Booz Allen Hamilton Holding Corporation (BAH) Earnings Call Transcript & Summary

Good afternoon, everyone. This is Sheila Kahyaoglu at the Jefferies Aerospace and Defense Equity Research team, and thank you so much for being here for our Virtual IT Services Summit. Next up, we have the Booz team here. Well, we have Brad Medairy actually here. And this is our intro to Brad, which is great. He's an EVP at Booz Allen and a 25-year veteran. He focuses on technology and leads Booz's national cyber platform account, which we don't get to hear about a lot. So I'm excited to dig into it, Brad. A little bit about what you do and the agencies you focus on. You focus on the FBI, Department of Homeland Security, Cybersecurity & Infrastructure Security Agencies, CISA and of course, the DoD. In this role, you're focused on addressing some of the top national Cybersecurity challenges that the government faces, including protecting critical infrastructure, securing the supply chain, protecting emerging platforms and defending the extended federal enterprise against cyberattacks. So super, super exciting. And you were named the 2021 Federal 100 Award Winner. So I won't go through all your awards and accolades, but it's certainly impressive. So thanks for being here and introducing yourself to the investor community.

So with that, Brad, what is sort of cyber consists of? Because the way I describe it to folks is Booz Allen's cyber Snowden. So what is cyber look like at Booz Allen? Can you frame it? What business does it fall into when we think about it?

Yes, Sheila, thanks for the introduction and the kind words and look forward to the conversation today. Cybersecurity is a really broad industry term at its fundamental, it's the practice of defending computer systems and electronic devices from malicious attacks. What's been interesting with cybersecurity, and we've been in this game for many, many years, is how it's evolved. In the early days, cybersecurity was something that was very much of a compliance-based exercise. Ten years ago, we saw a flood of activity against the financial services community, across the retail community and across the federal government that really kind of changed the landscape of cybersecurity. Today, we've moved beyond compliance and cybersecurity is very much about active defense. We have sophisticated nation states, we have criminal organizations that are targeting our clients. And our role in cybersecurity is to develop strategies and solutions to protect and defend them against some of the most sophisticated threats. The other thing that has been interesting to watch in the evolution of cybersecurity, it's gone from targeting traditional servers and computers, traditional devices into a much more complex environment, meaning cyber now intersects very closely with the physical world. And so whether you're talking industrial control systems, think about the Colonial Pipeline incident. When the Colonial Pipeline cyber event happened via ransomware, it directly impacted the physical world. We shut down the supply chain. And all along the East Coast, it affected travel. I look at -- there was a meat processing plant that was hit in the Midwest about a year or 2 ago. And I remember, I couldn't get a quesadilla at the [ Chipotle and the rest ]. And so the world has evolved from traditional attacks against computers to causing real damage and physical effect with industrial control systems, with many processing facilities and other things. So we are -- when Booz Allen looks at cyber, we tend to focus on the top end solutions, active defense, unlocking our trade craft from the defense and the intelligence community to develop differentiated solutions to really proactively defend our clients.

And when we think about cyber for Booz, who are your biggest competitors and what really differentiates you all?

It's interesting when you look at the competitive landscape, our Booz Allen business really has an established footprint across the dot gov domain, where we support clients like CISA and the FBI and the Department of Veterans Affairs, where we have an established footprint in the defense and in the intelligence community. And so it's hard to really pinpoint a single competitor, given the breadth of our footprint. Now when we look at our differentiators in cybersecurity, I would say that it really comes down to -- we had teams that are doing direct engagement with the adversary on a daily basis, defending our clients' most critical assets. We understand the adversary, we understand their TTPs, tactics, techniques and procedures. And we're able to take that understanding of that insight and develop solutions that's really tailored to our clients' environment. I would say that's at the heart of our differentiation.

And then if you could talk about maybe your 2 or 3 cyber-focused contracts to provide practical examples aside from giving us the quesadillas, like what actually do you guys do? What sort of level of expertise does it involve? How is it different than the rest of your business? And how is that customer interaction different as well?

