Why Veterans are Built for Zero Trust Cybersecurity
If you're struggling with zero trust adoption, you might be hiring the wrong people.
In the federal government contracting space, we spend an enormous amount of time dissecting executive orders, analyzing National Institute of Standards and Technology (NIST) frameworks, and debating the merits of various cloud architectures. When Executive Order 14028 mandated a move toward zero trust architecture, the industry responded predictably: we looked for tools. We looked for software-defined perimeters, identity governance solutions, and automated policy engines.
At Aquia, our perspective is shaped by our identity as a service-disabled, Veteran-owned small business (SDVOSB). As we’ve been helping government agencies with their adoption of zero trust, we’ve noticed a pattern that has nothing to do with software and everything to do with human psychology.
The hardest part of zero trust isn’t the technology — it’s the cultural shift.
Zero trust requires moving an organization from a mindset of "implicit trust" (once you’re in the building, you’re safe) to "continuous verification" (trust nothing, verify everything). Applying that level of granularity is daunting, even for heavily regulated federal systems.
For the average civilian or commercial engineer, the shift to zero trust can feel restrictive, paranoid, or overly bureaucratic. But for military Veterans, this isn’t a new requirement at all: it’s a foundational survival skill.
FOBs Prepared Veterans for "Assume Breach"
The overlap between military doctrine and modern DevSecOps is tighter than you may think. For decades, cybersecurity relied on a "castle and moat" defense. If you were on the VPN or physically in the office, you were trusted. This is 20th-century thinking.
Veterans who have deployed in the last twenty years understand intuitively why the "castle and moat" concept is dead. In modern asymmetric warfare, there are no front lines. The threat isn't just "over there"; it can be inside the wire. It can be a drone, an insider threat, or a blurred line between combatant and civilian.
When we explain to a Veteran engineer that a network perimeter is porous and that we must assume the adversary is already inside the network, they don't panic. They recognize the scenario. They have lived in forward operating bases (FOBs) or conducted urban operations where situational awareness, not just a physical wall, kept them safe.
This translates perfectly to the "assume breach" pillar of zero trust. While some engineers struggle with the pessimistic nature of assuming a system is compromised, a Veteran views it as standard operational prudence. They build systems that are resilient despite the presence of threats, rather than brittle systems that rely on the absence of them.
From "Need-to-Know" to "Least Privilege"
One of the primary sources of friction in implementing zero trust is identity and access management (IAM). In a mature zero trust environment, identity is the new perimeter; authentication and authorization are confirmed with every transaction.
In a startup or a loose commercial environment, developers often have admin rights to everything "just in case" they need to fix a bug. Revoking those rights to enforce the principle of least privilege usually results in grumbling about bureaucracy and slowed velocity.
However, anyone who has held a security clearance understands the concept of "need-to-know."
In the military, having a top secret clearance doesn't mean you get to read every top secret document as many times as you wish. You gain access to the specific intelligence required to execute your mission for the duration of that mission. Access to the data is a privilege, based on a specific set of requirements and permissions that are checked and verified with each use and revoked when they are no longer needed.
This is the exact philosophy behind just-in-time (JIT) access and ephemeral credentials in cloud computing.
Military: You get the mission briefing when the operation starts; you turn it in when it ends.
Cloud: You get the API token when the script runs; it expires when the script finishes.
Veterans don’t view these access controls as an insult to their trustworthiness. They view them as operational security (OPSEC). They understand that if their credentials are compromised, the blast radius must be contained. They accept that they will work on teams with varying levels of access, and that compartmentalization is key to reducing team and personal risk. This cultural buy-in makes them incredible advocates for security compliance within a team. They become the champions of "locking the doors," not because the rulebook says so, but because they understand the stakes.
The OODA Loop Mirrors Incident Response
In cybersecurity, speed is the currency of survival. The time between an attacker entering a network and the defenders detecting them (dwell time) determines the severity of the breach.
The U.S. military has a framework for this: the OODA loop (observe, orient, decide, act). Developed by Air Force Colonel John Boyd, the OODA loop is about processing chaos faster than your adversary. If you can cycle through these four steps faster than the enemy, you win.
This is strikingly similar to the metrics we use in modern DevSecOps: mean time to detect (MTTD) and mean time to respond (MTTR). In a zero trust environment, the OODA loop is the engine of survival. Because we "assume breach," we rely on continuous monitoring and automated responses to outpace the adversary. We build systems that cycle through observation (logging), orientation (heuristics), and action (blocking/remediation) faster than an attacker can move laterally.
Veterans are the ideal practitioners to oversee these automated systems because they possess the discipline to handle the exceptions. When a complex attack bypasses the automated loop and the "fog of war" sets in, Veterans don't panic. They are trained to:
Observe: What do the logs say? (situation report)
Orient: Is this a false positive or a real attack? (threat assessment)
Decide: Do we shut it down, isolate it, or monitor it? (course of action)
Act: Execute the fix. (engagement)
We’ve seen Veteran engineers lead incident response calls with a level of calm that unnerves people who aren't used to it. That emotional resilience, the ability to keep the OODA loop spinning while alarms are blaring, is a soft skill that no certification course can teach.
Mission Command Enables Agile Thinking
Finally, there is a misconception that military service breeds rigid, robotic thinking. The stereotype is that soldiers wait for orders.
The reality of modern military doctrine is mission command. Leaders provide the "commander's intent" (that is, the goal of the operation) and rely on their subordinates to figure out the "how" based on the changing dynamics on the ground.
This is functionally identical to agile software development, and in zero trust terms, the Veteran acts as the policy decision point (PDP). They take the high-level policy (intent) and enforce it dynamically against real-world constraints, incorporating real-time data and analytics, rather than blindly following a brittle rule set.
In a government contract, the "commander's intent" might be: "We need a secure way for citizens to upload tax documents by next month." The "how" (Kubernetes, AWS Lambda, Python vs. Go, etc.) is left to the team.
Veterans thrive in this environment because they are mission-oriented, not task-oriented. If a blocker appears (a technical debt issue, a legacy firewall rule), a task-oriented employee might throw up their hands and wait for a ticket. A mission-oriented employee looks for a flank. They look for a workaround. They are focused on the outcome, not the process.
The Bottom Line: Values Over Verification
As Aquia grows, we naturally seek technical excellence. We need people who know Python, Terraform, and NIST 800-53. But technical skills have a half-life; what is relevant today will be obsolete in five years.
Character, however, does not have a half-life.
The government’s shift to zero trust is, at its core, a shift toward higher standards of vigilance, accountability, and resilience. As we build the teams that will secure the nation’s digital infrastructure, we are finding that the people best equipped to build the future are often the ones who spent their past defending it.
They know that security isn't a product you buy. It’s a discipline you practice. And they’ve been practicing for a long time.
