Cyberattacks are on the rise while the talent to combat them is running short. Globally, there are 3.5 million open cybersecurity positions, according to Cybersecurity Ventures’ Boardroom Cybersecurity 2022 Report. And Booz Allen Hamilton, a Fortune 500 tech management consulting company, is turning a great deal of its attention to what executive vice president Brad Medairy calls a “national problem and a collective crisis”: cybersecurity.
Booz Allen starts entry-level cybersecurity staffers at up to $150,000
By Sydney Lake
August 15, 2022, 2:31 PM
Booz Allen has about 30,000 employees, and more than half of them are in a technical role, chief people officer Betty Thompson tells Fortune. It’s difficult to say exactly how many Booz Allen employees are part of its cybersecurity business because many of them wouldn’t necessarily fall into that explicit category, Thompson says. However, Booz Allen has one of the largest cybersecurity professional service teams in the industry, according to research from management consulting firm Frost and Sullivan.
“It’s a large part of our workforce, and it’s a really important part of our workforce,” she says. “And we are on the hunt like everyone else for the talent externally at all levels.”
On par with national averages for cybersecurity jobs, Booz Allen pays its entry-level cybersecurity employees salaries that range from $95,000 to $150,000, while experienced nonexecutive employees earn between $140,000 and $240,000. Senior executives earn more than that and are eligible for bonuses, a Booz Allen spokesperson says.
Fortune sat down with Medairy and Thompson to learn more about the national cybersecurity threat, the challenges of the industry’s talent gap, and how the company is getting ahead of the curve.
The following interview has been edited for brevity and clarity.
The national cybersecurity crisis
Fortune: Why is cybersecurity such a hot topic now?
Medairy: The great power competition is alive and well. Our near peer adversaries have tremendous capabilities. If you look at messaging coming out from the national cybersecurity director, Chris Inglis, our nation is at risk. As a nation, we need to figure out how to protect not only the U.S. federal government, but also our critical infrastructure and other sectors.
If you look at the evolution of technology over the past 20 years, we started with mobile and cloud. Now when you look at an enterprise, everything is connected. There’s cloud; there’s software as a service. The enterprise boundary has expanded. We look at IOT [Internet of Things] where more and more devices are connected, but the most interesting thing, I think—and frankly, probably the most alarming thing—is the emergent intersections of cyber in the physical world.
Look at the Colonial Pipeline cyberattack. When the Colonial Pipeline was attacked with ransomware, that actually transferred from the digital world into the physical world where it shut down the pipeline and it disrupted travel on the East Coast. That was actually caused because they were worried about risk to industrial control systems, their OT [operational technology] environment, which is the facilities that actually, in that particular case, moved all the fuel and the oil across the United States.
We have a national problem and a collective crisis. We need to employ and deploy top talent to be able to build mechanisms to better secure our critical infrastructure, our federal government, and our national security systems.
Booz Allen’s cybersecurity business
Fortune: How big is Booz’s cybersecurity business?
Medairy: Frost and Sullivan, a management consulting firm, has done an annual assessment of the cybersecurity industry, and they have identified us as the largest provider, for several years in a row, of cybersecurity professional services in North America. We have a very large—based upon their assessment—one of the largest cybersecurity professional service teams in the industry. We deploy that talent across the U.S. federal government and also the commercial sector in the United States. But what’s interesting about the cyber talent, which makes it difficult to count people, is because cybersecurity is a multidisciplinary sport.
By that I mean that when you look at a cybersecurity engagement, you’re going to need SOC analysts, you’re going to need malware analysts. You’re going to need reverse engineers. You may need folks with embedded systems experience. You may need data scientists, you may need machine learning engineers, you may need software developers.
Thompson: We have about 30,000 employees, and more than half of them are in a job family that’s technical. And that even wouldn’t give you a full picture of the cyber talent because of what Brad said. Many of them wouldn’t necessarily fall into these very explicit categories. So it’s a large part of our workforce, and it’s a really important part of our workforce. And we are on the hunt, like everyone else, for the talent externally at all levels. We look for luminaries. We look for people with experience. We’ll look for people coming out of the schools. And then we look for people with aptitude and a desire to be in this field and to learn more about it. We have an upskilling program and we work with universities in a variety of ways.
Fortune: What type of cybersecurity upskilling does Booz offer?
Thompson: We have educational benefits that our employees take advantage of called FlexEd, and it provides up to $10,000 a year for traditional academics, certifications, licenses, even attending conferences that have an educational component to it, subscriptions. There are all kinds of ways that they can qualify or build up their skills in these fields.
