[00:00:00] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. For 12 days in November Cyber Work is releasing a new episode every single day. In these dozen episodes we’ll discuss employee engagement, team building, career strategies, security awareness essentials, the importance of storytelling in cyber security and answer questions from actual cyber security professionals and newcomers. For our fifth episode entitled Building Stronger Teams, we welcome Katie Boswell, director of KPMG Cyber; and Jason Jury, lead associate at Booz Allen Hamilton.
Katie and Jason take you behind the scenes of KPMG's Cyber Academy and Booz Allen Hamilton's CyberCore programs respectively to share inspiration and strategies for building security talent internally and providing their staff with progressive career path opportunities. We hope you enjoy this 30-minute discussion between Katie and Jason along with moderator Jeff Peters. And if you want to learn cyber security, all Cyber Work listeners can get a free month of access to hundreds of courses and hands-on cyber ranges with Infosec Skills, which is aligned to the work roles, knowledge and skill statements in the NICE workforce framework. Be sure to use the code cyberwork when signing up. Details can be found in the episode description below. Catch new episodes of Cyber Work every Monday at 1PM Central Time on our YouTube channel or wherever you get your podcasts. And now let’s start the show.
[00:01:28] JP: So to kick things off, let’s have each of you quickly share your role within your organization and just a 30,000-foot view of the training and development program that you manage. Katie, we can start with you.
[00:01:41] KB: Awesome. Thanks so much, Jeff. As Jeff said, I’m Katie Boswell. I work at KPMG. I’m a director here in cyber security. And one of my roles is also that I lead our learning and development of all of our cyber practitioners. We do that primarily through something that we call Cyber Academy. I’m sure I’ll be referencing that as we speak today. And also a combination of other learning and development tools.
[00:02:09] JP: Awesome. And then you, Jason?
[00:02:12] JJ: Hi. So Jason Jury. I work at Booz Allen Hamilton. I’m the corporate cyber security training and development manager. I would say the majority of my time is spent working with leaders from the firm to really create different learning experiences that help us bridge the gap between our business market and talent development strategies. In addition to that, I would say anything soup to nuts that has to do with cyber security training, whether that’s getting certified or staying certified. That’s all in my wheelhouse.
[00:02:47] JP: Awesome. Yeah. And let’s just talk real briefly about the participant profiles of those who are involved in those two different programs, the Cyber Academy and CyberCore. Who is it primarily that you guys are focusing on in terms of that training? If you want to go first, Jason?
[00:03:03] JJ: Sure. So CyberCore is one program that we offer at Booz Allen Hamilton, and that’s really helping individuals assimilate into a cybersecurity role. In addition to that, we also have many other programs that are more intermediate or advanced in that respect. So really broad range, but definitely – Yeah, those would probably be the points I would touch on.
[00:03:34] KB: Yeah. It’s very similar for us at KPMG. So we have our Cyber Academy program. Really touches on our full range of professionals. So we’re talking about those who are joining us maybe straight out of college or a technical school to those individuals who are very senior in their careers. It’s really important for us that we have a mix of training that’s going to span those various levels and needs. And also supports people’s really individual career paths and the things that maybe they’re passionate about that align with the business needs that we’re seeing and the needs of the clients that we’re working with.
[00:04:17] JP: Yeah, awesome. So let’s talk a little bit about those new recruits. It sounds like you’re training some new recruits with limited experience. So given this, are you doing anything to assess those candidates to ensure that they’re a fit for the program and they get started off on the right foot? You can go ahead, Jason.
[00:04:34] JJ: Sure. So there are two things that we’re doing. One, we have skill assessments, which are really just helping us assess where they’re at. And so this is really more IT cyber foundation skill assessments. And then something else that we introduced last year was the aptitude assessment, which is really helping us determine whether or not they’re a good fit. And so that really just covers everything from personality. What motivates that individual? The adaptability, situational judgment. How they evaluate different sets of data? So it’s really a combination of the two, and it’s for their benefit as well. We want to make sure that while they raise their hand and say, “I want to get into cyber,” that it truly is a good fit for them and also for our organization.
[00:05:29] JP: Yeah. And how about Cyber Academy? Is there a barometer that you use there, Katie, to assess program fit?
