Threat Vector 4.4.24
Ep 19 | 4.4.24

Mission-Driven Security: From Marine Corps to Silicon Valley with Donnie Hasseltine

Transcript

Donnie Hasseltine: The one thing that it mostly surprises people when I bring it up is, I actually play the bagpipes. So that's one of the weird hidden talents I have. [ Music ]

David Moulton: Welcome to "Threat Vector," a podcast where Unit 42 shares unique threat intelligence insights, new threat actor TTPs and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants, dedicated to safeguarding our digital world. I'm your host, David Moulton, director of thought leadership for Unit 42. [ Music ] Today I have a truly inspiring guest, Donnie Hasseltine, Vice-President of security at Second Front and a former recon Marine who successfully navigated the transition from military leadership to steering cybersecurity in a fast-paced world of Silicon Valley. Today I'll share our conversation, which covers Donnie's unique perspectives on what military experience brings to cybersecurity, the critical importance of foundational security practices for startups, and how to cultivate the security mindset essential for today's digital defenders. If you're a veteran looking to pivot into tech, Donnie shares some advice for you toward the end. If you're a startup founder seeking to embed security into your DNA, or just fascinated by the intersection of technology and security, this conversation is for you. So let's dive in. [ Music ] Donnie, talk to me about your journey from being the recon Marine to leading security efforts in the tech industry, and specifically within a startup.

Donnie Hasseltine: Yes, no. It was a fairly interesting journey. I mean, I spent over 22 years in the Marine Corps. I was in infantry and combat arms in recon as a battalion commander in the later stages of my career. And you know, I was thinking that I was going to get a stay-in, and go down that road, but two things kind of impacted that. A little bit of some family decisions, but second of all, my last duty station, I was up here in Silicon Valley. So in doing that, I got involved in Hacking for Defense, which is a Stanford-run program. It's in multiple universities now. It takes the lean launchpad and applies DoD/IC problems. And I started seeing areas where some of the problems I saw in the military, right, were actually going to be solved through commercial tech or creative MVPs, minimum viable products. And in doing that, I started looking at what are the things we can do on the military side? That led me to start digging a little deeper into cybersecurity because, you know, in my time both in exercises and combat, the further we've gone along in my career and even now, you've seen how it may be great if you can maneuver on the battlefield and use combined arms and things like that, but you have to control the electromagnetic spectrum. I mean you got to integrate that into your more physical and kinetic approaches in combat. And I found that in a lot of cases, the senior leaders just didn't have that exact background to be able to integrate that. So I went and did a master's in cybersecurity through Brown University. And in doing that, started exploring that further and further, which led me to get out and step in the private sector. And when I did, my first role in the private sector was a small PE firm that was doing B2B SaaS turnarounds. And as you can imagine, if you're taking a SaaS company that's, you know, has flatlined or struggled, has other issues there, if there are issues on the business side they also have issues on the security side.
So built out a cybersecurity program. Helped run some of those companies for that firm. And then speed into where I'm at now at Second Front Systems.

David Moulton: And when you and I were talking before the show, you mentioned the way that you went from your moment in the military into those programs, I thought it was really interesting and I want to call it out here. Can you tell the audience what caught your eye? What caught your ear?

Donnie Hasseltine: Yes, so obviously the thing that pushed me towards that master's in cybersecurity was an NPR ad. I was driving home from work with NPR, and there was an advertisement from Brown's Executive Master's in Cybersecurity program. Like, maybe I should give that a shot. And applied, got in, and that kind of was the first step that took me down that path. So.

David Moulton: Shout out to the folks at Brown who figured out that they needed to run their cybersecurity program ads on NPR, to reach out to my friend and yours, Donnie, to get him into that program. You're in startup world now. You're working as the lead for security for the business. And I'm wondering how did your military background prepare you for that role? They're very different, but I expect there's some sort of overlaps.

