For Mike McNeill, one conversation stands out from the year he decided to pivot toward a cybersecurity career.
“I shifted gears about the year before I retired from the Air Force,” he recalled. “I was like, ‘You know, this cyber thing seems to be expanding. Instead of getting out of the military and going the program manager route, maybe I should go to the cyber side.’
“I’ll never forget a conversation I had with an older gentleman who was in a neighboring program. … I said that and he said, ‘Yeah, but everybody’s doing it — the market’s going to be saturated.’ This was 2014. He said, ‘Two years tops, the market’s going to be so saturated with everybody with these cyber certs, that nobody’s going to hire any of these people anymore.’
“It is shocking how opposite that is. The numbers I’m seeing now for certain cyber certifications, they’re in the tens of thousands of positions going unfilled because there are just not enough people with the certs, because the need for cyber has exploded — in everything.”
Needless to say, McNeill didn’t take that bit of unsolicited advice. Today he’s a defensive cyberspace operations analyst for Manufacturing Technical Solutions Inc., where he’s the lead Air Force Space Command point of contact for Air Force Cyber Ranges.
This week he spoke with the Business Journal about his path to the Springs, and rapid changes in the cyber landscape.
What drew you to cybersecurity?
I got into the field because I saw there was a massive expansion — and I wish I’d got into it a little earlier. I became excited about cybersecurity because I saw it in action, especially when I started studying up on the hacks — the Bitcoin hacks, the major company hacks, the government hacks — and it got me involved. … It took something that everyone, for many years, had considered to be ‘nerdy and boring,’ and kind of made it exciting.
What was your path to the Springs?
I came here through the Air Force — I’ve been almost nine years in the Springs. I grew up in Mississippi and Tennessee and I joined the Air Force after college and started off as an intelligence officer. That let me travel the world. The Air Force had commissioned me with a special program where they wanted their acquisition officers (which is what I really was) to do something operational first. So you either started off as missiles, maintenance or intel. I was intel, and I knew at the four-year point I was going to magically become an acquisition officer. After four years they said, ‘Hey, you worked top secret stuff as an intel officer; for your next assignment we’re going to put you in Space because you already have the clearance.’ So I got moved into the Space program and I did that for the next 15 years for the Air Force — and even though I wasn’t stationed here I was flying out all the time because of all the Space activity. I really wanted to come here to live. Fortunately [for me] and unfortunately for the Air Force, around 2010 a lot of officers were doing Space — and that transitioned well to high-paying jobs outside the military. A lot of folks jumped ship and took the large severance bonus the military was giving. That left a serious hole for folks who were at my rank and specialty code. So when I called the personnel people and said, ‘Hey, I really want to go to Colorado Springs,’ they said, ‘Guess what, you don’t have a choice. We’re sending you to Colorado Springs.’ About 2012, after about two years into my job here, cyber and cybersecurity started getting really big. Big companies were starting to get hacked, and the Department of Defense got hacked around that time. It wasn’t that important until around 2012; then it got a lot of attention.
What’s your role now?
What I do right now is work on cyber ranges and training. There’s a large gap in the military, in our ability to train in cyberspace. The Army has been made what we call the executive agent to take on this problem — and it was identified years ago — of connecting all of the different training ranges. … One way to think of cyber ranges is like a playground or sandbox — somewhere you’ve got some servers and hard disk space, and you can build up a virtual environment, and then you attack or defend it. You have attackers and defenders — real people — in a fake representative environment. … In the military we really didn’t have these ranges set aside, so everyone started building them on their own. Everyone has their own little pockets. But now that cyber has literally exploded in the Department of Defense, and the need for trained cyber folks has exploded, there weren’t enough of those little cyber playgrounds. … I’m in the group in the Air Force that helps to try and stitch all the virtual ranges we’ve built everywhere into this DoD Persistent Cyber Training Environment, or PCTE. It’s just a way to train better.
How is the cyber landscape changing?
Cybersecurity is on the forefront of our culture now and our media, because top news stories now show that companies have been getting hacked for years and years. … But it’s become much easier for hacker rings to not have to use so much of the technical approach. If they can just worm their way in by crafting a good phishing email, worm someone’s password out of them, they really don’t have to use a whole lot of hacker skills anymore — and that’s the scary part. …
I think the misconception the public may have is that cybersecurity is a bunch of hard-core computer geeks doing code. I can’t code. I’m trying to learn, but I never learned to code and there are high-paying jobs where you never really have to learn to code. If you know the rules and regulations, the laws, everyone needs that because they need a cybersecurity plan, so it’s a team effort. Just like running a major business, there are multiple levels. So when you say someone works in cyber, there’s a myriad of things you can do.
What’s your advice for anyone entering the field?
If I could do it over again, I would tell a young kid not to go to college. I’d say go down the street to SecureSet … go do that and come out, get a job. They spit people out knowing how to do cyber. They have those skills. You may have to start at a lower level … but you get a couple of years under your belt doing that, you get a Security+ and a CISSP cert and you’ve got some hands-on experience, then you can go work for some of the big names and make a huge amount of money as a 22-year-old — without $100,000 of college debt. …
Looking back, anything you’d change?
I was a computer science major and I dropped out. I was studying Fortran and COBOL, the internet was just starting to happen, … I was in my second year and I hated it. The instructor came up behind me in a lab one night — I was having a tough time getting a Fortran program to work, I’d been there for a long time — and he came up and said, ‘You’re going to make a great programmer. You sit for looooooong hours.’ I went and dropped the next day, because I thought, ‘I don’t want to spend my life in front of a computer’ — which is exactly what I do right now. Not knowing about the internet … I thought sitting in front of a computer was staring at the black screen with the cyan cursor and typing code — because that’s kind of what it was up to the ’90s. I dropped it, and I wish I hadn’t done that. Because if I’d started back then, I would have the knowledge base to be a CISO for a major company right now: the network administration, background, knowing how to fix techy problems and then knowing the policy as well. So I would encourage young folks to get into cyber stuff now.
I’m going to be working for Army NETCOM. That’s Army’s network command on their CNOC program — Communications Network Operations Center. So it’s somewhat analogous to what I do here in the Air Force, but I think it’s going to be a little more cybersecurity intensive. …
I would love to do actual penetration testing someday, be it white hat hacking cyber or social engineering pen tests. There’s a well-paying niche business of folks who get hired by big companies to physically penetrate their companies (no badge or clearance, but walk into the CEO office) and it takes a bit of social engineering know-how, a bit of hacking and a bit of James Bond-type work. Sounds exciting.