
Veterans are Both Uniquely Qualified and Completely Unprepared for Civilian Cybersecurity Careers

Posted by Kathleen Smith

An interview with Joe Krull, Director of the Denim Group in San Antonio.

What is Cybersecurity

I hate the term cybersecurity. The term was first used I think I read somewhere in 1994. It was used by someone who was trying to make the term broader than it was. I will never use the term cybersecurity unless I am in the presence of a government official or someone affiliated with the government. We don’t call this cyber on the commercial side. Although there are some executives that are drinking the Kool-Aid, I am not sure they understand what it means. The basic definition is the methods, the technologies, the people and the processes that we use to defend computers and networks. That is the generic description of it.

What makes this cyber? I think someone was clever and they probably piggy-backed off of some government pronouncement or something Al Gore wrote. It’s Information Security nothing more. It is the same thing I have been doing since 1975.

I will tell you something that is missing from the definition all over the place is that we are always talking about defense; we aren’t talking about offense. If you want to boil this down to where it belongs it also includes the people that are doing the attacks for good. We have to assume that we have folks in our agencies that go out and do the same kind of attacking to the attackers that they do to us. But you never see the word offense anywhere in the definition of cybersecurity. It is my feeling over time, as we get further and further behind our adversaries, you may see the day when lawyers throw up their hands and say, “Okay we get it now. Start doing active measures against the people attacking you.” They don’t today, but I can see the day when they do.

Many companies don’t realize that they also need to engage their employees in their overall security picture. Most of my time now is working with a lot of Fortune 500 companies and major brands. I find that until you run a simulated phishing and telephone social engineering attack, you don’t know what you have. When we do an exercise like that and we present the results to the management it is pretty eye opening. That is what starts the conversation around the fact that all it takes is one person doing something they shouldn’t do that draws down the entire company’s defenses. Unfortunately the click-through rates for these simulated emails continue to be extremely high.

Do Veterans Do Well in Cybersecurity

I have been in information security for 40 years. The first 20 was with the federal government working in the intelligence community. When I came out of the government I had a bit of a struggle making the transition over to the civilian world but I figured out how to do it and within a couple of years I found myself as a senior security executive for Philips in Europe.

I was very lucky because a lot of doors opened for me. But I have interviewed hundreds of veterans since that experience and I have been unsuccessful in finding the right people coming out of government service that can readily adapt themselves to a commercial role. This has been very frustrating for me. In my last three roles we have hired very few veterans and I can tell you the root causes as to why. This is based on literally hundreds of interviews with veterans for Accenture, PwC, Denim Group and my own company after I left Philips.

Specialization. In the military we specialize. We put someone behind a console and put them into a role. They become a consummate professional on one little piece of a broad area of cybersecurity. So when they move into the commercial world where they need utility fielders if you will, people who can do lots of different skills around security, they can’t adapt. Unfortunately the veterans are one trick ponies and they don’t really offer what the organizations need. Only the very large organizations where they have teams of hundreds of security professionals have the liberty and flexibility to say okay I just need a firewall jockey or I just need someone who manages the intrusion detection capability.

So we see the resumes for almost everyone who comes out of Security Hill and we interview quite a number. Time after time, they know one thing and one thing only. Based on this we have only hired a couple of veterans and the ones that we have hired have such gaps in their knowledge that it makes it very difficult for them to first be a consultant and second to understand that budgets are not unlimited, that commercial organizations have finite funding and they have to work within a budget. It is really frustrating for them.

In fact a few years ago we did a security assessment for a financial services company. They had a veteran who had taken over the role of their security manager and he was still trying to run the commercial enterprise as a government organization. Necessarily the organization said to him you do not quite understand what we do as a business and we think you should move on.

So this is my frustration right up front. Overspecialization is the number one, and number two is that we see people are very comfortable in the military. After they have completed their training and gone on a few assignments they get with the flow, they know what to say, what not to say, how to comport themselves but they are not really good about standing up and saying, “Hey boss that is not a very good idea.”

They are much more passive, much more reserved and more cooperating. But sometimes in information security you have to call the baby ugly. This is another thing that limits our veterans. They need to be able to think independently and be able to voice their concerns and understand that they need to sometimes take the blowback associated with that.

And the last thing: our military professionals talk a different language, and this is regardless of whether they are in security or a heavy machinery operator. They speak in acronyms, jargon and terms that business professionals just don’t get, which alienates them. It is even more pronounced in security than anywhere else.


Do Veterans Have Unique Qualifications for Careers in Cybersecurity

Veterans do possess experience that uniquely qualifies them for careers in security because they have been exposed to real world threats and they have been exposed in many cases to advanced technology. Commercial organizations are hungry for that kind of expertise. So in this respect, veterans are very qualified.

