
How to Build Resilience in Cybersecurity: 4 Lessons Learned From Military Experience

What better group to turn to for advice than security leaders who have worked on the front lines of risk and uncertainty?

Before we begin, we'd like to take a moment to honor the memory of Allan J. McDonald, who was our keynote speaker for SecTalks 2021. Allan was the director of the Space Shuttle Solid Rocket Motor Project at the time of the Challenger tragedy. He refused to sign the launch recommendation due to safety concerns and fought to bring to light the real reasons for the tragedy. His relentless pursuit of ethics has inspired many. We encourage our readers to learn more about his story either through his website, or through his published literature — "Truth, Lies, and O-rings: Inside the Space Shuttle Challenger Disaster".

We are honored to have had Allan speak at our event and extend our condolences to his family and friends.

This year our SecTalks virtual conference zeroed in on leadership. While the past 12 months have tested cybersecurity in many ways, our industry has always been in a constant state of change. Whether it’s because of a pandemic, new technologies, or unexpected threats, cybersecurity practitioners lead with grit every day to defend their organizations.

We invited seasoned industry experts to share their experiences, learnings and stories throughout the conference, from the most trying times in their careers to the small “aha!” moments that have shifted their perspectives. Over March and April we’ll be publishing recaps of the sessions.

This week we’ll begin with our panel of cybersecurity leaders whose backgrounds include roles in the US military. What better group to turn to for advice than security leaders who have worked on the front lines of risk and uncertainty?

The panelists were:

  • Andy Ellis, recipient of the US Air Force Commendation Medal, and the former Chief Security Officer at Akamai Technologies
  • Nicole Ford, who served in multiple roles within the US Navy and Federal Government, currently the VP and CISO at Carrier
  • David Cross, who served five years active duty in the aviation electronic warfare community of the US Navy, currently the Senior VP and CISO at Oracle
  • Britney Hommertzheim, who spent the first decade of her cybersecurity career in the US Army and is currently the Director of Cyber Threat Operations at Cardinal Health

We asked what learnings from their military roles they can share with our audience, how they apply them to the cybersecurity space, and how they develop resilience within themselves and their teams.

Here are the four key takeaways from their discussion.

#1. Key lessons from military experience: train every day and learn to be adaptable.

One of the defining features of military experience is the emphasis placed on training and preparation. As David Cross put it, “you start using playbooks, you build muscle memory and constantly practice.” When there’s a crisis, you can apply these skills to your team to maintain calm and composure and help colleagues with less training or experience weather the storm.

The moment you stop training and learning is the moment when you become stale.

Nicole Ford added to that point by sharing how being a daughter of two veterans taught her to learn as quickly as possible in new environments. Constantly moving to different duty stations pushed her to be open and flexible about her experiences — or in other words, to be adaptable to change. These qualities have helped her at many critical points throughout her career.

And to wrap up this point, Britney Hommertzheim — an avid fan of jigsaw puzzles — shared an interesting analogy a commander had told her back in her army days: making plans should be like putting together the outline of the puzzle. Not the middle, not the whole puzzle, only the outline. Because plans shift, they will inevitably change. If you have all of the pieces tightly woven together when you have to adapt to new circumstances, your puzzle is going to break.

#2. Resilience and strength are fueled by diversity.

Military experience taught the panelists an appreciation for diversity. The US military brings together people from all walks of life, not just diverse in gender or race, but also in backgrounds, experiences, and histories. Panelists agreed that this was the time when they learned how valuable it is to be able to pull ideas from different points of view to solve a problem, especially when facing a crisis.

As Chris put it, differences in perspective complement each other and translate to strength and resilience within your team. To move towards diversity, Nicole makes the intentional choice to make 50% of her team minority hires, which translates to representation in different skills and expertise.

#3. Resilience in teams takes trust and transparency.

Even when you have the right people, a leader’s job isn’t done — you need to make the team click by encouraging trust, teamwork and open communication. As remote work loomed ahead, Nicole had to ensure that all Carrier employees were able to work from home — one example of what that meant was VPN capacity for more than 55,000 people. So she and her team set up a war room and for nine days straight tackled problems together, met with executives and worked hard to get people set up. While stressful, the experience helped her team bond.

While Nicole had been with her team for some time, Britney joined Cardinal Health in September 2020 and had to build rapport with her colleagues virtually. So she tried the following: she’d spontaneously call team members to introduce herself and get to know them better; it was her equivalent of stopping by someone’s desk. What she discovered, however, was that it was not as easygoing as watercooler chats at the office.

People would worry that if they weren’t on the other end when she called, it would seem like they weren’t working. They felt this underlying pressure to be glued to their desks at all times. But the truth is, when people are at the office, they get up, use the bathroom, hang out in the kitchen, or grab lunch with someone.

So Britney pulled her team together and discussed this always-on mentality, making sure that expectations were clear and no one interpreted a missed call from her as a catastrophe. The lesson she pulled from the experience is that it’s even more important now to address uncomfortable topics openly. Having these conversations can build trust and help people open up to one another, respect each other and grow.

#4. When you take care of your squad, it can rally around a common mission in times of crisis and uncertainty.

Finally, panelists emphasized that your team cannot be resilient to crises without attention to their health and wellbeing. Much like how the drill sergeant will come around and say “Take off your boots so I can make sure your feet are still healthy,” cybersecurity leaders should check in on their team members. People have started to work 12 hours a day, sometimes longer, so Nicole prioritizes conversations with her teammates to ask them how they’re doing and what’s going on with them.

Despite finding virtual happy hours cheesy at first, she started organizing them to bring people together. She soon found that talking over coffee online still helps to connect with her people, touch on some areas they can work on or help them through something.

At the end of the day, people just want to be heard.

Video: Building Resilience in InfoSec: Lessons Learned from Military Experience
