2021
Cyber Risk Opportunities
draft – v1.0.0

Introduction

Assembling, leading, and managing a team of people to achieve cybersecurity (and information security) program goals is difficult, even under the best of circumstances. In my experience, the circumstances are rarely “best”.

Sure, hiring managers across all disciplines search endlessly to find and retain the best people. They have to equip, train, and support them every day. And figure out how to nurture each person according to their unique abilities.

But, as you know, there are unique hiring challenges facing cybersecurity managers. Because cyber is a dynamic risk, our work is done in a continuously evolving problem space. So we need an endless training budget and time away from the daily grind to actually learn. And then do stuff.

And, the pace of technological change seems to quicken every day. So even if cyber criminals were less innovative, and regulators less demanding, there’s still so much to learn all the time.

Because our discipline is relatively new, we lack highly structured and clearly defined career paths. And an “entry level job” isn’t really entry level, because even the newest of us have to understand how various network protocols and systems work before we can secure them. And our Human Resource departments don’t really know how to support us.

Despite all this, there are plenty of eager candidates, both qualified and unqualified, who are searching for the right job. But where to find them? How to get them on your team? How to keep them around and productive?

So, yeah, we need a Cybersecurity Hiring Manager Handbook.

But this handbook isn’t just for hiring. As you’ll see, it covers the entire “lifecycle” of a teammate:

  • Setting the foundation for team building
  • Preparing to hire the next person
  • Selection to identify, screen, and negotiate compensation for a great candidate
  • Retaining your team members
  • Gracefully handling the transition of a team member who is departing for greener pastures

We want you to be the employer for people who could work anywhere, but choose to work on your team because of the “unique and attractive” ways you do things.

But our vision for you is even bigger than mastering the full lifecycle of a team member. By building the team of your dreams, you can not only achieve your program goals, you can set yourself up to be an influencer with your senior decision makers.

What does this mean?

You become an influencer when the other senior decision makers and top influencers of your organization seek you out before they make major decisions that have cybersecurity implications. Instead of finding out about the newest system just prior to rollout into production, the people who first thought up that system start talking with you about it before they submit their business case to get it approved for development.

And you become an influencer when your senior decision makers stop seeing your program as an unavoidable cost of doing business. And instead, they see you as sales enablement or reputation enhancement.

How do you make that massive shift?

By having a team that works “in your program” so you can work “on your program.”

This means delegating the actual work of your program to your team members and supporting them. When you succeed at this, you have time to spend with the managers of other departments and your most senior decision makers. To get to know them and show them the business value your program can bring to their goals. Like increased sales, larger revenue, more profit, entry into a new industry vertical, or reduced cost to please and support your customers.

As an influencer, your goal is to deliver real business value and increase internal cybersecurity policy compliance and general cooperation between your department and the other departments.

But that’s very difficult (impossible?) to do when you are “in the trenches” all day, every day.

In addition to improving your situation, we want to have a positive, long-lasting impact on our cybersecurity community. So we’re releasing the Handbook as an open source project under Creative Commons “Attribution 4.0 International” license.

And, to keep the Handbook relevant as time goes by, we’re going to accept your enhancements via our repo on GitHub:

https://github.com/CyberRiskOp/CHMH

Everyone is welcome to use this handbook, including job hunters. But our primary audience is line supervisors who have to build teams to meet cybersecurity program goals. (Note: We define a “line supervisor” as any member of the management team who has people reporting to them, at all levels.)

This Handbook could also be useful for managers of consulting or security services teams, although we realize the business context of these teams is different.

The secondary audience for this Handbook is anyone who helps supervisors build teams, like our friends in Human Resources, and our team members who know where to find amazing new candidates and help them succeed once they become teammates.

Finally, we wanted to make this Handbook useful to 90% of the hiring managers, 90% of the time. So here are two key assumptions:

  • You are hiring in the United States, Canada, or similar countries.
  • The Ideals we espouse in the Handbook are a good fit for your specific situation.

However, we recognize that there is so much variability in the situations cybersecurity hiring managers find themselves working in (e.g., industry, mission, organization size, etc.) that we may not be able to consistently hit that target.

So tell us when we don’t hit the mark so we can do better with the next release.

Now go build the team of your dreams, so you can start working “on” your program instead of “in” your program, and become the influencer you’ve always wanted to be!

Kip Boyle
Seattle, WA
September 2021

Chapter 1

Just as we create cybersecurity systems according to Design and Engineering Principles, the Handbook authors believed we should offer something similar to our audience of practitioners.

However, we realized that this work is too people-intensive to expect Principles to be practical. So, instead, we are offering a set of “Ideals”.

You should operate according to these Ideals as much as you practically can. But we know that’s not always possible. Sometimes you need to deviate from an Ideal in a particular case. Other times, you will only be able to operate ideally during exceptional circumstances.