Cybersecurity Hiring Manager Handbook

Your team’s culture and diversity

Defining Your Team’s Culture

Your team’s culture (i.e., the way you do things every day) is important to success in your mission, and it will strongly influence your success as a hiring manager. For example, are you able to attract people who could work anywhere, but choose to work for you because of the way your team does things?

As a leader, you can influence some of the ideals you want your team to have, but it is the people you hire, retain, and promote who largely shape the culture. How you address situations, how you conduct yourself, and the wider environment of the company can also contribute positively or negatively to your efforts.

To begin defining your team’s culture, let’s ask ourselves some questions that gauge our current posture and identify points for improvement. These questions are also a good exercise to run with existing team members, to see whether their answers align with yours.

After you’ve completed the exercise of answering these questions, you should have a good idea of what you want and need in your next candidate. Just be sure that you look not only for a “culture fit”, but for someone who can contribute positively to your culture. Avoid looking only for people who are nearly identical to your existing team: this reinforces biases and homogenizes the team, blunting its potential.

Whenever a member of your team reports a concern, it’s important to listen and do what you can to resolve it in alignment with the values you want your team to maintain, because it may be the only opportunity you have to address it before an impact occurs. Depending on the concern, perhaps only one employee will feel comfortable signaling that something is going on while others wait to see how you respond. Should this occur, take it in context and not personally. Even leaders who are most versed in open-door policies find themselves in situations with concerns they were never made aware of, because at the end of the day a power dynamic exists between you and your team.

Sometimes the issues we face relate to a particular team member who is contributing negatively to our culture. In these cases, we will want to work with them to understand what is going on so we can address what is causing the problems. If we’ve exhausted all our options, though, we may find ourselves at a crossroads with the employee where our only remaining option is dismissal. Whenever we change our team’s composition, whether through dismissal or hiring, it is an opportunity to influence our team, so it’s important that we are consistent in those decisions.

Developing and maintaining team culture is a continuous process of improvement, not a single destination. Consistency and openness to change are key to sustaining a healthy culture.

Unconventional Talent is Everywhere

Just as good information security programs don’t just happen, good security teams don’t just happen. Good information security teams, like good information security programs, are intentionally built and nurtured. And teams, like programs, are forever evolving to fit the ever-changing needs of the business. The best way to meet those evolving needs is to build a team with a diverse set of talents.

The reason is simple. Multiple studies have found that the most successful teams are also the most diverse. Teams of people with different cultural, educational, and socio-economic backgrounds succeed because their members think differently from one another. Diverse teams don’t exist in an echo chamber where everyone thinks the same way; they use their different ways of thinking to find the best solution to any given problem.

If we want to increase diversity, we need to look for talent in unconventional places. It’s easy: see potential in everyone, everywhere you go. One thing I like to do whenever I meet someone new is ask myself, “How is this person smart?”. Notice, I didn’t say “IS this person smart?”. I said, “HOW is this person smart?”

I love this method of discovering unconventional talent. When I started doing this, I started seeing the world in an entirely different way. I started to see potential in everyone, even those with non-technical backgrounds or degrees. I gave them chances in interviews and projects. I hired some of them. And each time, my expectations were blown out of the water.

After a while, I started to realize that diversity truly is a super power. My teams are successful because they are able to think differently from one another and challenge each other with different ways of approaching problems.

Unfortunately, the way we’ve hired in the past is NOT working. We’re hiring people just like ourselves: people who think and act like us, people who have the same technical backgrounds, and people with the same degrees. If we are serious about winning against cybercrime, we need to start hiring differently, and hire people who don’t think, act, or talk like us.

Expand the Talent Pool and Quality of Your Team Using Diversity, Equity, and Inclusion

Diversity, Equity, and Inclusion, or DE&I for short, has become an increasingly important subject for both employees and employers, as reports show that organizations with strong DE&I profiles are more profitable and more successful. Potential employees now consider it when choosing a future employer, and they expect the people who interview them to be able to speak to the organization’s efforts. Before we approach the subject further, though, let’s take a moment to define DE&I:

It comes down to the reality that employees who feel accepted and valued, and who see that their coworkers are too, perform better and stay longer with an employer. Employers with diverse teams gain a competitive advantage: the wider variety of ideas and the resulting increase in productivity let them solve more complex and difficult problems.

What’s the Current State of DE&I at Your Organization?

As a hiring manager, you are essentially an ambassador for your organization. So, whether your organization has been on the journey or is just starting, it’s important to understand the current programs and efforts around DE&I. By doing so, you’ll be able to answer prospective candidates’ questions around the subject, keep expectations in alignment, and ensure you are positively contributing to an important effort.