It's interesting. When I think of cybersecurity and our engagements, we do a lot of work in operations, and we do a lot of work in the solution space. In the solution space, one of the programs that I'd like to highlight is a program out of DISA called Thunderdome. And Thunderdome is their -- DISA's prototype implementation of a Zero Trust architecture. And there, we're working with the commercial software vendors. We are working to integrate a solution and deploy it in support of the Defense Information Systems Agency, DISA. And there, we're developing solutions around Zero Trust. We're developing capabilities that implement software-defined wide area networks, secure access service edge. And it's really about providing enhanced security all the way to the edge of the network, but also to include cloud-based services. One of the things that we've seen with our client that as the IT world has evolved over the years is our clients' boundary, their network is not just contained within their legacy boundaries. Our clients now are heavily using the cloud, heavily using SaaS, Software as a Service. And their attack surface has expanded. And so our work with DISA on the Zero Trust implementation helps put in place that new security architecture using best-of-breed commercial products to protect and defend the dot ml domain. So that's kind of a good representative sample of some of the work that we're engaged in.

I have to ask. So when Leidos comes in with their Defense Enclave services contract and the intranet for DISA, does that sort of -- are you a software on top of that? Or how does that change your work with DISA? Or completely unrelated?

Yes. We're a solution provider. The Thunderdome program is a prototype solution that we're looking to prove out the Zero Trust architecture. And what we see in a lot of our engagement is we go into very heterogeneous environments, lots of tools and technologies, lots of other providers. And we work to integrate into the entire ecosystem.

Sorry, I always have to click the mute button when there's police cars passing by. Not for me luckily, but what do you think about the risks to your business, if any, or bottlenecks?

From a risk perspective, we see a tremendous focus around our clients looking to understand their risk posture and build solutions that help them to be more resilient. I think in terms of our particular business, we are a professional services company, and we recruit and retain what we feel is the best talent in the industry. And so for us, a risk is just around talent. And we have a tremendous track record of recruiting and retaining the best talent. We put a lot of programs in place that provide an enhanced value -- employee value proposition, and we have an excellent track record in terms of staffing and scaling programs. And so I think that the risk and the threat continue to change. I think we need to continually evolve our talent and evolve our capabilities. The other thing, early on when I started talking about the early days of cybersecurity, when you were looking at the traditional security of networks, that was a very defined skill set. Today, I think that cyber is also what I think of as a very multidisciplinary sort. And so for an engagement, you may need a controls engineer, you may need a machine learning engineer or a data scientist, you may need a malware reverse engineer. And so the other piece I think that we do a really good job of is blending these multidisciplinary skill sets and building the bench and the pool of talent to really solve the problems today but to be ready for the problems tomorrow.

That's great. And then if you could talk about maybe labor and mix of labor for your business, how does that sort of work and in terms of a product offering as well?

We're certainly not a product company. It was interesting. Last year, there was a tremendous amount of investment in cybersecurity products in Silicon Valley. There's probably over 3,000 cybersecurity products in the open market space. And so for us, it's about existing in that product ecosystem. And our value proposition is we're embedded with the client in their mission, we understand their environment, we're deeply plugged into the product and vendor landscape and we work to integrate best-of-breed solutions. I talked about Thunderdome. That's a great example. And then we look at taking our tradecraft and codifying that into our differentiated IP and IC that can live and exist within that broader product ecosystem. So it could be a series of threat models that we plug in -- or threat analytics that we plug into a commercial SIM tool. It could be rule sets that we plug into another commercial security appliance. And so we take our IP, IC and tradecraft, codify that and then we exist in that broader commercial ecosystem as an integrator.

And then maybe if you could talk about integrating commercial technologies versus developing our proprietary technology for a government client. Like how does that work?

Yes. I mean, I think what we've seen is a much closer tie between the U.S. Federal Government and Silicon Valley. We've seen a lot of -- a rise in OTAs. OTA is Other Transactional Authority and the government is looking for ways to bring differentiated tech and prototype it, accelerate its adoption. We've seen DoD standup elements in Silicon Valley, like DIU, the Defense Innovation Unit. And so the government is really focused around the adoption of commercial innovation and commercial tech. Frankly, I think that's what sets our country apart, our roots in innovation and entrepreneurship. We live in that ecosystem. We will adopt and integrate best-of-breed commercial solutions. At times when there may be a gap in what's available in the commercial market, we may get engaged with the -- with our government clients to help them develop gap filler solutions. And then we work to integrate them holistically.

