Just as we create cybersecurity systems according to Design and Engineering Principles, the Handbook authors believed we should offer something similar to our audience of practitioners.
However, we realized that this work is too people-intensive to expect Principles to be practical. So, instead, we are offering a set of “Ideals”.
You should operate according to these Ideals as much as you practically can. But we know that’s not always possible. Sometimes you need to deviate from an Ideal in a particular case. Other times, you will only be able to operate ideally during exceptional circumstances.
We’ve kept these Ideals broad in description because there is so much variability from organization to organization.
Finally, we don’t expect that everyone will be able to uphold every Ideal every time. Rather, we recognize that you, like us, will strive to operate ideally as much as possible. In many cases, we describe less-than-ideal practices in this Handbook, but we call ourselves out when we do and challenge you to do better.
Foundation
- Take enjoyment from building teams and helping people excel in their careers while achieving your program goals.
- Treat hiring as one of the most important duties you perform in support of your organization.
- Before you reflexively hire to replace someone, ask, “Is there a better way to get this work done?”
- Better to delay hiring than to mis-hire, because no one wins when that happens.
Preparation
- Put similar skills into the same job description so people don’t have to be rule makers and rule breakers, nor be the incident responder and the compliance person in the same week.
- Attract people who could work anywhere, but choose to work for us because of the way we do things.
- Widen your talent pool by growing your own talent and finding talented people that you’ve previously overlooked.
- Define “diversity” among your team as using the differences people have in their life experiences to bring unique perspectives to creatively solving problems.
Selection
- Hire in a way that builds relationships with candidates, even when the decision is not to hire someone.
- Choose a person with a growth mindset, a great attitude, and strong aptitude for the work, over a person who is highly skilled but is only in it for the money or often treats others badly.
- “Fit” is 40% technical skills and 60% culture.
- Consider how the candidate will represent your team, as well as build and spend political capital.
- Don’t look for strengths as a primary justification to hire someone; instead look for big reasons why they won’t be a good fit.
- Either make a great partner out of Human Resources or minimize their involvement.
Retention
- Make leading and managing your people easier by setting a high bar for choosing which candidate to hire.
- Create psychological safety among your team members so they feel free to say what’s on their minds.
- Insist on an atmosphere of candid, respectful collaboration with each other.
- Aggressively create learning and growth opportunities for your people by sending them to training, giving them a learning stipend, and sharing your network with them.
- If an employee appears with an offer from a new employer, don’t use it as an opportunity to attempt to retain them. Instead, congratulate them on their new opportunity.
Departure
- Celebrate the people who move on to another opportunity as graduates who will support you in the future.
- Request feedback to understand their perspective on how things were for them, and their thoughts around improvement.