EPISODE 56
CYBERSECURITY CAREERS IN THE DEFENSE SECTOR

About this episode

In this episode, we provided an introduction to cybersecurity careers in the defense sector within the United States. This discussion can provide you with a great starting point for understanding how to get a cybersecurity position within this sector of the industry. 

The defense sector consists of three main categories of positions: military members, government civilians, and government contractors. The defense sector is a huge area of growth in the cybersecurity industry, with over 50% of all federal government cybersecurity spending being dedicated to the Department of Defense’s budget for digital security in the United States. This equates to a lot of cybersecurity work and positions being made available within the industry for qualified and cleared individuals. 

As we went through the episode, we covered all three areas and types of positions available in the defense industry. We discussed the advantages and disadvantages of joining the military or the reserve forces in order to get a cybersecurity position. For example, if you join the military, they will provide you with all of the training and qualifications necessary to become a talented cyber defense professional. We also covered the role of government civilians and the lengthy application process they undergo to land one of these positions. There is usually a lot of competition for these positions and a lot of “preference factors” that they use in determining who to hire for these positions. Finally, we covered the work of government contractors, which consists of the commercial companies involved with conducting business for the government.

For many defense sector cybersecurity positions, it is important to maintain a Secret or Top-Secret security clearance. This is another lengthy process, unfortunately, and can take between 6 and 18 months to finalize your investigation and get awarded a clearance. Due to this, those who have already received a validated security clearance have a significant advantage in getting hired over those who are waiting for one or simply do not have one yet. The Cyber Security Workforce (CSWF) requirements and certifications were also discussed.

As we discussed in the episode, there are a lot of other differences between applying for a civilian or contractor job inside of the defense industry, especially in terms of the position description and the way you will write your resume. If you want to land a contract position, you should visit the company’s website or any of the major job boards like LinkedIn, Monster, etc. If you want to land a government civilian position, then you should visit their central repository at USA Jobs.

What you’ll learn

  • Why are certifications important in the cybersecurity industry?
  • Are certifications or experience more important to a hiring manager?
  • Are certifications or college degrees more important to a hiring manager?
  • Which certifications should you be getting to advance in your career?
 


Episode Transcript

Kip Boyle:

                    Hi, this is your Cyber Path. We’re the podcast that helps you get your dream cybersecurity job. I’m Kip Boyle, and I’m here with Jason Dion. Hey, we’re experienced hiring managers of cybersecurity professionals. We’re here to help you. Today, what we’re going to do is we’re going to give you a complete introduction to cybersecurity careers in the defense sector in the United States.

Jason knows all about this. I love the fact that he’s bringing all this information to us. Let me just pitch a question at Jason. Jason, what is this thing called the defense sector?

Jason Dion:

                    Yeah. When we talk about the defense sector here in the United States, we’re really talking about three main parts. The first one is pretty obvious. When you think about defense, you think about military. These are the guys in uniform, the guys and gals who go all over the world and do things for our military. It’s Army, Air Force, Navy, Marines, we can even include the Coast Guard in there, even though they’re Department of Homeland Security, and then of course, our new Space Force.

All of those are military members. That’s one of the big parts of the defense sector. Now, the second big part is that there’s a bunch of government civilians, which we call GSs. These government civilians are ones who work for the different branches of the military. They’re going to be working alongside these military members. If you go to the Pentagon, for instance, for every one guy in uniform, or one gal in uniform, you’re going to find two or three government civilians.

Then in addition to that, we have this third area, which is our government contractors. When I think about government contractors, I think about all the big names out there, places like General Dynamics, Booz Allen Hamilton, SAIC, Raytheon, Lockheed Martin, the list goes on and on. All of these make up our defense sector.

Kip Boyle:

                    Okay. You know what? This is completely making sense to me, even though I haven’t been involved in the defense sector for a long time. When I was on active duty in the Air Force, I was absolutely in ground zero of all of this because I was working first on an air-to-air weapons testing program. Then later on, I went and worked for F-22. That was all in the systems acquisition and development space.

Yeah. I was working with all those names that you mentioned and more, including Boeing. Turns out, some things don’t change.

Jason Dion:

                    Yeah. The big government contractors over the last 20, 30, 40 years are the same ones that have been popular for the last 20, 30, 40 years. They keep going forward. There’s a lot of smaller government contractors as well, that we call subcontractors that work for these larger ones. For instance, my small little company, Dion Training, we might be able to get a contract underneath Lockheed Martin to do all of the ITIL training for all their service desks that are supporting the military.

That would make us a subcontractor under them, who is the prime contractor.

Kip Boyle:

                    Right, right, right. What this is evoking for me right now is there’s a whole new initiative, which we’re not going to talk about today, to help secure sensitive but unclassified information that’s being held by these subcontractors. But that’s another topic for another day.

Jason Dion:

                    Most definitely. That’s a big barrel of fish, folks, we can unpack another day, for sure. The reason why I think that the defense sector is important for us to consider, especially as cybersecurity professionals, is a lot of the money that goes out for cybersecurity positions are either done through the military, through the government, or through these government contractors.

If you look at the cybersecurity spending, back in 2020, there was $16.2 billion, B, billion, that was spent on cybersecurity. Now out of that, in 2021, there is $19 billion being spent by the US government alone in cybersecurity. We are just exploding in the amount of money that’s being spent in cybersecurity. A lot of that is coming through the US government, specifically through the Department of Defense. When you look at …

Kip Boyle:

                    Man, when I got out of the Air Force, I don’t think there was a line item for cybersecurity spending.

Jason Dion:

                    Yeah.

Kip Boyle:

                    That’s amazing.

