative that they get certified in at least one area of security as that is just the ticket today to enter into the market.
This entry was posted on Monday, March 16, 2015 8:14 am