How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
Before the pandemic, many organizations experimented with hybrid or fully remote working environments. The onset of the pandemic only accelerated that transition. Cybersecurity jobs are no different, but the need to maintain a high standard of information security poses some challenges in a hybrid environment. One company that pioneered hybrid work for security teams is Booz Allen Hamilton.
Becky Robertson, a Vice President at Booz Allen, has been managing security teams in a hybrid environment for many years, and she is well-versed in how to hire, train and retain Booz Allen's security talent.
What’s the hybrid work situation like at Booz Allen?
“We’ve been working in what I would call cyber-savvy environments for a long time,” Robertson explains — but even with that groundwork, fast pivots are sometimes necessary. “We started with a pretty strong foundation prior to the past 19 months, but we really had to think differently for a lot of reasons.”
Of course, what she’s referring to is the huge and unplanned changes caused by the Covid-19 pandemic and subsequent lockdowns.
“Some of our staff continued to work every day in controlled spaces […] and that, of course, had its own challenges in a pandemic,” Robertson said. “But then we did have some clients who were ready to start thinking a little bit differently, and that meant we had to quickly adapt — not just from a resources perspective […] but back to security.”
Robertson makes an important distinction here: your company's internal stance on remote work may differ from your clients'. That makes it beneficial to have the organizational flexibility to adapt to each client's specific needs and requirements.
“Having that mindset change of what does [my job] mean if I’m doing it in a different place? What do I need to think about that maybe I hadn’t thought about before?”
Even though the pandemic posed its challenges, Booz Allen already had a hybrid work structure that meant the company could land on its feet. “I think that foundation of a cybersecurity-savvy culture really helped us there, that people were ready to adapt pretty quickly to it,” Robertson said.
How can an organization’s workforce stay cyber aware while working remotely?
Remote work introduces a whole new set of challenges in maintaining a high level of data security and privacy. Unlike staff in a controlled office environment, remote workers typically rely on their own internet connections, home networks and sometimes personal devices to complete work-related tasks, none of which the organization controls or monitors to the same degree. That widens the attack surface considerably. Luckily, Robertson has some practical ideas for keeping a remote workforce cyber aware.
First, Robertson recommends having constant training in place. That means throwing out the quarterly cybersecurity presentation in favor of hands-on security awareness training on a more regular basis. Keeping the training content fresh will prevent your staff from becoming bored and disengaged. Instead, they’ll constantly be presented with new and ever-evolving challenges that keep them on their toes.
In addition to a rigorous training program, Robertson explains that it’s essential to have reinforcement from leaders in the organization. This top-down reinforcement will ensure that all leaders — even those from non-technical departments — will make cybersecurity an everyday priority.
How do you personally build a cyber-aware culture into a remote workforce from a leadership perspective?
A cyber-aware culture starts from the top of the organization. For Robertson, this means getting serious buy-in from senior leadership.
“They are likely viewed, right or wrong, as the culture owners. So they need to help establish that culture.” Robertson adds, “They also need to be ready to do this for the long haul. Right? It can’t just be a bandaid. You’ve got to get some commitment from them that this is something that is going to be perpetual and not just a one-time event.”
Don’t be afraid to inject some fun into cybersecurity training. “We are famous for food as a motivator around Booz Allen,” Robertson laughs. “We have lots of competitive people around here, so we love to say whoever gets to a hundred percent participation first gets a pizza party.”
What’s the best “cadence” for providing successful remote training?
At Booz Allen, cybersecurity is baked into the company's culture, meaning that training sessions are frequent and regular. Robertson's team approaches training from various angles to keep it fresh and engaging. One format they use is a small group session led by a trained facilitator. They also use web-based training that employees can complete from home.
Robertson also likes to embed automated lessons and activities into day-to-day work to keep training engaging. "We do some mock phishing testing where folks will get an email, and they have an opportunity to send it to our [IT] team. Or if they happen to click a link in it and it's not something they should be doing, they say, 'Oh, you've been caught!'"
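To make the mock phishing mechanism concrete, here is an added example of the two pieces such a test needs: a per-recipient tracking link whose token is HMAC-signed so a click can be attributed to a user without the token being guessable or forgeable, and a scorer that turns the resulting events (reported to IT, clicked, or no action) into per-user outcomes. This is illustrative code written for this article, not Booz Allen's tooling; the campaign key, the landing URL and the event log are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Per-campaign signing key. In a real deployment this stays server-side;
# here it is generated at import time purely for the example.
CAMPAIGN_KEY = secrets.token_bytes(32)
TAG_LEN = 16  # truncated HMAC-SHA256 tag appended to each token


def make_link(base_url, campaign_id, user_id, key=CAMPAIGN_KEY):
    """Build a tracking URL whose token binds campaign_id and user_id.

    The token is base64url(msg || HMAC(key, msg)[:TAG_LEN]); a recipient
    cannot alter it to impersonate another user or campaign.
    """
    msg = f"{campaign_id}:{user_id}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    token = base64.urlsafe_b64encode(msg + tag).decode().rstrip("=")
    return f"{base_url}?{urlencode({'t': token})}"


def parse_token(token, key=CAMPAIGN_KEY):
    """Verify a token from a clicked link; return (campaign_id, user_id) or None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (binascii.Error, ValueError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    msg, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time comparison so tag checking does not leak timing.
    if not hmac.compare_digest(tag, expected):
        return None
    campaign_id, user_id = msg.decode().split(":", 1)
    return campaign_id, user_id


def token_from_link(link):
    """Pull the token back out of a link, as a landing page would."""
    return parse_qs(urlparse(link).query)["t"][0]


def score_campaign(events):
    """Reduce an ordered list of (user, action) events to outcomes.

    Actions are "sent", "clicked" or "reported". A user's first action
    after "sent" decides the outcome, matching the interview: reporting the
    email to IT is the desired result, clicking the link means "caught".
    """
    outcomes = {}
    for user, action in events:
        if action == "sent":
            outcomes.setdefault(user, "no_action")
        elif outcomes.get(user, "no_action") == "no_action":
            outcomes[user] = action
    counts = {"reported": 0, "clicked": 0, "no_action": 0}
    for outcome in outcomes.values():
        counts[outcome] += 1
    total = len(outcomes)
    return {
        "outcomes": outcomes,
        "counts": counts,
        "report_rate": counts["reported"] / total if total else 0.0,
        "click_rate": counts["clicked"] / total if total else 0.0,
    }


# Constructed event log for one campaign (not real data).
SAMPLE_EVENTS = [
    ("alice", "sent"), ("bob", "sent"), ("carol", "sent"), ("dave", "sent"),
    ("alice", "reported"),
    ("bob", "clicked"), ("bob", "reported"),
    ("carol", "clicked"),
]

if __name__ == "__main__":
    link = make_link("https://training.example/landing", "q3-2021", "alice")
    print(link)
    print(parse_token(token_from_link(link)))
    print(score_campaign(SAMPLE_EVENTS))
```

The signed token matters more than it looks: if the tracking parameter were a plain user ID, a recipient could forward the link with a colleague's ID substituted and "report" or "click" on their behalf, corrupting the numbers leadership is asked to act on.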
Injecting the training into daily life also boosts knowledge retention.
“We find that to be most effective because I think all of us have probably suffered through learning something, and then you don’t use it for several months, and it just evaporates. So really injecting it into the workspace is one of the most effective ways you can do it.”
Be creative in your training
Ultimately, Robertson thinks it is important to implement a remote program that meets your organization's unique needs. In other words, what works for some security teams may not work for others. She advises teams to always "think about it creatively and pick your cadence around that."