Donnie Hasseltine: One of the things I noticed from the military to cybersecurity is really the mindset. So we talk a lot of times about the security mindset and things like that. And how you look at problems, essentially. And you know, in my Brown class I remember there was a great time where I was watching how people react to things that were being presented out there. And you know, even to take a very acute example like we had a physical security portion, obviously. And at one point we were talking about different locks and structures and passes around all my colleagues. I look over and she's picking the lock. I was like, are they passing lock-picking kits around? She was like, no I just have one. I'm like, why do you carry that? I'm like, why not? Right? And it struck me that even though nobody really in the class had a military background -- a few did -- they all had the same mindset which was, every time I look at something, I can break that, I can get around that. That kind of hacking mindset. And I think that's incredibly valuable in cybersecurity and really hard to teach. The technical skills can be taught. The specifics of how you do things can be taught. But that mindset of where you just kind of have a slightly paranoid look at everything you see. And you question, like, how do I break that or how can that be done? That's a key mindset that we actively try to teach in our Marines and how to achieve mission, how do they get through obstacles? And I think that is really the most immediately transferable skill, when you take veterans, and you put them in a cybersecurity space.

David Moulton: So how to break things, where its weaknesses are. Understanding that just because you were told something works in a particular way isn't entirely true and isn't the end of the story. Yes, that's fascinating. It's certainly one of the things that I've heard from some of the berates here at Palo Alto that have transferred over from, you know, service in the private sector. That gives them a leg up. Where does that come from? You said train into the Marines. But I wonder, you know, is there a particular culture person, and do you have any observations on that?

Donnie Hasseltine: Yes. I don't know. I think it's difficult, because I do think, you know, I kind of -- I guess I contradicted myself. I said it's hard to train, but we do train in there. I think part of it is how are you living it, essentially. When you talk about, like, individuals in the military, they're constantly given very difficult, challenging situations or no-win situations. They have to find a way through those, right? And I think that especially if you're talking about combat situations where people's lives depend on it, it really activates, you know, your mind and your survival instincts in a different way that's not really activated on a day-to-day basis. And I think as that occurs, you start to -- it pushes you to think about things in a different way. I think that environment where there's constantly a very high pressure, there's constantly a perspective of there's obstacles in front of you and you have no choice but to get around them. You don't have the home of well, I'll deal with that tomorrow. You have to do it now. I think that's the piece that kind of, you know, crystallizes and catalyzes that mindset in the military. And I think that, you know, not to say it doesn't exist in the private sector. Some of my best, you know, security teammates have no military experience, but they have that kind of specific, you know, je ne sais quoi-like quality about it, where they think about it in that same way, of addressing problems and obstacles.

David Moulton: So I hear you saying that there's this idea of seeing somebody that's both urgent and important, right, upper right-hand quadrant on a two-up. And how do you find those people? How do you interview for them? You know, maybe part of it is that you shortcut by looking are they a veteran? Are there other ways that you can suss that out when you're looking for a good security team?

Donnie Hasseltine: Yes. I think one, you can look at like, what their background was. That's a basic thing. But I think in interviews, when you're talking to them, in interviews you can sometimes figure that out by giving them technical challenges to see how they think about things. And I'm also a big fan of scenario-based things like give me an example, walk me through how you saw something like that from your background. Because a lot of cases, what is on the resume and what is, like, in the actual job description may not be a [inaudible 00:08:59] anywhere, right? So is there a story you can give me where you had a challenge it seemed people thought was an obstacle couldn't be made, and you and your team kind of went around, and how did you do it. And really I think the key thing you're trying to get at is like, where's the thought process? What's the logic you used to kind of break that down into chunks that can be actually managed by you and your team?

David Moulton: I have a mentor that talks about your resume as a marketing document, and your interview as your sales opportunity. So --

Donnie Hasseltine: Spot on.

David Moulton: Very different things. So let's talk about your unique perspective coming from that recon background, and then thinking about what cybersecurity threats do you believe are underestimated from startups today? You know, maybe it's AI, maybe it's something else, and maybe recommendations on how you would address those or how you would think about those threats?

Donnie Hasseltine: I think it's easy, and I think right now, a lot of things immediately jump to like, quantum AI and things like that. But honestly, I think the answer's much more mundane than that, right? I think that what I've found more likely to startups is they have a great idea, and they sort of build that great idea and they start to sell that great idea, but they don't always think about securing it, right? And I think that in many cases, the basic foundational aspects of it, like, are you giving basic security training to your teammates? Are you, you know, making sure they're not clicking on things? Stuff like that. You know, do you have endpoint protection on the devices that are touching and open to the internet, right? Are you putting multi-factor authentication on everything? Just getting some of those super simple basics knocked out knocks out a significant threat portion. And I think what I've seen a lot of times in startups is perspective of, like, oh I'm too small. I don't have to worry about this. Or like oh, we'll get to that at a certain point. You know, when you think more broadly about startups, right, you think three things. You have to build to sell. You have to secure. And I think if that ultimately ends to be made into a concentric circle. I think the more often the challenge is it's -- in the startups, it's more heavily on the build phase. And that sell and that secure part is kind of a stretched chain Venn diagram that isn't quite a line. And I'd encourage startup founders to think about, like, from the start, how do I make that one circle and one approach? And really just getting the foundational pieces right is really critical and knocks out 80% of the threats.

