Veteran Valor: Fortifying Cybersecurity

Welcome to Dark Reading’s “Heard it From a CISO” video series, showcasing advice from CISOs and other cybersecurity professionals.

In our latest installment, Dark Reading associate editor Kristina Beek interviews three professionals to talk about their journey from military to the field of cybersecurity. Here she talks to Bruce Jenkins, chief information security officer at BlackDuck; Jeff Liford, associate director at Fenix24; and Frankie Sclafani, director of Cybersecurity Enablement at Deepwatch about the unique combination of skills and mindset that makes them well-suited for careers in cybersecurity.

The discipline, attention to detail, and leadership capabilities developed through military service translate directly into the high-stakes world of cyber defense. Veterans understand the importance of mission-critical operations and can maintain focus under pressure — qualities that are essential when protecting organizations from cyber threats that don’t wait for business hours.

The cybersecurity field welcomes veterans from all military backgrounds, not just those with technical experience. Whether someone served as a surface warfare officer, intelligence analyst, or avionics technician, the core military values of teamwork, problem-solving, and adaptability provide a strong foundation for cybersecurity roles. Many successful cybersecurity professionals have transitioned from completely different military specialties, proving that technical skills can be learned while the military mindset remains invaluable.

Related:AI Security Agents Get Persona Makeovers

Also, check out our other installments in this series: “From Chef to CISO: An Empathy-First Approach to Cybersecurity Leadership” with Myke Lyons, CISO at data-processing SaaS company Cribl; “Fastly CISO: Using Major Incidents as Career Catalysts” with Marshall Erwin, CISO at Fastly; “From FBI to CISO: Unconventional Paths to Cybersecurity Success” with Kaseya CISO Jason Manar; “Cyber Career Opportunities: Weighing Certifications vs. Degrees” with longtime CISO Melina Scotto; and “Male-Dominated Cyber Industry Still Holds Space for Women With Resilience” with Weave Communications CISO Jessica Sica.

Introduction: Full Video Transcript

Kristina Beek: Hi, everyone. My name is Kristina Beek and I’m an associate editor at Dark Reading, and today I’m here for another episode of Heard It from a CISO. Today, instead of hearing from a CISO, we’re actually going to be hearing from three cybersecurity professionals who are also veterans.

Today, they’re going to talk to us about how they transitioned from military to cybersecurity, everything they learned, and everything they expect to come within the cybersecurity field. Let’s get started.

Related:Closing the AI Execution Gap in Cybersecurity — A CISO Framework

In Conversation with Bruce Jenkins, CISO at BlackDuck: Full Video Transcript

This transcript has been edited for clarity.

Kristina Beek: Hi, Bruce. Thanks so much for taking the time to talk with Dark Reading today. I so appreciate it. So, let’s just start at the beginning. Why don’t you tell us about your background in your career in the military and how you transitioned into working in cybersecurity?

Bruce Jenkins: Sure. I’ll try to keep it short because it’s long. Back in 1979, it was June, I think I had graduated high school and in high school I excelled at underperforming. Had no plan for what I was going to do with my life. I was lying on the couch. The phone rang. A recruiter called, asked me if I wanted to come downtown and talk to him about joining the US Air Force. I had nothing else in my agenda, so I said sure. I went down and talked to an Air Force recruiter. He administered an aptitude test to me. It did a great job lying, telling me that I should be a brain surgeon. I was so smart and talked me into joining the electronics career field more precisely to be an avionics technician on the F4, so a Vietnam era fighter aircraft. Went to Minneapolis later that summer, raised my right hand, got on a plane to Texas, went through basic training and then ended up at my first assignment at George Air Force Base in California. Spent that time in electronics for a number of years. I end up spending 10 years in Germany as part of that tour. Learned a lot about leadership and management. Learned a lot about myself. I completed my degrees. I’d mentioned in high school I wasn’t too enthralled with the idea of learning. But I quickly realized the value and benefit of an education. Got my associate’s degree from the Community College of the Air Force, which is very common. Went on, spent 10 years getting a bachelor’s degree. It took me 10 years for many reasons, one of which was we were in the middle of some European campaign, Southwest Asia campaigns, and I had a lot of 12 hour shifts, but completed a degree in 10 years, rotated back to the United States, spent some time supporting NORAD through by way of Cheyenne Mountain and Peterson Air Force Base in Colorado Springs. And decided I want to be an officer. And in 1995 I was commissioned as an officer in the Air Force in the communications and computer field. So basically IT and cybersecurity. I went on to eventually become a commander in Southwest Asia. And after rotating back to the United States in 2004 and working in IT security and compliance, the US Air Force had a breach of its personnel system, its HR system called Assignment Management System. And I was in the middle of that again doing IT security and compliance and it turned out this was an application security issue. It was something called an SQL injection. We don’t need to get into the technical details, but nevertheless someone was able to break into a web application using this injection capability based on a software flaw.

