Why are former military folks disproportionately represented in cybersecurity?

This is been my experience. I would not just limit it to just IT - I would say other areas of operations also have a higher percentage of military people.

Military folks are trained in operational security and communications security, data classification, handling confidential information, etc.  And many today (and for the past several years) have also received training while in the service in cybersecurity as well.  In addition they are serious, dedicated, understand directions and take them to heart as well know how to assess risks, find vulnerabilities, defend against threats and hunt for adversaries.  They make great information security people!

I was a former Navy officer for four years, with degrees in business and computer science. I started my career in IT doing computer programming, then managing several teams of folks doing IT programming, then six months on the networking team before joining an effort to deploy a common operating environment within the company.  That blossomed into managing our desktop team (30,000 endpoints worldwide).  But then our security team of 11 was replaced by 3 new security folks, including myself; I just was pushed into the role of cybersecurity and never looked back.  

As to why former military folks are disproportionally represented in cybersecurity would seem to be driven by behavior, motivation and mind-set.  The behavior comes from a regimented view on "how things really get done".  The motivation is a self-driven purpose and natural curiosity about learning, since there is something new in security (good or bad) every day.  The mind-set is one akin to riddle solving or working 1000-piece jigsaw puzzles; we seek to figure things out and put forward solutions - good, better or best.  Comradery and a shared history help build teams.  

As former military myself, I think there are some definitely overlaps in certain areas of cybersecurity that are a natural fit for retired military. A huge part of the SOC is about incident response, training, and process driven actions. This is also something that the military does quite well and trains their service members to do quite well. In addition, the level of discipline is something that is required for a SOC to be successful. There is no room for error when reviewing data and incidents. The responsibilities are to be taken seriously.

I also think military helps to breed a certain level of professionalism that makes for good leaders in a crisis. This is the kind of person that helps deliver solid results without some of the emotional baggage that can cause mistakes in judgement. 

I would say that there are many other areas that align nicely with former military as well - police, fire, healthcare, etc. Kind of the same reasons as above...

I’m also not ex-military.

I would imagine there are a number of reasons for this:
1. The military was amongst the first to develop and use the internet via DARPA. As such it would make sense that it would have embedded cybersecurity into the culture in the same way any advances in technology would be integrated as was the case with ground vehicles, aviation, etc.
2. NIST, as least in North America, is the defacto standard, which comes from the defense industry.
3. Military infrastructure has always been critical and thus an attractive attack vector for APTs from nation-states and like actors. As command-and-control increasingly relies on network infrastructure and is one, if not the first thing, to try and eliminate in an attack, it makes sense that cybersecurity works in tandem with physical security.
4. Intellectual property theft, intelligence gathering, etc. all have a large cyber component. As such people in this space are trained to do it and protect against it. While protecting against cyber attacks is increasingly valued in the private sector in many cases there are still firms that lack basic controls such as PAM, MFA, etc. that are embedded in high security military processes such as two-keys for nuclear weapons (MFA) or access control to secure facilities. A lot of cybersecurity is simply taking processes that are best practice for physical security and adapting them for a virtual perimeter.
5. A lot of cybersecurity is about thinking how someone can compromise systems from attack. People who migrate to a field where protecting things from attack would likely have a high degree of overlap for these types of roles in the private sector.