[00:05:35] KB: Yeah. So we do it a little bit differently. We rely on the strong relationships that we have between our performance managers, transitional coaches, which is a specific role that we have helping professionals who are straight out of school come into the firm and really just help understand like what they’ve been passionate about. What they really focused on in school, right? So we can identify a learning path for someone who really is well-adapted to, let’s say, programming, right? And that’s something that they really love to do. Going to be different from somebody where maybe that wasn’t their strongest to, right? And so instead of having a formal program, we’re relying on really getting to know our professionals and having those professionals be really well-versed in the different areas of training that are available and the different learning paths.
And then we do have formalized learning paths that will help those more senior team members really help them align and understand where they would fit in. But it is very important for us to make sure that they do have those really strong foundational cyber skills. So that’s something that we try to cover broadly for all of our new professionals who come into the firm that we’re giving them that opportunity to either build or strengthen that strong cyber security foundational base.
[00:07:00] JP: Yeah, that’s really good to hear. I’d like to dig into those actual – I’m sorry. I guess, different phases and steps of your training program. So can we get into the first phase? And you mentioned some of it is formal. Some of it’s a little more informal. But what are sort of the first program elements for Cyber Academy in terms of like curriculum or roles or things that they’re going to be working on?
[00:07:25] KB: Yeah. So we hope that when our professionals come in that we have had an opportunity through getting to know them perhaps through an internship program or just through the interviewing process, right? That we have a good understanding of what they’ve learned at school. What they’re interested in doing. We want to get into that in greater detail. But we have a pretty good idea of where within our communities within cyber they’re going to fit. And so then we have a baseline training for each one of those areas.
So for instance if you’re somebody who’s come into a community where the majority of your work is going to be around something like identity and access management, that we have a course that’s specifically built to enable you to get that really foundational knowledge. So we have an identity and access management fundamentals course. And then we’ve paired up with vendors and partners that we work with to make sure that we have the opportunity to then build on that. So we’re giving you the fundamentals. Then we’re going to give you the background about how we deliver that out to our clients. What are our methodologies? What are the enablers that we use that we’ve built that are specific to our organization? And then we build and layer on top of that additionally with any tool-specific or vendor-specific. So if you’re going to use an identity and access management tool, we’re working with a vendor and partner to make sure that they have a base understanding of that tool. What it needs to implement it? How we do that out in the field? So that when they walk away from that initial training, first coming into the firm, they can leave there feeling like they have a really strong understanding of the key areas that they’re going to work in from a fundamental view. But also that they’ve got some hands-on experience that they’re going to be comfortable doing these base implementations. And I know we’re going to get into this, but there’s also that aspect of mentorship that comes in to really kind of tie it off and make sure that they have that core fundamentals and also a path to be successful doing that, but they’re not kind of thrown out on their own, and that they leave that training with an expectation that they have the support that they need.
[00:09:47] JP: Yeah. Yeah. That sounds really comprehensive. Jason, is it a similar approach with CyberCore in terms of how you look at it?
[00:09:55] JJ: Yeah. So definitely a lot of commonalities. I would say our communications really start at the recruiting phase. So we partner with the different recruiting teams. And so at the recruiting events, either I or one of my colleagues will go there and actually present to the candidates about the CyberCore program. So it’s a, “Hey, if you decide to join Booz Allen, here’s what your first 4 or 12 weeks are going to look like all depending on the cohort.” Once they actually join the firm and start the program, one of the first things that we do after onboarding is really just pair them up with a mentor. And I will also talk a little bit more about that as well. But throughout the program, it’s a combination. It’s really a curated experience where we’re taking them through the introductory cyber courses. We’re also helping them understand what cyber means in the industry, but also at Booz Allen as well, because we want to make sure that they understand our mission. What we do. Why we do it.
In addition to that, we also walk them through things like risk management framework, which is essential for anyone working in the cyber security space. Other things that we do I would say is we really help them prepare on how to study for exams. Good note taking, things like that, because many of the individuals that are coming in did not have a cyber or IT background. So we’re really building talent. And so we want to make sure that we prepare them in a way where the day they sit for the exam they’re not going to have a panic attack because this is a really difficult thing and I didn’t know what to expect. So we take all those things into consideration.
Some of the other things that we do, we have a springboard course that really covers the essentials of all the different networking areas that map to Security+ and some of the other areas that they need to be spun up on. In addition to that, we also – Last year we started simulations. So gamifying the actual experience. And so we have quizzes. We have all different types of ways to actually study in a very interactive way, in a gamified way. And the simulations that we incorporated are actually pretty fun. We have them team up with a group and they are now the CIO of a specific organization. And maybe they have to stop a ransomware attack or something to that effect. And we give them a certain amount of budget and they can only make certain amount of decisions. It’s really a real-life-based scenario, but they have a lot of fun. And the overall goal is to help them really assimilate well into the actual program. And then the last thing is really just prepping for CompTIA Security+. So while we are working towards the Security+ certification, we also want to make sure that they learn everything else that’s essential for them before they start a career in cyber.