Jason Dion:

                    That’s one of the interesting things is that the timelines associated with cybersecurity and with spending in the government sector is so long, that when you have an incident today, the money you’re spending on that to solve that is money you had to allocate three or four years ago. It’s one of the things you really have to be future looking in this world.

As you look at the Department of Defense and the money they’re spending, if you look at the US government, half of the money being spent is in the defense sector, the other half is things like Department of Homeland Security, Department of Treasury, FBI, and things like that. But half of all the money being spent is in this Department of Defense budget, whether that’s on military members, contractors, or government civilians.

For that reason, it’s important to understand what these jobs are, and where you might be getting one of these jobs as you’re breaking into the industry.

Kip Boyle:

                    Yeah, absolutely. I mean, I think, it’s this old aphorism. Follow the money in order to find out what you want to know. If you’re listening to our podcast, you’re quite naturally wanting to know where can I get a cybersecurity job. Well, here you go. Follow the money. Let’s go ahead and start to unpack this. What positions might be available to help Uncle Sam spend all this money and get good value for that spend? I think you mentioned them already, Jason. But let’s go through them in a little bit more detail.

Jason Dion:

                    Yeah. Let’s start out with the big categories. I mentioned military, government civilians, and contractors. When I talk about military, there are going to be some requirements to be a member of the military. You have to be relatively young. You have to be healthy. You have to have no bad items in your history. That means you can’t have drug use. You can’t have bankruptcies and financial issues, because you won’t be able to get a security clearance.

There’s a lot of great things about going and joining the military. In fact, they’re going to train you and they’re going to pay you to get trained. They’re going to give you a place to live. They’re going to feed you. They’re going to clothe you. They’re going to teach you everything you need to know. They are one of the few places that will take somebody with zero knowledge and make them into a cybersecurity expert over the next four to six years.

Now, that’s a great deal. But you’re also giving them four to six years of your life as payback for that good deal. It’s one of those things that the military is not just a job, it is a lifestyle, and it’s not for everybody. But it is a good way to do it if you’re going to start out from ground zero, and maybe you’re 18 to 25 or 30, you’re relatively young, and you want to go that route.

Kip Boyle:

                    Right. One of the things I want people to realize, too, though, is there is going to be a check on your aptitude. If you think, “Hey, I’m going to join the military, and I’m going to get all this great cybersecurity training.” Well, they are going to test you coming in the door. I don’t have any insight into what the tests are, or anything like that. But I just do know that they test everybody who comes in the door.

No matter what training you’re going to get, they want to make sure that you have the aptitude, that you’re actually going to be able to learn what they’re training you to do, and that you’re going to be able to graduate on time. Because the government says, for example, if we’re going to create a communications and computer systems communications officer, that’s a six-week program, and this is what you learn.

They’re not going to send you there until they’re pretty confident that you’re going to be able to pass that. I just want to throw that caveat out there. Nobody’s surprised.

Jason Dion:

                    Yeah. It’s a great caveat. In the military, there’s two sides of it. There’s the enlisted side and the officer side. As an enlisted member, you don’t need a college degree. You can come in straight out of high school or at any point thereafter. To get in on the enlisted side, you basically have to pass the medical check, the financial check. They have you take an exam called the ASVAB, the A-S-V-A-B, which is basically a very broad test that tests your aptitude in lots of different areas.

Based on how you score on that ASVAB, that’s going to open up certain career fields to you. For example, if you want to become a CTN in the Navy, which is a Cryptographic Network Technician, those are basically government hackers and government defenders, you need to have about a 90% or higher on the ASVAB. That is a really high class of person that’s going to go into that career field based on their test scores.

If you only scored a 70, you can’t be a CTN. But you can go be an IT, which is somebody who owns and operates the IT gear and the networks and servers. It’s not the cybersecurity side, but it’s more the operation side. There’s a lower requirement for that.

Kip Boyle:

                    That will set you up, because once you learn that stuff, then it’s a pretty good bet that you can then extend yourself to learn the cybersecurity stuff.

Jason Dion:

                    Yeah, definitely. You can definitely use that and leverage that. Once you decide to get out of the military later, you’re still going to get a lot of your certifications, your A+, your Net+, your Security+, but they’re not going to teach you the hands-on penetration testing that they teach the CTNs. There is a difference in what you get put into. That’s just the Navy.

There’s lots of different branches of service, as I mentioned, and each one has their own requirements for what they want based on their career fields. The other thing is that …

Kip Boyle:

                    It’s almost like a salad bar. If you go to one and you’re not getting what you want, go to another one and see if they’ll give it to you.

Jason Dion:

                    The other thing that’s important to know is when you decide to join the military, if you decide to join the military, talk to all four branches to find out which one’s right for you. Each branch has its own culture and its own way of working. Back when I joined the military back in 2002, it was right after 9/11. If you joined the Army, you know you were going immediately to Iraq or Afghanistan. If you joined the Marines, you’re going right to Iraq or Afghanistan.

If you joined the Air Force or the Navy, that wasn’t necessarily the case yet. They had a different culture about it. They have a different way of treating their members. Some organizations, some militaries will actually tell you what job you’re going to get before you join. The Navy is one of those. They will sign a contract that says, “You will be a CTN, a computer hacker,” or “You will be the guy who paints the ship.”

They tell you that up front. The Army and the Marines, back when I looked at it in 2002, they didn’t do that. There was no guarantee. You went off to boot camp, and at the end of boot camp, they say, “Great. We need some radio guys. You’re going to be a radio guy. We need some guys to shoot guns, you’re going to go out and shoot guns.” You don’t have nearly as much control, at least back in the time back then. I don’t know how it is now in 2021, 2022. But back in 2002, you didn’t really get a choice.

