The veteran's guide to a career in cybersecurity

May 30, 2022 Laura Reid

The wealth of free and paid training on offer (and the fact that courses get booked up many months in advance) is reflective of how popular the cybersecurity industry is as a place to work. It’s become a popular industry of choice, especially for countless veterans. Many of the skills and traits of ex-military candidates are incredibly attractive to cybersecurity employers. Likewise, for candidates ready to move on whilst retaining the best bits of their military roles, cybersecurity is a great bet.

We sat down with one of our pentesting team – an ex-noncommissioned officer (NCO) – to get his take on how veterans can get into a career in cybersecurity. It includes references to his own personal story as well as tips to help your own transition.

Which military personnel are best suited for a career in cybersecurity?

This industry is especially suitable for anyone from a technical background (signals, intelligence, and anything IT-related), but that doesn’t mean everyone else need not apply. If you’re coming from an infantry or combat engineering background, there are still relevant roles for your experience.

About 18 months ago, one of my friends was a member of the Household Cavalry, guarding the Royal Family and maintaining the unit’s horses. Now, he’s 6 months into a penetration testing career with a leading cybersecurity firm and on his way to completing his Offensive Security Certified Professional (OSCP) certification.

I’ve met Royal Marines, vehicle mechanics, and drivers who’ve also made successful transitions into pentesting, threat hunting, security analysis, and more. If you have the aptitude to learn and the determination to stick with the training, it’s possible no matter what your background.

What qualifications do you need?

If you’re still in your armed forces job now, I’d recommend getting a few qualifications under your belt before leaving. This is to make sure you can leave your current job landing on both feet and have more options open to you.

That being said, it’s not unheard of to secure a pentesting job without any qualifications or on-the-job experience. I know three people who got their foot in the door just by practicing in their spare time and confidently showing what they had learned once they got to the interview. It all depends on what an employer is after. Some will take a chance and invest in a candidate they believe has potential, while others will be looking for industry qualifications no matter what.

I chose to take 8 weeks of classroom-based courses for free, both via The Career Transition Partnership (CTP) and by looking online to see what was out there for others in my position. First, I chose a 4-week Offensive Cyber Security Course. The prerequisites for this were CompTIA Network+ and Security+ certifications, which are both great starting points to get a grasp of cybersecurity basics. This is especially true for anyone who isn’t from a networking background. They are also well-recognised, and a CompTIA Pentest+ is now even offered by CTP.

I also selected the 4-week Amazon AWS course from QA. This was great for beginners and packed with loads of learning useful for anyone from any specialism (despite being aimed more at those wanting to go into a DevOps career).

Other relevant courses include:

  • CREST CPSA

  • CREST CRT

  • QSTM/TigerScheme

Courses often fill up fast, so my advice would be to book them as soon as possible once you know which are suitable.

What security clearance level do I need?

It would be advantageous to have Security Check (SC) clearance or above. If you've left the armed forces already, consider joining a reserve unit to maintain this so you’re cleared and ready when the time comes to apply for cybersecurity jobs.

How can you provide evidence of relevant experience without specific qualifications or certifications?

One of the main things cybersecurity employers are looking for is a desire to learn and a curiosity for problem-solving. In the absence of qualifications/certifications, make use of free learning resources and virtual machine (VM) training like:

These can go a long way, especially if you’re able to explain what you’ve learnt in the context of a real-world penetration testing scenario.

It doesn’t all have to be so specifically cybersecurity-focused either. When it comes to the problem-solving aspect, demonstrating ways that you understand how technologies work (and can be broken), how to test theories, how to investigate, and so on, can be done creatively.

What are the best cybersecurity events and conferences for candidates to attend?

If you want to boost your knowledge, meet potential employers, and network with other candidates (from a mix of backgrounds), these events are perfect: 

How do you make your military experience relevant?

A big part of this is knowing how to “civilianise” your CV. I didn’t realise until after months of applying for jobs that not all recruiters know what the dozens of three-letter acronyms on an ex-military CV mean! Armed forces terminology can be niche, so it helps to do a bit of explaining. Many candidates from the armed forces have loads of transferable skills but fail to realise and then verbalise how they can be applied in a civilian context.

Going back to my comrade from the cavalry, here’s how his military skills and training could be described more appropriately in civilian terms: 

  • Bowman Radio Operator > Custodian and Operator of secure government cryptographic equipment and material 

  • Troop Lance Corporal > Junior manager directly responsible for the training and development of 4 colleagues 

  • Delivering orders > Preparing and delivering mission-critical presentations to colleagues and senior management

You can do the same with your own skills by looking at what your military trade involves, how you’d best describe those skills to an employer, and how that relates to specific cybersecurity roles.