[00:13:10] JP: Yeah. It sounds like you guys both brought up mentorships a few times, and I would imagine that really helps when you talk about making them, I guess, feel at home and part of the culture. So could you talk a little bit more about the peer-to-peer programs and the impact that you think that they have? Maybe we could start with you, Katie.
[00:13:30] KB: Yeah. Absolutely. So we used to have – Well, we do have structured mentorship programs that align also to kind of those key communities that I was talking about. And it’s important to us to make sure that that mentorship exists throughout all levels of our communities. So again using the example within identity and access management. You’re getting that training. And then you’re also getting somebody who is going to help you really understand, right? I mean, it’s one thing to take a training. It’s another thing to actually be able to feel like you’ve walked away and you’re able to apply it to your day-to-day job. That’s where I think that mentorship is really important. It also acts as a lifeline, right? So if you’re out working with a particular client and you’re up against a problem, you have somebody that you feel comfortable with and have a relationship with that you can call up and say, “Hey, this is something that I don’t really feel prepared to respond to,” which of course we hope doesn’t happen, but sometimes does. And so giving them somebody that can help them with that. And then we pair that up with our community approach, right? So we also give those people at all aspects of the mentorship program an opportunity to join in with community calls where they are able to see presentations from other teams so that they can learn about what’s happening with other groups. What other people’s experiences are, and also give them an opportunity to present, which is also a great way to work on personal presentation skills in a safe place. Be able to kind of present and talk about some of the things that they’re doing, that they’re excited about. And that to me has been really successful for us, right? And it also gives our senior team members and our very technical staff an opportunity to help us grow our professional talent and really sort of the next generation of technical specialists.
And that really plays into some of these areas within cyber security. Well, most of them, they can be very niche, right? They’re very specific. When we go in to help a client around identity and access management, we really need to make sure we’re sending in people that have that deep expertise. And so that’s about growing and sort of passing on that baton and raising each other up. That’s really become a deep part of our culture here.
[00:15:45] JP: Yeah. Is it similar with you, Jason?
[00:15:49] JJ: Yeah. Again, a lot of similarities. We definitely have cyber leadership at the firm come to. And I’ll talk specifically about our CyberCore program. So we have different practitioners. And so our cyber leadership team come and actually meet with the participants of the program. In addition to that, we have folks who have graduated from our program who are now working maybe in a SOC or NOC or as an incident responder come back and talk about how they’re applying the skills that they learned through the program in their job on a day-to-day basis.
In addition to that, at the beginning of every single cohort one of the first things that I do is plant the seed of once you’ve graduated from this program, we would love for you to come back and participate as a mentor. And every single individual that goes through a program has a mentor assigned. And the beauty of that is really we’re building a community, but also they’re assigned a mentor that literally just went through the same program. So they feel their pain. They understand the process, the ecosystem that we’re using. So yeah, we definitely focus on providing different mentoring opportunities.
In addition to that, the firm as a whole outside of the CyberCore program, we have tons of cyber engagement activities, events, info sessions, sessions with leaders where they talk about some of their best practices. How they actually found cyber or if cyber found them and so on. So definitely a lot of mentoring opportunities for our employees.
[00:17:39] JP: Awesome. Awesome. I’d like to switch gears and spend a few minutes now talking about career development beyond the initial onboarding programs. One of the interesting statistics that I found is we did a research study last year with nearly 800 information security professionals. And not surprisingly, about 90% said that they’re learning new skills every single month. But what really surprised me was that 62% of them indicated that they weren’t really sure that they were learning the right things or what it is that they should be learning. I mean, they knew they should be learning, but they weren’t sure what.
And in that survey there were people with three years’ experience, five years’ experience, ten years’ experience. So it wasn’t just entry level folks that maybe needed a little more clarity around their career progression or skill development. So I’m curious if you guys find similar things in your organization with your IT and security folks and how you approach that. So maybe we can start with you, Jason.
[00:18:34] JJ: Sure. I’ll preface this with there’s no silver bullet, right? There’s no one solution that fits all or even fits most in some cases. So something that I learned throughout my career and especially here at Booz Allen is that while we used to focus really on role-based learning plans and curating experiences specifically for a role, the roles will vary from company to company. And it could be based on the size of your organization. So we’ve really shifted gears and we’re focusing more on the top skills that are in demand versus prescriptive career paths.
