Three Reasons why Vets are uniquely suited to run your Cybersecurity Program

Travis Howard

Travis Howard,
Legislative Liaison, US Navy

Just this past Thursday a ransomware attack crippled computer networks throughout the city government of Atlanta. Over 8,000 users were affected by a criminal cyber attack that is designed to prevent access to data necessary for government functions; it's not new but it's startlingly familiar, and some organizations pay the ransom rather than investing in prevention and restoral. Paying the ransom isn't a guarantee that data will be restored (in 2017, decryption of the original data had a roughly 33 percent success rate). Leaders of afflicted organizations can hope that the criminals have enough "honor" to restore the data as promised. As we say in the military, hope is not a course of action. Whether it is outsourced, automated, or meticulously crafted in-house: an "ounce of prevention," as the saying goes, is necessary and every organization (public and private) needs a cybersecurity program.

Recently, I was asked by a colleague what my cybersecurity "dream team" would be comprised of. I ultimately settled on a core team of 6 or 7 professionals: a legal specialist (specialized in data privacy), an intelligence analyst (focused on threat prediction and government partnerships), a network security architect (who would also be the team's technical director), and 3 or 4 information security operators. I didn't go with a group of system administrators that would cause duplication and confusion with the CIO's team (or become unnecessary with the rising power of automation, artificial intelligence, and human-machine teaming), but many of my operators would probably have one trait in common: military service.

I'm biased, of course, but I can explain my rationale: military veterans know how to be a part of an efficiently operating team, they understand how to execute a defensive mission, and they are dedicated to their duties. Civilians without military service may have those qualities as well but with veterans you know these are consistently apparent -- amongst many personality and soft-skill variables, they can be reasonably expected. Additionally, mid to senior grade officers are trained in operational strategy and policy, "command by negation" techniques, and make outstanding autonomous program directors.

Beyond these, there are three unique reasons why veterans should be a part of your cybersecurity program:

Offense informs defense - War games, fleet problems, and military exercises develop a unique frame of mind in which you must constantly seek out the "voice of the adversary." Offensive cyberspace operations and detailed knowledge of how to "play offense" makes you a better defender. In the cyber domain, there are ways to get that "offensive" experience without serving on active duty (for example, becoming a hacker yourself or learning penetration testing techniques), but military veterans have unique insights into nation-state or state-sponsored cyber groups which are a big part of the threat space.

Our oath doesn't stop - Information security and defense of critical infrastructure can be interpreted as part of a military professional's oath to the United States Constitution and the American way of life. When we transition from active duty, many seek out mission-oriented organizations in which we can continue to serve. Protecting information in the digital age is akin to defending the homefront, protecting U.S.-born intellectual property from adversaries.

We know government - The U.S. federal government has made strides (you can argue how much or how effective) to strengthen public-private partnerships for national cybersecurity. Right now, the "carrot" rather than the "stick" is being employed, with the Department of Homeland Security and the FBI leading threat intelligence sharing methods with private companies. Military veterans are right at home interacting with these entities, and in turn, those agencies feel comfortable with a military-minded veteran as a liaison, to the benefit of both organizations.

There are other, clear reasons why veterans are uniquely suited to run cybersecurity programs, and I'm sure my colleagues currently serving in veteran outreach programs can articulate them better than I. The NYTimes article I linked earlier cites a puzzling fact: "Yet less than half of the local governments surveyed said they had developed a formal cybersecurity policy, and only 34 percent said they had a written strategy to recover from breaches." It's no better in the private sector, according to a 2015 Trustwave Global Security Report:

"The majority of [2015] data breach victims surveyed, 81 percent, report they had neither a system nor a managed security service in place to ensure they could self-detect data breaches, relying instead on notification from an external party."

This was the case despite the fact that self-detected breaches take just 14.5 days to contain from their intrusion date, whereas breaches detected by an external party take an average of 154 days to contain.

My vantage point is admittedly different. I am still an active duty U.S. Naval officer with no declared retirement date so far, so I write this article not to angle for a job but to advocate for the unique skill sets we are developing in the armed forces. Stated simply, I want to put the right talent to work in the right area for the benefit of the nation. I'm not an HR expert, nor a public relations professional, although I'd like to think my MBA allowed me some academic exposure to both; I lead Sailors, I run networks, and I defend information.

Subscribe to Industry Era