How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
Before the pandemic, many organizations experimented with hybrid or fully remote working environments. The onset of the pandemic only accelerated that transition. Cybersecurity jobs are no different, but the need to maintain a high standard of information security poses some challenges in a hybrid environment. One company that pioneered hybrid work for security teams is Booz Allen Hamilton.
Vice President of Booz Allen Becky Robertson has been managing security teams in a hybrid environment for many years, and she's well-versed in how to hire, train and retain Booz Allen's security talent.
Phishing simulations & training
What's the hybrid work situation like at Booz Allen?
"We've been working in what I would call cyber-savvy environments for a long time," Robertson explains — but even with that groundwork, fast pivots are sometimes necessary. "We started with a pretty strong foundation prior to the past 19 months, but we really had to think differently for a lot of reasons."
Of course, what she's referring to is the huge and unplanned changes caused by the Covid-19 pandemic and subsequent lockdowns.
"Some of our staff continued to work every day in controlled spaces [...] and that, of course, had its own challenges in a pandemic," Robertson said. "But then we did have some clients who were ready to start thinking a little bit differently, and that meant we had to quickly adapt — not just from a resources perspective [...] but back to security."
Robertson makes an important distinction here that your company's internal stance on remote work may differ from your clients'. That makes it beneficial to have the organizational flexibility to adapt to the client's specific needs and requirements.
"Having that mindset change of what does [my job] mean if I'm doing it in a different place? What do I need to think about that maybe I hadn't thought about before?"
Even though the pandemic posed its challenges, Booz Allen already had a hybrid work structure that meant the company could land on its feet. "I think that foundation of a cybersecurity-savvy culture really helped us there, that people were ready to adapt pretty quickly to it," Robertson said.
How can an organization's workforce stay cyber aware while working remotely?
Remote work introduces a whole new set of challenges in maintaining a high data security and privacy level. Unlike working in a secure office environment, remote workers typically use their internet connections, networks and devices to complete work-related tasks. This creates a ton of risk in terms of cybersecurity. Luckily, Robertson has some great ideas for keeping your remote workforce cyber aware.
First, Robertson recommends having constant training in place. That means throwing out the quarterly cybersecurity presentation in favor of hands-on security awareness training on a more regular basis. Keeping the training content fresh will prevent your staff from becoming bored and disengaged. Instead, they'll constantly be presented with new and ever-evolving challenges that keep them on their toes.
In addition to a rigorous training program, Robertson explains that it's essential to have reinforcement from leaders in the organization. This top-down reinforcement will ensure that all leaders — even those from non-technical departments — will make cybersecurity an everyday priority.
How do you personally build a cyber-aware culture into a remote workforce from a leadership perspective?
A cyber-aware culture starts from the top of the organization. For Robertson, this means getting serious buy-in from senior leadership.
"They are likely viewed, right or wrong, as the culture owners. So they need to help establish that culture." Robertson adds, "They also need to be ready to do this for the long haul. Right? It can't just be a bandaid. You've got to get some commitment from them that this is something that is going to be perpetual and not just a one-time event."
Don't be afraid to inject some fun into cybersecurity training. "We are famous for food as a motivator around Booz Allen," Robertson laughs. "We have lots of competitive people around here, so we love to say whoever gets to a hundred percent participation first gets a pizza party."
What's the best "cadence" for providing successful remote training?
At Booz Allen, cybersecurity is baked into the company's culture, meaning that pieces of training are frequent and regular. Robertson's team approaches the training from various angles to keep the training fresh and engaging. One format they use is a small group session led by a trained facilitator. They also use web-based training that employees can complete from home.
Robertson likes to inject training into the workplace with automated lessons and activities to keep training exciting. "We do some mock phishing testing where folks will get an email, and they have an opportunity to send it to our [IT] team. Or if they happen to click a link in it and it's not something they should be doing, they say, 'Oh, you've been caught!'"
Injecting the training into daily life also boosts knowledge retention.
"We find that to be most effective because I think all of us have probably suffered through learning something, and then you don't use it for several months, and it just evaporates. So really injecting it into the workspace is one of the most effective ways you can do it."
Phishing simulations & training
Be creative in your training
Ultimately, Robertson thinks it's important to implement a remote program that meets your organization's unique needs. In other words, what works for some security teams may not work for others. She advises to always "think about it creatively and pick your cadence around that."
ChatGPT training
In this Series
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization