How I Got Here: How AJ Nash brought military intelligence to private cyber

It takes all kinds to build a tech company. Not everyone needs to know Python or C# to make an impact and have a tech career. An expert in one industry can be an expert in another — it’s just a matter of finding the right way to apply the expertise.

“I’m not a computer scientist or a software engineer or network engineer or anything of the sort,” AJ Nash, VP of intelligence at Baltimore-anchored cybersecurity company ZeroFox, told Technical.ly. “I’m a traditional intel guy working in cyber.”

Nash got his start in the United States Air Force and worked in intelligence for nine years. He was stationed at the National Security Agency for most of his military career. He then spent another nine years using the skills he learned in the private sector as a defense contractor.

Finding his skills relevant in the tech world was a happy accident.

Defense contractor SAIC recruited Nash in 2007. During the interview, there was a lot of talk about computer science and operations research he knew nothing about. He thought he was in the wrong interview, but the company had the people they needed for the technical aspects of the job. What it needed was someone with experience as an intelligence analyst to validate the effectiveness of a cybersecurity product it had in development.

Nash’s start in tech shows that you don’t need to be a computer wizard or have an affinity for tech to find a career in the field. It’s possible to have desirable expertise and leverage the tech career application of it.

“That became my niche in the private sector: trying to translate government knowledge and standards on how to build intel programs and how to conduct intelligence,” said Nash.

Nash applies the same intelligence standards, tradecraft and concepts he learned in the military to cybercriminals. He said that his current job, besides the virtual environment of cyber intelligence, is similar to the military because people are people. His job is about understanding the motivations behind threats and that motivation remains the same: money.

A cyber intelligence analyst’s goal is to understand threats before they hit a company’s cyber environment and provide people with the materials they need to make informed decisions at the right time. In an ideal world, knowing the risk is just preventative and the attack doesn’t happen. When the ransomware attack does hit, the intelligence analyst is the one letting a company know if paying the ransom attack will get a company’s data back — or if it’s already been sold on the dark web.

An executive flight

Nash since made his way to ZeroFox, which recently went public and is trying to turn its $1 billion valuation into $10 billion. This is far flung from where he thought he’d be growing up. He had plans to be a police officer, and then an attorney, until he joined the Air Force. From there, he kept choosing jobs that he found interesting, challenging and valuable.

At an executive level, Nash’s job is as much about making other executives understand the value proposition of good intelligence as building a strong intelligence program. It’s one of the biggest differences between the government and the private sector: the government printed money and he didn’t have to discuss a return on investment.

He now constantly has to solve the riddle of how, when a job’s done right, it looks like you’ve done nothing at all.

“We understand how to be proactive, but how do we do it in a way that is justifiable from a financial standpoint?” Nash said.  “So that organizations can spend the right amount of money to get the right level of security, and own the right amount of risk and understand what that risk is. [That’s] a challenge right now.”

He faces this challenge every day because he believes there’s real value in building up the private sector’s cyber defenses. In 2021, IBM reported that data breaches cost companies an average of $4.24 million. It’s often said, in local government at least, that the public sector is behind the private sector technology-wise. It is, however, more attuned to security needs than the private economy.

“No matter what we plan in life, life sometimes has its own plan,” said Nash about the roads he took to get where he is today. “I’m a big believer in going with that to a point, as long as you’re doing good things. The overall plan is just trying to be useful and successful.”

Here are some of the tips and advice Nash learned along his tech journey:

• For anyone transferring from three-letter agencies to the tech industry, you need to be able to speak to all people, from the nontechnical executive to the highly technical security operations center analyst.
• You don’t need technical expertise, but you do need a working knowledge: “Intelligence teams are generally matrix teams built of many different skill sets. You don’t have to be a unicorn who can do everything.”
• “You have to be somebody who’s willing to continue to learn. The technology is ever-changing.”
• “You have to be very flexible. Cybersecurity is a 24/7 job. Adversaries don’t take holidays. If you’re looking for a 9-to-5 lifestyle, this isn’t going to be a great career for a lot of folks.”
• “Intelligence is about words. It’s really important to be able to communicate at the level of the audience you’re working with. You can’t have a highly technical conversation with a senior executive who just wants to understand what they should be doing for the next six months in terms of their hiring strategy.”

Donte Kirby is a 2020-2022 corps member for Report for America, an initiative of The Groundtruth Project that pairs young journalists with local newsrooms. This position is supported by the Robert W. Deutsch Foundation.