And then maybe if you could talk about developing cyber offering for a government program versus a commercial cyber, how does that sort of work? And are there any cross-selling opportunities?

Yes. I mean, we've coined the -- we use the term a lot around, call it, one battle space. And when an adversary looks at our nation, they don't look at our nation in terms of the dot gov domain, the dot ml domain, the dot ic and the dot com, they look at The United States as a holistic attack surface. And because of that, adversaries move across different clients, across different domains at different points in time. Our strategy is to meet the adversary where they are and help our clients defend their most critical assets against those adversaries. So we think it's very strategic for us to have that holistic footprint so that we can understand what's happening in the broader threat landscape, so that we can bring and integrate those insights across our broader client set.

And switching gears a little bit, Booz has maintained AI superiority with its first mover advantage. How would you describe the relationship between cyber and AI? And what benefits do you see from your AI leadership? And maybe if you could give an example of that.

Yes, yes. We are -- our cybersecurity team and AI team work hand in hand. We look at artificial intelligence as machine learning, as a critical enabler to the cyber mission. And so when you look at a security operations center today, you have Tier 1 and Tier 2 analysts, and they sit there and triage alerts. And you have alert -- we'll see clients with millions, if not billions, of alerts coming into their security operations center. And the challenge there is how do you find the needle in the haystack, how do you really find the most important event that you need to focus on that could cause significant risk and harm to your enterprise. When we look at using machine learning to build models that automate and accelerate some of the standard cybersecurity functions such as event triage, so I see a tremendous kind of tie between cyber machine learning. We're heavily investing in the application of machine learning in the cyber domain to be able to automate and accelerate different defensive cyber functions to make our analysts more effective. We really want our analysts to spend their time not triaging rudimentary Tier 1, Tier 2 events, but really focus on the advanced analysis, the advanced hunting, finding the sophisticated adversary that's buried in a network and machine learning enables us to do that. You talked about an example of where we're applying cyber and AI and machine learning, I think probably a good example is the Joint AI Center. And there, we won a large contract several years ago, partner -- to be a strategic partner with JAIC. And there, we're actually helping them implement cybersecurity to -- excuse me, implement machine learning around a variety of different cyber defense problems to support DoD operators, be more effective and be more efficient in the defense of the domain.

And then if you could talk about core opportunities -- sorry, adjacencies to existing core capabilities, what sort of opportunities are out there?

So I think in terms of adjacencies, we see -- I kind of alluded to this earlier, just all of the intersections between cyber and the physical world. Whether it's how do you best secure an industrial control system or U.S. critical infrastructure. How do you -- with the emergence of 5G, from a telecommunications perspective, how do you secure this new 5G-enabled world? It's moving data down to the edge, there's ubiquitous connectivity. That presents a tremendous value from a mission perspective and our clients are looking to adopt 5G for things like telemedicine, for AR/VR and training. But with that new mission enablement, there's a whole new set of risks and challenges from a cybersecurity perspective. That's an adjacent area that we're very focused on. And then as you look at our DoD clients, how do you secure space and weapons-based systems. How do you build resiliency into some of these core critical components that our clients and our nation rely on. So I think from an adjacency perspective, it's really looking at industrial control systems, 5G and looking at the intersections of cyber in the physical world.

Sorry, one question I'm going to throw in there, how often does like the physical world allow Booz that opportunity? Or is it more so the OEM, the manufacturer of that product that provides that capability?

Yes. I mean -- so I mean, especially with industrial control systems, the vendors can secure their integrated pieces. But if you look at a shop floor, there's going to be lots of different connected devices, industrial control systems, there's going to be traditional workstations, there's going to be other types of devices. And so the OEM will look at just their slice of the world. I think when we go into an environment like that, we look at it from a more holistic risk perspective and adversaries live in the seams. And so by looking at it from a holistic perspective, you can get a better view of risk and build a better strategy to defend it.