Related:AI App Spending Report: Where Are the Security Tools?

KB: OK.

BJ: And I didn’t know how to spell Appsec, but I knew a lot of things about leadership and teaming. I co-led the Crisis Action Team that investigated the event, the incident, and then led a pilot program around application security, trying to understand what the US Air Force could do to bolster its defenses around Appsec, so this sort of thing wouldn’t happen again in the future. My activities came on the radar of a private equity firm. It was a startup in software security and I was recruited and subsequently retired from the Air Force in 2007 after a 28-year career: 16 enlisted and the remaining as an officer and ran a professional services organization at this startup software company in application security. And that sort of took me down this path to where I am today through a series of mergers and acquisitions with multiple companies over time and doing various roles in application security strategy, working with customers, working with sales teams and ultimately ending landing at Synopsis. And then of course we were carved out our business unit, the Software Integrity group carved out last year from Synopsis and we are today as Black Duck. And I was promoted to the position of chief information security officer Dec. 1 of last year.

KB: Awesome. Well, thank you so much for sharing that with us. Do you feel as though your military background allows you to sort of separate yourself and succeed in the cybersecurity field or sort of differentiate yourself from your peers?

BJ: So, I can’t say that my military background and skills help differentiate me from others. I will say that I think what I learned around leadership, teaming, camaraderie, the indispensable nature of having people work for you that believe in what you’re doing, believe in your mission has helped me in my role, including leadership roles, as I progressed through my non-military career. So I think it’s helped me and one might argue that it has been indispensable. I would say it’s indispensable for me. Whether it distinguishes me from others, I don’t know. But I would argue that I do have a very unique background in the way I traverse my career and then ended up today as a chief information security officer with a cybersecurity or a security company.

KB: Is cybersecurity a field you would recommend to other veterans or soon to be veterans looking to join the workforce?

BJ: I would recommend cybersecurity to everyone, and I say that because we do have somewhat of a skills shortage. This is a specialized field in that as an example, there are team members of my team who have backgrounds in software development. That is an essential skill for the kinds of things that we do in cybersecurity, because having an understanding of the ways that an adversary might break your software system becomes a critical element of how we analyze risk in what we do. So broadly speaking, I would say we are open to all comers from various fields. I interviewed someone a couple of years ago who had a degree in psychology. And that person felt perhaps that they weren’t qualified. And I said, when you’re talking about psychology, you’re talking about dealing with people and circumstances and relationships. And that’s everything that we do in cybersecurity is about understanding context of people and systems and how those interact with each other. So even a degree in psychology would lend itself to what we do in cybersecurity. So yes, to answer your question, if you’re in the military considering a career, you should consider cybersecurity, even if you believe you have a background that doesn’t directly lend itself to a role in cybersecurity.

KB: So, with people coming from various backgrounds, are there any resources they could utilize that in terms of becoming more familiar with cybersecurity or maybe becoming more familiar with technology in general?

BJ: Yeah, I would say there are a lot of professional organizations that one could consider joining or at least perusing the materials they have available. ISC 2. This is an international organization. I know ISACA. SANS Institute. So those are three are good, not the only resources, but three very good resources for gaining an understanding of the types of knowledge that is required to be successful in a career such as cybersecurity.

KB: Awesome. And this is just my last question, but what does the future of cybersecurity look like to you?

BJ: Well, I’ll say very directly that the future of cybersecurity to me still includes a lot of people, humans. And I say that in the context of artificial intelligence. And in fact, I would argue that at least where we are today with artificial intelligence, we need smart people in cybersecurity to understand, again, the context. The use of those solutions and then more critically, I would argue the use of AI solutions by adversaries who would try to do us harm. Today we have adversaries, of course, that are humans and a lot of automation is leveraged to again, do harm to those who are simply trying to go about their business. AI adds leverage to those who want to do bad things to us. So we need human beings on the good side, as it were, to help understand that landscape and then even use AI to counter that threat. So in the future, I see a lot of the use of AI kind of indirect reference there about those capabilities. But more importantly, I believe that we still have a lot of very smart technical people that are engaged in this particular career field.

