Addressing the Cyber Security Skills Gap with Veterans

“The most difficult thing is the decision to act, the rest is merely tenacity. The fears are paper tigers. You can do anything you decide to do. You can act to change and control your life; and the procedure, the process is its own reward.”

– Amelia Earhart

About 550 service members a day leave military service, and 250,000 military members are expected to leave each year for the next five years. Many of these veterans are returning from service that included combat, and they are returning to a job market that most likely requires different work skills. The age ranges vary, but a majority of the veterans who will separate from military service are of working age. Transition is inevitable throughout life, and through change comes growth.

One way for military veterans to successfully transition may be related to choosing a career field that is growing each day. A cybersecurity career can offer transitioning veterans a chance to meaningful employment, and that field is experiencing a remarkable shortfall that presents organizations with a challenge to find trustworthy qualified applicants.

Veterans have aligned skills with cybersecurity fields although they may or may not have the technical skills. Currently, veterans have been conditioned to learn while in the military from on the job training and specialized training that offers intensive immersion into the trained topic. Additionally, military veterans possess attributes that could be attractive to employers that other workers may not possess such as understanding of need to know, intelligence gathering, planning and security clearances. Security Clearances are currently backlogged, sometimes taking as long as 18 months to complete, while also being very expensive for private organizations to obtain and maintain. In addition to possessing complimentary skills, veterans have been known throughout the workforce to possess planning and leadership skills that are needed in any position.

Furthermore, physical and cybersecurity disciplines are converging. The danger from insider threats and other threats that can be addressed by physical security programs must be addressed by cybersecurity programs to eliminate gaps in overall enterprise security management.

For example, Byers and Lowe conducted a study that captured that the majority of attacks on systems where from exterior sources between 1982 and 2003. As time went on the margin between internal and external attacks became more even. Often, insider threats are more dangerous since the threat actors have access to physical systems and critical information. Many military members have experience in physical security, in conjunction with complementary skills such as intelligence gathering and analysis, vulnerability assessments and the understanding of risk models. These skills make them valuable once they are trained on the technical aspects of cybersecurity protection. And in contrast to their civilian counterparts, military members have demonstrated trustworthiness over time by maintaining a security clearance with periodic investigations to demonstrate reliability.

To illustrate the importance of training qualified cybersecurity practitioners, the Department of Homeland Security has established the Initiative Cyber Security Careers and Studies. To date this program has generated partnerships with universities and has concentrated on eLearning. Additionally, the “National Cybersecurity Workforce Framework (NICE)” provides a blueprint to categorize, organize and describe cybersecurity work into specialty areas, tasks, and knowledge, skills and abilities (KSAs). This initiative allows interested learners to target courses by interest and by proficiently level. Once this task is complete, training is tracked and individualized by the learner, allowing them to store all training and progress into a profile. Furthermore, work is being done to target scenario-based training to further emphasize teamwork and real-world applications.

The increase of dependence on computer systems and connectedness has brought significance to cybersecurity across all sectors of industry. Crucial information including customer data, trade secrets and other information that is key to all organizations survival is protected by cybersecurity measures. Based on a UK Department of Business, Innovation & Skills 2015 Security survey, and reported by TrustWave, 90 percent of large enterprises and 74 percent of small organizations today suffer from security breaches of different types. By 2020, according to NIST, there will be a 1.5 to 1.8 million global shortfall in qualified cybersecurity professionals that is compounded by the fact that most senior cybersecurity professionals will reach retirement age. This presents a unique challenge to staff these highly technical positions. Current efforts are mostly centered on a bottom-up approach that attempts to spur cybersecurity curiosity and excitement at the high school and collegiate levels, NIST says. Although this is a much needed step to avoid a long-term shortage, it is important to fill the gap in the short term. Veterans should transition well into organizations within a cybersecurity role with a similar mission of protection that they experienced in the military.

Yet, the current cybersecurity adult learning method must be addressed. The training options consists of universities with traditional four-year degrees, certification programs and full-time intensive skills training at a cyber boot camp. Four-year degreed programs are expensive, geographically limited and are lengthy to complete. Mississippi State has a program funded by the Department of Justice that trains law enforcement in forensic skills needed for cybersecurity investigation, and has extended those services to wounded veterans. Certifications are designed for current practitioners with a minimum year experience level requirement. For instance, a Certified Information Systems Security Professional (CISSP) requires 10 years of verifiable information technology security (IT) experience to even sit for the exam. Yet, while advantageous to those with current skills, they do not address the need for transitioning workers. The cybersecurity boot camp model is a high-intensity program that can be complete in as less as 20 weeks. One such program is currently offered by SecureSet in Colorado and Florida that addresses the emerging need for professionals, and is consistent with training methods that military members are familiar with. Another option is for host organizations to develop apprentices or an internal cybersecurity boot camp. Overall, creativity is needed to solve a vulnerability that exists in virtually every enterprise.

Cybersecurity fields will continue to grow and require skilled workers to protect against attack and ensure the United States economy is not at risk. Military veterans are solid and qualified candidates to retrain, as they already possess complimentary skills and understanding of key areas within a cybersecurity program. Transitioning veterans need support in addition to dedicated programs once they are hired to maximize the opportunity for retention after hire. All organizations need to think outside of the box to solve the cybersecurity skills gap. One of the largest qualified candidate pools is transitioning military members who have the mindset and specific skills that help them to make instant contributions within enterprises.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.