
Best Places to Work for Cybersecurity Ninjas


Question: Why do some employers do a better job of attracting and retaining a critical mass of highly-skilled cybersecurity "ninjas?"

Government System Integrators Where Cybersecurity Ninjas Most Want To Work

Four Cybersecurity Experts Explain Why They Prefer These Employers


May 2017
Executive Summary

Using a metric identified in the 2016 Center for Strategic and International Studies (CSIS) report Recruiting and Retaining Cybersecurity Ninjas, we identified 57 large government IT system integrators that have built teams of cybersecurity ninjas at rates ahead of their peers and eight of those firms that have had remarkable success in recruiting and retaining ninjas. Many of these firms also lead their peers in ensuring that their employees' cybersecurity skills are kept up to date. Employer-supported training to maintain the currency of skills was one of the two highest-rated factors that impact retention of highly technical cybersecurity professionals, according to the CSIS study.

To validate and further illuminate the findings of the CSIS Cybersecurity Ninja report, we asked each of the top-rated firms to identify employees who hold very technical cybersecurity jobs. The first four of those interviews are posted below:

Booz Allen Hamilton

Northrop Grumman

In these interviews, the ninjas reinforce the findings of the CSIS Cybersecurity Ninja report and show the human side of the factors that the CSIS identified as most critical for recruiting and retention. Said differently, the interviews show the "how and why" of effective recruiting and retention through the eyes of the employees. Both Booz Allen and Northrop Grumman were among the top-rated companies on both rankings. Over the next few months we will add interviews with ninjas from other successful firms on this site.



1. Ranking employers on their ability to hire and retain cybersecurity ninjas.

2. Ranking employers on their support for training to ensure that their cyber professionals' technical skills are continually up to date.



Interview with Andrew Payne, Booz Allen Hamilton
Interviewed February 8, 2017
Malware analysis and reverse engineering
SANS Great Places for Cybersecurity Ninjas to Work

Q: What do you do at Booz Allen?

What I do on a daily basis is malware analysis and reverse engineering, going deep into the malware and trying to determine what it is doing and what is going wrong and how defensive measures could be integrated into the malware. I've been doing it for about five and a half years.

Q: Having looked at the CSIS report on what cybersecurity ninjas want, did any of their "wants" especially resonate with you?

A lot of them resonated with me, specifically the ability to maintain and progress in what I am learning and what I am capable of doing.

Q: How does Booz Allen help you do that?

They invest in my skills. They allow me to attend external conferences and encourage me to take SANS courses; that really helps a lot. They also allow and sometimes encourage me to work on side projects separate from what my day to day responsibilities are, and being able to work part-time on side projects really makes things interesting and allows me to get exposure to more than just what I am dealing with regularly.

Q: Are you unique in getting to work on side projects for your company?

It's a regular part of the work and usually available to most of our team. If the company has a side project, they will come to our team manager who picks people who can work effectively on it. Our manager makes sure the customer is comfortable with our working on the side project part time.

The customer has been very receptive to our working on these side projects, both because they recognize the importance - all the projects are for the same large customer - but also because the projects help us develop better skills that make us more effective in our work for that customer.

Q: Is it comfortable to look to move to other technical areas?

They are very supportive in encouraging me to take on projects in new areas in those part-time projects.

Q: What about flexibility in schedule?

Our customer is very flexible. We have a set of core hours (10-2) when we are expected to be available, but we can set our hours other than that. I personally work from 5-5:30 in the morning to 2 pm every day.

Q: Sounds like this is a pretty good place to work; what would cause you to consider leaving?

It wouldn't be money. In this field people are making very comfortable salaries. So we look for an extra dimension that makes things more well-rounded and enjoyable. The only thing that might motivate me to move to a different company would be even greater flexibility in hours that would allow me to work from home more.

Q: Is there a job progression in your field at Booz Allen? A long term career path?