David Moulton: Yes, so that hygiene, and doing the basics sounds like it shrinks the attack surface a bit. And it certainly makes it less of an easy target. You know, you're never too small to be attacked.

Donnie Hasseltine: Yes, and I think the way you said it -- "attack surface" is the right way to think about it, right? Every time you add a new feature, piece, like you know, like I think General Cartwright once said, if there's an aperture, it's a target, right? If you think about, like, how the military moves. So you know, if you have a sensor on the battlefield that is collecting information, that is an actual vector that is an attack surface. It may not be able to like, be able to drop malware into it, but you can manipulate that. You can send information in there, and that's a version of a cyberattack, right? So being aware of what that attack surface is, and as you add features in, understanding how that attack surface is changing, honestly just turning things into known unknowns vice unknown unknowns is a critical step when you're evaluating your next steps as a startup.

David Moulton: So do you ever turn that sort of thinking, where you say, like, what are the apertures that we've added? And come back at your own business, red-team it a bit, and help educate the startup founders that you're working with on that concentric circle that are maybe thinking build and sell, and you're responsible for the secure portion and bring them along as a partner to see, like, this is what the outside world would see when they're going to attack us.

Donnie Hasseltine: That's a great, great point. I think the epic that you know, with some of the startups I work with, trying to do exactly that, right? I think security does itself a disservice when it becomes antagonistic, or like the police, internal police for the organizations. It's just like when you run a phishing campaign and one clicks. How you respond to that is really a critical thing, right? Like you can see it as an education opportunity. You engage them in a positive manner. Or is it some type of like, you know, stick-based punishment piece. It's always better to go with the incentive, right? And then show them why. But I think also from a security standpoint, you have to be mindful of the business issues, you know? I think I've had cases in startups where we've found an issue and a concern. But when we evaluated the cost associated with remediation or even transferring that risk, the decision was, like, okay, we know about it, but we're going to accept it. We have no choice based on the circumstances. And I think as a security professional, you have to be smart about how you categorize that to leadership and then take them along as best they can so they're making the best decisions. I think most of the cases where there's been failure there is because you didn't educate people right on the decision-making process and give them the information they need. I mean, I saw this in the military, right?

David Moulton: Absolutely. So it sounds to me like it's a communication as much as anything. You know, right here along with the education, you don't want to go and name and shame. And you certainly want to give somebody the ability to make the tradeoff right? Speed, security, where we're going to focus or not focus at a given moment. There's no such thing as 100% pure security anytime.

Donnie Hasseltine: And if it is 100% secure, it's totally unusable, right? I mean I think that's the whole thing. You're -- you know, I think if you come in as a security leader and try to crank that rheostat all the way to security, it's going to kill the business, right? But if you're -- the business is all the way on the other side of convenience, then it's also super dangerous. It's like, everything you're kind of constantly trying to dial that in to be as secure as you can, but while maintaining that. I mean, we had a very recent case in our company where something was brought up and the security perspective was that needs to be shut down. And that's fine. But like, you need to ask before you turn that off, what is the use case? What is the erosion for that first, and make sure you're doing supplementary pieces. I mean I can give you a great example from when I was on military recruiting where there was -- many years ago, there was a threat, which was transmitted through, you know, USB drives. And the decision was made from the DoD, turn off all USB drives and -- in the shut down auto-run. Can't use external drives or external devices. And totally understand that from a security standpoint. Totally legitimate call. But in recruiting duty, we had the need to, like, have applicants sign documents. We had to upload pictures of their tattoos. So very quickly, you had this case where a recruiter has to get this contract signed to meet his or her mission by the end of the month, and so they were taking personal cameras and putting it on their own devices and then emailing it to a side thing, and then burning it to a disc and sticking it into a standalone computer and then transferring it. So they were taking, like, seven or eight steps, but still getting the data back onto the military network. Like is that more secure or less secure than just --

David Moulton: It sounds like they opened up the attack surface just a smidge.