In terms of what we have, definitely we have websites, internal websites that employees have access to. And the way that our cyber learning website is structured is in a way where we really touch on the top categories. And when I say categories that could be offensive cyber, that could be defensive cyber, cyber engineering, or risk management framework, you name it. And then once you actually go into one of those sites, we introduce you to the overall definition of that space. So if it was defensive cyber, we would talk about what is a blue team. And then in addition to that, we also do still have some role-based recommendations, but it’s not a checklist, right?
So an individual can go in there and self-select which courses or articles or resources make the most sense. Something else that we’ve also added to most of our skill areas and even in some of the role areas are day-in-the-life videos, right? So if it was for an individual that’s working in a network operations center, it could be a day. Or in their case it could be a night, because that’s a 24×7 operation. But really we want to make sure that they understand the area. They get a perspective from different individuals. Not just from Booz Allen, but in the industry as a whole. And then we start to narrow down on some of the really specific skills. And so that could be cloud security. It could be threat hunting. It could be identity access management. Something that Katie referenced earlier. But yeah, it’s really evolved to more skill-focused versus role-focused.
[00:21:17] JP: Yeah. And then over to you, Katie, for kind of how you approach that ongoing skill development.
[00:21:23] KB: Yeah, absolutely. Jason, you’re absolutely right. There’s no silver bullet for this, and it’s very different for each individual what’s going to be helpful to them. So I think we try and make sure, one, that we’re giving people a number of options, right? It’s not just only point in time in-person training, but also providing them tools that are available on demand, which also help keep people busy if they have down time in a way that’s going to ensure that they feel productive and that they’re using that time to grow their careers.
We also make it a part of our program to really involve leaders at different levels within our various service areas. We’re very oriented around the different services we deliver. So for instance we know that building privacy professionals is going to be important to us. And so in order to do that, we make sure that we have some of our most senior privacy professionals involved in the building of our learning paths and the content of those courses, especially the ones that we’re building internally. Because as I said before, it’s really a mix between the things that we build internally that are very specific to the way that we deliver in our methodologies, as well as industry best practices or common tools that our clients are going to be looking for us to be a part of bringing into their organization.
And so by having those professionals be involved from the ground up and part of that content, it’s another way of helping build that next generation of professionals. And they also contribute to recommendations for different tools and things that they’re seeing out in the field or that their clients are using or that their friends are using maybe and bring that back. And so we have a really open door policy with people being able to kind of contribute to what ends up being a pretty curated path. And then again we have those kind of third-party on-demand opportunities for learning at all times.
[00:23:28] JP: Yeah. That’s really interesting. I wanted to follow up about in terms of mentorship you mentioned that a lot of those maybe more senior people are involved in the learning paths and some of the tools and things like that. Once you get past that initial onboarding phase where you obviously have that mentorship, is that an ongoing thing? Is that something you guys think about or focus on is making sure that you’re still providing opportunities for additional mentorship? Even kind of once they’re past that early phase of their career? Go ahead, Katie.
[00:23:58] KB: Yeah, mentorship is definitely not just like a new joiner type level. It’s something that exists up through our most senior professionals in different service areas. And then we have a really strong leadership team to support our most senior professionals, right? So maybe they come out of a very formal mentorship program, but they still have a lot of one-on-one time with those senior professionals, and they’re going to help them with questions that a prescriptive learning path just is never going to provide, right? It’s because, let’s face it, there’s technical training. This is very important. And then there’s soft skills training and direction. And we also make sure that that plays into our offerings.
Our organization as a whole is really strong about offering training up through all levels on those communications, for example, right? How to present? How to talk to clients? How to develop other professionals, right? There are all types of trainings for that. So really it’s a – Throughout every level, there’s sort of that balance between those two things all the way up from new joiner to our most senior professionals and partners in the firm.
[00:25:25] JP: Great. Is this similar with you, Jason?
[00:25:28] JJ: Yeah. So I would say beyond our program, so mentoring really applies to all. So regardless of your level, your tenure, your proficiency level. I was referring to employee level at first, but we have cyber engagement programs. And we also offer continuous support for employees. At one point in time we actually had what we call the cyber talent ambassador, and this was an individual, and their sole job was to help employees really navigate through their career and identify different opportunities. So whether that was somebody that was raising their hand and saying, “I want to get into cyber.” Or an individual that was maybe working in one specific field but really had a desire to explore other options but didn’t understand where to start.
