Header image

Why cyber firms are hiring military vets to plug the skills gap

At a time of serious cyber security skills shortages, there is one source of highly capable people you may be overlooking. SC Media examines the strengths offered by people with military experience


“There are clear parallels between the two disciplines – both apply structured methodologies in highly regulated and rigorous environments underpinned by strong governance, process and procedures,” says Chris Brown, principal lead consultant at Bridewell, who served for 14 years in the British Armed Forces before becoming a security and counter intelligence advisor.

“Cyber security also requires intensive analysis of threats and vulnerabilities, and ex-service personnel can be relied on to provide an accurate, honest appraisal of the situation to aid decision-making,” he adds.

“Veterans have a number of personal and professional qualities that naturally lend themselves to infosec, such as adaptability, a commitment to training and development, lateral thinking, and a strong team ethos. Not only do they live and breathe security, but they are also self-starters who are always prepared to get stuck into challenging tasks.”

Specific skills
There may be specific skills, qualifications and experience from which potential employers can benefit.

Tom Kidwell, co-founder and director of Ecliptic Dynamics worked for the Ministry of Defence as an intelligence analyst for several years. He says it is, “easy to see the skills transfer and how they cross over from organisations such as GCHQ, NCSC, the National Cyber force, Strategic Commands Cyber into a private sector business."

Kidwell says these veterans will have a deep understanding of threat actors, their capabilities and attack vectors. This deep level of threat understanding can provide an immediate impact and uplift to any private sector business.

Some veterans will also have existing security clearances, something that can take significant time and effort for civilians to acquire.

However, that doesn’t mean that you should expect someone to cast off a uniform and get straight to work as your infosec expert.

“Some will be leaving the military with all the IT and cyber security qualifications that mean that they can simply walk into a new role,” says James Griffiths, co-founder and technical director at Cyber Security Associates.

“Others will have all the same experience but not the certificate to prove it. These are the people that normally have a wealth of experience and knowledge to bring to a company, but have just not had the time or opportunity to sit the certifications.”

Right mindset
But there’s more, because it can be a mistake for organisations to look only at ex-service people with existing skills.

“Organisations should be careful about limiting themselves in this way and only looking to recruit based on certifications and qualifications listed on a CV,” says Benjamin Full, a cyber security consultant at PA Consulting who served for 17 years as an aerosystems engineer officer in the RAF.

“Recruiting based on identified potential, and being able to see and understand the inherent qualities and soft (transferrable) skills that a service leaver or veteran brings will reap rewards for the hiring organisation.”

There are organisations that specialise in helping organisations match their needs with the qualities that veterans offer. James Murphy is CEO of TechVets and he points to a report by Mckinsey & Company that lists the 56 top skills people need for the workplace of the future.

“Of those 56, the majority are skills demonstrated by military veterans as a common skill set due to the training and development one receives through a career in the military,” he says.

Even if they consider veterans, many organisations fall into the trap of simply focusing on ex-signals or technical trades people, he explains. “There are some incredibly talented candidates that HR teams would be missing out on.

"To add to this, there are not that many leaving the military with the exact skills and experience that hiring managers are looking for and it tends to be the professional non-technical skills or soft skills that add the real value – interpersonal skills, problem solving, security-minded, communication, leadership and team development, motivation to succeed, resilience, team work, devotion to the mission or task, and the ability to learn technical skills quickly."

Finding veterans
So what do you do if you want to take advantage of this pool of talent?

“I would always suggest leaning on those veterans currently in the company to help advise on language and approach,” says Murphy. “Companies can also work with the likes of Defence Relationship Management to engage with the Employer Recognition Scheme.

Through this process, HR teams can work with advisors who will help them better understand how to recruit military veterans and service leavers. Additionally, they can reach out to the Career Transition Partnership which is the MOD contract in place to deliver the career transition programme for all circa 15,000 British service leavers every year.”

TechVets offers services such as CV reviews, and partners with CREST and its CV Distribution Service. It also works with private and public sector organisations to help them source candidates, creating what Murphy calls “a low-risk model in which they can tap into talent.”

But there’s work you need to do, too.

“Not everybody leaving the military knows exactly how their skills can translate into a private role,” says Anthony Young, co-CEO of Bridewell. “Therefore, organisations have a responsibility to reach out to these people, explain how their skills and experiences are of value to the infosec industry, and truly understand how to bring the best out of them.”

Text by Steve Mansfield-Devine

Upcoming Events

27
Jan

SC Unlocks: Insurance & Assurance

SC Unlocks: Insurance & Assurance aims to provide delegates with practical and business critical tools on how cybersecurity within the Insurance space works. The briefing will explore the unique challenges of the insurance sector, including how cybersecurity insurance (aka cyber liability insurance) can help reduce liability, strategies for risk management/ transfer, regulatory oversight and cyber asset valuations.