By Gary Hayslip, CISO for City of San Diego
Cybersecurity is a community of people who love technology and there is room for everyone. Some of us enjoy coding and creating new software, applications, cloud platforms or 3-D worlds – the possibilities are endless. Some of us in the community love to build things and are fascinated by how technology, in its many forms, can be intertwined to build networks as small as a server and a couple of desktops or as massive as international entities made of up thousands of endpoints that span the globe. Then there are some of us who have a passion to protect what is created, we love researching how our networks can be breached or how enterprises were compromised by malicious intruders.
To veterans transitioning, I like to say the cyber community is another opportunity to serve. It is a community of people driven to learn new skills, protect, and enable their organizations to be innovative and give back to new members mentoring them on how to deploy cybersecurity and reduce the risk exposure to their companies.
In support of successful transitions into infosec, I answered a few questions for the team at ITSPmagazine.
What groups would you recommend veterans get involved with to help them transition into commercial infosec?
I always recommend that they research the jobs in their field of interest and get involved with the commercial infosec community. I would suggest veterans join professional infosec organizations so they can start networking with their peers. I would also suggest they look at non-profits and startups in their area to increase their knowledge of the industry and look at educational institutions (online or local) where they can seek to get training on some of the first basic certifications they will need for a career in the cybersecurity industry.
Some examples of sites I would recommend:
Employment Research Sites:
1. Glassdoor: This is one website I like to use. You can do research on companies you are looking to apply to and see what previous employees are saying about it, pay ranges of a specific job title, and even what the companies’ interviews are like. What I would recommend is you search in your area and look at the jobs that you can do currently, and then look for something that you would like to do in the future. With the “future” job listed, look at the education/skills/certifications required for the position. This will give you an idea of what education and skills you need to work on so you can be a viable candidate for that “future” job.
2. LinkedIn: If you are looking at a career in the IT field and don’t have a profile here, you are seriously hamstringing yourself. Just understand, this is not Facebook. LinkedIn is a professional site for career-minded individuals. I would recommend you setup your profile with a good picture, get active in your selected forums, and use it as a foundation to start building your professional network. Another tool you will like on this site is the “Jobs” tab. You can use this tool together with Glassdoor.com: Look up a job posted on LinkedIn and then use Glassdoors to research the company.
1. San Diego Tech Scene: This is an event calendar of many local tech-oriented groups; it lists things happening daily in the San Diego area. Note this site is managed by the San Diego Tech Scene, which is a local Tech entrepreneurial organization, so there is tons of stuff going on for tech startups. I go to many of these events to network and see new types of technologies. Another site linked to them that is tied into the tech scene is Startup San Diego. The reason I go to startup events is I want to stay fresh with what is going on in technology. You may think this is not related to cybersecurity, but you would be wrong. Many a new technology turns into tomorrow’s zero-day. Educate yourself, enjoy a beer, and see some really cool technology by visiting organizations like this in your community.
2. Network After Work: This is the “Network after Work” site for San Diego. These events are held in many cities around the world and typically have monthly networking gatherings at some of the best hot spots in your area. People typically go to them to practice their networking skills and meet new people, and yep you guessed it, to look for a new job! I would recommend you at least check one out, sit back, and watch people network. It can be quite educational, and along the way you will learn a lot about human nature and how to approach a stranger and strike up a conversation. Have fun and don’t forget your business cards.
3. Meetup: This is an awesome site. Right now there are thousands of Meetups here in San Diego going on all the time, and all you need to do is set up an account and start searching for groups that are meeting on things that you find interesting. It can be groups for professional networking, IT/Tech events, or specific subject-focused groups, like hacking, big data, drones, bitcoin, etc.
4. ISSA: This is the San Diego chapter of ISSA (Information Systems Security Association), a good place to network and get involved in your local Cyber Community. They typically will have monthly luncheons with speakers who cross the field of IT and cybersecurity. I have been a member for over 10 years and actively go to these luncheons when my schedule permits. I even present at the San Diego chapter on occasion. The main thing to remember here is, if you are starting out in the field of IT or cybersecurity you will meet many people in both fields at these gatherings. It is here that you can collect information to fine tune where you want to start your career in the cybersecurity community.
5. ISACA: This is the San Diego chapter of ISACA (Information Systems Audit and Control Association). If you are into Network Audit and Risk Management this organization is for you. I have found they have great presentations at the monthly meetings. Many of these presentations are given by very knowledgeable people within the field of IT and cybersecurity. This is a very good organization to get involved with if it is available in your area, and I would highly recommend it.
