I’m Getting Out Soon So What Should I Do NOW To Get Ready? — Cyber Focus

Military career coming to a close

I get this question all the time: “ I will be transitioning out of the {service} in a couple months. Any advice on transitioning?” I’m a former Army Cyber guy myself and I started a Veteran-focused cyber recruiting company (now acquired) so my advice is almost always focused along those lines.

Step 1: Reading. First, you need to inventory yourself. Start here. I can’t tell you how important this will be to your happiness. Read Strengths Finder 2.0 and do the associated assessment. Crazy important. Then read The First 90 Days. This is the go-to book for moving into a new company. You’ll wish more of your military leaders had read it. We have a deeper reading list available here. This is also the time to learning some cloud fundamentals if you haven’t already. Consider AWS Cloud Practitioner which has the most market penetration in developer-focused organization, Azure Fundamentals which is used more widely outside of developer-focused organizations, or Google Associate Cloud Engineer.

Step 1.5: Join VetSec. Join Operation Code.

Step 2: If you’re 24+ months out from the workplace, does it make sense to work on a degree? Maybe, maybe not. The hard news: most Masters of Cybersecurity degrees are half MBA and half prep for CISSP and we haven’t found them to be super useful for people break into cyber so far UNLESS you have deep experience in an adjacent field or want to go into a non-technical role. Hopefully they become more useful.

• If a degree makes sense for you, go with a technical degree at the most technically deep you can handle. The closer you can get to pure math, the better. Look at applied degree programs, not conceptual programs. There’s a big difference between the two.
• If you are junior or a mid looking to transition to cyber, take a look at the NICCS Cyber Career Pathways Tool after you finished your StrengthsFinder. Pick a pathway that makes sense based on you because, you know, happiness is important. Once you know which “cyber” pathway makes the most sense for you, align any degree, certification, home lab, CTF efforts towards that work role.
• Pick a geography that makes sense. Yes, there’s family and medical requirements you need to and absolutely should consider. There’s also job availability and progression. Bottom line: the national capitol region has the most opportunity for security practitioners. No map is perfect because no data is perfect, but take a look at the Cyber Seek Heat Map because it does tell a fairly accurate story.
• If you are headed to the National Capitol Region and have a TS or higher, you should probably focus on leveraging your clearance in some way. Get technical. Look here if you want to become a tool developer or reverse engineer. Especially because you can always go back and get something less technical later. Learn C programming (not C#, maybe a little C++), and start learning to write low-level code. Rainier Cyber (now StrataCore) published a cheat sheet and code examples to help out with your learning process. Read Learn C The Hard Way and The Art of Exploitation. Then, the University of Cincinnati has a great course on malware reverse engineering which is modern and has a great Ghidra focus. So does Malware Unicorn.

The University of Cincinnati’s RE course

• If you don’t have a TS or if you want to go into a purely remote or 100% private industry role, then maybe a degree DOES makes sense with 24 months to go, but which one and from where is another article entirely. I still recommend going as technical as possible. Learning a language like C and/or Golang AND getting some cloud experience is a great, great option to breaking into cyber. Georgia Tech has a great remote computer science Masters if you decided to head down that route.
• If you’re within six months of separation, consider applying for SANS VetSuccess.

Step 3: Start working on your resume and LinkedIn. After reading/writing/reviewing 1000s of resumes and reading almost every resume book and article on the market, I wrote it all down. Read the guidance and just use this template. It’s designed to be ATS-friendly (don’t get me started on applicant tracking systems!). Almost everyone hates resumes. It’s hard. We get it. No matter what template you use, some recruiter will tell you you’re wrong. It’s all about being the least wrong. Follow all the other normal resume advice like crafting it towards the job role.

Step 4: What certification should I do next? Well, that depends on what direction you want to head down. To that end, read an APT case study, figure out how to overlay the APT’s actions on the MITRE ATT&CK Framework, and learn how to prioritize protection with the Essential Eight Maturity Model. That’s not just A great place to start, it’s THE place to start. You can learn all of that in this article here: How to Learn Cyber Over the Weekend: An Orientation in 48 Hours.

• The goal with that article is to not only give you the foundation and macro level view of the domain so you can speak intelligently, but also give advanced practitioners an opportunity to review.
• The goal for someone relatively new to the industry with the APT case study is to identify potential focus areas within the domain that are interesting to you personally. For example, if you really like cloud, go with a cert like AWS Cloud Practitioner.
• If you’re still really cert-focused, just read this article on Cyber Certs. FedVTE training is now available to all Vets as well! Syracuse University’s Onward to Opportunity program also has access to a number of industry certs such as CISSP and PMP.
• Note: we haven’t seen PMP to be incredibly useful in the cyber domain as of yet. Doesn’t mean that it’s not, we just haven’t seen it. We also haven’t seen SEC+ or CEH to be particularly valuable unless you a) require them for 8570, b) are scared of starting with CISSP which you totally can still do, or c) someone else is paying for it.

Some of the courses on FedVTE. Notice the en vogue Defense Against Dark Arts

Step 5. Consider other programs like…

• A Hiring Our Heroes Fellowship through the Department of Labor. This is the most structured program and lasts 12 weeks.
• DoD SkillBridge 180 days of OTJ on Permissive TDY. Need O4 approval.
• A Career Skills Program. Up to 180 days on “Administrative absence/leave of absence is authorized for specific circumstances.” This is the most FLEXIBLE option and allows for one-off internships/fellowships, job shadowing opportunities, and apprenticeships. Usually this requires O6 approval. Note: this used to be called Permissive TDY or PTDY. Someone needed a promotion so they changed the name. This is why we can’t have nice things.

Step 6. Network until the soles of your shoes fall off. Go to events in the geography where you plan on moving after you get out. Talk to other Vets. Find a mentor and there are a bunch of different organizations that will help with finding a mentor. Look at job postings. Identify your gaps. Fill the gaps. Start going to Capture the Flag events and competing. Find a recruiter you can trust that has deep experience in your desired field.

Step 6. Get on Twitter. The InfoSec community lives on Twitter. Get on LinkedIn. Professional opportunities live on LinkedIn.