Booz Allen has recently reevaluated how they approach seniority - we no longer are required to enter management. We have more technical tracks and within those technical tracks they allow you to become a subject matter expert in the field you choose.

Q: What seems to be important to the candidates you interview?

They often ask about the work - what types of problems they might work on. They seem to want to know if they can see themselves continuing to do that for an extended period of time. That is a great strength here at Booz Allen because our work is constantly seeing new problem sets and we are always learning and the bad guys are changing the problem.

Q: What makes a great candidate?

Most of the candidates don't have reverse engineering malware skills, but what they do have and what is most important to us is their having the basics of networking, operating systems, strong programming background. People cannot really succeed in our field if they don't have the basics.

We have seen that the colleges spend a lot of time on managerial and policy issues in security and what is really needed is the deep technical foundations of operating systems, networking, and programming. We can build on those.

Interview with Patrick Jones, Booz Allen Hamilton
Interviewed February 8, 2017
Reverse software engineering

Patrick has been doing reverse software engineering for eight years. Though he manages the technical work of four people and helps shape their careers, his professional goal is not to move into management but rather to continue to master more advanced techniques in reverse engineering and to expand the scope of technologies in which he is competent. His next goal is to master SCADA and other industrial control systems.

Before coming to Booz Allen, Patrick had worked for another large government system integrator where he was told his only option for advancement was to move into management. He had seen many technical people lose their skills when they moved to management so, instead, he took a position with Booz Allen where he can have a role that is not quite managerial, although it carries a lot of responsibility - and he can continue to build his technical skills.

Q: Would a smaller company have given you the same opportunity?

When I was looking at a new job, I interviewed with several small companies. What I found was that they offered to pay me more and, importantly for me, they offered more vacation time, but they also had so few projects that I would have been put in one position and have to live with it or leave the company. When I look for an employer, I look for stability, long-term goals, and the ability to grow. I am not what someone would consider a "job hopper".

Q: Was the only thing that frustrated you at the other company the problem of being pushed to move to management?

Actually I really liked the work there and the fact that the other firm allowed me to do a lot of my work from home. However there was another problem. In addition to the push to become management, there was a money problem. They would hire new employees whom I would mentor and lead, but who were paid substantially more than I was earning. The company just didn't compensate long-term technical employees very well.

Q: Is the opportunity to change projects and learn new areas of security real at Booz Allen?

It is real. Booz is so big - you can do pen testing or reverse engineering or lots of other very technical jobs in cybersecurity. Booz is everywhere within client spaces - I am free to go over to new projects and try something. So far I haven't seen anything as much fun and challenging as the reverse engineering work I do.

Q: What is it you like most about reverse engineering?

The cat and mouse nature of the job - that's what I love.

Q: What other aspects of the work do you like?

Being a mentor is fun. I typically will not just give someone the answer but rather point them in the general direction of the solution to enable them to learn for themselves. It's great when they come back excited to have found the solution on their own.

Q: Is there anything you would like to change about your job at Booz?

I get only 3 weeks of vacation including sick leave. I really appreciated the 4-5 weeks of vacation at the other employer. But you cannot have everything.

Q: What do you tell job candidates you really want to hire?

I tell them about the work. That it's very challenging, that you see different malware every day - you can see all types - and that we have a team of people who can help you learn and that we do invest in you to help you grow your skills.

Interview with Jack Baker, Northrop Grumman
Interviewed March 1, 2017
Red teaming and software security assessments

Jack is a member of Northrop Grumman's (NGC) cyber assessment tiger team - a group of technical red teamers that assesses programs and services within Northrop Grumman to protect its network. The team proactively assesses company products and services to identify potential cyber vulnerabilities that could potentially be exploited, the associated risks, and how best to mitigate any potential vulnerabilities versus evolving threats. In other words, we pen test our own products to identify what could go wrong and mitigate the issue before unauthorized hackers find it.

Q: Where did you work before NGC?