Kip Boyle:

                    Yeah. That’s all on the enlisted side. The officer side, it’s similar, but it’s a little different. What was your experience?

Jason Dion:

                    Yeah. On the officer side, you have to have a degree to become an officer. You can go through what’s called OCS, which is Officer Candidate School. It’s basically officer boot camp. When you get picked up, again, in the Navy side, it’s going to be done based on you apply for a position, and that is going to tell you what career field you’re going to be in. You can apply to be a Surface Warfare Officer, somebody who drives ships for a living.

You can apply to be a naval flight officer, somebody who sits in the back of the airplane and navigates the airplane, for instance, Goose in Top Gun. You can apply to be a pilot, and you’d be the guy flying the plane. Each job you’re going to apply for and you’re going to get accepted, you know what you’re going to do going into it. I believe the other services are fairly similar on the officer side. But on the enlisted side, that’s where it really is different where sometimes they just put you where they want.

Kip Boyle:

                    Well, even as an officer, I can tell you that sometimes you still get told what you’re going to do once you get in there. I mean everybody in the military serves at Uncle Sam’s pleasure. One way or the other Uncle gets what he wants.

Jason Dion:

                    That’s very true. I’ve had a lot of friends who were in the military. I was in the military myself. They tell you where you’re going to be and for how long you’re going to be. If you have a family, that means your family picks up and moves when the military tells you as well.

Kip Boyle:

                    Yeah.

Jason Dion:

                    Because of that I had lived all over the world in different places, throughout my time in the military. There’s a lot of things that you give up in your life, when you go that route.

Kip Boyle:

                    You might even get to go someplace and be without your family for a couple of years. That can absolutely happen.

Jason Dion:

                    Yep.

Kip Boyle:

                    Yeah. Okay. What about reservists? We hear about a reserve duty and so forth. Is that an option here?

Jason Dion:

                    Yeah. Military Reserve is a great thing to consider if you don’t want to go full-time military. Now, what a military reservist is, is there’s a commitment for them to do one week in a month and two weeks a year. But they get the exact same training as anybody does on active duty. If you joined the Navy Reserves, for instance, as a CTN, you’re going to go and get the exact same training, which is about a two-year pipeline, getting all of the training on IT, computer systems, how to do hacking, how to do penetration testing, how to do defense, all that stuff.

You get your security clearance, and all of that just like the regular person would. The only difference is you’re not a full-time Navy person. You’re going to do one week in a month, two weeks a year. You can choose to join at certain times and say, “Hey, there’s a job I want to do. It’s for a yearlong billet. I’ll go take that job for a year and be called to active duty for a yearlong period.” But it’s not like the regular military, where you are there 24/7 for all the years for 20 years until you retire.

It’s where you have one foot in the military and one foot in the civilian world. This is a great way to be able to get your security clearance, if you haven’t gotten one. It’s a great way to get some of your training. They’ll pay for college for you. There’s a lot of benefits of doing military reserves, and it is a much lower commitment than going into the military full-time.

Kip Boyle:

                    Yeah. It seems to me like the big issue. The big risk with being a reservist is that you could be called up to active duty at a moment’s notice. I know a lot of people that happened to in the early 2000s. I worked with several people who just all of a sudden said, “Got to go. Bye.” We didn’t see them for a year.

Jason Dion:

                    Yeah. That happened a lot, especially between 2001, go figure, and about 2010. Since 2010, it’s gotten a lot better, because there’s not nearly as much overseas mobilizations going on. What happens is, you have to remember, what is the job of the military reserves? They are there to backfill anything that’s needed for the regular military. When we were going into Iraq and Afghanistan, and we had this very long, prolonged war, we were eating up a lot of people and taking them from their normal military jobs and pushing them forward into Iraq or Afghanistan.

As that happened, we needed people to come in and take those sailors’ and soldiers’ jobs, or to go to Iraq and Afghanistan in their place so they could come home. It was a big build up. A lot of people, especially early in the war, the first 10 years, over time, it’s gotten a lot less. I have a lot of friends who are Navy reservists. I can tell you for the last two or three years, they’ve done their one week in a month, two weeks a year. They haven’t gone to those full yearlong mobilizations.

Kip Boyle:

                    Okay.

Jason Dion:

                    If you do get put in one of those full-long mobilizations, your job is protected under law. Your employer that you’re working with …

Kip Boyle:

                    Your civilian job.

Jason Dion:

                    Yes. Your civilian job is protected. They have to hold your job and let you come back. I know it’s a lot of people fear that that I’m going to lose my job. That’s not allowed. They have to hold your job.

Kip Boyle:

                    Yeah. You get actually even more protections than that. But we can’t get into that now. Thanks. That’s the military option. But now we also have government civilian and contractor. Let’s talk about government civilian. These are people who are still getting paid by Uncle Sam. They’re on the government payroll, but it’s a different experience, right?

Jason Dion:

                    Yeah. It’s a completely different experience. When you’re working for the government as a government civilian, it is very much like a corporate job. But you have a lot more stability than you would with a corporate job. There’s a lot of protections for government workers. Think about unionized to the extreme, that’s really what government workers are. If you want to get a job like this, you’re going to apply just like you would for any other job.

You’re going to find a job that’s available. In the case of government jobs, they’re always on this website known as usajobs.gov. You can go to there. You can search by location, or by job category. Then you can go in through the application process. Now, one thing about government employment jobs is it takes a long time to get hired. I’ve seen it take anywhere from one month, which is very, very fast, up to 12 months, from the time you apply, to the time you’re hired, and the time you’re onboarded, especially if you’re doing an overseas job.