Donnie Hasseltine: Yes. Just a smidge. So I think you would always ask, like, why are you using this in the first place before you turn it off, right?

David Moulton: Yes. Eight years ago, I was talking to Roland Cloutier when he was with ADP, and he was describing security as an ingredient in the business, right? And security was a quality ingredient. But it -- I think from a chef point of view, if you put too much of any quality ingredient in it, all of a sudden it just tastes like a spice, right? You've got to get that mix just right so that you've got a quality ingredient in there, but it doesn't overpower as a flavor. So Donnie, let's transition for a second to thinking about the contrast between military and private sector. You know, you went from military. It's maybe a touch more hierarchy and then you're in a tech startup. I'm wondering how you navigated the culture differences, the operational differences, and then you know, what is your leadership approach in those two environments? What did you take from the military and apply to the startup space?

Donnie Hasseltine: The problem -- I don't want to belie the culture difference, because there are significant culture differences, right? But I think in many ways there are more similarities than people realize. Because I think there's initial perspective of like, oh yes, the military's very hierarchical. The commanding officer just says "do this," and everybody follows those orders. But in practice, it's very different. That hierarchical structure is for one specific goal, which is ruthless efficiency in a combat situation where people's lives are on the line. Where you don't have time to explain the why, you don't have time to explain the conversation. You just have to execute. But you know, if you're in a garrison environment, a non-critical environment, people's lives aren't on the line, and you lead with that approach, you're kind of just a jerk, right? And it plays out very quickly in the military, right? So I think that when we were in combat, certainly there were points where we just had to say shut up and color we're doing this. But when you were in that high-pressure situation, it was really critical as a leader to actually sit down and talk to the whole range of individuals in your command, and hear their perspectives, and understand their perspectives, and integrate that into your decision-making. I think I lucked out a little bit on the cultural transition, because I had several roles which were very different than the standard piece. I mentioned the recruiting already, where you were very distributed, like remote, before remote was really a thing. Where you would have an individual recruiter who's by himself, a sergeant seated in a mall by himself, four hours away from his boss who's another two hours away from me. And how do you manage that type of leadership where you're not seeing everybody on an everyday basis? 
Recon is a similar thing, where you're leading very small highly capable teams, and even as the commander, I was not the expert in everything they did. So I had to be very cautious and very engaged to understand what their experiences were, and what they needed on the ground. Because if you think about it like what a normal military organization needs, as opposed to like, a six-man team, it has to be out of radio comms. It's only doing communications windows. Is going to have to make decisions without ever being able to ask for permission or guidance, how do you communicate the left and right lateral limits for that team to operate freely and engage?

David Moulton: Inside the military, it's like really mission-driven and one of those things that can actually bring people together. I have felt that same sense of mission inside of cybersecurity. It's in service of something greater than, you know, my next achievement professionally and/or a paycheck. And I'm wondering how you brought that sense of service from the military into your current role, or if it's something that's just naturally there across our industry?

Donnie Hasseltine: Yes, I think it's certainly more naturally there in cybersecurity as opposed to other industries. And I think certainly if you look at my time when I was running startups, I struggled a little bit culturally with that, right? Because the real goal was like, drive product to make a profit. And that just does not appeal a lot of time to folks leaving the military. I think what got me up every day in those roles is you know, just what you said. In the cybersecurity side, look, I'm protecting my team. I'm protecting our customers. And even you take a look at a product, it was like I could get in behind that, because when I talk to developers who are using that product, it was making their lives significantly better, and allowing them to focus on the things they wanted to focus on. So I think you have to figure out what is that aspect and mission that you can get behind and it often relies on, are you protecting that person? Are you making their lives better? I think in cybersecurity that's a lot easier to wrap your head around. In our current world, Second Front because we're a public benefit corporation, we can kind of look at that very clearly. Mission means a lot more and a lot deeper than just making the profit, right? We're focused on how we actually take care of war fighters down the road. But totally agree and I think that's a cultural thing in the military is, where are you going to find that kind of mission satisfaction? I think my experience is you do find that in cybersecurity for exactly the reasons you said.

David Moulton: It's a really interesting thread. Like it's an unintended consequence, and I find that sometimes government policies have these unintended consequences.