Great. And then when we think about the level of cyber funding, how do you think about it right now versus the current need? What level it's growing at? And where do you think the biggest areas of unmet customer demand are?

We're seeing a lot of focus around continuing to move from -- in our federal clients, more active defense. We've seen emerging guidance from the administration around something called endpoint detection and response. What that means is as opposed to waiting for events to show up in a security operations center, how can you proactively look across your network across all the devices for signs of malicious activity. That is a journey that our clients are on, that they're looking to accelerate. And that's also going to be, we believe, a force multiplier in terms of enhancing the security posture as well. So those are just some examples that we're at least -- that's an example of things that we see where there's an emergent need. There's emergent policy guidance and our clients are really focused in those areas.

I feel silly asking this, but how do you think about the durability of demand? Seems incessant, to be honest.

I think that we're -- with cybersecurity, I think that we're in a forever war. The problem is not going to go away. We're at -- there's been an exponential increase in connected devices. We have new and emerging technologies like 5G coming online. Quantum computing is going to play a bigger factor in the midterm. And so I don't see the problem getting smaller. I think that I see the problem getting larger. The other piece is I talked earlier, the attack surface. Our clients are rapidly moving to the cloud. They're rapidly looking at SaaS. Individually, each one of those is a hard problem. But then collectively, when you have an agency using multiple cloud providers, multiple SaaS providers, bringing on 5G technologies, connecting their physical devices in a way that they haven't, that attack surface continues to expand, the problem gets bigger and our adversaries aren't going to go away.

And can we talk about a contract that you recently won. I believe it was a 5-year $622 million award for NASA cybersecurity and privacy program. What sort of the scope of that program? Is it on new work? How does this advance your potential position with NASA?

Yes. The NASA CyPrESS contract, that was a 5-year contract, and it's basically supporting NASA's cybersecurity and privacy program. This contract really marks the first time that NASA is bringing all aspects of cybersecurity across the enterprise under a single vehicle. And so we're going to be focused on traditional IT systems, the [ OT ] technologies, industrial control systems and mission systems. And so it's a pretty broad scope. It's pretty all-encompassing across their enterprise. And as NASA makes this strategic move to centralize those cybersecurity functions, it's a great opportunity for us to partner with them and strengthening their end-to-end cybersecurity posture.

And how do you think about some of the smaller programs? In the beginning of the year, you received a 6-month prototype contract from DISA for $7 million. I think that was the one you were referencing before?

Yeah.

Is that Thunderdome? Or is that...

Yes. That is -- yes, that's Thunderdome. We love the small sort of incubator type projects. Thunderdome is an OTA, it was a small award. But it's an opportunity for DoD to be really progressive in looking at best-of-breed tools and solutions and figuring out how to modernize the dot ml security architecture to embrace Zero Trust principles. And so it's certainly not the size of something like NASA CyPrESS. But from a strategic impact perspective, it gives us the opportunity to partner with DISA to really implement and prototype a best-of-breed solution that kind of paves the way for a future security architecture.

What does progressive mean when you said the government? It paves the way for the government to be more progressive?

Well, to implement next-generation security architectures, Zero Trust has become a pretty broad buzzword in the industry. But what does that really mean? How do you implement it? How do you operationalize it? How do you take an agency or an organization from point A to point B? And so when I talk about progressive, it's really a practical application in the Zero Trust principles that makes a meaningful and demonstrable impact in their agency and their mission.

Okay. Thanks for clarifying, I just wanted to ask. And then in terms of pace of awards and opportunities, how do you think about that renewed urgency, just given some of the recent high-profile intrusions as you referenced earlier? Has the market shifted? When have you noticed the market shifting? Or does it shift after a big event like Colonial Pipeline [ when it ] dives down 6 months later?