For instance, one of the great things about these jobs is you can say, “You know what? I want to go live in Japan for the next five years.” You can apply for a job as a cybersecurity analyst working out of Yokosuka, which is right near Tokyo, for instance. Or you might decide you want to be in Italy, or Germany, or Spain. There are jobs all over the world working for the government, either as the State Department or the Department of Defense, or many other places. It’s a pretty cool place to work if you can get in.

Kip Boyle:

                    Okay.

Jason Dion:

                    But it is hard to get in and it does take a long time.

Kip Boyle:

                    It’s not just military. You can be a government civilian employee supporting military missions. But you could also be government civilian employee supporting State Department or something else. I mean, there’s a huge wide range. It’s not just military, right?

Jason Dion:

                    Oh, yeah. Most certainly. I have a friend who used to work for Social Security. His job was he went to an office every day. He answered claims for Social Security to figure out who was getting their benefits and who wasn’t. I knew other people working and doing their systems and their IT. When you go to usajobs.gov, it’s not just Department of Defense. It’s the entire government, IRS, Treasury, everything else.

Kip Boyle:

                    Okay. Okay. Great. Then what else did you want to make sure that our listeners knew about the government civilian job opportunities with respect to cybersecurity?

Jason Dion:

                    Yeah. One of the things that makes it tricky to get a government civilian job is that there’s a lot of competition for them, especially from those who were military and have now retired. Because once they retired from the military, they actually get this thing known as veterans’ preference. If somebody has done 20 years in the military, and they retired, they can go and apply for a government civilian job.

They’re going to have veterans’ preference over somebody who is straight out of college, or have never worked for the military. When we go and do government hiring, we have to take that into account. Then there’s another category called Disabled Veterans’ Preference. If you’re a disabled veteran, 30% or more disabled, we have to give you a preference over somebody who’s a regular veteran.

The veteran gets preference over somebody who is not a veteran. There’s this pecking order that does play into the hiring process. I had one person that we were trying to hire for a position back when I was working with the military. It was for a GS level 13. We had somebody who we thought would be perfect for this position. But unfortunately, they had never been in the military. They had done work as a contractor. They’ve been working in and around the military for about 15 to 20 years, but they never actually served in uniform.

We never even got them to the final application where we could actually give them an interview, because they didn’t have veterans’ preference. We had enough people who had veterans’ preference that filled up the site that we had to consider. It is one of those things that there is … It’s almost some game that you have to play. It doesn’t mean don’t apply, because there are jobs that will be there, and we’ll take you, because not enough veterans applied for it. But if you’re a veteran, you do have a leg up in this area.

Kip Boyle:

                    Okay. Okay. That’s something unique about government civilian jobs. When you try to go get one, something that you may not realize that you’re going to run into, that’s absolutely there and in place. I mean, in a way, it’s a super filter on applicant tracking system or something.

Jason Dion:

                    Yeah, most definitely. There’s other categories, too, that really can play into this. For instance, if you’re applying for one of those overseas jobs I was talking about, you want to go work in Japan, there’s the veterans’ preference, there’s disabled veterans’, there’s also something known as spousal privilege. What this means is if there’s a military member who’s stationed in Japan, and their spouse got moved there with them, and they apply for a job, they get put into a special category called spousal privilege.

They get considered first because we now have to find work for them, because we took them away from their job back in Kansas or California or someplace else. Or if they were working for the government over there, they’re in a different category, and they have a different level of spousal privilege, because they’re already a government worker that was now relocated. There’s a lot of these things that go into it.

That said, a lot of people when they apply for government civilian jobs, they apply two and three and four times, it takes a long time until they finally get in because of all these different categories and privileges that exist.

Kip Boyle:

                    Yeah. Yeah. I would imagine that trying to get a cybersecurity specific job, you might not run into as many of these preference situations. But I don’t know. What’s your take on that?

Jason Dion:

                    I’ve run into them a lot inside the cybersecurity realm, too.

Kip Boyle:

                    Okay.

Jason Dion:

                    It is one of those things that when you think about it, because of the military, most people do less than 20 years, there’s going to be a lot of veterans. The average, if you look at the military, only 18% of people actually get to 20 years and get a full retirement. More than 80% get out sometime before that 20 years.

Kip Boyle:

                    Okay.

Jason Dion:

                    All those people are considered veterans. A lot of them are considered disabled veterans. Then you also have overseas, you have a lot of the spousal privilege that happens. It doesn’t mean that it’s not a place you can go. But if you want to become a government civilian, and you have no military experience, you’re probably going to be better off starting as a contractor, working your way up inside that organization, and then moving into civilian, because there are places where you’re allowed to do what’s called a By Name Request, if it’s a low enough position.

For the GS-12, or below, and I have somebody who’s working in my office as a contractor, and I now create this new GS-12 position, I can actually go and say, “Hey, this person’s been working here. I know this person, their quality work, I want that person here.” I can actually hire them directly without having to open compete that billet either. There’s a lot of different variations inside of this whole government hiring realm.

Kip Boyle:

                    Very complicated.

Jason Dion:

                    It is extremely complicated. It is highly regulated. But it is one of the things that as you start getting in and around the system, you start learning the ins and outs of it.

Kip Boyle:

                    Yeah. Yeah, for sure. Well, that’s a great segue to the third type of employment that you can get in the defense sector, which is government contractors. Tell us about that.

Jason Dion:

                    Yeah. There’s a lot of positions for government contractors out there. When we talk about government contractors, we are talking about commercial companies that are in the business of making a profit. Now the government doesn’t want to have to run all of these things themselves. They outsource a lot of this to government contractors.

Now, when you’re working for a government contractor, you’re going to be working in a couple of different places, depending on the job you get. You may be working for them in-house. Now, when it’s in-house, that means you’re actually working for the contract company itself. You’re driving to Booz Allen Hamilton’s offices, and you’re working in their facility, working on their networks and their cybersecurity.