Donnie Hasseltine: Yes, no. That's a good point. And when you look at the overall aspects of these cybersecurity rules, the intent is good, right? It's to make things safer and secure and hold people accountable. I think the challenge is exactly kind of what you kind of hit upon, is there's multigenerational consequences that impacts that, that I think are not always considered. And it's hard to forecast, to be fair. So you know, what a lot of CISOs are concerned about now is, okay, how does that impact me? Also how is my company working with me to protect me if we do have a breach, we do have an issue? Which in the security world, we just kind of accept that that's kind of a natural course of doing business. Like we're going to do our best. We're going to defend as hard as we can, but we're dealing with pretty significant threats out there, and someone may get in. And if that happens, like, is that going to impact my family and my livelihood long-term, because I'm going to be going into court over it. And I think there's certainly aspects, and I don't want to get into specific cases, where maybe someone did certain things wrong and all, but you know, it's driving a very different experience for CISOs applying for jobs. Asking questions about, you know, am I on the company's, you know, insurance policy? Like am I officially an officer of the company? Like who's responsible for these things? And think those questions were not asked as directly, certainly in more S and B CISO roles. But I think we've had a lot of experienced CISOs now that are having to step back and I've seen roles stand out there for major companies go unfilled for months on end. And I have to kind of do the math and say on the backside I know there are some people that would apply for those. But they're kind of skeptical.
Like if I step into this role, where this company just had an incident, just fired their CISO, like is that really something I want to walk into, and how is that going to impact me long-term? And I think some are using that as negotiating leverage on how they approach these jobs. But I think others are, I want to sit it out a little bit and just see how these roles and these court cases kind of settle, so better sense of how to approach it.

David Moulton: Yes, so maybe unintended consequence of the SEC cyber rule would be that some folks are taking a step back or slow-rolling it, but I also wonder if maybe it's foreseeing a maturation to the role. Where you're asking more business-oriented questions.

Donnie Hasseltine: I think that's also fair. I mean, I remember Royal Hansen at Google, he was an advisor to our program. And I remember, you know, years ago, when we first started the program. It was, like, 2017. He was talking to the class about cybersecurity and risk and saying, you know, we think of cybersecurity as sometimes as just this computer problem, or this IT problem, or this -- you know, protect this server problem. But really it is business risk. And I think I've seen that in a lot of companies where you talk about what is the actual risk we're dealing with? And really, you know, legal teams, finance teams, and cybersecurity teams are the only verticals in a business that truly deal with and understand risk.

David Moulton: Yes.

Donnie Hasseltine: And understand how those processes work and think about it. And I think the more we go forward, it's like you do need to integrate businesses, right? And you can't be the CISO that's crying wolf all day, but you can't be the one that misses something that sinks the business. So I think I always look at the perspective is like I never want to be caught by something that I didn't foresee. If we identified it, and we raised it, and we discussed it, and we made a decision to accept the risk, that's really the job. And then how it plays out from there, you just do your best to kind of close things out as much as you can.

David Moulton: Yes. Sometimes the best thing you can do is recover. Let's talk about those SEC cyber rules. Have you observed any significant impacts to companies' strategies for managing and reporting cyber risk?

Donnie Hasseltine: Yes. I think the real piece that I think people are struggling with is you know, obviously is really focused on public companies. You have, like, you know, 10K and 8K reporting requirements.

David Moulton: Right.

Donnie Hasseltine: I think it's really understand like, when you talk about disclosure, how do you phrase that and how do you address that, right? Because this becomes a challenge. If you say, oh we have a policy risk, there's plenty of companies and startups and other companies I've seen where they write a policy that meets maybe a SOC2 or ISO requirement, but are they actually enforcing that policy? Are they managing it? And if you're reporting it to the SEC, you better be damn sure that your employees have read that policy and you're enforcing it, managing it. The whole lifecycle of it, not just like do it in a paper drill. I think that also gets into when you start talking about one thing that I am seeing is like certainly on the cybersecurity government side is forward suddenly thinking very carefully, like, how do we bring -- and even though that wasn't a finalized role that we have to have cybersecurity experience on the board, changing how they look at that, right? Either bringing in cybersecurity experience to the board, or making sure that the board at least talks to the CISO or the representative on a quarterly basis or more. So I do think that that's one positive thing, that cybersecurity issues are being discussed now on boards much more commonly. And I think it will be increasing down the road. But I think the last thing that I think is probably the hardest piece here is the reporting requirements and the disclosure requirements around a cyber incident. How you're defining a cyber incident, and specifically the materiality of the incident. Because that's always the company's evaluation, and I think that's where you start getting a super weird risk category which we'll see down the road, where something happens. The company says that's not an incident. We don't think it has material impacts and merit reportability or disclosure. And then maybe down the road, that metastasizes and expands out and then it comes back, like, why didn't you report that?
And that is a very common incident in cybersecurity.

