Veterans Day is a very important holiday at Reveal Risk. We recognize that this day is a great reminder of how fortunate we are to work with some highly skilled and talented vets. To celebrate their time bravely serving our country, I thought I’d ask Max Thibodeaux, Aaron West and Michael Milroy to reflect and share what their careers in the military were like and their journey to cybersecurity.
Q: What was your title in the military and how long were you in service?
Max: My first title in the military was “Cadet Thibodeaux.” Over the course of 33 years, I went from being a cadet to Colonel Thibodeaux before my retirement.
Aaron: I was in the military for 21 years and retired as Army Lieutenant Colonel.
Michael: I was in the military for five years when I retired as Sergeant. I was working as a Signals Intelligence Operator/Analyst.
Q: What did you do throughout your time there? You can give a general description or pick a few things you accomplished that you’re particularly proud of.
Max: After serving with a mechanized infantry unit as the tactical communications officer, my first active-duty assignment was to South Korea. There I was in a unit that did strategic-level communications. Our unit ran a mainframe computer, Linux servers, a world-wide message center, maintained the fiber optic lines, and we also taught computer courses. We were proud of the 30 computers in a unit with over 500 members. I remember installing Windows 2.0 onto my desktop at the time. No more formatting new disk drives from the command line!
After commanding a detachment in Korea and returning home to get married, I went on to a recruiting assignment in New York City. Afterward, I ended up going to grad school and teaching at West Point from 1999 through 2001. There I coordinating with the Engineering and Computer Science Department and the Social Sciences Department on information security and the ethics of teaching cadets how to hack. We all were squinting into the future to see how the information age would turn out. I learned a lot about Electronic Warfare, Social Engineering, Hacking, and avoiding physical security measures when I was in command of the Army’s Red Team. I finished my career at the Joint Information Operations Warfare Center where we supported the Joint Staff and Combatant Commands for missions taking place around the globe. I’m particularly proud of supporting the Joint Staff and the highest-ranking uniformed officer—the Chairman of the Joint Chiefs.
Aaron: I served in various leadership and staff positions. In the first half of my career, I held jobs where I was either in charge of “technical delivery” in the artillery or led artillery organizations that were responsible for supporting the combat forces on the ground. In the second half of my career, I served in higher-level headquarters where I conducted strategic planning or led units responsible for preparing other units for deployment overseas. The last job that I had [in the military] was in Camp Atterbury where I commanded a unit that advised units to enable the training of 12,000+ soldiers for deployment overseas. Those soldiers were sent to various missions in Africa, Afghanistan, Europe, and the Middle East. I also took part in evaluating the training for emergency preparedness units within the U.S.
Michael: I dealt with multiple communication mediums and the collection of them for analysis. I worked on the geolocation of targets and did some wireless network offensive efforts. I spent 10 months flying over various countries doing this and loved every minute of it.
Q: How and why did you transition to cybersecurity?
Max: I’ve been doing cybersecurity from the very beginning— for example making sure in the 1990s that all of my battalion’s radios were communicating through crypto devices. So, I guess I transitioned to cybersecurity gradually and throughout my military career. There are other security facets to attend to such as cognitive security (resisting social engineering and deception), and physical security (ensuring that you remain out of sight or reach). I don’t see myself necessarily as a cybersecurity specialist with a narrow specialty since I’ve been expanding my knowledge of information security all along. What I enjoy is working to make security easier for people and companies despite how complex and broad the issues are.
Aaron: Cybersecurity was not my career field in the army, but I certainly was exposed to it on a regular basis and my own personal interest in technology helped me to build a base of knowledge in information security over the years. After I left the Army, I took a job working for a cybersecurity company in a sales role. That experience helped me realize that I had a lot of valuable skills useful in the delivery of cybersecurity needs.
Michael: I grew up in IT and networking. I did cyber[security] in the Marine Corps. This industry was a natural “transition” for me. I actually left cyber for project management and came running back after five years.
Q: What were some challenges you experienced transitioning to cyber security?
Max: My most challenging assignment was supporting a commanding general in a theater of war. In 2009 I deployed to Iraq and worked in Victory Palace. That was a challenging time because the president had ordered all combat troops out of Iraq. So, we were shutting down bases and moving a lot of people and equipment back to the United States. It wasn’t all drudgery, though. I got to see Stephen Colbert perform from a stage just below my office. I still have his challenge coin.
Aaron: It’s very difficult for those transitioning out of the military to understand… what skills are transferrable, what needs to be the same [and] what needs to be changed. There are some skills that are immediately transferrable because they’re almost exactly the same in the military world as in the civilian world. For example, an attorney in the military would not be markedly different working as an attorney in the business world. Whereas someone like me who came from combat arms [struggled with] the lack of direct equivalence. You have to figure out what value you bring into the civilian world. I had to do my own research. Not being from the local area and the lack of an active-duty military base in Indiana was challenging at times. Today there are better resources in Indiana (and other states) like INVets.
Michael: The biggest challenge for me is dealing with how much technology and methodologies changed in those years. Basically, I had to review everything from networking fundamentals back up to penetration testing and all the tools and tactics used to stay up-to-date.
Q: What military skills are you using in your career in the cybersecurity industry that have been helpful and valuable in your work?
Max: When people think about military skills, I think they envision shooting and moving tactically on a battlefield— staying alive under fire and beating back an enemy or foe… But being in the military causes you to develop all of your life skills, from leadership to teamwork to knowledge of your competitors. I believe I bring those skills and abilities everywhere I go. Whether it’s at work or in civic life, generally I believe those are the things that help me to be productive.
Aaron: The most important is an understanding of risk management. Cybersecurity is simply one of many risks that need to be managed within an enterprise and the models and methods used to manage that risk are similar to the models we learn in the military. I already had some training in IT and an affinity for technology that allowed me to make my military experience more relevant. I followed it up with additional training (M.S. Cybersecurity Risk Management, Certified ScrumMaster (CSM), and a Graduate Certificate in Business Management, as well as the CISSP. Consulting has afforded me the opportunity to see how large numbers of businesses approach cybersecurity and how to best help them.
Michael: The technical acumen I developed over five very strenuous years on active duty. How to learn a lot of dense material very quickly and retain it for operations years later. I also learned about leadership and how to effectively communicate with senior officials within an organization. The ability to convey my (or my team’s) capabilities effectively without seeming overly confident to a fault was another valuable skill that I continue to use in my work.
Q: What advice do you have for those leaving the military and starting a career in the civilian world?
Max: Leverage all of your best experiences in the military but avoid comparing everything you do in the civilian workforce to the “military way” of doing things. The touchpoints that you recognize as similar can be a huge help but understand the context that you’re working in is now different.
Aaron: Reconnaissance. You don’t know what you don’t know. You need to ask a lot of questions and to talk to as many people as you can — get on the ground. You can’t do everything remotely. Understand what criteria to use for your decision-making and which is more important than another: Location, Work Environment, Your boss, Salary, Culture, Work Enjoyment.
Michael: Maintain your network of fellow troops. Keep in touch with those leaders you have through the years as well as those other service members you meet in various classes/trainings. Be confident to go for exactly what you want, but humble enough to know your limitations and tactical gaps. Don’t be afraid to ask others for help or introductions.