Or they may have you working for a government agency. You’re working as a government contractor for them. You might get hired by Booz Allen Hamilton or General Dynamics, and they’re going to go put you to work in the NSA, or the CIA, or the Department of the Air Force. You’re working in that government agency, alongside all the military members and the civilians. Either one, it’s both considered government contracting at that point.

Kip Boyle:

                    Got it. Yeah. Yeah. I remember on F-22, for example, we had government civilians, we had military members, and we had government contractors. One of the strangest things when I was in uniform, about working with contractors was, I mean, they had a completely different system for human resources. They had a completely different benefits package, the days off that they got was totally different than ours.

Most of the time, you didn’t know. But sometimes, there would be a very strange thing that would happen where, for example, we would get time off as military members, and then that would extend to the government employees, because we’re all working on basically the same payroll. But then the contractors would still have to come to work, because they’re working for a for-profit organization, and they weren’t going to grant them that time off.

I distinctly remember one time poking my head into an office and saying, “Hey, George, we’re out of here. Why are you still sitting there logged on?” He’s like, “Yeah. I’m not allowed to leave yet.” Like, “I’m sorry.”

Jason Dion:

                    Yeah. I’ve seen that a lot. One of the things that’s really great about the government is when they have federal holidays, you get paid for the day off. Usually the federal holidays, the contractors get that off, too. Some organizations take a federal holiday, a three-day weekend for Labor Day, and turn it into a four-day weekend. They’ll give you the Friday off and the Monday off.

As a military or civilian, they can just give them that time off, and they’ll still get paid. But the contractors don’t. If they want to take that extra day off, they have to take a vacation day, or a personal day, or they’ve got to show up for work. I think that’s what you’re talking about there where there are those differences. The other thing that’s unique about contractors is you are almost a second-class citizen inside the organization.

What I mean by that is, let’s say you go to a meeting, and you’re at this meeting, and somebody is talking about some cybersecurity thing like, “What should we do next?” If Lieutenant so and so says something, it holds a certain amount of weight, because he’s in uniform, and he’s military. If government civilian so and so says something, that also holds a certain amount of weight, because he can speak on behalf of the government.

But the contractors are not allowed to speak on behalf of the government. They can make recommendations, but they can’t make decisions. You’ll always see in these situations, if you’re working in cybersecurity as a contractor, you may be the smartest person in the room, but you still got to whisper in the military guy’s ear, or the civilian’s ear, and they’re going to have to say it.

Then they can move forward with making that decision, because contractors cannot sign the government up for things, because they’re not a representative of the government, they’re just a subject matter expert, who’s there to recommend something.

Kip Boyle:

                    I’m really glad that we’re able to unpack this on the episode here, because you and I have seen this firsthand over and over and over again. We’re used to that. But I think people who are on the outside looking in have no idea that these kinds of dynamics are in play. We’re not trying to say you shouldn’t be a government contractor. We’re just trying to give you some heads up as to what you can expect to experience.

Jason Dion:

                    Yeah. The other thing about government contracts versus civilian is that there’s not the stability that you have as being a government civilian or a military member. If we think about the government, in general, the government always pays its bills, sometimes they’re a little late. We just went through the possible government shutdown that was diverted at the last four hours. But in general, they always pay their bills.

The problem with contracts is contracts run year-to-year, or sometimes they’re up to a five-year contract. If your company that’s hiring you on, let’s say, General Dynamics, has a contract with the NSA to provide 20 people for a certain mission. That contract is for a year and it expires on October 1st. Well, at the end of that year, you’re an employee of General Dynamics in that case.

If Booz Allen Hamilton got that contract, you’re either going to need to jump over to them and get hired by them to continue your job, or you’re going to be out of a job, or General Dynamics needs to find someplace else to put you. What you’ll see with contractors is they tend to be someplace for one, two, three years, and then jump someplace else, or they’re constantly changing companies, because they love the job, and they love where they’re working. But that job will often go between two or three or four contracting companies over a four, five, or 10-year period.

You’re constantly going to be restarting your 401(k), restarting your benefits plan, offboarding and onboarding again. It’s just a different world in that government contracting area.

Kip Boyle:

                    That’s right.

Jason Dion:

                    One of the things I always tell people, if you’re going to be hiring … or excuse me. If you’re going to be interviewing for a contract job, when they say, “Do you have any questions for me?” One of the big questions you need to ask them is, “How long is our contract good for?” Because they may be hiring for a position that they only have for another four months, but they need to put somebody’s butt in that seat because they don’t get paid unless there’s a butt in the seat.

Even if they’re going to hire you and promise you the world, in four months, you may be out of a job if you didn’t realize their contract was ending on October 1st.

Kip Boyle:

                    Yeah. Or maybe at the very least, you’re changing employers, because maybe somebody else is going to get that contract, and they’re willing to bring you with them. But okay, now, you’re a new employee all over again. Whatever accruals you have made over the first four months are wiped out, possibly. You’re back to ground zero again. Yeah.

Jason Dion:

                    The other piece with that that’s important to realize is if another company is getting that contract, it’s usually because they underbid the incumbent. If I have Kip’s contracting company working for me for $100,000 a year, and now Jason’s contracting company says, “I’ll come in and do it for $80,000.” I hire Jason’s contracting company, great. Well, now Jason’s company comes to you and says, “Employee, I’d like for you to come work for us. But I can’t afford to pay you the $100,000 you’re. I’ll pay you $80,000.”

