Editor’s Note: A fundamental feature of the modern multi-domain operations concept is the centrality of cyberspace. It connects and underpins activities in all other domains, making it a focal point for cross-domain opportunities and risk. Accordingly, cyberspace operators and how they integrate and perform as part of the larger force becomes an important issue to consider. Directly tied to this is the culture that forms around and shapes military cyberspace operators and their operations.
The military cyber operations community is situated on a cultural cross-roads – a strange intersection where a well-defined military culture of order and discipline meets hacker culture that, while not as discipline focused, values curiosity, creativity, and intellectual challenges. It is a hybrid culture that is still being formed, which makes now as good a time as any to ask: what should it aim for? What features should military cyber operators adopt and shape to make their own? In this article, the first of a three part series, John Myers explores cyber culture from both a military and private sector perspective, leveraging his experience to bridge the gap between both worlds.
By John Myers
“So, what are your views on security and what would you like to change about cyber security?”
This is generally the final question I ask candidates during technical interviews. For the 45 minutes prior, my Director of Engineering and I ask a myriad of questions about platform development, data structures, data pipelining, security analytics, and a lot of technical topics to ensure candidates have the chops to work for my company. I save it for last because it is unexpected and offers the chance to explore candidates beyond technical knowledge and skill. Most assume they will have to draw algorithms on a white board or complete some coding challenges. While those techniques serve many companies well, I have the extraordinary benefit to build and manage a small team of experts. Leading small teams enables me to simply have conversations with people to determine if they should come work with my team. A technical discussion is merely an introduction to a more important conversation to determine culture fit.
Culture is paramount because it ensures that everyone is working towards a common goal. Culture defines shared lines of thoughts so individuals can create decisions that are inherently in the best interest of the organization not because they are required to, but because they are inspired to. In the absence of specific tasks or direction, culture can help shape what people work on to ensure the team is always progressing towards milestones.
Culture fit is particularly important in a startup because it cannot simply be a job for the early employees. Often, it is a lifestyle, one that the employees deeply intertwine into their everyday lives. For many early employees, they chose to join the startup because it is something they are particularly passionate about, and now their new job is an extension of this passion.
During my career, I have seen the importance of culture and how it shapes the effectiveness of teams. I am currently the Chief Technical Officer (CTO) and Co-Founder of Efflux Systems, a cyber security startup based in Baltimore, Maryland. I spent just shy of nine years on active duty in the USAF. I commissioned as a 33S Communications and Information officer and continue to serve in the USAF Reserve as a 17S Cyberspace Warfare Officer. Each of these roles has shaped my thoughts on cyber culture and its relevance to multi-domain applications in military operations.
In this first of three posts, I start with a brief background on my experiences, both in the military and commercial worlds that feed my perspective on cyber culture and approach to recruiting and employing cyber professionals. In later posts I will examine the intersection of professional cyber culture and some of the more forward leaning companies in the commercial sector to reveal strategies the military could adopt to better posture itself for success in the cyber domain. This is critical, because success in the cyber domain is increasingly foundational to the success of military operations in all domains, not just in execution, but in the command and control, communication, and integration of every operational domain.
During most of my active duty time, the Department of Defense began a very drastic transition into cyber operations. United States Cyber Command was established and individual branches of service created new occupational specialties, cross-trained thousands of personnel, and started to fill out Joint teams that are now tasked with defending the nation and conducting offensive cyber operations.
I spent over half of my career in a specialized program at the National Security Agency, where I learned about intelligence community (IC) operations and had a front row seat to the genesis of US Cyber Command. My last assignment was at Nellis Air Force Base, Nevada, where I led cyber integration into the Red Flag exercise and USAF Warfare Center activities. When I first received the assignment, I thought it would not leverage the skills I had learned, but after reporting to Nellis, I quickly realized it was actually a great opportunity to use both my IC and military experience to fuse computer network operations with kinetic operations.
After 18 months, I felt the military was sprinting well before they could crawl when it came to integration of cyber operations into the kinetic world. Many of the effects-based operations that were being enabled or conducted via cyber felt forced, were not realistic, and gave a false sense of capability to the warfighter. The military cyber community lacked a solid culture to set the tone and expectations for how this extraordinary fusion between the two worlds should be conducted, central to enabling effective multi-domain operations. In the following sections, I will use my experience in the business world to describe what this culture looks like and the importance of building a core of experts to forge this culture.
Defining and Building Efflux Systems Culture
As the company progressed, the other co-founders and I started to shape what would become our internal company culture, which was firmly founded on recruiting individuals that already embody our culture and challenging them with the problems we try to solve. As former military officers, we appreciated the assertiveness and decisiveness of military culture. As former IC members, we also appreciated the art of espionage and the marathon of continuous learning and emersion into the larger culture that defines cyber professionals. Consequently, we try to blend the two in the technology we build and the people we recruit. I look for the best. I want to work with the best. I want an elite, passionate team to build really great technology to solve really challenging problems.
Culture is often defined by a set of core values, words that individuals should try to live by. I want my employees to embody our values and culture before I even meet them, the values should define the natural state of the individuals I want to hire – not a state I expect them to achieve once they join the company.