KB: Awesome. Well, I’m so glad to hear that. Thank you so much for taking the time to talk with Dark Reading. I so appreciate it, and I know this will be so helpful to so many people. So, thank you.

BJ: Thanks for the opportunity.

In Conversation with Jeff Liford, associate director at Fenix24: Full Video Transcript

This transcript has been edited for clarity.

Kristina Beek: You can introduce yourself and then we’ll get started.

Jeff Liford: Sure. My name is Jeff Lyford. I’m an associate director of incident response and recovery at Phoenix 24. Prior to my employment at Phoenix 24, I worked in a variety of positions for the US Department of Defense and Department of the Army in a number of classified and unclassified system engineering contacts. And then before that I was a member of the US Army Intelligence Community.

KB: Awesome. Well, thank you so much for taking the time to talk with Dark Reading today. So, can you just talk about your background a little bit more in depth of what it was like transitioning from the military to cybersecurity?

JL: Sure. So, it happened kind of by accident. It wasn’t my intent in the military. I worked in the intelligence community and as I transitioned away from doing that work into IT, which was the direction I wanted to go career wise. Because of my connections and having that background, I was able to kind of parlay that into a position doing system engineering for the exact same office. I used to be an Intel guy and that opened a lot of doors to various opportunities with contracting and everything else to participate in some really neat system engineering challenges and the longer you stay with the DoD, particularly over the last 10 to 15 years, everybody who is an administrator has to have a security context. DoD is really big on that and so what started as an interest in system engineering, reliability, redundancy. That’s a key tenant of security in a by way of availability that slowly transitioned to now. Well, now let’s talk about doing vulnerability management and let’s talk about doing incident response and let’s talk about doing cryptography and some of the advanced things that DoD does with some of their proprietary networks where it just kind of opened a lot of doors. And then I had the opportunity to come to Phoenix where it was like, let’s take all of that and let’s do that full time for people who have been impacted. So, everything already know how to do, critical uptime, break, fix in a hurry. Understand a whole system very quickly, put it back together. Now let’s go do that for people who are the victims of ransomware. And there was something about that mission set that just really appealed to me. And I ended up in this by accident, but it was, I feel like it’s absolutely where I was supposed to be.

KB: Awesome. Do you feel as though your military background allows you to succeed in the cybersecurity field, or even differentiate yourself from your peers who maybe don’t have that kind of background?

JL: I think it plays a part. It makes a difference. So, one of the things in the military, the military is very big on the ability to operate under pressure with imperfect information. So, in a crisis situation, we don’t have time to wait for all of the information. We get pushed into a decision whether we want to make the decision or not and not making a decision is a decision in the incident response framework. It’s the same situation. A company has suffered some catastrophic ransomware event. They’re now down, and we could spend six months doing exhaustive recovery efforts, figuring everything out, trying to get the perfect information, but the company could go out of business in the interim and that doesn’t serve anybody. So, we have to be comfortable with the idea of I’m not going to answer all of my questions. I have 100 questions about what happened here and I might only get answers to 10 of them and that has to be good enough to function and I think the people who come from a military background that teaches to operate under that stress naturally succeed in this role, where they’re forced to operate with imperfect information and make decisions with the best available. And sometimes wrong, and that’s OK. We’ll deal with it. Whatever comes of that being wrong, that’s just another decision for later to deal with. The obstacle, and that’s another obstacle to overcome. We want to minimize and avoid that, obviously. But when it happens, it’s the cost of doing business with imperfect information, and have to be comfortable with that. And a lot of people are not, but most veterans are.

KB: Awesome. So, would you say that, I mean, I know you talk about how you kind of fell into this field, but for veterans looking to sort of find their purpose, find a field in which they can succeed and grow professionally, is cybersecurity something would recommend to them?

JL: For many, many folks, I would say yes. So, there’s a unique challenge in cybersecurity that the high stress, high stakes, the willingness like there. I don’t want to go on a tangent of work-life balance and everything else. It’s important, but there are elements of cybersecurity in the things that we do where the mission matters now. It doesn’t wait for Monday morning. And so that veteran population understands how to get attached to that mission, how to take ownership over that mission. And if that’s the stakes or something that enjoy working in, this is a great place to have the same stakes. And if can translate skill set into how it matters to those things, it makes a big difference helping people understand why the candidate for that type of position. Even though might not have the most technically specific background or technically specific qualifications, that mentality is enormous. I’ve met plenty of people who are super technically proficient but can’t bring themselves to make decisions and risk situations where have other people who are comfortable making risk decisions and maybe don’t have all that technical background. Let’s marry those two people up and there’s a place for veterans in this space.