And so I would work with that individual. And it was really a combination of having an expert, somebody with the human capital background and then really mapping opportunities with training or events based on the KSA. So definitely that is something that we continue to do. We no longer have the cyber talent ambassador. We realized that we needed more than one person, right? And so now I have a group of trusted advisors that I work with that are always willing to help the employees out. And really, it’s a three-legged race for me. I go and I meet with them, because I myself am not a cyber practitioner, right? I know enough to basically fool you, but at the end of the day, that’s not my space. But I work with them to really help identify those opportunities.
In addition to that, we have the – I mentioned the cyber engagement events. And we have one of those every month. And it’s really just a really diverse set of events, right? So one month there might be cyber jeopardy, right? And so you have everybody from the firm participating. You’re set up in teams. It’s very fun. The next month you might have one of our senior VPs talking about a new contract and what they’re looking for and what makes the most sense for us. And then we have other events. Like we hosted an event that was called Are You Interested in Starting a Career in Cyber? And we had 300 people from the firm that were not working in cyber raise their hands saying, “Yes, I want to get into cyber,” which is a good problem to have. But definitely, again, no silver bullet, right? Every single individual has a unique set of skills. And so we have to work with them to help them identify what makes the most sense. So which roles would be the easiest for them to transition to.
And then also in addition to that, what are some of the more challenging roles for them? But yeah, I mean, when it comes to mentoring, I would just say it’s an ongoing thing. Our employees also use our social platform as well to ask questions and really reach out or connect with other individuals. So we have different groups. One is like pipeline to cyber. Another one is the introduction to pen testing. So we have all different types of vehicles to really help the employees. My role is really helping them navigate through all those tools and find the right people and then identify the right training at that point in time.
[00:29:17] JP: Awesome. We’re nearly out of time. Just have a couple of minutes left. So I wanted to make sure we for sure touched on how you measure the impact and results. So maybe briefly, do you have any key metrics that you suggest other people with training programs focus on when it comes to these types of programs? Let me start with you, Jason.
[00:29:37] JJ: Sure. So I would say the first thing that people think of is pass rates, right? If it’s a certification, it’s pass rate. And we do measure pass rates, but we also measure things like the overall employee satisfaction of the individuals that go through our program versus the employees as a whole. And we do the same thing for retention rates, right? So the retention of graduates from our program. And then one of the other things that’s really interesting is we track the job placement. So time to billability, right? Upon completion of the program, how long is it taking them? Does it take them a month? Is it taking them two months? And so we track all of these different metrics to really identify or validate the success of the program. But then, again, it really boils down to the employee and their experience as well, which is the most important for us.
[00:30:32] JP: Awesome. Yeah. And then, Katie, any thoughts there? Any final words either on measuring the impact or anything else to take away?
[00:30:41] KB: No. No. I think they are very similar to what Jason was talking about for us. So I probably don’t have anything to add there. I think just that it’s very important that learning and development play into the larger journey that somebody’s career is going to take. It should be an enabler of them and their success, and then that’s going to play into their employees’ satisfaction, having a healthy work environment. All of these things are linked together. So I just think it’s really important that you not forget that this is not just a way for us to go out and make money for our business. But without our people, we don’t have a business, right? So it’s important that they have what they need to be successful in their careers.
[00:31:25] CS: Thanks for checking out Building Stronger Teams with Katie and Jason. Join us tomorrow for our second ask us anything session. Katie and Jason from today’s episode are joined by Jessica Amato of Raytheon Technologies, and Romy Ricafort of Comcast Business who you met in yesterday’s episode. The four will discuss technologies for finding and recruiting cyber talent, diversity in cyber security and the best ways to transition between different cyber security career tracks. This ask me anything will take what you’ve learned so far and apply it even further into the practical world. So I hope you’ll join us tomorrow for the next episode and the progression of the thoughts we’ve been hearing about today.
Cyber Work with Infosec is produced weekly by Infosec and is aimed at cyber security professionals and those who wish to enter the cyber security field. New episodes of Cyber Work are released every Monday on our YouTube channel and on all podcast platforms. To claim one free month of our Infosec Skills platform, please visit infosecinstitute.com/skills and enter the promo code cyberwork, all one word, all small letters for a free month of security courses, hands-on cyber ranges, skills assessments and certification practice exams for you to try.
Thank you for listening and we will see you back here tomorrow for an ask me anything and more cyber work.