No. There's been a couple of big events commercially -- commercial -- excuse me, commercial. Colonial Pipeline was obviously a big event as well as the meat packing facility. Within the U.S. Federal Government, I think 2 of the [ marquee ] events, one was SolarWinds and the other was [indiscernible]. And so in each of those events, we saw our clients rapidly look at how to respond, how to protect the core assets. And then based upon the lessons learned from that, what needs to be changed in the future? We've seen a pretty steady tempo in terms of our clients looking at bringing on new capabilities and really focusing on kind of the continued implementation of guidance coming out from the new National Cyber Security Director of Chris Inglis, and the administration. So it's been pretty steady for us.

And then if you could talk a little bit about the concept of scalable cyber solutions. What does that mean to go to a market strategy? And how do you foresee that applying to advanced cyber capabilities?

Yes. I mean when we think about scalable cyber solutions, and so we've been in this game for many, many years. And we are looking at how do we package our IP and IC. Some of the core fabric of our differentiation could be threat analytics, it could be threat models. And how do we arm and equip our analysts and our staff with those on their client engagements. And so we have this broad footprint across the domains across the federal government, across the Department of Defense. And so how do we codify some of those insights, some of those best practices, some of those lessons learned. And then how do we equip our workforce with that to enable them to bring those into their clients' base at scale. And so we are really focused on codifying that IP and IC and really bringing these differentiated solutions to bear at scale for our clients.

And then can you talk about the talent pool a little bit versus your peers? Is it a traditional IT services name? How does it sort of work for recruiting these folks versus the rest of Booz? And I guess, how important is that to executing your strategy?

Yes. I mean from a talent perspective, we really focus on creating an environment that becomes -- that is a talent destination. We're supporting some of the most amazing cyber missions in the world. And the talent pool recognizes that and wants to be part of our team. That being said, it's also really important for us to create an environment where our staff can continue to grow their skill sets. I love the term, iron sharpens iron, where we do Hackathons, we do other types of events where we challenge our staff and we help them build new skill sets. We help them work -- junior staff work with more seasoned practitioners to get mentorship and we take our best practitioners and get them really, really hard problems and push them to be the best. And so in terms of when we look at the talent, one is about creating a destination; two, earlier I talked about really kind of a multidisciplinary skill set; and then three, once they're part of our team, creating an environment that they're energized, that they want to be part of and that where they feel they continue to grow in their careers. And I talked about my journey -- you introduced me. Thanks for reminding me that I've been at Booz Allen for 25 years, but that's a long time to be at one company. And I'm often asked, why do you stay 25 years at Booz Allen. And I've had the opportunity to work across defense, commercial, civilian, international engagements. So I've had mobility. I've always had the ability to work on some of the hardest technical problems. And I've always thought my skills have continued to grow and expand. And at Booz Allen, we're really passionate about providing that opportunity to our employees. And I think it's a tremendous value proposition.

Maybe one last one to wrap it all up, Brad. How do you think about all the work that you're doing and how it ties into the national cyber strategy? If you could just give us an overall picture of it?

Yes. With Chris Inglis, I think I did a fireside chat with him last year, and he was just named as the National Cyber Director. Chris is really implementing a good strategy. He's building the right team. He talks about his team of Jen Easterly and Rob Joyce as the Cyber Security Director and the FBI. And when we look at our engagement, we're supporting each of those clients in their missions on a daily basis. In terms of supporting the national cyber mission, we want to work on our clients' hardest problems. We want to be in the fight, in the mission, day in and day out. And I think Chris is bringing those players together. And he's also implementing the public private partnership, because Chris recognizes that it's one battle space. We're supporting that one battle space concept because we're also engaged across each one of those missions and bring those perspectives to bear to our clients. Our clients see tremendous value in our ability to understand the entire ecosystem, the product landscapes, the different sectors, whether it's critical infrastructure or the dot gov domain and be able to kind of fuse that into a tangible set of recommendations that will help them. So those are -- that's -- our passion is this national cyber mission. We're passionate about the clients and the problem sets. And just tying it back to talent, our talent want to work the hardest problems. And so we're creating an environment that's good for our clients and good for our people.

Awesome. Well, thank you, Brad, for all of that and an intro to Booz's cyber strategy. We appreciate it. Thank you, operator. That concludes our call. And Brad and Booz, the whole Booz team, thanks for participating today.

Thank you.