KB: Awesome. And my last question is, is kind of broad, but what is the future of cybersecurity look like to?

JL: In the last several years, we’ve seen the onset of large-scale enterprise ransomware events that are not a traditional incident where a thing has happened with a limited subset of computers. And so, we’re going to just contain that. Everybody else is going to behave like nothing happened and we’re going to deal with this problem in isolation. Increasingly, we’re unable to deal with the problem in isolation, because the scope of the event is everything, and I think that that probably continues and intensifies in the coming years. We talk about it as the age of cyber warfare because it’s not malware, it’s not a virus. That’s not the problem. The problem is a person or an AI who is deterministically fighting against in own environment, using tooling, own tooling against using own accounts against. And that’s an entirely different class of type of threat and it requires a different attitude to combat. So, I think we’re going to see higher intensity conflict of that nature over the coming years.

KB: Got it. Well, thank so much for taking the time to speak with Dark Reading today. I really appreciate it.

JL: For sure. Thank so much.

In Conversation with Frankie Sclafani, director of Cybersecurity Enablement at Deepwatch: Full Video Transcript

This transcript has been edited for clarity.

Kristina Beek: Hi, Frankie. Thank you so much for taking the time to talk with Dark Reading today. I so appreciate it. So let’s just start off at the beginning. Could you tell me about your military background, how you got into that and then how you kind of transitioned into working in cybersecurity?

Frankie Sclafani: Yeah, great question. So I guess my career first started in college. I joined the Air Force College ROTC program at the university I was going to and I was taking some computer courses, digital forensics courses, things of that nature, and I had a few influential professors that steered me down the cybersecurity track throughout that career, throughout that path. I was trying to figure out what to do with my life, like most other college kids.

So when I first joined the military, I think I was really lucky enough to get into a cyber-specific career field, which was kind of brand new at the time. It used to be just old radio communications career field, but when I was first entering that, I was one of the first few people to get trained up on cybersecurity, both offensive and defensive. So I received my education in computer science and computer engineering, and then I got trained by the Air Force on how to do cybersecurity. And then I went straight. My first assignment after training was at the NSA at Fort Meade in Maryland and I was supporting incident response engagements there at the NSA. So I was going on site and doing insider threat assessments and doing IR engagements and then I’ve transitioned over to the offensive side of the cyber portion of the NSA. There was a group called Terror Access Operations TAO and I was a part of that group for a while and we conducted cyber intelligence through SIGIT missions. So we did a lot of fun secret classified operations there. And then at that point in my career I decided, let me try the civilian world. So I left active duty and I joined Fire Eye as a senior SOC analyst at that time, but I wasn’t quite done serving so my commander at the time encouraged me to join the Air National Guard, which is where you mobilize and can go on missions. And my guard unit was aligned to Cyber Command. So while I was doing my civilian career and starting that, getting that started, I was also back in the military. And I had a few different mobilizations where I supported cyber commands. I did one at Fort Meade again. I did another one in Germany at Rammstein Air Force Base where I was training all the cyber troops in Europe at a few other missions as well. And I was growing my civilian career at Fire Eye, then Mandiant and then at Google. And then that eventually led me here at Deepwatch where I started leading the team here of fiber advisors as the director of cyber enablement. So it’s been a fun, interesting career, that’s for sure.

KB: Yeah. Thanks so much for sharing that with us. So how would you describe the transition from military to civilian work? Do you feel like you had a lot of support? Was it kind of seamless or not so much?

FS: It was smooth and rocky at the same time. The reason I think it helped be a little bit smoother for me: there’s two reasons. Number one, my career field was in cybersecurity in the Air Force and in the military, so I was very lucky that I had already a lot of training and skills and experience that directly translated to a career field that I wanted to do in the civilian world. So that was amazing. It was rocky in the sense that there is a lot of things that you miss about the military. You obviously miss the people that you worked with. You miss the camaraderie. You miss the sense of purpose that you get from doing a mission that shows a lot of value and provides a lot of service to our country, so you do deal with a lot of those losses when you get out of the military, and it’s hard, I think, for a lot of members, even if you have a plan to figure out what exactly it is you want to do and how you fit into this world without a lot of direction. So I think having a community and having friends that have gone through this before or reaching out to veteran communities makes a big difference and can help that transition be less difficult.