The people I want to hire are: inquisitive, opinionated, and selfless. These traits support our culture, because they represent individuals that act without being asked. Our culture relies heavily on this, as intrinsic motivation is paramount in achieving success. No single individual hands out tasks; rather, long-term milestones are set, and each individual knows what parts of the puzzle they are responsible for. These types of behaviors are not embodied in the military cyber force yet.
Inquisitiveness: I look for individuals that seek more effective ways to solve problems rather than try to solve a problem with the toolkit they already have. Successful candidates are always learning and never satisfied with what they know, because they always want to know more. They generally are immersed in the super-culture of the cyber community, keeping up with trends, aware of the newest threats and hungry to address the latest problems. Specifically, belonging to a super-culture is useful as the candidates I seek pursue their interests in cyber outside of the workplace, ensuring they are up to date with the most recent technologies and threats. This part of cyber culture is not supported or promoted by the military cyber community.
Opinionated: I look for individuals that hold well-reasoned and strong ideas on topics within their fields. They are passionate about certain topics and are willing to defend their stance while respecting another’s. They aren’t afraid to challenge the status quo or their coworkers on how to solve a specific problem or on what kinds of problems we should even be tackling. If we all think the same, we fail.
Selfless: Building technology, products, and a business is not a zero sum game within the company. Intense internal competition can degrade the overall team’s performance. Competition should primarily exist between “us” and “them.” Individuals should want to educate and help their team, so as whole, we are better than someone else’s team: our competition.
The ability of the individual to act within their field is also a huge factor. But it is a very tangible thing to determine and measure. Expertise in the field gets you through the gate, but that’s not enough.
The biggest difference between leading in my job now versus leading in my job within the Air Force is that I must seek individuals that instantly add value and are potentially better than others already on my team. I do not need to bring them in as junior and grow them to become senior; I must target and recruit the best. I aim to do this because I am building a solid foundation for a much larger organization down the road. Staff experts. Let experts eventually grow new experts. This means creating a strong cadre of individuals who are at the pinnacle of their careers. This will set the tone for a successful lineage of experts down the road.
As we grow, recruiting will change, we will have to hit higher recruitment numbers and bring in more junior personnel. But within these current, early stages of the company, I seek to build a cadre of experts that will set the tone for the growth stage. This cadre will groom junior individuals with the values the initial team was recruited around.
Additionally, the members of my team are part of a super-culture of security professionals. Which means, I am subordinate to the global cyber security culture and I compete to attract and retain those professionals. The best way I have found to do this is to give individuals the freedom and the responsibility – and to borrow from Netflix’s culture – to act and execute how they see fit to best solve problems. My fellow co-founders and I often yield to their advice, knowing that they are trusted experts, and we let them act with a higher degree of independence.
Implications for the Military
The primary lesson I’ve learned from building corporate culture is that when taking on a new challenge, you must ensure your initial cadre of personnel are experts in their field and experts in the challenges being tackled. This concept could be directly applied to the military, as they are very early in the stages of building a cyber corps.
Many professions in the military have no super-culture that extends outside their Service. For many, the military is the only place you can do certain jobs, and in those instances, recruiting is a matter of finding potential and growing them into the values and culture that are internally defined by the military. I have the opposite problem and in the specific instance of cyber, I think the military has the opposite problem, too. The demand for cyber professionals is high and the supply is very low. Additionally, the larger global cyber culture extends far beyond the boundaries of the military. Recruiting and retention should take that into consideration. Cyber professionals do not need the military to follow their passion. Many cyber professionals seek companies that are forward leaning and encourage the procurement and testing of new technology and techniques. The freedom to do this attracts the right talent. The military could look to have some units that act more like startups to try and keep up with the benefits the commercial sector offers.
My aforementioned strategy of building a strong cadre comes with the assumption of future growth and being able to handle the eventual need to hire those that have potential, but need to be trained, educated, or groomed. The military founded its branches on this and many military sub-cultures were founded on this too: intelligence, special operations, etc. The best of the best from certain fields were splintered off to start a new unit, new career field, or new command.
I do not see this trend happening with cyber in the military. US Cyber Command and the service component cyber commands grew too fast too soon. An initial talented cadre did not have time to set a foundation. The military was challenged with countering a cyber threat that has been around longer, is well resourced, and even worse, has the will to act regardless of consequence. The military needs to be more agile, forward leaning, and willing to take greater risks to counter this type of threat. The greater cyber community has started to adopt these traits to try and get ahead of the adversary. Operations and effects within cyber move faster than any other domain; the military needs to be more agile.
The military is firmly at the intersection of having to execute a new challenging mission, while finding and retaining the right people to do it. This is not a new story; many organizations dealt with this “explosion” of cyber in the last 5-10 years. Despite a 0% unemployment rate among cyber professionals, some companies rose to the challenge and successfully built great cyber programs by integrating great talent into their existing cultures.
My second post will take a look at some of these companies and how their forward-leaning cultures attracted, retained, and enabled small teams of talented individuals to do great things. In order to effectively integrate cyber into all facets of multi-domain operations, the military must capitalize on a similar forward-leaning mindset.
John Myers is the co-founder and Chief Technical Officer of Efflux Systems, a cybersecurity startup. Previous to this, John served in the US Air Force as a Cyberspace Operations Officer. While on active duty, he led large scale cyber training, operations, planning, and exercises. He is also a graduate of the Department of Defense’s premier cyber operations development program: the Computer Network Operations Development Program.
Disclaimer: The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.