Cybersecurity Hiring Manager Handbook

Assembling, leading, and managing a team of people to achieve cybersecurity (and information security) program goals is difficult, even under the best of circumstances. In my experience, the circumstances are rarely “best”.

Sure, hiring managers across all disciplines search endlessly to find and retain the best people. They have to equip, train, and support them every day. And figure out how to nurture each person according to their unique abilities.

But, as you know, there are unique hiring challenges facing cybersecurity managers. Because cyber is a dynamic risk, our work is done in a continuously evolving problem space. So we need an endless training budget and time away from the daily grind to actually learn. And then do stuff.

And, the pace of technological change seems to quicken every day. So even if cyber criminals were less innovative, and regulators less demanding, there’s still so much to learn all the time.

Because our discipline is relatively new, we lack highly structured and clearly defined career paths. And an “entry level job” isn’t really entry level, because even the newest of us have to understand how various network protocols and systems work before they can secure them. And our Human Resources departments don’t really know how to support us.

Despite all this, there are plenty of eager candidates, both qualified and unqualified, who are searching for the right job. But where to find them? How to get them on your team? How to keep them around and productive?

So, yeah, we need a Cybersecurity Hiring Manager Handbook.

But this handbook isn’t just for hiring. As you’ll see, it covers the entire “lifecycle” of a teammate:

We want you to be the employer for people who could work anywhere, but choose to work on your team because of the “unique and attractive” ways you do things.

But our vision for you is even bigger than mastering the full lifecycle of a team member. By building the team of your dreams, you can not only achieve your program goals, you can set yourself up to be an influencer with your senior decision makers.

What does this mean?

You become an influencer when the other senior decision makers and top influencers of your organization seek you out before they make major decisions that have cybersecurity implications. Instead of finding out about the newest system just prior to rollout into production, the people who first thought up that system start talking with you about it before they submit their business case to get it approved for development.

And you become an influencer when your senior decision makers stop seeing your program as an unavoidable cost of doing business. And instead, they see you as sales enablement or reputation enhancement.

How do you make that massive shift?

By having a team that works “in your program” so you can work “on your program.”

This means delegating the actual work of your program to your team members and supporting them. When you succeed at this, you have time to spend with the managers of other departments and your most senior decision makers. To get to know them and show them the business value your program can bring to their goals. Like increased sales, larger revenue, more profit, entry into a new industry vertical, or reduced cost to please and support your customers.

As an influencer, your goal is to deliver real business value and increase internal cybersecurity policy compliance and general cooperation between your department and the other departments.

But that’s very difficult (impossible?) to do when you are “in the trenches” all day, every day.

In addition to improving your situation, we want to have a positive, long-lasting impact on our cybersecurity community. So we’re releasing the Handbook as an open source project under the Creative Commons “Attribution 4.0 International” license.

And, to keep the Handbook relevant as time goes by, we’re going to accept your enhancements via our repo on GitHub.

https://github.com/CyberRiskOp/CHMH

Everyone is welcome to use this handbook, including job hunters. But our primary audience is line supervisors who have to build teams to meet cybersecurity program goals. (Note: We define a “line supervisor” as any member of the management team who has people reporting to them, at all levels.)

This Handbook could also be useful for managers of consulting or security services teams, although we realize the business context of these teams is different.

The secondary audience for this Handbook is anyone who helps supervisors build teams, like our friends in Human Resources, and our team members who know where to find amazing new candidates and help them succeed once they become teammates.

Finally, we wanted to make this Handbook useful to 90% of the hiring managers, 90% of the time. So here are two key assumptions:

However, we recognize that there is so much variability in the situations cybersecurity hiring managers find themselves working in (e.g., industry, mission, organization size, etc.) that we may not be able to consistently hit that target.

So tell us when we don’t hit the mark so we can do better with the next release.

Now go build the team of your dreams, so you can start working “on” your program instead of “in” your program, and become the influencer you’ve always wanted to be!

Kip Boyle
Seattle, WA
September 2021