CISOs struggling to fill their vacancies should take a closer look at the opportunities afforded by military veterans
While the cyber skills gap is not a new problem, it is persistent. CISOs are forced to be determined and imaginative in their approach to finding and recruiting new cybersecurity talent, and it is very hard. But there is a skills resource that remains largely underutilized: the military veteran.
This is the view of Jordan Mauriello, CSO at MDR firm Critical Start, and his CEO Rob Davis. Both are vets – and around 30% of the staff at Critical Start are also vets. “Being vets ourselves,” Mauriello told SecurityWeek, “doesn’t simply give us a greater proclivity to employ vets, it gives us an understanding of the value that a lot of vets can bring to cyber.”
He is critical of much of the current system of cyber training. “A lot of the universities and training organizations are deficient in providing the skills, and especially the real-world experience, that makes the difference between a security technician and a security theorist.” He believes both skills and experience can be found among the ranks of vets.
The military lifestyle
The military’s involvement with information technology and information warfare dates to before the internet, so it has acquired a lot of knowledge and skills over the years. Military roles are defined – for the army – in a Military Occupation Specialties (MOS) list. Many roles involve the maintenance, use and security of computer and communications equipment.
Modern military life involves three key tenets: learning, flexibility and adaptability. Learning is intense, typically involving 16-to-24-week training courses of ten hours per day, six days per week. Some of this training, continued Mauriello, “can produce some very specific skills that translate immediately – so, you could leave the military, and with the exception of adapting to a different command, benefits and life structure in general, you could walk into a civilian position knowing what you are doing from day one.”
The training might be followed by a deployment – sometimes at a moment’s notice. On completion of the deployment, it’s back for more training. Unlike a university, you cannot skip classes or drop out without the military consequence of going AWOL. When you join the military, you generally sign a four-year contract that commits you to those four years.
Flexibility and adaptability are part of the modern military. “The U.S. has effectively been on a war footing for more than 20 years,” explained Mauriello. This is no longer one army against another army (as in Stormin’ Norman’s Desert Storm campaign in 1991) but is fundamentally a counterinsurgency war. The military must now have the flexibility and adaptability to respond instantly to an incident and then return to base.
The parallels between military and cyber
Vets are immediately at home in cyberspace. “Insurgency is asymmetric warfare,” said Mauriello, “and cyber is often described as an asymmetric battleground.”
Cyber defenders have defense in depth against thousands of potential attackers, but it takes just one attacker to breach them just once. Just like the military must be on guard and effective without knowing where or how an insurgent might strike, so must a cyber defender do the same. In fact, it’s worse in cyber. If an insurgent fails against the military, there is usually a cost. In cyber, the attacker can continually try and fail until he succeeds with effectively no cost.
The ability and willingness to learn new skills is also common to both spheres. “A fundamental part of military life is continuous training,” said Mauriello. “You are always training, and it never stops. You train, you deploy, and then you come back and start training for the next deployment. That’s the military lifecycle. In security where it is constantly changing and the attackers are always doing something new, you must always be learning those new things. That’s just normal life for the military, which vets have been doing for years. Already, they’re jumping into a lifestyle and work ethic they understand. It’s just new knowledge and new skills they must learn.”
There are other advantages to employing vets, such as the military’s rules of engagement. Vets understand exactly what they can and cannot do. In an age of continuous hack back debate, this is a valuable check. And they also know and understand that attackers don’t constrain themselves to a 9-till-5 operational period. Vets are likely to be more ready to respond to an incident at any time than the newly graduated university student.
Mauriello believes that vets – especially technician vets – are an underused resource for obtaining cybersecurity talent. But he doesn’t limit himself to vet technicians. “I have a few guys,” he told SecurityWeek, “who were in Special Ops – SEALs and Marine Recon. All of them have adapted incredibly well to cybersecurity.”
The sweet spot for recruitment would appear to be that period when one four-year military contract is ending, when future options are being considered, and before a new four-year contract is signed.
But without being a vet yourself, it is difficult to understand military terminology. It might not be obvious that an MOS 350F is actually an ‘All Source Intelligence Technician’ who is ‘is responsible for combining and organizing intelligence information from different source into a single finished product.’
Mauriello recommends reaching out to the several organizations that can help with who is available and who might be relevant – such as HIRE Vets and Hire Heroes USA. The one thing that seems clear is that CISOs struggling to fill their vacancies should take a closer look at the opportunities afforded by military veterans.
Critical Start is a ten-year-old MDR company that focuses on security operations. “Our job is to detect and respond to threats on our customer networks to prevent them from being compromised and breached,” said Mauriello. “Our vets help us do that.”
Related: Gaining and Retaining Security Staff in The Age of the Great Resignation
Related: Mismanagement Driving Cybersecurity Skills Gap: Research
Related: 3 Steps Security Leaders Can Take Toward Closing the Skills Gap
Related: Personal Information of 46,000 U.S. Veterans Exposed in Data Breach