I’ve seen this time and time again with contractors, especially overseas, where they come in and say, “Hey, you got to make a decision. Are you going to move to the new contracting company, or you’re going to pick up and move your entire family back to the United States, because you’re over here in Japan, Italy, Korea, Greece, wherever it happens to be?” It’s hugely disruptive. But they’ve really got you. I’ve seen people take 10%, 15%, 20% pay cuts, because they didn’t want to move back to the United States.

The new contracting company said, “If you want to keep your job, you’re going to take a big pay cut.” You got to keep those things in mind as well.

Kip Boyle:

                    Yeah. Wow. Okay. Those are the three big areas of opportunity in terms of joining the defense sector. All right. I hope all that makes sense. You guys, gals in the audience, feel free to send us follow up questions on any of that. But we have more than we want to cover. Let’s move on. I think the next thing we want to talk about is what requirements do you have to meet as a potential employee in order to be able to get one of these jobs?

Jason Dion:

                    Yeah. One of the biggest things that’s going to give you a leg up inside of this defense world is having an active security clearance. I’m sure you guys have talked about this before on the podcast many times, the security clearances are gold inside this world.

Kip Boyle:

                    That’s because it costs a lot of gold to get.

Jason Dion:

                    They do. The average security clearance costs a company between $10,000 and $20,000 to get their employees certified.

Kip Boyle:

                    There’s no guarantee that it’s going to pass. The person can go through that entire process and be denied.

Jason Dion:

                    Exactly. It’s a big risk for the contracting company. Because I have you on payroll for three, six, 10, 12, 18 months, waiting for your clearance to go through. If it doesn’t go through, I’ve now wasted all that time and money. It is something that does take a long time. Once you get that, it really does open up a lot of doors for you. Because every contracting company would much rather hire somebody with a clearance than somebody without a clearance to fill that position.

Contract companies really love it when you have this clearance, because it’s a lot easier for them to train you in cyber, because I can teach anybody how to be a cybersecurity analyst in 30 to 90 days. But to get your clearance might take you 6 to 18 months. In that case, they’re really going to hire somebody who has the clearance over somebody who doesn’t, most of the time in this world. You really have to find someone who’s willing to take the chance and get you your first clearance.

For this reason, there’s a lot of contract companies that will hire people with the clearance over those who don’t, because it expedites that onboarding. As I said before, butts in seats is what we get paid for.

Kip Boyle:

                    Right, right, right. Now, can you think of a way to shortcut that process? I mean, you don’t have a security clearance, but you’d like to find an employer who’d be willing to take the risk on you. I can’t think of any obvious way to shortcut that process you just described. But did you ever see anything?

Jason Dion:

                    Yeah. There’s a couple of ways you can do this. It’s hard. Because, again, it’s really expensive to get a clearance.

Kip Boyle:

                    Yeah.

Jason Dion:

                    I’ll tell you. Two organizations that don’t care about costs are the military and the government. They will hire somebody without a clearance and put them through that process. Again, if you join the military, you’re going to get a clearance. If you join the reserves, you’re going to get a clearance. That’s one way I’ve seen people do it is they join the military reserves. They do their one week in a month or two weeks a year. Now they’re getting some free training, and they’re getting a security clearance.

Kip Boyle:

                    Okay.

Jason Dion:

                    Second thing, if you get hired on one of those government civilian jobs, they do not take into account whether or not you have a clearance. If the job requires a clearance, they’ll put you in for one. They do not look at it as a cost to them. Because in the government, they don’t factor in cost, they factor in are you worth it for this job. Contract companies will sometimes take a chance on you if you go for a bigger company.

We talked about the fact there’s primes and there’s subs. Primes are the really big companies, Booz Allen Hamilton, General Dynamics …

Kip Boyle:

                    Lockheed Martin. Yeah. Boeing. Yeah.

Jason Dion:

                    Subs are going to be people like Kip’s Consulting Group, and things like that. The subs, they may have 5, 10, 50 people. They can’t afford to sponsor your clearance. But the primes, they can afford to put you on payroll, and keep you there for 12 months working internally until they get your clearance and then push you into the CIA, NSA, FBI, military, wherever it is they’re going to put you.

Kip Boyle:

                    Yeah. I would imagine that a prime … Yeah. Okay. The prime contractor is much more likely to do that. If you’ve got a stunning resume, with fantastic experience, working on really great projects, highly relevant, because then they’re going to think, “Well, even if this guy or gal’s clearance doesn’t come in, these are still really well qualified people. We’re sure we can find them other things to do.”

Jason Dion:

                    Yeah, most definitely. I mean, if you have zero experience, and all you have is a Security+ certification. You’ve been talking cyber for all of five minutes. They’re not going to take the chance of spending the money on you. They’re just not. Because it’d be better for me as an employer to take somebody who has the clearance and put you through two months of school to make you a cyber expert, and then put you into that job.

Kip Boyle:

                    Right.

Jason Dion:

                    That is the trade off you have. The other place that I’ve seen people get their security clearance is something that a lot of people just aren’t willing to do. When I used to work up in Maryland, when I worked at the community college, one of the places we got our students into all the time was working as janitors. They would work as janitors in places like the CIA, FBI headquarters, NSA headquarters.

If you’re going to be a janitor in NSA headquarters, you have to have a top secret clearance, because you’re going to be taking out the trash. You’re going to be cleaning the bathrooms, and people are talking that stuff at that level all over the building. That was one of the ways that I saw a lot of people when I was teaching in the classroom, and we’re teaching people to get their A+, Net+, Security+, and CCNA, while they’re going to school for that four quarters for a year, they would be working as a janitor at NSA.

When they got out of school, they now had their certifications. They had a TS clearance. Guess what? Those guys were getting hired left and right.