David Moulton: Yes. You'd have a class of investors that would come back and say that they were damaged, and they have a case. And that's what the SEC's there to enforce. And yet at the time when you're looking at it from, you know, in the moment or just after, you may not have been able to anticipate the sort of knock-on effects that are there. I was talking to Jacqueline Wudyka about this and in that specific ambiguity right now, will work itself out in the courts. But it is a risk, right? It is one of those things that is tough to anticipate which of those would you say incident to events, events to incidents, is going to be material later on.

Donnie Hasseltine: Yes, and you have the risk of a company over-reporting and that having profound impacts on their company value, right? Which is a different perspective of investor concern, right? [ Multiple speakers ] So again it's where are you dialing that in at? It's a really hard decision to make.

David Moulton: Yes. That's an interesting perspective, of like if you over-report, and you drive down your share price or the value of the company, is that actually as big of a concern of, you know, you had an event and underreported it, either way, investor is looking at where's my value, and did you, you know, as an officer, as you put out earlier, did you drive that right? Let's wrap up with a couple of questions that I have about transitioning from being a veteran into security or tech. We'll maybe make this one the lightning round. So veterans aspire to entering into the cybersecurity field, what foundational skills do you recommend developing first?

Donnie Hasseltine: I would say beyond skills, I would say qualities and specific pieces and I would specifically say curiosity. Right? You have to come in and be curious about it. Because if you're the type of person that's going to be curious about something, ask a question, and pull a string, that's going to take you down roads that you would not have guessed otherwise. And I mean, for me, I could order something on Amazon. I had no idea what happened when I pressed that button. So I wanted to know. Like where does that -- how does that all work in the background? If you're willing to ask that question, identify an answer and just pull the string and take it all the way down to the root, and do that a few times, you're going to quickly start identifying things you're interested in, you're excited about. And that's going to really drive what skills or certification you could develop around that curiosity.

David Moulton: I imagine that when you pulled on that, you found some bubble gum, some duct tape, and some real human ingenuity on bringing those systems together.

Donnie Hasseltine: Yes. I mean, I'll just say briefly, like, that old XKCD cartoon about, like, dependencies and frameworks and a house of cards. Like, I think that's the biggest learning when you get into cybersecurity and software is, you realize, like, how it really is a house of cards, whereas before I didn't know. Everything looks so shiny and beautiful on the front end. Like, the back end is very, very different, right?

David Moulton: Yes. Front end UI's gorgeous. Back end, wow. Can you recommend any specific programs, certs, resources that helped you transition from military to tech-based career?

Donnie Hasseltine: Yes. I mean, I think there's several of them out there. And I think, you know, when you talk certifications, Syracuse University has a spectacular veterans program called Onward to Opportunity, O2O. What that allows people to do is, pick a certification they're interested in and they will fund a -- they'll fund the training course, the certification costs for one certification for every veteran, right? So identify and once you pull that string, you say, you know what? Everyone who's in that role has CISSP, or like a specific thing like that, you can pull that string and actually, like, get that funded. There's a number of other bespoke programs. I think the biggest thing I would say is, like, go out and find another thing out there. Because the base transition program the military offers is very, very basic. It only gets you the basic foundations. So things like Hire our Heroes fellowships, the DoD SkillBridge program. I went through a program through the COMMIT Foundation which talked about, you know, transitioning and thinking really deeply about what is your why, and what is behind what you're thinking, up to kind of want to talk about mission. But I'd encourage you to find a program out there. There are a lot of military programs. And then try to identify, like, if you identify where you want to go, find an individual in the private sector to be a mentor, and like look at what their career, their certifications, their skills look like. The odds are you can find a path to get those in that transition period. But I think the danger sometimes is you get out and you're like oh, I'm going to get an MBA. I'm going to get a PMP. I'm going to do this. Like, don't go down that road until you've actually gotten data to show it lines up to what you want to aspire to.

David Moulton: Transitioning, I got to imagine that's a bit daunting. Motivational advice for veterans that are interested in tech, but are still deciding whether to take that first step.