Don't give in to any pressure to embellish your experience, because you’ll get caught out. A course instructor once put me on the spot by asking me to explain a tricky technical topic that I’d included on my CV to an audience of other candidates. Thankfully, I knew my stuff and hadn’t lied, but you can imagine the awkwardness if that wasn’t the case.

What were the most useful skills from my own military experience?

It was my technical training and my work within the Intelligence community. These both developed my report writing and presentation skills and gave me competence in several software packages that could be applied to pentesting. Many other skills can be relevant, and a good employer will recognise the value of these – so long as you bring them up. Have a think. What skills have other people found interesting that you could use as a talking point? Which demonstrate things about your approach, like your versatility, collaboration, or leadership qualities? Here are a few examples:

  • Junior/senior NCO management experience 

  • Any positions of responsibility (which may not be evident from the job title) 

  • Physical training instructor/sports coaching skills and qualifications 

  • Work with charities 

  • Military leadership courses 

  • Presentations, training, and report writing 

  • Technical and/or engineering and mechanics experience

What was the hardest thing about transitioning to a pentesting job?

I decided to pursue a career in cybersecurity several months into my 1-year notice period. For me, the hardest thing was the amount of new knowledge I needed to acquire within that timeframe to be good enough even for an entry-level role. It’s a lot, but it’s not impossible if you plan. It’s also important to remember that everyone feels this way and has to make the jump, regardless of their background, so don’t let it put you off. I would advise that you start studying and practicing the necessary skills early to give yourself as much time to practice as possible.

What was the best thing about transitioning to a pentesting job?

I now have a great work/life balance in my pentesting job, which wasn’t the case in the Army. This is a game-changer.

My learning was also levelling out and I was beginning to stagnate in my Army job. Now I’m constantly evolving and improving my skills because there’s so much to learn in my role and from the wider security community.

Finally, if you’re a junior NCO, the pay and progression can also be greater than the military equivalent.

What I wish I had known before I started

As you might have already guessed, I wish I’d started learning earlier! I had no idea what I wanted to do once I’d committed to leaving the Army, but a colleague suggested I look at cybersecurity after seeing lots of veterans go on to pursue careers there. I started researching in my own time, practicing on VMs, and completing courses. Further into my notice period, my boss even let me study during work time, which helped massively. Take advantage of this if you can.

What’s the top networking resource you’d recommend?

For me, LinkedIn was great at enabling me in two ways:

1. To be proactive

I took it upon myself to approach employers and leads directly. Doing so makes your CV stand out in the big pile that employers are forced to sift through and may fast track you to be shortlisted. For me, this approach included everything from identifying and contacting the specific recruiting manager in a company, to approaching employers via the email they left on job ads. I even contacted junior pentesters working at the companies I was applying to for advice.

You don’t need to act overly keen. Just be yourself and find the relevant people to explain your interest, demonstrate you’ve learned about their company, and talk about what you can offer them. It shows confidence, enthusiasm, and proactiveness, and can pay dividends down the line. 90% of those people I approached were keen to interact once they could see I’d done my research.

2. To network and help others

Many pentesters and other security professionals from military backgrounds dedicate time to helping other veterans get into the industry. It's easy to come across these individuals in forums and on LinkedIn. Spend some time polishing your social media profiles (especially LinkedIn) and start getting to know other people in the same position as you, as well as those who’ve made the transition. This mutual assistance will help people remember you for all the right reasons.

What communities are there to help transition?

I’ve already mentioned CTP, who helped me. In its own words, CTP “provides resettlement services for those leaving the Royal Navy, Army, Royal Air Force and Marines”. It’s the official provider of resettlement training and career advice for the Ministry of Defence (MOD) and offers free (government-funded) courses and others that you need to pay for.

I also found support from TechVets. TechVets is a community of over 700 IT and associated professionals providing knowledge and support for ex-military personnel aiming to get into IT/technology roles. A large part of its work is aimed at aspiring pentesters. The community offers free courses, practice VMs, job leads, contacts, introductions to employers, and much more. It also has a very active Discord group where you can find free training material and guidance. Check out the TechVets LinkedIn page here.

Hopefully, this article has provided you with more of the answers you were looking for. There are so many cybersecurity specialisms and so many roles in-house or with cybersecurity consultancies and managed security services providers (MSSPs) like Claranet. If you want to see what cybersecurity jobs we’re currently hiring for, visit our jobs page and filter by 'cybersecurity'.
