By Adam Tyra, Contributing Editor
Many government and military cybersecurity professionals have felt the pull of the private sector in recent years. According to industry observers at Cybersecurity Ventures, the shortfall of available cybersecurity professionals compared to the number of available cybersecurity jobs worldwide is expected to reach 1.5 million by 2019.1 The cybersecurity labor market, as with other markets, responds to the law of supply and demand. This means professionals can expect strong salaries and low unemployment for the foreseeable future. Cybersecurity professionals working in the public space have never been faced with a greater variety of opportunities than they have right now, and many of this magazine’s readers are undoubtedly considering a career change in the near future.
While the opportunities are undeniable, your readiness to capitalize on them might not be. The military has been described as a “culture within a culture” in the ways that it simultaneously mirrors and diverges significantly from American civilian life. This will never be more apparent to you than while you’re searching for your first position after the military. While I have insights to share from my own experience making the transition and building my career, I have another set of experiences that I’d like to share- interviewing and evaluating candidates just like you. In the past three years, I have conducted in-person interviews for well over 100 cybersecurity professionals, mostly veterans, and I have also conducted resume reviews and phone screens for more than 500 additional professionals. I gained this experience while helping build the team at the world’s second largest cybersecurity consulting firm. This article will discuss a few of the things that I learned and hopefully prepare a few readers for success when they decide to make their own transition.
Unless you are referred by an acquaintance or get spotted at a career fair, your first contact with a potential employer will likely occur online after submitting your resume. Gone are the days of snail mailing your resume on high quality paper directly to a hiring manager. Instead, you’ll need to attract a computer’s attention first. Indeed, a human will probably never see your resume unless it contains one or more keywords associated with an open position. Potential search terms include certification names, security tool names, skills such as “reverse engineering”, and previous job titles. If it was in the job description, it needs to be in your resume.
Once you get to the human review phase, brevity is key. You want all killer and no filler. Plan on one page per four years of experience and no more than two pages total. Why? How many eight-year-old technologies / skills are still relevant to you in your current job? If you think two pages isn’t enough space, carefully read what you wrote. Is it all killer with no filler? No? Slim it down. Reading other people’s resumes is neither interesting nor a treasure hunt. If a recruiter needs more than ten seconds to decide whether someone is worth a phone conversation, then the answer is probably no.
So, what should you put in your two-page resume to make it all killer? First and foremost, you need to make it about the employer and not about you. There is only one reason to hire anyone ever – a belief that the person in question will help solve a problem. If you’re wondering what problems businesses need solved, just read the descriptions for the jobs that they have available. Most job seekers have heard that they should tailor their resume to the job they want, but service members have a terrible track record actioning this advice. For example, here are a few things that you should not include in your civilian resume: combat experience, training courses dealing with combat skills, words like “terrorism”, “war”, “deployment”, a listing of military awards earned (more on this in a moment), a listing of the dollar values of property owned in various roles, and military jargon of any type.
Keep in mind that, statistically speaking, the person reading your resume almost certainly has never served in the military. They will have great difficulty making the mental leap between “person who was successful in battle” and “person who will get the job done for me.” In some cases, you might even intimidate the person and you will definitely cause doubts about your cultural fit – and maybe even your mental stability (really). Awards present a similar challenge. Your resume doesn’t include any information about what you did to get them, so a hiring manager doesn’t know how to value them.
Instead of using up valuable real estate talking about the counterinsurgency school you attended, list the college courses you took where you learned programming and network engineering. Don’t say that you’re an expert on “WIN-T”, say that you’re an expert on satellite communications. Instead of discussing “DIACAP”, explain that you have experience with cybersecurity compliance and governance. If you aren’t sure how to describe your skills, get help, because resume writing is a no-fail portion of the job hunt.
You need to civilianize job titles. This is easier said than done, though, because commonly used job titles mean different things in different companies. A director might be a senior leader in one place and a first line supervisor at another. Regardless of the exact titles you select as equivalents to your military job, you should convey progression, a steady increase in responsibilities over time, and rough equivalence. Here are a few examples. Mix them with functional areas as necessary (e.g. malware analysis shift supervisor, etc.).
· Security Analyst. You routinely put your hands on the keyboard and work with tools to get your job done. You might be a penetration tester or conduct security monitoring. 0-2 years of experience.
· Team Lead / Shift Supervisor. You have several analysts working for you to perform a specific function like incident response. Most of your day still consists of analyst work. 2-5 years of experience.