Kip Boyle:

                    Amazing, amazing. I’m thinking of Good Will Hunting now. You’re the smarty pants janitor, emptying trash at the MIT, waiting for your turn to graduate and get the job you really want. Well, one of the things I want to add here for folks about security clearances, and then I think we should probably talk about the cybersecurity workforce requirement.

But just before we do that, if you’ve never applied for a government security clearance before, you are in for a rude shock, because it’s not a form, it’s a booklet. You have to tell Uncle Sam everything, everything, everything.

Jason Dion:

                    It’s about 100 to 150 pages that you fill out.

Kip Boyle:

                    Yeah. It’s a small book. Uncle wants to know every place you’ve ever lived. Every school you’ve ever attended. Names of neighbors in the different places where you’ve lived. Yes, they will contact these people and ask them about you. Uncle’s also going to ask you for all your dirty little secrets, anything that could be used as blackmail against you. Guess what? If you lie on this application, and they find out either during the clearing process or even later on, maybe you go through a renewal, and they figure out that you’ve lied, holy moly, I would not want to be in that situation.

Again, not trying to scare you from doing this, but just trying to make sure you understand that you’re going into this with your eyes completely open as to what this means. Don’t just have dollar signs in your eyes. Okay. Because there’s a real other side to this that’s super, super serious. Okay.

Jason Dion:

                    Yeah. If you’re interested in seeing what that process looks like, you can just go to Google right now, type in S-F, which stands for Standard Form, dash, eight, six, Standard Form 86 is the document. It’s like I said, about 100 to 150 pages, and it will go into everywhere you’ve lived as Kip said. It’s going to know all about any speeding ticket you got, anytime you’ve talked to a police officer, anytime you’ve talked with a foreign national that you have a close contact with.

For instance, if you dated somebody who was not an American, or you’re married to somebody who wasn’t an American, or you yourself are dual citizenship, all of those things go into this form. It doesn’t mean you’re not going to get a clearance. But this is something that all that stuff gets factored into it. To get a clearance, though, you must be an American citizen. That is an important thing as well. If you are just a Green Card resident, that’s not going to be good enough. You have to be an American citizen.

Kip Boyle:

                    Okay. Okay. Time is of the essence. Let’s move on. What is cybersecurity workforce requirements? What’s that?

Jason Dion:

                    Yeah. The CSWF or the Cybersecurity Workforce is a set of requirements that’s used in the DoD. This is held for both military and civilian and contractors. Regardless of what you are, if you are working for the military, you have to meet certain levels. Every job they have out there is going to be classified as either an IAT, or IAM. IAT is an Information Assurance Technician. That’d be something like a system administrator. You’re going to be doing more of the down and dirty network router configuration, doing system administration and things like that.

Kip Boyle:

                    Okay.

Jason Dion:

                    The other side is the managers, IAMs, Information Assurance Managers. Then further we take those, we categorize them down as IAT level one, two, or three, and IAM level one, two, or three. Now, why this is important is because if you go to Google, and you Google cybersecurity workforce, or 8570, you’re going to see these six categories, and each one has certain certifications you need to get.

For instance, if you’re an IAT level one, you need an A+, or a Network+. If you’re going to be an IAT level two, you need to have a Security+. If you’re going to be at level three, you need a CASP+. If you’re going to be IAM level one, you need Security+. IAM level two or three, you need a CISSP. There’s other ones you can get. But these are the generic ones that people usually get for those certification levels.

Now, the thing that makes this important is that as a military member or a government civilian, you’ve got six months from the time you get that position to get qualified for that certification. As a contractor, you usually have to have it before they will hire you for that position. If you want to work for something that’s listed as an IAM level three, you have to have that CISSP. Not that you had it before you let it lapse, it has to be active right now.

Kip Boyle:

                    Well, okay, I guess I know what I will not be doing in the future, because my CISSP is not active anymore. I have great reasons for that. I don’t know if I’ve ever explained why. But maybe one day. Oh, wow. Okay. That’s really interesting. Okay. Let’s recap. You can be a member of the military in uniform. You can be a government employee. You can be a civilian contractor. However you do it, you’re probably going to need a security clearance.

Then beyond that, you’re going to need a cybersecurity workforce. You’re going to meet those requirements. Holy moly. We haven’t even talked about the kinds of jobs that you might do yet. I mean, not really.

Jason Dion:

                    Yeah. I mean, when we think about jobs in the defense sector, it’s pretty much everything that you can imagine. Everything from a tier one helpdesk up to a security operations center analyst, to a penetration tester, to secure developers and more. I know, in this podcast, you spent several episodes, I think about 10 episodes, going through all the positions in a large organization. All those positions, they exist in the government world, too.

It’s the exact same thing. Mirrors very, very closely. I will say the one thing that we can do on the government side that you can’t do on the commercial side is we can hack and we can attack. If you’re working for the DoD, the Department of Defense, they have the authority to attack other people using cyber assets. Now, to do that, they have to get permission at very high levels. But we do train people to actually do not just penetration testing, but actually doing cyber attacks.

That’s probably the one difference between military work and everybody else is they have the ability to do that where everybody else is not allowed to because it’s illegal.

Kip Boyle:

                    Yeah. Okay. Then just to be clear about that. You don’t just go off and do offensive cyber at the drop of a hat, or whenever you feel like it.

Jason Dion:

                    That’d be great. Yeah. Oh, yeah. I just feel like it to jump on and hack somebody. No.

Kip Boyle:

                    Yeah.

Jason Dion:

                    Yeah. This changes all the time on where the approval is. The last time I looked into it, the approval was held at the presidential level. I think it got delegated down to the Secretary of Defense. It’s like number one, number two.

Kip Boyle:

                    Yeah.

