Transitioning from the military to a career in infosec can be challenging, especially if you didn’t have a dedicated infosec job while in the military. I navigated this challenge six years ago, and so can you. While this post is mainly for transitioning military members, it also contains advice that I wish I would have known about when I started in infosec.
In 2007 I joined the Navy with the hope of working with electronics and computers, as I had very little experience with either at that point. I was accepted into the Submarine Electronics Computer Field and began training. A portion of my training involved slide decks of A+ and Network+ computer-based training that I was rushed through (1 month for both courses), followed by electronics and radio equipment training. I served on submarines for five years as a Radioman, doing stuff with satellite communications and the occasional IT task. It was a taste of IT and a taste of security, and I had a feeling that I would want to do something in IT security when I got out of the Navy.
I started focusing on security with a couple years left in the Navy. I got my Security+, and tried to learn as much as I could about general IT and infosec. When I got out of the Navy (and after a few months of going unemployed) I was able to leverage my Security+ and clearance and land a job in a SOC, reviewing AV and HIPS logs and escalating tickets. I was intrigued by the malware and intrusion attempts, and immediately turned my focus to learning more about attacking stuff. Luckily, as a SOC analyst I only had a finite amount of work to do each shift, so after I reviewed logs across my servers of responsibility I was able to take infosec training (free training available to veterans) and study for what I considered a super elite hacking cert in 2013, the CEH. Despite the cert’s reputation, I found some value in the training, obtained the cert, and was quickly offered a job performing a mixture of audit, vulnerability assessment, and web application pentesting.
This was a very busy time in my life, and I would continue to stay very busy with continuing education for several years. When I left the Navy I also enrolled in an MBA program (probably should have done infosec but I convinced myself an MBA would make me more well-rounded…more on this later), so between the dayjob, school, infosec training (I immediately started CISSP training after getting the CEH), and life in general (having children, etc.), I was extremely busy. After I got my MBA, I kept my foot on the pedal. SANS Technology Institute had come out with graduate certificate programs, and since I still had some GI Bill left, I quickly went through the penetration testing curriculum, and then followed that up with the cyber defense operations program and then the incident response program. SANS courses are amazing, and really helped enhance my career. During this time I was able to transition to a 100% penetration testing position, which was basically the goal.
While this story has been a happy one, there are definitely tons of things that I wish I would have done different, so here are some tips for transitioning military members that want to land a job in security.
My Top Tips for Transitioning Military Members
Start early – I know, it seems like simple and obvious advice, but a lot of transitioning service members (myself included) do not start thinking about about their next career early enough. How early is early enough? I honestly recommend to start preparing up to 18 months prior to separation.
Solicit advice from people in the industry – While the prospect of approaching a stranger and asking for advice might seem daunting, this is actually surprisingly easy. People love to give advice. It makes them feel special. Find someone (or several people) on LinkedIn or Twitter that looks like they have it together, and just send them a message asking for advice (On LinkedIn you can send an optional message during your connection request). I get these requests on occasion (which is the reason for this post), and feel free to use this polite request as a template:
Hi <person’s name>. I’m a transitioning from the <military branch> soon, and was wondering if you could share some advice about becoming a <job the person has>? I am trying to learn as much as I can about the things I can do to prepare for a career as a <job you want>. Any advice you can share is greatly appreciated.
Start building your network – If you’re not on LinkedIn or a similar social/professional network, then you may want to join. If you plan on staying where you are currently located when you separate, start attending local infosec meetups. Here are some Internet searches you can do to find some meetups :
- owasp <your city>
- <your city> hackers association
- isaca <your city> chapter
- issa <your city> chapter
- isc2 <your city> chapter
When you go to these meetups, be social. Talk to people. Speak if you can. See if there are volunteer positions available. Do anything you can to start making yourself known to the community you want to be a part of.
Take advantage of available training programs or Tuition Assistance (TA) – Each branch of service has various programs that allow service members to participate in training and in some cases earn certifications while they are still in. Unfortunately, sometimes enrollment in these courses is difficult to obtain (limited spots, reserved for non-transitioning members, etc.), but at a minimum, TA should be available. My recommendation is to use the TA on a program that include certifications as a part of the curriculum (WGU is one option).
Take advantage of DoD SkillBridge Initiative – This program allows the service member to take an apprenticeship, internship, or on the job training during the last 6 months of their service commitment. While the eligibility for the program is based on mission requirements, you can increase your chances of approval by starting the process as early as possible. This program is a win for service members and also a win for employers. The service member gets to try out the company and the company gets to try out the service member, completely risk free. The military continues to pay the service member while they work. This is an amazing program that I wish was available when I was getting out. Search for dod skillbridge or career skills program for the latest information.
Use the GI Bill wisely – If you are using the Post 9/11 GI Bill, you have 36 months of eligibility available. To use this wisely, I recommend two things:
- Take self-paced or accelerated courses (8 weeks) – Traditional 16 week, semester long courses eat up the GI Bill. Opting for shorter courses provide you more flexibility and helps you salvage your months of eligibility. This is how I was able to complete an MBA, followed by the three SANS graduate certificate program (I took 13 SANS courses with 11 months of GI Bill eligibility).
- Don’t worry about being well-rounded – Earlier I mentioned that I pursued an MBA to become more well rounded. After years of denial I’m fine with admitting that getting an MBA when compared to something else was probably a mistake. It is better to amplify your strengths than try to offset your weak areas. Don’t worry about learning skills that you won’t use. Focus your time on learning the skills that will help you excel at the job you want.
Three Tips for Anyone in InfoSec
These tips apply for anyone looking to thrive in infosec.
Establish an online presence – Whether it be a blog, code repository, portfolio, or social media account, it can be very helpful to establish yourself online. Writing articles or blog posts help you master the subject matter, provides you future reference material, gives the appearance that you know what you’re talking about, and gives hiring managers an idea of what you might be capable of. Code repositories give concrete examples of your coding ability, and posting some code that may not be perfect is better than having no public code at all. Even an active social media account can help you establish yourself in the community, which is a huge plus.
Learn to code – While you can have a wonderful and successful career in infosec without ever learning how to code, the ability to program is a huge career catalyst in my opinion. I definitely consider coding a key differentiator in my career, and place a high value on it.
Help people – Always offer to help and share knowledge. This field is too broad for any one person to know everything. Help others because it’s the right thing to do. What goes around comes around.
Hopefully this post has been helpful. I’m sure there is plenty of other good advice out there, but these tips are personal for me since they are all things that I didn’t know about or didn’t take advantage of as early as I should have. Feedback is welcome, and feel free to comment with any infosec resources for active duty, transitioning service members, or veterans.