· Manager. The individuals who report to you have people who report to them as well. You’re involved with interviewing and hiring entry-level personnel. Managing consumes the majority of your workday, and your opportunities to use your technical skills are declining. 5-8 years of experience.
· Director. You’re responsible for an entire department, facility, or a sizable team. You are responsible for a budget that you spend according to an approved plan. You’re involved with interviewing and hiring supervisors and managers. Management consumes your entire workday, and you only deploy your technical skills to conceptualize solutions. 8-12 years of experience.
· Executive. Your decisions affect the entire organization, and you have the ability to set strategic direction for large parts of the enterprise. You have a budget that you spend on your own authority. You may hire and fire employees on your own authority. You make procurement decisions on your own authority. You rarely do anything now that your entry-level or junior management self would have recognized as work. Overseeing and approving the work of others now consumes your entire workday.
Be careful not to appropriate prestigious titles as equivalents unless you’re sure that they’re a good fit. I have seen multiple resumes of senior O3 and junior O4 officers who identified themselves as the “CISO” of their unit. Unless you were involved in hiring and firing employees, settings strategy, conducting procurement, budgeting, etc., you were not the equivalent of a C-level anything. This type of title inflation sounds as absurd to a civilian hiring manager as your friend who is a help desk manager would sound to you if he told you he was, “basically equivalent to a General.”
You’ve gotten an interview. Nice work. Remember that the labor market for cybersecurity skills is strong, and your skills are in demand. While the employer is learning about you, be sure you’re learning everything that you need to know about them as well. Think of job interviews like dates. You definitely don’t want to marry everyone that you date, so you need to quickly determine whether a position is worth pursuing to avoid wasting your time (and theirs). Here are a few other tidbits to help you make the right match.
Don’t be too agreeable. Playing the good Soldier by affirming your willingness to undergo any hardship is not the right play at this point. You need to get what you want, and not just be what the employer wants. In my current career, travel is a significant requirement. We typically inform candidates that they will be required to travel up to 80% of the time and verify that this won’t be a problem. For candidates that indicate that they can’t (or don’t want to) travel, the interview ends pretty much immediately. This is better for both sides. Remember, the company has to fit your culture just as you have to fit theirs. Talking your way into a position you’ll hate and eventually quit only means stress for you and significant disruption for the employer. So, if you think that something about the position isn’t right, say so and look elsewhere.
Don’t talk about or around classified information. In fact, don’t mention or allude to it at all. I’ve interviewed multiple candidates who claimed that they were with the NSA, CIA, TAO, Delta, the Space Marines, etc. but couldn’t reveal any details about the work that would support my decision about them. If, at any point, you are forced to deflect a question about your background with the claim that, “It’s classified,” you will definitely irritate most interviewers. If you have relevant experiences that are sensitive, leverage your respective organization’s resume review process to make sure that you understand where the lines are. Then, figure out what you can say that’s both meaningful and acceptable. If you can’t do this, then don’t waste the space on your resume or the interviewer’s time.
Be honest with the employer (and yourself) about the nature of your skills. Remember that your organization (unit, agency, etc.) wasn’t your role. Making coffee at CIA headquarters doesn’t make you a Clandestine Service member any more than making briefing slides at Cyber Command makes you an elite super hacker. Many service members lose sight of this, and some overestimate their own level of expertise because of it. I’ve seen former watch officers, shift supervisors, and staff members from various impressive-sounding organizations fail technical phone screens, because they equated talking the talk of cybersecurity with walking the walk. Think about the top three tools that you use in your daily work. Are they Word, PowerPoint, and Excel? If so, you probably aren’t suited for an engineering role. Similarly, if the list includes Ida Pro, gcc, and gdb, then you shouldn’t go after a sales manager position.
You’re getting a written offer. Congratulations! Compensation is one of the main reasons why cybersecurity professionals decide to make career changes, and it will probably be among your primary selection criteria when you evaluate opportunities. It’s true that there is usually a significant pay gap between what you’re currently getting as a government employee and what the civilian equivalent for your position can command in the job market. According to CIO magazine, the average salary earned by a cybersecurity worker in the United States in 2013 was $116,000.2 However, you need to calibrate your expectations before beginning your job search to ensure that you’re prepared to negotiate compensation effectively. The following are a few points you should consider.
You should have some idea what a job pays before applying. Research the average pay for a role before submitting your resume. My favorite source for this type of data is glassdoor.com. For large companies, you can find a wealth of information on the average salary and bonus structure for a range of positions offered by your employers of choice. You can also search by city to see, for example, what an average cybersecurity manager makes in Fresno, California if you’re evaluating an offer from a nearby company that isn’t well represented in glassdoor.