I worked for a few financial technology startups around Silicon Valley as I went to school part time. I was hired before I finished my degree. Northrop Grumman has supported me in finishing my Bachelor's in mathematics from Penn State.

Q: What aspect of the job is most important to you?

The most important thing to me is being able to do challenging and engaging work. The mission is a bonus - doing challenging projects for the right purpose is really great.

Q: Some people say that maintaining the security clearance is a key differentiator.

Obviously that's very valuable. For me, what matters is that I want to be doing what I am doing. I don't know where I'll be in 10 years, but I know I am enjoying what I am doing now; feeling that I am accomplishing something.

Q: Is career growth and a good career ladder also important?

Technical growth is VERY HIGH in my priorities. I cannot think of another place that I could honestly say is a better place for me to do what I do. It isn't a job ladder, it is constantly learning and being challenged and growing technically that matters.

I often feel like the dumbest person in the room. But I think that's a good thing. It means I have a lot to learn and that the people I work with are incredibly skilled and they are happy to teach me.

Q: What else do you enjoy about the job?

I like being able to teach others - to share what I know and help them grow. Over the time I have been here, I have had a chance to work with four young recruits who are members of the Professional Development Program. They go through 6-month rotations (sometimes up to a year) to learn about Northrop and what the company does. I've worked closely with a few of them, and it has been great figuring out the best way to articulate things so the new people can understand. That helps them grow, but it also allows me to understand the technology and issues better, too.

Q: It sounds like you love your current work, but do you feel like you are constrained to stay in the area you are working or can you switch to other areas that interest you?

When we go to different programs and do red team analysis, my manager has told me, "If you see something you would rather be doing, go for it. There's no benefit in someone getting bored." I think that is really cool. Northrop is working on so many different interesting challenges. There's a ton of opportunity without ever leaving the company.

Q: Does the company invest in ensuring your skills are kept current?

Yes, and that's actually another thing that sold me on the job. They provide financial support for training and certifications. In the 18 months I have been here, the company has fully supported my taking the time to attend several advanced security courses and the certification exams and my manager encouraged me to do it. They also let me attend some hacker conferences.

Q: If you were advising a new graduate with good cyber skills, what would you tell her/him to look for in a prospective employer?

I'd make sure that what they were hiring the person to do is work that he/she really wants to do. Northrop's interview process was great in that regard. I applied for a red team job and the job announcement listed needed skills: metasploit, web app pen testing, and more. In the Northrop interview, they had me do a mock pen test so I could get a feel for what they are actually doing. Then they had me do a mock "out brief" as if the hiring managers were system admins and program managers whose systems I had tested through red teaming.

That told me that this is where I want to be. They proved they were interested in knowing that I could do the job and that it was the work I wanted to do, and they made the interview FUN. Our team still does that in our interviews of potential new staff members.

Interview with Lauren Mazzoli, Northrop Grumman
Interviewed February 20, 2017
Cyber software engineering

Lauren graduated from UMBC 2 years ago after majoring in Mathematics and Computer Science and gaining hands-on cyber forensic skills working on the UMBC IT Security staff. At Northrop Grumman she is a cyber software engineer working on a team that builds smart software to aid in the DoD's analytic modernization effort. She is also pursuing her master's in Computer Science with a focus in Cyber Security at UMBC.

Q: When you think about what makes an employer the right place to work for someone with important cyber skills, what stands out in your mind?

The first thing, the most important thing, is helping employees stay up to date with their technical skills. For example, Northrop Grumman is supporting my master's degree in Computer Science at UMBC. They even helped me come up with research projects for my courses that would be beneficial for Northrop Grumman and my education as well. They also offer flexible hours, so I was able to leave in the middle of the day to attend one of my required graduate classes.