Because diversity in our population is really important to us, we look for ways to bring more diversity into that particular skill set and workforce. What’s really helpful is when we have diversity in leadership, so that people can see people like them that are successful, whether it’s the women in data science, or the women engineers, or Black women engineers.
The cybersecurity talent crisis
Fortune: What’s making it so challenging to fill cybersecurity positions?
Thompson: It has just exploded in terms of how great the need is. There’s also a marketing component to it in terms of how great and fulfilling these careers can be. I think sometimes people think you’ve got to be a computer geek, as opposed to people who like to figure out puzzles, people that are really innovative, people that are creative. There’s some of what we need to work on is how to really market this field as a great and interesting place to work, not just that it’s going to pay well, and that you’re going to be on a mission that’s important because that certainly appeals to people as well.
Medairy: Demand is high, supply is low, and there’s a gap. The other thing that I’ve seen a lot is because the demand is so high, it presents a tremendous amount of mobility for talent in the space. We see a lot of across the industry folks that will move jobs every couple years. There’s so much opportunity. One of the things that we’ve really focused on as a firm is providing a longer runway and a career journey. That’s opposed to going to this other entity to do something different. They have mobility within our firm so that they could spend a couple years on a federal engagement, they could move into the commercial sector. They could move into a different mission segment.
We’ve seen in our national cyber platform that our attrition is well below industry average. I think what makes it so hard is there’s tremendous demand. There’s tremendous opportunity that makes it hard to find people, but it also makes it hard to retain people. We spend a tremendous amount of effort on the employee value proposition and that holistic experience for our talent.
Cybersecurity careers at Booz Allen
Fortune: What does a cybersecurity career trajectory look like at Booz?
Medairy: What’s really promising is the universities now are really producing amazing talent. We tend to invest really early in their university journey. We have an amazing internship program called the Summer Games. We have hundreds of interns a year. By investing early in their careers while they’re still in the university, we give them the opportunity to really get hands-on experience in cybersecurity very early.
The cybersecurity field requires—more so than any field that I’ve seen—continuous learning. It requires an investment in them to continue to upskill them. So upskilling is a big part of what we do. It’s apprenticeships. We do hackathons; we do hacker trivia. We invest heavily in training, in graduate programs, to continue to sharpen their skill sets.
Thompson: We have a way of connecting individuals to future opportunities and then identifying what skills they might need to acquire in order to qualify for those. They can identify opportunities that we’re looking for that are open and internally managers can find them based on the skill sets that they’re looking for. There’s a lot of opportunity there for people to do different things and have the resources that they need with our FlexEd program.
We have more than 12,000 employees that possess cyber certifications in a variety of forms, so there’s a lot of skills that we can tap into. And in fact, about 1,500 of our externally posted positions were filled internally last year. There’s a lot of opportunity in our firm, just based on the huge amount of work that we have in this space.
Fortune: What’s next for the cybersecurity business at Booz Allen?
Medairy: Some big areas that we’re focusing on are the impacts of quantum in the cyber domain. How does that impact our client security posture? 5G is going to become pervasive worldwide. What are the security impacts of 5G as everything starts to be connected and everything starts to move out to the edge?
The talent problem is not going to go away anytime soon, and that presents a tremendous opportunity to bring automation and machine learning to our clients. How do we apply our AI/ML [artificial intelligence/machine learning] practitioners into the cyber domain to be able to accelerate our client’s ability to automate and to use machines to help combat these emerging threats?
There’s also a tremendous amount of investment in cyber technology. If you look at Silicon Valley, there’s north of $10 billion worth of investment in cybersecurity tools and technologies. The one thing that we’re focused on is how do we feel like we’re the best bridge between our clients and the commercial product space, and how can we apply emerging and commercial technologies in a practical way to support our client’s mission?
Thompson: On the talent front, what we’re looking at is finding those populations that are underleveraged or underutilized as it relates to this type of work. Partnering with diverse organizations, the military tech workforce initiative is a key one for us. We have a large veteran population. They have basic skills and sophisticated skills that we can leverage and then continue to invest in them in terms of their training. We also have a lot of university partnerships including HBCUs. We’ve also worked closely with and will continue to invest in the CyberPatriot, which is a national youth cyber education program created by the Air Force. It’s intended to inspire kindergarten through 12th-grade students toward careers in cybersecurity as well as other STEM disciplines.
We’re trying to get all the dimensions of the talent that’s out there, but with a particular emphasis on ensuring that we continue to have a diverse workforce by tapping into these populations.