6. AITP: This is San Diego’s chapter of AITP (Association of IT Professionals), an organization that focuses on IT education for professionals. They are active and have members that range across the IT and cybersecurity spectrum. Here in San Diego their meetings are typically in a dinner format, featuring great speakers. Going to these events is all about broadening your view of IT and cybersecurity and giving you context of how technology fits into the career path you are building.
7. OWASP: This is the San Diego chapter of OWASP (Open Web Application Security Project), a worldwide organization dedicated to improving the security of software. I have gone to several of their chapter meetings and even presented at one. There is an incredible amount of information and training that is available through an OWASP chapter, and if your career path involves software development I would definitely recommend joining this organization. The main organization website is here. I have used it to educate myself on software security and provide training to my developers.
1. San Diego Continuing Education: For the San Diego area, this site is an example of a great community college system with excellent training for the transitioning veteran. Under the Jobs Training/Certificate Programs tab they have programs for “Interactive Media,” CCNA, A+, CCNA – Security, and Web Server Maintenance and Security. Under the Programs tab select “Business, Computers and IT” and you will get the full list of courses that are free and available for you to take. I would recommend if you are starting out to take some of the beginning computer classes to get your feet wet. What is nice about schools like these is that they are a very inexpensive way to get your basic certifications completed and get you into an entry level position as you continue with your education to get that “future job”.
2. U.C. San Diego Extension: This is an example of a four year universities extension program. The web page is for the University of California San Diego (UCSD) extension program. These courses cost money but they are relatively cheap compared to paying for a full college class. Many colleges now offer extension-type courses or certification tracks that include multiple courses covering a specific area. It is a good way to get some quality education and training to beef up a skillset you need for that future job.
4. Coursera: This is another site for some free or low cost training, however, you may need to purchase your books. There also are some courses that can count toward college credit if you pay a fee. I have done classes in cybersecurity, cryptography and mobile cloud apps. One school on this site, the University of Maryland, is offering a group of courses that result in a cybersecurity certificate. I would recommend this site if you enjoy doing classes online at your own pace and don’t mind the challenging curriculums. Just remember to keep up with your assignments and enjoy talking with your classmates.
5. edX: This is another education site I keep an eye on as I have noticed they have recently added more computer science courses. I am always looking to increase my knowledge in the field we work in so I like to see what they have available. This site is very similar to Coursera. The classes are free, but if you want them to count for college credit there is a minimal fee.
6. Lynda.com: Hands down one of the best training sites on the web. For $30 a month you get full access to all of the curriculum and files so you can train and learn numerous skills. I use this site all the time to brush up on skills when I am doing presentations. I would highly recommend this site if learning in an online format works for you. Again, there are numerous classes in coding and software development, plus they are adding new curriculum, including business classes and soft skill courses that are necessary for those transitioning to a new management environment.
7. Treehouse: This is a fairly new site and the curriculum is still being developed. What I find intriguing on this site is you select a specific track you want to learn, which is made up of sequential courses, and by the end you will have learned a specific skill. Very nice, but it costs $25 per month for a basic subscription and $49 per month for the pro subscription, which includes extra content. It is definitely a site to watch as they add new content.
8. Top 100+ Cyber Security Blogs & Infosec Resources: This website is actually an article. It lists the Top 100+ Cyber Security Blogs, and to a surprising degree, it is fairly accurate. I list it as a tool to help educate you on the various professionals that work in cybersecurity. I actually make my way down the list each week, checking out many of the sites for new information to educate myself on new threats or technologies that are becoming prevalent in the business world. Several I would recommend to start with are:
- Nige The Security Guy
- Security Current
- Cloud Security Alliance
- Krebs On Security
- Dark Reading
- Electronic Frontier Foundation (EFF)
- Security Week
- The Hacker News
- and, of course, ITSPmagazine
9. DistroWatch.com: As you pursue a career in cybersecurity, eventually you will need to learn the Linux operating system. This site has information about hundreds of different Linux distributions. This site is important because if you want experience Linux, it’s time to roll up your sleeves and start learning how to download and install your first distribution. This site also has links to weekly newsletters and can keep you up to date on Linux. Just don’t get overwhelmed. Pick a flavor of Linux like CentOS or Ubuntu that is mature and enjoy!
10. SecTools.org: This site lists links to many of the best network security tools available. It tells if the tools have costs associated with them, and you can see if they run on Windows, Mac or Linux. For someone starting out in cybersecurity this is a good website to bookmark, because I guarantee you will be coming back to it on occasion to find a tool or a link for more in-depth information.
What skills learned and/or traits enhanced in the military can apply to the commercial infosec space? How should employers open their eyes to find these highly skilled candidates?