Employees in the Professional Development Program (PDP), a rotational program offered to all college hires, are given training hours to attend intense training programs like SANS and conferences to learn more about key technologies and capabilities that can be integrated into our applications. Northrop Grumman also has a great program called the Software Engineering Coaching Program. Several Northrop Grumman employees located in offices across the country are enrolled in the program. Once a month we listen to a talk regarding software development best practices, and then we later discuss different scenarios and how it applies to our projects with a smaller group.

Q: Are there other organized professional development programs?

The Professional Development Program (PDP) gives recent graduates an opportunity to explore different careers by rotating to new positions once a year for three years. Last year my PDP assignment was with a very small team as a Cyber Software Developer. I had just graduated college and it was a great experience because I was able to work on the entire web application, from front-end webpage design to back-end database management.

For my second PDP rotation, I joined a very large program with several sub-teams that have 5-7 people per team. During this rotation, I switched roles to be a Cyber Software Test Engineer. I learned about automated build and deploy processes, different levels of testing, and had fun trying to exploit the application in order to find vulnerabilities.

Q: That seems like a lot of change - is it valuable?

When I was in college I learned new things every day; I was used to learning new programming languages and completing programming projects on a biweekly basis. Young cyber engineers really appreciate working in an environment that constantly challenges them with new problems, which is something teams that follow the Agile Scrum Methodology typically experience.

Q: Is part of the support they give you a mentoring program?

Northrop Grumman has several different mentoring programs. A mentor is assigned to every new employee to help him or her get adjusted to the company and answer basic questions like how to fill out timesheets. New employees are also paired with technical mentors who are technical employees who have worked at the company for at least 2 years. Northrop Grumman also has an informal open-door policy, so it's really easy to find your own informal mentors and advocates by setting up information interviews and attending internal networking events.

However, everyone on my team is willing to help one another - whenever I have a question, a concern, or just want someone to validate my thought process, there are always people willing and capable of helping.

Q: How is your job experience different from what your friends are experiencing?

While some of my friends at other companies may have rotation programs, they don't have the same supportive teams with great people willing to jump in and help you when you have a question. Or they may have supportive teams, but they don't receive support to take external training courses or graduate courses. It's the combination of working with a supportive team, a company dedicated to training their employees, and a company that recognizes employees who work hard that makes my experience different from my friends'.

Q: What about schedule flexibility? Other than your courses, do you need to be there 9 to 5?

Mandatory meetings are typically scheduled between 10am and 2pm. As long as you are in the office to attend those mandatory meetings, you can be as flexible as you want with your hours. Some employees on my team come in as early as 4am and others stay as late as 7pm, but we still maintain a high level of communication and collaboration with each other.

Q: What else do you especially like?

Pursuing a degree in Computer Science, a major where the number of males in a classroom has traditionally far exceeded that of females, was particularly challenging. There were numerous times where I could have felt overwhelmed or defeated by this statistic, but instead I was driven to change it. I started volunteering for outreach programs with the Center for Women in Technology (CWIT) at UMBC, reaching out to young female high school students and showing them the basics of computer science. Once I graduated and started to work for Northrop Grumman, I realized how much more I could do with the resources presented to me at my new place of work. With the support of Northrop Grumman, I was able to design, organize and lead a semester-long Raspberry Pi competition for students at the University of Maryland and UMBC. I also get to support Northrop Grumman in events like the NCWIT Aspirations in Computing Awards, which gives awards to women in high school who have made achievements in computer science and computer engineering.

Q: Last question. If you were advising someone how to assess a potential employer what should they want to know and what would you tell that young woman or man to ask the people who work at that potential employer?

Look at their leadership - you want to see diversity, technical experience, and leaders who engage with their employees for constant feedback. You want to know the organization is made up of people who are willing and able to help you, support you, and get you where you want to go. You want to know that they will support you even if you want to move from web development to cyber intelligence. Some of the questions I would suggest asking potential employers include: How often do you meet with your manager? How often do team members ask how you are doing? Do they offer training courses? If you don't get answers you like - keep looking.