While you should expect a healthy bump in pay when you make the transition, don’t become overwhelmed by a feeling of entitlement. Remember that the single most important factor in salary determinations is time. More professional experience generally commands a higher salary, while other factors generally don’t. For example, if the role requires a bachelor’s degree, while you have a graduate degree, don’t expect this to automatically translate to a higher salary.
When comparing offers, mind the differences between jobs. Roles that pay significantly more than other similar opportunities usually require something unpleasant from you. This unpleasant thing could be relocation to an undesirable place (deployment, maybe?) or extensive travel in general. It could also include persistent required overtime. Requirements like these may or may not change your mind about whether these jobs are worthwhile opportunities. Even they still seem worthwhile, remember that this effect on quality-of-life should be a consideration in compensation negotiations. Be sure you also consider the cost of living where the job is located: $100k in San Antonio, Texas goes a lot further than $100k in San Francisco, California. Also remember the importance of advancement opportunities, and training and education support.
As you transition into the private sector, an important parallel consideration is how you can continue your service in the government/military cybersecurity community on a part-time basis. While many uniformed personnel will transition to one of the reserve components to continue their military service, there are also other opportunities to stay involved through organizations such as the Military Cyber Professionals Association (MCPA). Each has its advantages and disadvantages. As a reservist you can continue to advance your skills through the rapidly expanding catalog of military cyber training courses. Military service also exposes you to situations and experiences that you’ll never find in the private sector, and you get a paycheck of course.
Understand that the days of “one weekend a month and two weeks in the summer” were left behind at the end of the 20th century, however. Much more will likely be expected of you as the military works to expand both its active and reserve cyber forces in the coming years. If you aren’t sure whether or not this is for you, try it out for a few months. Even if you eventually discover that the part-time military life doesn’t work for your situation, your reserve unit will serve as a type of transition support group while you adjust. At the very least, you’ll have a captive audience with whom to share your great war stories long after your significant other has grown tired of hearing them.
If continued military service isn’t for you, you can also expand your involvement in volunteer organizations like the MCPA. Volunteers willing to work are always in short supply for every non-profit organization, and the MCPA is no different. There are always leadership positions available from the local to the national level, including national officer roles. If you’ve always wanted to increase your involvement in the MCPA but didn’t have time, consider this both a reminder and a renewed invitation.
While this article focused on the transition itself, I have a few comments on preparation for those who might be a few years out from a transition. First, make sure that you have the right credentials for the jobs you want. Specifically, get certified and get educated. Many talented cybersecurity professionals feel that certifications and diplomas are mere “pieces of paper” that don’t actually prove that a person has skills. Maybe. But they’re also table stakes for most jobs. Think of these credentials as though they’re a driver’s license. Even if you’re a phenomenal driver, you’ll still be required to possess a license in order to drive legally. Get this out of the way, while the government is willing to pay for it on your behalf.
Finally, network as much as you can. I have been continuously surprised and dismayed by service members’ disinterest in or downright unwillingness to network with their civilian counterparts. In this respect, college students who have no professional experience vastly outclass veterans when it comes to job hunting. You won’t be working for the government forever, and it pays to have friends to call on when you’re ready to move. You never know who will be able to refer you or vouch for you or who will be in a position to hire you outright. And, even if your friends don’t refer you, you could still find yourself in a position to refer them. Every company that I’ve worked for since leaving active duty paid referral bonuses, and some roles carried bonuses as high as $10k.
Cybersecurity professionals today couldn’t hope for better career prospects than they’ll see for at least the next decade. Finding a position somewhere is almost a foregone conclusion for most cyber defenders leaving government service, but maximizing your outcomes after a transition takes a bit of work. By sharpening your resume, maximizing your interview skills, and ensuring you’re prepared to negotiate compensation, you’ll ensure that you’re prepared to capitalize on your skills when you decide to make the move.
About the Author
Contributing Editor Adam Tyra is a cybersecurity professional with expertise in security operations, security software development, and mobile device security. He is currently employed as a cybersecurity consultant. Adam served in the U.S. Army and continues to serve part-time as an Army reservist. He is an active member of the Military Cyber Professionals Association and is a former president of the San Antonio, Texas chapter.
Photo credits (in order of appearance): military.com, LinkedIn, Investopedia, ClipartBro.com, Breaking Defense