Once you understand the current programs or policies around DE&I, it can be beneficial to take the temperature of your existing team, or of the organization, to see how the current culture measures up to those efforts. This will help you represent things accurately should candidates ask about them. For example, if minority women are leaving the organization at a higher rate than non-minority women, the organization may not be living up to its stated efforts, and you’ll want to consider how to prevent that from happening on your team should your intended hire be a minority woman.

If your organization does not have a current program, you can still develop one around your own team, grounded in your culture, addressing biases, and working to ensure all members of your team feel, and contribute toward, the concepts of DE&I described in this section. Security already values diversity in its defenses: defense in depth relies on layers that don’t all fail the same way. A team whose members think differently brings the same benefit to how you reason about threats, so building a diverse team means you’ll be more successful.

Challenges of Managing a Diverse Team

People tend to hang out with people who are like they are. It’s hard-wired into human beings to do this. We are naturally biased in this way.

So it’s no surprise that hiring managers tend to hire people who are like them.

In cybersecurity that’s not ideal, because the amount of problem solving we have to do every day is enormous, and we get better-quality solutions when we bring many different perspectives to a problem.

Unfortunately, even under the best conditions, it’s very difficult to assemble a diverse team and it’s even more difficult to lead and manage that team. When the team manager and/or team members are close-minded about the benefits of diversity, it can be nearly impossible to maintain team integrity and productivity.

Proceed with caution!

Dealing with Our Biases

Once you understand your organization’s posture around DE&I and your team’s culture, it’s time to look inward for a moment to identify and understand the biases that can influence our decisions, specifically unconscious bias. Unconscious bias consists of the learned associations and experiences that shape our attitudes and stereotypes toward others, which we often act on without realizing it.

Bias is something we all develop throughout our lives, and everyone benefits from better understanding their own. Taking proactive steps to identify where our biases lie, both conscious and unconscious, helps us become better leaders. Once we recognize them, we can develop an action plan to disrupt the biases that could influence our decisions about a candidate, or about anything else.

To grow toward a better understanding of bias, Microsoft offers a series of free courses on inclusion, bias, allyship, and privilege. These are a good starting point for understanding the topic and learning how to improve: https://www.microsoft.com/en-us/diversity/beyond-microsoft/default.aspx

There are also Implicit Association Tests (IATs) that can help you identify biases. Harvard’s Project Implicit is one good resource; it lets you explore your implicit associations on social and health-related topics. You can find it here: https://implicit.harvard.edu/implicit/

How Job Postings Influence Candidate Diversity

One way we can improve the diversity of our candidate pool is through our job postings. These are often the first interaction a prospective employee has with an organization, and their composition strongly influences how the position is perceived and whether a reader believes they would be a good fit. There are six ways we can improve them.

1. Avoid gender-specific pronouns. By describing our jobs using gendered pronouns like he/she, we signal to potential candidates that if they don’t fit that gender, the role isn’t a viable option for them. Instead, address the reader as “you” or use gender-neutral terms such as “the candidate”. This signals an inclusive culture and makes it easier for a candidate to imagine themselves in the role.

2. Remove gender-charged language. Adjectives and words commonly associated with stereotypes about a particular gender subtly convey a bias that also influences who applies. Use tools such as the Gender Decoder or Textio to help you balance the language.

3. Get realistic about requirements. Job postings are often more like a wish list, when in reality we will usually take someone who meets most of the requirements. Only certain types of people are willing to take that chance, though. Those who have faced adversity, or who treat a job description as being as rigid as the system requirements for the latest video game, will often apply only to jobs where they meet 100% of the requirements. Instead of losing those potential candidates, reconsider what is really “required” for the job and what can be taught, and reflect that in your postings.

4. Drop the superlatives. Avoid terms that rely on the applicant’s perception of their own abilities. Words like “best”, “expert”, or “first-class” discourage qualified applicants who are more modest about their skill set, and they add very little to the job description overall.

5. Reconsider education. Especially in the security field, there are many routes by which someone can gain the experience to be a valuable member of your team. They could be self-taught, attend a bootcamp, learn on the job, earn certifications, complete a degree at a formal institution, or any combination of these. For example, don’t limit your candidate pool by requiring a degree in Computer Science when a candidate with a degree in Library Science and security certifications could meet your needs. Leave room for a variety of experiences to apply.

6. Showcase your DE&I Efforts. If your organization is actively working on DE&I, make sure it’s detailed in the job posting, and in the Equal Employment Opportunity (EEO) statement. I like Microsoft’s as a reference, which states:

All qualified applicants will receive consideration for employment without regard to age, ancestry, color, family or medical care leave, gender identity or expression, genetic information, marital status, medical condition, national origin, physical or mental disability, political affiliation, protected veteran status, race, religion, sex (including pregnancy), sexual orientation, or any other characteristic protected by applicable laws, regulations and ordinances.

