Making the Transition to Commercial Penetration Testing
The following article is a discussion helping you to best utilize your military skills to successfully transition into the commercial space. Join the discussion below or reach out to Redbot Security for Cybersecurity Services.
Author: Conner Buell, Sr. Penetration Testing Engineer
Do You Have What it Takes?
I am proud of my military service. I was able to serve my nation and earned a plethora of great opportunities and skills because of it. That being said….. I couldn’t wait to get out of the military! In the months leading up to my final day, I grew increasingly excited, but lurking anxiety began to crawl up. “Will I be able to find a job? Do I have the right skills to work in a commercial environment? Maybe I should stay in the military or be a defense contractor. That way, I won’t have to relearn everything I know and look like a fool.” As I drew nearer to fulfilling my contract, these questions and thoughts popped into my head. Doubts like these are not exclusive to me; nearly every veteran goes through a similar bought of self-doubt and worry. So, to any veteran or transitioning service member reading this, I would like to reassure you that you have all the tools at your disposal necessary to make this transition, and though you may not know it yet, you are primed to thrive.
Yes, You Have the Skills!
Whether you would like to admit it or not, the military equipped you with some useful habits and social tools. Your uncanny ability to always be on time, the resolve to maintain bearing in the most absurd circumstances, and mastery of courtesy will arm you well in the commercial world. Leaders and peers alike notice and respect these traits. In fact, during my interview process here at Redbot Security, I remember my first virtual meeting with CEO Brian Stearns. The first thing he said was, “Thank you for being on time” I remember thinking, “Wow, can I be thanked for that? ”. The hiring team quickly took notice of my timeliness and qlear communication. At the time, I believed anyone seeking a job would be just as timely. Apparently, that is not the case. This is where a veteran has the advantage. These traits don’t just help with getting hired but with the daily tasks of a Pen Tester. Clear, timely, and respectful communication with clients and coworkers can work wonders. The only tricky part is fighting the incessant urge to say “Roger That” or “Too Easy”. Besides filtering out the jargon, your military social training will help you to thrive in a commercial environment. So use and maintain those traits; you may be excited to leave the military but let’s not throw the baby out with the bathwater.
Adapt and Overcome
Another useful trait you have likely developed through your time in the military is adaptability. Many service members in the field of Cyber Warfare, myself included, have been thrown around a hundred different work roles and been expected to simply “figure it out.” While frustrating at the time, this certainly makes an individual quick to pick up new skills and an effective problem solver. It also provides you with a wide breadth of knowledge across the many domains of cyber security. All of which will come in handy. To succeed, penetration testing requires a diverse knowledge of many different environments, systems, toolsets, and technologies. Rely on your generalist mindset, incorporate strategies and techniques from your various experiences and adapt them to your new environment. You may test the wireless security of a law firm one week, an internal test on an ICS/SCADA system another week, and a web application test for a bank the following week. The number of skills necessary to succeed across all these domains is incredible, so having a wide area of knowledge and the ability to adapt quickly is essential. Your ability to adapt and overcome in any environment will be a game changer and allow you to excel in the ever-evolving field of penetration testing.
Military Cyber Gives You a Hiring Advantage
When speaking with fellow veterans and service members involved in cyber, a theme that is commonly brought up is that they feel they do not have the knowledge or experience to successfully make the transition to the commercial sector. I certainly understand these feelings as I myself struggled with them during my transition to commercial penetration testing as well. Some service members believe their skills are too specific to the military, that they use different tools than the commercial sector, or even that their training was inadequate, and they do not have much of the requisite knowledge to move to commercial pen testing or similar fields. Many of these fears can be chalked up to imposter syndrome or simply doubt. Very few cyber-related work roles are so specific to the military that you cannot find a commercial use case. In fact, you may find that you are one of a select few people with the knowledge and experience to do some of the rarer types of penetration testing, including satellite or cellular testing. Many companies would be eager to hire anyone with experience with these technologies, which are often less common among testers with a civilian background. If you have a specialized or unique set of skills, investigate the commercial applicability before simply writing it off and shooting yourself in the foot without exploring an opportunity to succeed.
You Understand the Fundamentals
The next common fear is that most of a service member’s experience is with toolsets specific to the military or federal agencies. Again, I sympathize with this fear, but it is not something that should hold you back. You will be surprised to find that many of the technologies you used during your military service have very similar commercial alternatives that require only a minimal adjustment to become proficient. To prepare yourself, do some research on common penetration tools and their functions. You will be surprised that many of the tools you used in your early training are the same tools used in commercial Pen Testing environments. Familiarize yourself with these tools to make life easier on yourself both during the hiring phase and after you have secured a job. Even if there is not a similar commercial tool to what you are accustomed to, the important part is that you understand the fundamentals of how certain scans, attacks, systems, exploits, and payloads function.
Your Training is Superb
Many service members feel as though their training or knowledge is inadequate. From my experience, the training, especially early on in your career, is superb. It was just so long ago you forgot how much you learned. At the very beginning of most cyber warfare service members’ time-in-service, they attend a grueling cyber security course. Those who have participated in this course will remember that this is a six-month course, eight hours a day, every day, learning cyber security and computer science fundamentals. This provides many cyber warfare service members with a profound understanding of foundational knowledge about computing, cyber security, and more. A course that can provide someone with such an in-depth yet broad knowledge of cyber security is difficult to come by in the civilian world. With the exception of certain university programs, you will be unlikely to find a course that will better educate you on the prerequisite knowledge necessary for working as a Pen Tester or other related cyber security field.
Check Out these “Cool” Programs
If you are a service member that still has some time in service and is thinking about transitioning to Pen Testing but do not feel knowledgeable enough, then use one of the many military training programs you have access to. The Army has the COOL ( Credentialing Opportunities On-line) program. This program will provide you with a system to find and pay for certification programs. Assess what skills you feel you lack the most and use the program to educate yourself. Other branches have similar credentialing assistance programs as well. Many Commands will also have vouchers available for various certifications, talk to your supervisors to see how you can claim one of these vouchers. Additionally, the Department of Defense (DOD) has the Skill-Bridge program. This program is designed specifically for the purpose of assisting you in transitioning to the commercial sector. The program allows a service member to work as an intern for a civilian company for up to six months; all while still being paid by the DOD.
You will Soar!
By no means is this post meant to convince service members to leave the military. The intent here is to clear up some doubt and properly explain the opportunities available to service members who would already like to separate. In fact, I would say to those wishing to start a cyber-security or Pen Testing career but have no experience or means to educate or certify themselves that the military can be a wonderful way to break into the field while serving your nation. You can enter the military with almost no computing or security knowledge whatsoever, and leave with all the essential knowledge, traits, and social habits necessary to enter the cyber security field and thrive. So to all the service members reading this. You have a professional appearance, demeanor, and manner of speech. You have timeliness, sensibility, and adaptability. You have excellent cyber security knowledge, training, and certifications. You have many military programs you can leverage to round out any skills you are missing. You are prepared, ready, and able to make this transition. Get after it!