EPISODE 102
Cybersecurity Hiring Manager Handbook

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, virtual chief information security officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the Law Firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today in episode 102 of the Cyber Risk Management podcast?

Kip Boyle: Episode 102. This is so cool to be in triple digits. Thank you for reminding everybody. Listen, today we're going to take a look at something, it's a resource that I think is going to help people. It's called the Cybersecurity Hiring Manager Handbook, and it's been released as a new open source project.

Jake Bernstein: Well, that is certainly interesting. I think that's great. That's a little different than things we often talk about here. So I think the first question is what does this have to do with cyber risk management? And then who should be really paying attention to this?

Kip Boyle: Yeah. Okay. So, we've always been saying how cyber risk management is something that is more than just a tech stack, it's more than just blinky lights. And I think for anybody who's responsible for building a team of people who are going to be defenders, blue team, anybody who's going to build a team that's actually going to operate that blinky light solution or whatever they're going to do, they have to build a team, they have to find people and they have to find the right people, and then they have to bring them on their team. It's a whole separate discipline here that we really haven't talked very much about before.

Jake Bernstein: But you'd say that it's an absolutely key part of cyber risk management. I mean, how can you manage your cyber risk without the right people to assist?

Kip Boyle: Exactly. Exactly.

Jake Bernstein: And I think we need to have a brief aside. You said blue team. And I've heard red team, I've even heard purple team. Can you just maybe briefly tell us what is with the colored teams?

Kip Boyle: Absolutely. In my experience, it all sort of started from the red team label. All right. So a red team, and this is a label that goes back a long ways, a red team is a group of people that tries to break in. They are playing the adversary. And during the Cold War, in fact, red teaming was something that was done in the military. And red meant the red of Soviet Russia. So you're playing the red team. And you're the pretend adversary, you're going to use the tactics of the adversary. And then we're going to send our team against you, the blue team, the blue of red, white, and blue. And so we're going to practice. We're going to practice out in the deserts of the American Southwest, or you've seen Top Gun, the movie, we're going to practice in the air, flying over the deserts of the American Southwest.

And we're going to have an aggressor who's going to fly a different aircraft with different performance capabilities. And this is how we're going to train our military people. Well, red team is how we train in the digital world. We have people who pose as an adversary. And that can be an outside consultant or that can actually be an internal team whose purpose is to test the blue team. So that's red, blue.

Jake Bernstein: Okay. But there's also, I have heard purple. Is that a combination?

Kip Boyle: Yes. Red plus blue makes purple. So they're the idea is that I've got people who do both. Now, whether purple teaming is really a good idea or not, I think is a separate episode, because I think you can make the case that purple teaming is just what happens when you don't have enough money to buy a red team, and so you just mix in some red on your blue and you get purple. And does that really work? Does it not work? I mean, how can you have the people defending also be the people who are attacking. It's a little murky, but there you go, that's purple.

Jake Bernstein: So, okay. Now, obviously this immediately brings us to this question of hiring folks. And maybe we'll stick with the blue and red for a moment just because I think it raises a really interesting question. Do you need to look for different types of people on the red team versus the blue team? And gosh, Kip, is this maybe perhaps what the cybersecurity hiring manager handbook is about?

Kip Boyle: Well, so you have to approach the work differently when you're on the red team. You're trying to figure out how to break things. You're trying to test stuff. You're not building things. The quintessential blue team function is to build defenses, and the red team is trying to disable those defenses. So you do have to think differently, you have to use [crosstalk]-

Jake Bernstein: Or evade them.

Kip Boyle: Or evade them. Go over them, under them, around them, through them, whatever it takes. You're trying to test controls. I mean, that's really, at the bottom line, a red team is a set of ethical hackers and they're testing the controls of the defenders. So yeah, you got to come at it differently. But the handbook and the reason why I want to talk about the handbook today is because it's not just about red team versus blue team or purple team, it really is below that, or you might say it's above that. But it's abstracted. In other words, whether you have to hire red teamers, blue teamers or purple teamers, the point is, is that you have to hire people. And hiring people is a difficult thing to do. Even in the best of circumstances, even in industries where there's an excess of qualified people that you could hire, you still need to go through a lot of work to find the best people of the available people, get them on board, and get them productive and then retain them.