KB: Yeah, with your military background, would you say that that’s helped you succeed in cybersecurity in the work you do now?

FS: Oh yeah, absolutely. I mean, I think there’s skill sets that every service member, regardless of branch and what they do for their career in the military, those are skills that you develop just being in the military. I think that the attention to detail that they drill into you from having your uniforms inspected every day. That’s a skill that directly translates to many career fields, but cyber specifically, just being off by one digit on an IP address or domain name or something like that can have big consequences on whether or not you stop the bad guy or not. So that attention to detail, that focus, the drive, the leadership, all of these different skill sets that you get from the military just by existing and going through your basic training are super, super important and help with cybersecurity in big ways that I think that maybe it’s not quite as helpful in some other civilian career fields.

KB: Yeah. And going back to your education, it’s clear that you had an interest in computer science, cybersecurity technology, which helped you kind of get into this field. But today, I know there are a lot of people who sort of pursue cybersecurity from a more non-traditional background. And that may be the case for some veterans who are maybe interested in going into cybersecurity, who maybe don’t have a background like yours. What would you recommend to them in terms of resources or communities to get involved with?

FS: Oh, 100%. So first of all, I love people that career change into cybersecurity. I think it’s amazing to see the diverse skill sets that someone who maybe doesn’t have just a technical or IT background can bring. I worked with people from the military who have been surface warfare officers in the Navy where their job is to lead sailors on ships. They don’t really deal with cyber on the daily basis. But one of my mentors early on in my career was a former SLO who ended up teaching himself IT and cybersecurity. And I’ve had other people in my civilian career who were former educators like elementary school teachers who became cybersecurity and many others I know that come from very diverse backgrounds. So it’s absolutely doable. It can seem intimidating, I know if you’re a veteran who maybe doesn’t have an IT background to transition into cybersecurity, but it is doable and I’ve seen lots of people succeed.

As far as resources go, there’s quite a few out there for veterans. If you’re still on active duty, one of the big ones that I wish I knew more about that’s not discussed very often if you’re an active duty member is basically a transition program called Skill Bridge, where you can apply to a 180-day internship program while you’re on active duty and transitioning out of service to go work at a company of your choosing and you can be an intern there and you still receive your military compensation and benefits. So it’s a great benefit. You get a paid internship, the employer gets basically a free intern for six months and you get some on the job training that directly translates into learning. So I wish I knew more about Skillbridge when I started. I encourage veterans that are currently serving to look at that and employers to make sure where they register for Skillbridge.

There’s a lot of other great resources out there for free. Like obviously, there’s plenty of benefits you can use with your GI Bill if you’ve served and have access to that, but there’s training from SANS that is available for veterans, which is one of the big industry leading certificate providers within tech and cybersecurity. So highly recommend if you’re a veteran to go check that out and there’s lots of other local chapters of your IT and tech and cybersecurity career fields. So check out the local BSides conferences, the local Smoocon conferences, whatever conferences you have locally. Just search cybersecurity conference, Denver or Atlanta or wherever you may be located and you’ll find plenty and start linking up with that community because cybersecurity, like any other career fields, it’s about connections and it’s about meeting people. So don’t be shy. Definitely reach out.

KB: Awesome. Yeah, for sure. And just the last question I have, and this is a question I’ve been asking everyone today, is what does the future of cybersecurity look like to you?

FS: Yeah. So we’ve had a skills gap in cybersecurity for quite a long time now and that still hasn’t gone away, which is one reason why we need more veterans to gain interest in this career field and hopefully consider making cybersecurity their career field. So that’s important to kind of build that gap and actually help mature our career field in general. But I think one of the biggest game changers that the whole world is going through at the moment is the AI evolution. And I know you’ve probably heard that every. It’s annoying how much we speak about it, but we are definitely in a major transition technology shift at the moment, and if you can embrace artificial intelligence and use it as a tool in your daily life and in your career field to basically use it as a force multiplier. I think that is going to be huge. So if you’re new to IT or cybersecurity or career field, definitely don’t shy away from playing around with as many different AI models as you can. Whether it’s, just use all of them and see what capabilities they have. Help them with your study plans, help them develop study plans for you so you can learn new skills, use it in your day-to-day job to help with coding, software development, research, everywhere it’s applicable. So just dive deep in there because it’s changing the game.

KB: For sure. Well, thank you so much for taking the time to talk with our creating today. We so appreciate your words of wisdom. So thank you so much.

FS: Yeah. No, thank you for the opportunity. Appreciate it, Kristina.