
Veterans have skills to meet new needs

by Mark Rowe

The cybersecurity sector is turning to ex-military personnel, writes Simon West, pictured, Director of Customer Engagement at Resilience Cybersecurity.

The “cybersecurity skills gap” is now a hot-button issue in the cybersecurity sector. While cyberattacks on organisations are becoming more frequent, serious, technically sophisticated, and, in many cases, backed by the state, the industry is finding it challenging to secure the personnel it needs to meet these threats. One element of this is simply headcount. The World Economic Forum (WEF) has recently estimated that the cybersecurity sector is short of 3.4 million personnel.

Cyber risk is, to a large extent, now an assumed cost of doing business. Technical prowess, then, is no longer sufficient in the cybersecurity profession. The evolving cyber threat means that cybersecurity professionals must be able to draw on a broader range of skills – such as strong leadership, active management, problem-solving, and, crucially, the ability to arrive at sound judgements quickly in difficult circumstances.

To meet these personnel needs, cybersecurity firms and departments are now drawing on ex-military members. During my years as a Royal Marine commando, the essence of my role was to come to quick and sound judgements under pressure. This is something that required me to make quick and accurate risk assessments on the ground: identifying risks; assessing their scale and immediacy; and factoring in the safety of my colleagues.

And so, when it comes to cybersecurity, ex-service people have the right skills to help the sector respond to the changing nature of cybercrime, and to help close the sector’s skill gap.

New threats demand a new approach

The changing nature of cyber risk demands, above all, a more holistic approach to risk – one that lends itself to military expertise. In combat and other military situations, some kind of loss is unavoidable. And so, the essential task for decision-makers is to gauge risk and the potential losses accurately, so that a plan to minimise and recoup these losses can be decided on.

Businesses should adopt the same basic approach when it comes to cyber risk in 2024. Rather than trying to protect against any and all attacks, which is chimerical, businesses and other organisations should instead prioritise assessing and limiting material losses.

This is Resilience’s approach. It focuses on minimising risk, by building up a business’ resilience to attack through better risk management. One aspect of this fresh approach is risk quantification. In an environment where attacks are now to a large extent a fact of life, the old method of attempting to stop all attacks is simply no longer viable. The cybersecurity sector needs to be able to provide businesses with an actionable monetary value of the cyber risk that they face, which can then inform C-suite decisions on investment into security and insurance. Still, most cyber insurance providers are deriving their policy terms from self-survey data provided by the client that doesn’t take into account the ground truth of a client’s actual cyber security posture.

Conversely, concrete risk quantification enables cybersecurity firms to advise businesses on cost-effective solutions that are appropriate to their particular needs. The drive for cost-efficiency is especially important now, given that many organisations’ cybersecurity budgets are tight. The cyber risk industry needs to be able to make these sound judgements on potential losses: boiling down all the elements of cyber risk management – from security to insurance – into an actionable figure.

The cyber risk advisory sector is placing a new emphasis on proactive threat monitoring, advising clients on which threats can be tolerated, and which present a more immediate and pressing danger to the business. One example of this is the digitalisation of the economy, and how this creates new avenues of attack. Most businesses now have their IT systems connected to a large number of third-party vendors, and this can expose them to weaknesses in these vendors’ cybersecurity.

But these networks are of course a critical part of today’s economy, and so total cybersecurity is simply not realistic under these conditions. Again, in 2024 cybersecurity is a matter of trade-offs. Navigating these trade-offs requires sound judgement about what is best overall for a particular business. Therefore, cybersecurity professionals will have to offer sound holistic judgements that, for example, balance a client’s need for connection with vendors with the cybersecurity problem that this entails. In other words, cybersecurity firms will now need more than technical know-how among their staff to make these judgement calls.

Those with military experience are well-placed to meet this challenge, bringing a suite of pertinent transferable skills to roles in the cybersecurity industry. For one, these people tend to be very technically savvy. Someone with military experience will have had to master a variety of complex situations, gaining new skills and know-how quickly as they’re cycled from role to role. It’s an experience that makes veterans highly adaptable, and fast learners. Indeed, the private sector has noted that veterans tend to master new technical skills faster than those from other career backgrounds.

This is a very valuable skill in a cybersecurity sector that is increasingly focused on judgement calls rather than on the search for complete security. In this new cyber risk environment, ex-military personnel are well-placed to decide on appropriate responses to breaches and attacks; and to give sound advice about the risk a business faces and what they must do to mitigate its effects. Military personnel have honed these essential skills on the job, and can bring them to cybersecurity roles on day one. This also means fewer resources spent by cybersecurity companies on training and retraining.

Military-like decision-making for threat response

The cyber risk environment in 2024 also demands fast decision-making from cybersecurity teams. Those with military experience are well-placed to meet this need.

In a combat environment, the high stakes involved lead to the creation of simple chains of command that can formulate decisions quickly with limited information available. Those with command experience have been trained to draw together different branches of the armed services, each with different roles and capabilities, to work together effectively during operations. For people with military command experience, this effective management of multiple actors under pressure is very much their bread-and-butter. This experience transfers well into the cybersecurity industry, which also involves many different moving parts: from analysts and security managers to IT professionals and insurance.

In an era where cyberattacks are becoming ever more frequent for businesses, the cybersecurity industry needs to ensure that it has dynamic, adaptable, and effective teams that can make sound judgement calls quickly and under pressure. To meet the changing nature of the cybersecurity threat, and to start to fill the personnel and skills gap in the sector, firms would be well-advised to turn to those who have already developed this broader skill set.