Veterans are trained to approach obstacles as something that is not impossible. Rather they’re challenges that can be analyzed, broken into smaller pieces, and then solved as a team. This ability to assess, triage, and focus on mission and work in teams should be valued by organizations that may be working in a dynamic environment where they must be flexible and respond quickly to change.
What can employers do to bring on veterans, even if they’re missing skills they might need?
One of the quickest ways you can bring on veterans is to pair them up with a teammate within an established cybersecurity program. Military personnel are trained to work in teams and to be good teammates. I have in the past paired up wounded warrior interns with staff members to help accelerate the learning curve. This lets me quickly assess what skills they possess and then put together a training plan for them. The big thing is you want to do this at the beginning so they know they are part of the team and you want them to succeed.
What are some of the must-have soft skills veterans possess that would benefit the industry?
Critical thinking skills
Intellectually disciplined methodology to gather information, evaluate it, analyze how it applies to the issue currently under consideration, and provide recommendations.
Ability to work alone or work in teams
Working in cybersecurity you will find yourself working in teams. If you know how to manage team dynamics and work with different people you will be sought after by organizations.
Systems thinking and problem solving
Cybersecurity is made up of millions of pieces of technology, data, and processes, and they are all tied together. If you can look at disparate technologies and networks and see the components and data flows and understand the relationships needed to make them work then, this field is for you.
Tenacity, ability to take hardship and failure, but still push through to complete a goal
Cybersecurity is not an easy field to work. You will at times find you break more things than you fix. That is how you learn, that is how you gain experience, so own it and get back to work.
If you thrive on challenges and you are a self-actualizer, you take responsibility for your assignments and hold yourself accountable for what is assigned to yourself and your team, then this field will welcome you.
What do you look for in candidates when you hire them? Are there things veterans bring that “no other” candidates can even touch?
Some of the things I look for when I review candidates are their timelines. Have they continually pushed forward for positions of more authority, technical challenge or working in more diverse technology environments? If I review a resume and see the candidate has been a network engineer for the last 10 years and all the technologies and positions he/her filled were basically the same – its screams to me, “No initiative.” I very rarely see that in veterans; they typically are self-starters and demonstrate initiative, which is huge for me. I manage an environment of over 40k+ endpoints across 24 diverse networks that are under constant attack. There is no time to baby-sit. I need to know a candidate can handle some chaos in their daily work environment and still be successful. Vets tend to be chaos tested. I like that in them.
Is it possible to map military skills to specific roles within infosec?
Many of the positions in cybersecurity require critical-thinking skills. As a security engineer or network engineer you are looking at data flows, cyber incident traces, and network vulnerability scans – and all of these require you to have a strategic picture, but also an understanding of the context of the smaller pieces that link up to create that picture.
When I look at my networks, I see living, breathing digital entities that at times are under attack or have severe operational issues due to misconfigured technologies or malfunctioning legacy equipment. It’s the ability to see the connected technologies around you as a flowing system, triage where there are issues, and remediate how to correct problems to reduce impact to your organization. Then reassess all over again. This demonstrates how veterans can be viable candidates for network engineering and cybersecurity roles. It’s the veteran’s ability to stand in the middle of instability and find a baseline to build on and break the available data into small manageable pieces and keep moving forward.
I believe these critical-thinking soft skills are crucial for security and network analyst roles and security and network engineering roles – and for those veterans who can manage teams and keep the big organizational picture coupled with the moving threat landscape, the role of security manager or network operations manager would be an ideal fit.
In closing, for those of you transitioning and looking for a new start, I would highly recommend a career in cybersecurity. Just understand you are starting on a path that will take time; you will not be a cybersecurity professional overnight.
As I mentioned above, look at this as a challenge and break it up into manageable pieces so you get hired for that first job. Once you are hired, always look to educate yourself and add certificates when you can to demonstrate the achievement of new skillsets.
Please make sure to volunteer for projects and assignments of greater responsibility to increase your knowledge and value to your organization. For those of us who have served, we know the drill, so let’s get busy.
Come join me in a new career, because my community – cybersecurity – needs you.
About Gary Hayslip
Gary Hayslip is Deputy Director, Chief Information Security Officer (CISO) for the City of San Diego, California. As CISO he is responsible for developing and executing citywide cyber security strategy and leading teams focused on Enterprise Risk Management, Security Engineering, Application Security, Cyber Security Operations, & Cyber Security Resiliency. Prior to joining the City of San Diego, Mr. Hayslip was the Command Information Security Officer of multiple U.S. Navy commands where he has led operational teams responsible for security engineering, operations, security compliance and policy, and cyber-security threat management.