
Collaboration is key: IBM and Booz Allen Hamilton weigh in on attracting and retaining cyber talent

February 14, 2022 by Christine McKenzie

For the organizations on the front lines of cyber defense, defeating cybercriminals isn’t the only challenge; so is hiring and retaining the very people who do the defeating. Between the skills gap and the difficulty of finding qualified candidates, companies in all industries struggle to attract and retain cybersecurity professionals. A whopping 3.5 million cybersecurity jobs were predicted to be unfilled in 2021 alone.

What can organizations do to attract and retain talent? And how can partnering with human resources and learning and development teams help? To answer these questions, industry experts Garrettson Blight, Director of Dark Labs at Booz Allen Hamilton, and Eric Jeffery, Sr. Security Solutions Architect at IBM Security and podcast host of the Cybersecurity Grey Beard, shared their experience with Infosec. 


Closing the skills gap with learning and development


By now, we’re all too familiar with the dreaded skills gap that’s been plaguing cybersecurity hiring and retention for more than a decade. Both Garrettson and Eric agree that one of the best ways to attract new cybersecurity talent, and retain them for many years to come, is to commit to meeting their educational needs. And that commitment should be communicated on day one of the recruitment process.

Eric explains that benefits like educational stipends and access to educational resources can be a make-or-break decision factor for many cybersecurity professionals. He advises hiring managers to “understand that education in some ways is more important than healthcare.” This is especially true for early career recruits and military veterans looking to re-skill. Eric is adamant that educational benefits need to be at the forefront of the conversation during the hiring process. 

Garrettson adds to this by advising management to look ahead and anticipate what skills the organization will need in the future. Management should be able to say with confidence, “This is where I see the business going, and so this is where I see our hires needing to be. Therefore, we’re going to need future L&D programs in these new technologies.” Keeping L&D in the loop is one of Booz Allen’s strategies for attracting new talent and boosting employee retention in the long run. And it worked wonders when Garrettson realized that Booz Allen’s operations research staff would need to upskill into artificial intelligence and machine learning. “We held a Data Science 5k, as we called it, which was a kitschy name for a program where we could train a lot of people across the firm with challenges.”  


For training and career pathing, collaboration is key


When an organization signals to an employee that it truly cares about their long-term growth, the employee is less likely to leave for greener employment pastures. Investing in an employee’s training and career pathing is one of the best ways to send that message. Booz Allen and IBM each take their own approach to training and career pathing, which we’ll explore below. But despite these differences, one thing remains consistent: ongoing communication between cybersecurity teams, L&D and HR.

At Booz Allen, the bedrock of their career pathing program is a system of job families. Every role at the company is grouped within a job family based on core skills and responsibilities. Employees join a job family when they’re first hired and can change families if they gain new skills or select a new career path. Depending on what family someone falls into, they’ll go through different training routes. For example, new hires from non-cybersecurity backgrounds go through a five-week Technical Excellence program. Hires with more technical backgrounds will receive advanced hands-on training and labs handled by the L&D team. The goal is to ensure that all staff can hit the ground running on day one of their jobs and continuously update their skills during their tenure. 

Garrettson builds on this by adding, “If you can’t meet the intentions and motivations of the people, they’re gonna move on. It’s a lot more costly to invest in somebody new than to retain someone who is already a quality contributor and performer.” 

IBM takes a different approach to employee learning and development. Their employees have access to a learning platform called Think 40. Everyone at the company is encouraged to have at least 40 hours a year of ongoing learning, and Friday afternoons are blocked off for self-improvement. Training is self-guided and cross-functional, so someone in finance can take a cybersecurity course. 

But employees need more than a massive library of training materials to succeed. Since the sheer number of options can be overwhelming, Eric suggests mentoring employees to help them narrow down which resources are best based on their career goals. This is just one example of how management and L&D can work together to help staff get the most out of their professional development activities.


Best practices for collaborating with internal partners 


Start building connections with L&D and HR sooner rather than later, even if you don’t have a specific project on the horizon just yet. Garrettson explains that you should be familiar with these departments long before you start pitching projects or making requests. With good rapport comes trust, which is a key ingredient to getting the support and buy-in you need to succeed in your training program.

He also advises that everyone involved, regardless of their department, should feel like an equal stakeholder. “Just treating everyone as equal partners across the organization has been very helpful. We have routine working sessions when we’re trying to evolve a new training program, or just think about how else can we evolve what we’re doing today?” 



A word of advice to early career cybersecurity professionals 


For Garrettson, the best thing someone can do at the start of their career is communicate their needs. “If you don’t say something, nobody knows what your needs are.” And for professionals who are further along in their careers, he emphasizes the importance of consistency. He explains that when managers are inconsistent with their expectations, it’s confusing to staff. Maintaining clear, consistent expectations with staff will help them understand their goals and feel confident that they’re achieving them. 

Eric has this message for managers working with trainees: “When you’re teaching somebody or learning with somebody, find out what’s best for them. Find out what they want.” He recommends different formats for different learning styles, like podcasts for audio learners, YouTube for visual learners and Amazon Web Services for hands-on learners.

Ultimately, the best way to attract new talent and retain existing workers is by investing in ongoing training and development. And rather than being something a manager has to tackle alone, it’s most effective when done in tandem with Human Resources and Learning and Development. 







Christine McKenzie is a professional writer with a Master of Science in International Relations. She enjoys writing about career and professional development topics in the Information Security discipline. She has also produced academic research about the influence of disruptive Information and Communication Technologies on human rights in China. Previously, she was a university Career Advisor where she worked extensively with students in the Information Technology and Computer Programming fields.