Donnie Hasseltine: I think I'd tie this to the networking aspect, right? It is -- when you leave the military, like, you only have a very narrow window of what is out there. And I always tell people, like, there is a role that is at the right comp level, and works for your family and balance, and the right location. It's the perfect role for you. You just don't know where it is and how to get there yet. And the only way you do that is to talk to people. And I think that my experience in that was that I often found roles or companies that I absolutely did not want to do. That was easier to find than ones I did want to do. So I think that what I would say is, oh I want to be a project manager. Like, do you know what that means? Go on LinkedIn, go find a former Marine or former veteran who is in project management, and call them out, and say hey, I'm a fellow veteran, or I'm a fellow graduate of such-and-such university. Like, could we have a virtual coffee? I just want you to tell me about what your job is like. Because if you do that, you'll quickly find like, you know what, maybe I didn't want to do that. Or wait, that sounds really cool. Let me see if I can pull that string a little more.

David Moulton: I think that put your hand out there, people will want to help. And then you've got a good sense of whether it's your jam or not. And if it is, that person is likely in a position to help recommend you or connect you to -- maybe they don't have that job, but they know where another one is at.

Donnie Hasseltine: They know someone.

David Moulton: Yes. Yes, I know. That's --

Donnie Hasseltine: I throw that VC advice, right? You ask for advice, you get money. You ask for money, you get advice. It's the same sort of thing, right?

David Moulton: Yes. What's the most important thing that our listeners should remember from our conversation?

Donnie Hasseltine: What I would pull out is what we just talked about. Focus -- I think it applies much broader than to veteran transitions. Like, nurture your curiosity, right? Because if you're in a cybersecurity role right now, and something doesn't make sense, and you're curious about it, you're going to dig into it and you're going to find things that elicit business risk that you didn't know about. If you are searching for a role, find something you're interested in, you're curious about and pull that string and see where it leads you. Because you'll get critical information about whether you want to do that or not. And I think more broadly, just when you think about the constant problems and constant changes we have in the cybersecurity industry, every day's different. There's always a new challenge. There's always something else out there. If you're trying to like, just maintain the perimeter based on what you know right now, you're going to fail. So be open-minded. Draw on information. Listen. Be curious. Because I think by doing that, it helps you solve a lot of the things we've spoken about.

David Moulton: So Donnie, a couple takeaways that I had -- and I want to thank you for the conversation. This has been fascinating. And once again, here I am getting paid to learn and talk to people that are infinitely smarter than I am. But stay curious. Talk to people. And remember that security is all about finding the right balance between things that are secure and what your business needs. And it's an opportunity to educate and then accelerate, rather than clamp down.

Donnie Hasseltine: Yes. Spot on.

David Moulton: Donnie, thanks. Appreciate you. And maybe we'll have you back on the "Threat Vector" soon. I really enjoyed the conversation.

Donnie Hasseltine: Thanks, David. Yes, it was great to be here. Thanks so much. [ Music ]

David Moulton: As I close out today's episode, I'm struck by Donnie's journey. He went from recon in the Marine Corps to cybersecurity in the Valley. Today's conversation reinforced the need our industry has for disciplined leadership, strategic thinking, and a security mindset. Something that seemed to show up in those who've served. One of the most impactful moments in the conversation came when Donnie discussed the importance of nurturing a security-first mindset. Not as an afterthought, but as a foundational principle for those in security. This approach isn't just about safeguarding data or infrastructure. It's about fostering an environment where security is integral to the product development process from Day 1. And it's a reminder that in the digital age, where the threats are ever-evolving, a proactive security stance on security isn't just beneficial. It's essential for survival and success. I absolutely love the fact that Donnie highlighted the role that curiosity plays in security. This resonated deeply with me. This field is constantly shifting. And that requires us to be inquisitive. To question assumptions. And to push boundaries. In reflecting on Donnie's insights, it's clear that the intersection of military discipline and cybersecurity expertise is not just about the transfer of tactical skills. It's about a mindset that views security as the mission-critical priority, a commitment to safeguarding the digital frontiers where our modern battles are increasingly being fought. If you're a listener, whether you're a veteran looking to transition into cybersecurity, a startup founder navigating the complexities of security in your venture, or already a cybersecurity professional, I hope Donnie's journey inspired you. To close this episode, I want to thank the "Threat Vector" team. Our executive producer is Michael Heller. Content and product by Sheida Azimi, Sheila Droski, Tanya Wilkins, and Danny Milrad. I edit the show, and Elliott Pelzman is our audio engineer. We'll be back in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]