Jason Dion:

                    Even a four-star general can’t just say, “I feel like hacking Russia today and go off and do it.” It’s not going to work that way.

Kip Boyle:

                    It’s like the release of nuclear weapons, right?

Jason Dion:

                    Yes.

Kip Boyle:

                    I mean, in terms of approvals, and who can say “yes.” Even preparing to do offensive takes weeks or months just to prepare. I mean, it’s like getting ready for the big game. I mean, you’re going to do drills. You’re going to script stuff. I mean, it’s not a casual affair. That’s all I’m going to say.

Jason Dion:

                    Oh, yeah. I mean, it’s funny, because you watch these movies and TV shows, and they make it look like you just jump on the keyboard, hit a couple of keys, and off you go. You now have access to everybody’s systems. It doesn’t work like that. Preparation takes time, months, and years of effort. If we think back to the SolarWinds attack, that is, according to open source media, they believe Russia was behind that.

That was a form of doing their preprogramming and being into all those systems, so that when they needed to turn them off or do something, they were in a position to do it. But that took months and years, 9 to 12 months of preplanned attack before they ever were going to do the real attack.

Kip Boyle:

                    Yeah, absolutely. Anyway, just wanted you to know that, yes, that is a difference. It’s a key difference. But it’s tightly controlled, and not everybody gets to do it. But, hey, maybe you would be able to get to do it. Okay. We’ve established that pretty much any type of a role that you would get in the commercial sector or the private sector would be available within the defense sector. That’s good. Okay. Let’s do one more thing, which is making your application.

All right. Whenever you go to get a job, you fill out an application. Is there any big difference between doing that for a government civilian job that you’d like to get versus a contractor job?

Jason Dion:

                    Oh, yeah. Big difference. Both of these are definitely going to be different than what you’re seeing on the commercial sector. We talked about on the commercial sector. We usually try to get our resume down to one to two pages.

Kip Boyle:

                    Right.

Jason Dion:

                    For a contractor position, it’s pretty similar to that. It’s getting hired for any other bank or school or something like that.

Kip Boyle:

                    Okay.

Jason Dion:

                    But when you start doing a government application to be a government civilian through USAJOBS, this starts getting to be 15 to 20 pages of data. It’s everything you’ve ever done. They want to know about every job you’ve had in the last 10 to 20 years. It’s not just a sentence on it. But it’s paragraphs on each one. It’s a very long in-depth application process.

It uses a lot of keyword filtering through their application tracking system to be able to figure out who is going to be a good fit, versus what’s in the resume, versus what’s in the job description. If you’re applying for government civilian position, you definitely need to work with somebody who has done government hiring before to make sure you’re doing the resume right, because it is a completely different world than what you’re going to see.

Kip has an awesome, perfect resume template for contractors or for civilian hiring, but not for government civilian hiring. If you want to work for a bank, you want to work for one of the contract companies, his resume and his template is perfect. But if you’re going to be going for I want to go work as a GS civilian, and I work for the Department of the Army, or I want to work for the NSA, you need to get with somebody who does that on a daily basis, because it is just a different environment.

Kip Boyle:

                    Right. Okay. Good. Now you are forewarned that it’s going to be much different, much more time consuming. Any piece of paper that you do for Uncle Sam has to be exactly correct. You’re not going to get punctuation out of order, misspellings, it’s all going to get kicked back to you if it’s not exactly correct. Just put on your little green eyeshade, get your light going, sharpen your pencils, because it’s going to be a bit of a drill.

Well, okay. That brings us to the end of the episode. Jason, is there any final words on all that we’ve covered?

Jason Dion:

                    Yeah. I know I made this sound like it’s a horrible, long, tedious process. But I will tell you that 50% to 60% of the cyber jobs out there are tied to the defense industry. It is something you should definitely look into. One of the things that makes it hard is a lot of these little steps that are in place that you have to get through. There’s a long application for security clearance. There’s a long timeline for security clearance. There’s a long application if you want to be a government civilian.

But because there is this higher barrier to entry, you do have a little bit less competition because a lot of people aren’t willing to do it. Additionally, if you’re a foreign national, most of these positions are not going to be available to you. Again, these are positions just for American citizens. The applicant pool is going to be less as well. The government and the contractors are fighting for the same cybersecurity applicants that most other companies are as well.

Especially right now, with the lack of enough qualified cyber professionals for all these jobs, there are chances that some of these contract companies will sponsor your clearance to get you in, as long as you have the chops in the background to support that.

Kip Boyle:

                    Yeah. Yeah. You never know. Well, check it out. I hope the information that we’ve shared with you on the episode today is going to help you do that. Check it out and see if it’s a good fit for you. But that’s going to wrap up our episode. If you want to check show notes, we’ve got those available. The way you access them is point your web browser at yourcyberpath.com/56. That’s the number five, the number six.

Now if you like our podcast, you like the information that we’re sharing with you, we’ve got a free quiz that you might want to take advantage of. It’s a really simple survey. We created it specifically to help you figure out where are you getting the most … where are you struggling the most in the hiring process? If you’re trying to get a job, and you’re struggling, and you’re not sure what’s going wrong, our quiz can help you.

Okay. It could be your resume. It could be your interviewing skills. It could be the way you negotiate for a job. It could be due to the number or types of certifications or degrees you have, whatever. There’s a lot of things that could be going wrong. It may be very difficult for you to diagnose it. But if you take our free quiz, then you’re going to get some insight.

If you want to do that, just go over to www.hiredin21days.com and go ahead and check it out. Hope that helps you. Remember you’re just one path away from your dream cybersecurity job. We’ll see you next time.

Jason Dion:

                    See you next time.

 

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