What Do You Recommend for Veterans Considering a Cybersecurity Career

Veterans need to be able to think wide and broad and become a security generalist because that is what the world needs today. Learn how to talk more business and less military jargon.

It is imperative that they get certified in at least one area of security as that is just the ticket today to enter into the market.

 

This entry was posted on Monday, March 16, 2015 8:14 am

7 thoughts on “Veterans are Both Uniquely Qualified and Completely Unprepared for Civilian Cybersecurity Careers”

  1. Security generalists are not what businesses are looking for, they want specialists in the different Common Body of Knowledge (CBK) areas. You have to specialize in the InfoSec field, it is only after someone like yourself with 40+ years of experience can honestly say they are a jack of all trades so-to-speak. Veterans have a distinct advantage over non-vets because they have proven they are trainable, punctual, disciplined, can take orders, hardworking, and able to accomplish goal-oriented projects. Many veterans also exit active duty with active government clearances, thereby saving companies thousands of dollars on expensive background checks. Failing to adapt is an individual trait, not a general stereotype of military veterans. Many are more than capable of adapting as long as they are given a chance and “properly” motivated to do so. Private sector employers have these high expectations of any new employee (veteran or not), they want experience which many people just plain don’t have. It is unrealistic to expect career crossovers like many leaving the military with fresh college degrees in Information Security/Cybersecurity to already possess 1-3 years of experience for an “entry-level” job. Please, employers need to be more realistic…

  2. As a military ‘cyber veteran’, I completely agree with Mr. Krull’s sentiments. Appreciative of the suggestions to mitigate the veteran employment vulnerabilities. 😉

  3. Joe,

    Thank you for your opinion. It is refreshing to see someone really hit the nail on the head as to why civilian employers’ biases are reinforced by people who were once part of the federal system. “Those guys are inflexible, but not me!” You said yourself in your post that you had difficulty adjusting when you transitioned (a pejorative term) from the intelligence community but you also did so during a period where change was still occurring at “ye-old” pace.

    If people are over specialized, fine. However, I can hardly see how this is encouraging to people. You mentioned simulated phishing attacks or the like on your customers. Fortunately, we haven’t trained our military to attack English-speaking countries for quite some time but this concept would make a great deal of sense, even seem like child’s play. “No translators? Just gullible people who are trying to please customers? Awesome.”

    It is admirable that you have been engaged in information security since 1975. You’ve had nearly four decades to change and adapt with your industry. Why is it that you were able to navigate these troubled waters but you seem convinced that all but a handful of veterans aren’t worth the trouble to give a second look?

    If these professionals speak a different language, give them feedback about the interview (no pity hiring, please). Do you listen to podcasts about your industry? What’s your secret sauce? People can learn to quack like a duck – they did it for our country. Once you’ve left the information security community, your blog post will not endure; recognizing talent and guiding an enthusiastic person to hidden open doors will.

    Brian Cox

  4. It sounds like the supervisors and managers of our military cybersecurity forces need to do a better job getting their troops broader experience within their field so they are ready to see the big picture — how the different pieces fit together — whether they stay in or get out.

  5. I understand Joe’s point of view about “…almost everyone who comes out of Security Hill…” I was stationed in San Antonio and I know the career fields he is referring to but Joe has to understand the Air Force is a highly specialized branch. However not all career fields are like those coming out of Security Hill. I recently retired from the Air Force and I was a cop. I have had literally a dozen different additional duties that were outside my career field such as information security manager, small computer help desk technician, and contracting representative to name a few. Recently I successfully transitioned into the IT world and I agree with Joe concerning certifications. I am currently working on my CompTIA A+, Net+ and MCP certifications. It would have been nice if I could have earned the certifications while on active duty. I might not have been working two minimum wage, part-time jobs trying to make ends meet for six months after retiring.

  6. All I read is that he doesn’t value veterans and doesn’t want to hire any, regardless of his throw away statement at the end. We are specialists by trade. We learn it after formal training and as you get up in rank, you get farther away from the main portions of your job. You’ll never know everything about a career field. It takes a good company to work through a limitation and give that person an opportunity to shine.

  7. So, if I read this right, I am too specific, dependent, can’t adapt, and too stupid to figure out what a budget is or that there is a difference between Business and Government.

    I also somehow have created my own cyber-military jargon despite the fact that cyber is mostly a COTS game and the military have inherited the terms like PKI, FISMA and the like from the larger civilian culture.

    To top it off, I am too much of a wimp to speak up and stand up for myself.

    This is the most offensive series of cliches about veterans I think I have ever read. Don’t come knocking on my door for a consulting gig, pal.

    Randy Carlson, CISSP-ISSEP, PMP, MBA, MS