How to Target Diverse Cybersecurity Talent

If you’ve reviewed and reworked your job postings to encourage a wider pool of applicants, you are already on good footing for developing a more diverse talent pool. Now you need to find the right places to target your postings. While there are plenty of job aggregator sites, there are also ways to form a partially curated pipeline that amplifies your efforts.

Networking is one of your greatest resources for finding more diverse hires, next to word-of-mouth referrals from prior or current employees. It is something you can grow over time through conferences, events, and local groups. Sites like meetup.com list many local user groups and industry-specific groups where you can make connections. Research and attend the local branches of professional organizations aligned with security, such as CompTIA, ISACA, ISSA, InfraGard, The League of Professional System Administrators (LOPSA), Women in Technology International (WITI), and others. Even if a particular group doesn’t allow direct solicitation for jobs, remember that you are an ambassador for your company: your attendance and contributions can still lead people to look at your company and apply to open positions.

Consider reaching out to your local colleges and universities to find out if they have a job posting resource such as Handshake.

https://joinhandshake.com/employers/

This can help you reach many entry-level candidates. Building rapport with professors who teach in the cybersecurity field can bolster your efforts here. These connections can sometimes also refer you to more senior candidates, either because the professors keep in contact with former students or through promotion on their own social networks.

If you have employee resource groups (ERGs) that support minority groups within the business, especially groups your team lacks representation from, consider asking them for help in circulating the posting or identifying where to post it to improve visibility among people in that group, along with any feedback they have on the posting itself. They often have resources that you or your HR team are unaware of.

Above all, remember that targeting diverse hires also requires providing a space for their success, and ensuring that your team, if not your whole organization, lives up to its values around equitable and inclusive opportunities.

Addressing DE&I with Candidates

Organizations that have robust DE&I programs often want to promote them to prospective candidates. Whether your organization has a robust program or you are leading the charge yourself, be honest about the DE&I posture and your efforts. The last thing you want is to lose someone you recently hired because they feel things were misrepresented, and such an outcome can further harm your ability to hire diverse candidates if they share their experience.

Candidates can also be a good source of insight into where things could improve, based on their own experiences and on what you share with them. If they raise concerns, listen and consider how to turn them into improvement opportunities, even if you don’t hire them.

Difficulty with Finding Qualified Diverse Hires

Even if you have followed everything detailed in this section, you may find yourself with a talent pool that lacks diversity, or with applicants who are not qualified. In these situations, there are several tactics you can consider in an attempt to change the tide:

- Extend your search. If you are able, reach out to any sites or groups you may have missed. Reopen the application window and see what different candidates you gain.
- Ask your competitors. Cybersecurity is about collaboration, not just within your organization but industry-wide. If you are in a collaborative business community, talk with your competitors about their efforts to find diverse hires and see what you can learn from each other.
- Evaluate your existing talent pool. Re-examine your choices in your last round of hiring and verify that those decisions were within your values and free of bias.
- Perform market research. Are you undervaluing the position, or has the organization gained a negative reputation? If so, change what you can.
- Review your requirements. Make sure your requirements are not excluding potential candidates and that they align with the job description. Are they reasonable for a part-time or full-time employee? Job descriptions that sound insurmountable lead candidates to self-exclude.

If none of the above is possible, you may be forced to hire from the talent pool you have.

If you are forced to choose between a candidate who has all the qualifications but wouldn’t fit the team and one who would fit the team but needs more training, choose the latter. Almost every technical skill can be taught to a person with aptitude, but people with the soft skills and mindset that positively contribute to our culture are much harder to find.

First Who, then What: The first step in strategy and tactics is having the right people “on the bus”

One of the key findings of Jim Collins’ Good to Great research is that before a great leader sets direction for the team, they first focus on assembling the right team.

https://www.youtube.com/watch?v=EzIzEJq7caI

6 Core Competencies for Hiring a Great Team

According to Jim Collins’ Good to Great research, the right people:

  1. Have a predisposition to share the core values of the enterprise
    • Create a culture that systematically reinforces those core values
  2. Understand that they don’t have a job, they have responsibilities
    • E.g. an air traffic controller has a responsibility to keep the airplanes safe, not just a job
  3. Do what they say they’re going to do
    • 100% hit rate at fulfilling commitments
  4. Don’t need to be tightly managed
    • Self-disciplined, self-motivated, self-managed, obsessively driven to produce great results, self-learners
  5. Have tremendous passion for what the enterprise is doing
  6. Display window-and-mirror maturity
    • When things go well, they are very comfortable pointing out the window to other people
    • When things go badly, they are very comfortable looking in the mirror and saying “I’m responsible”

https://www.youtube.com/watch?v=ax4zsUhPia4