So there's a whole life cycle here. And so that's in the best case. Now, in the case of information security and cybersecurity teaming, as far back as 20 years ago, when I first started building my own teams, I faced a labor shortage, a talent shortage. And I don't remember in my whole career ever being in a situation where I felt like I had more people to choose from than I had positions to fill. That just didn't happen very much. So it's really tough when you want to build teams, especially in this environment. And the statistics point that out. I mean, we keep hearing over and over again how there are more open funded jobs than there are people to fill them. So what do we do?

Jake Bernstein: Exactly. So, I mean, I think we've actually answered my first question, which was why do cybersecurity hiring managers need a handbook? And the answer is it's super complicated. But why don't you go ahead and more formally answer that question and let's kind of see where we go as we do on this podcast.

Kip Boyle: Yeah, absolutely. Okay. So again, there's this very big gap between people who want to employ cybersecurity professionals and people who want to get those jobs. Now, the reason how I got involved in this handbook is that, and I think you know this, and I may have mentioned this on the podcast before, for the past two years, I've actually been formally helping job seekers. And I've been doing that through a podcast. So I hope I've told you, I'm two-timing you with another podcast, Jake.

Jake Bernstein: No, I know. I'm aware. It's okay. I've gone to counseling and I've dealt with that.

Kip Boyle: So I'm seeing another podcast on the side. And it's called Your Cyber Path. And I have a different podcast host over there, his name is Jason Dion. Anybody who's taken-

Jake Bernstein: Well, at least he's got a good first name, because people don't know this, but my first name legally is also Jason.

Kip Boyle: So I got the two Jasons.

Jake Bernstein: You do.

Kip Boyle: It's great. And so Jason Dion, so if you've ever gotten your Security+, your Network+, or any one of a dozen certifications in IT or cybersecurity, you may have heard of Jason, you may have even taken one of his certification preparation courses. So Jason and I have teamed up and we are over there helping people get cybersecurity jobs. Now I've been doing this for a lot of years, and so it was very straightforward for me to turn my experiences and what I know into another podcast and another place to kind of work in this other problem space. Well, so as we were doing that, and I got a whole other explanation for how I got into that, but I'll hit the pause button on that, well, as we were doing that, what we figured out was that hiring managers are having a lot of problems too.

So we've got people trying to get into cybersecurity who can't figure out how to do it. That's who we're serving over there. But then we were seeing hiring managers make all these silly mistakes and we couldn't figure it out. And it was pervasive. These are pervasive problems that we were encountering as we were helping people try to get these jobs that were being advertised. And so that's when the light bulb kind of went on and I was like, holy crud, there's a whole other side to this problem space that needs to be addressed. And so while we were helping candidates build great resumes, and figure out how to ace their interviews, and negotiate the salaries and start off on the right foot, I realized that I needed to help, somebody needed to help hiring managers.

So as I did with Your Cyber Path, I went looking. I was looking for books or classes, podcasts, any resource that would help me understand what's going on in the hiring manager side, broadly speaking. I know what's going on from my perspective anecdotally, but it's like, does anybody out there have an answer, what's going on? And I couldn't find anything, or at least nothing of substance, nothing that really told me like, this is what's going on and this is the answer. So I said, all right, we need to create something for hiring managers. And now we have the handbook.

Jake Bernstein: So did you write this handbook yourself?

Kip Boyle: I didn't, no. For a number of different reasons. [crosstalk]

Jake Bernstein: But you are involved.

Kip Boyle: I am.

Jake Bernstein: This is you are involved in this handbook.

Kip Boyle: I'm very involved in it. I instigated it. Yeah. So this time last year I was doing a survey of hiring managers. I just kind of did an open-ended survey, whoever responded. I advertised it on social media, other hiring managers that I know. And I just said, what's your number one problem that you're having? Because I was just trying to figure out what was going on. There's no real primary research available or secondary research available. So I just did my own. And so based on that, it snowballed. So a lot of people responded and the problems they were having made sense to me. And so it's kind of snowballed from there.

So I gave a brief talk at Wild West Hackin' Fest, and then I did another couple of talks for them. And as we went along, what I found out was that this was really resonating for hiring managers, that they were struggling. And so I said, well, let's put all our efforts together and write something. The handbook we wished that we had is kind of was the vision here. And so I raised a set of volunteers. About 50 people said they'd help. And as these things always [crosstalk]-

Jake Bernstein: Wow, that's a lot of people.

Kip Boyle: Yep. You get a lot of people. And then a subset of those people actively contributed. And so over the last summer we created a detailed outline, which we then vetted with a new group of hiring managers that we went out and recruited. And then we started converting that detailed outline into prose. Now, the outline is not completely converted yet to prose, but a lot of it is. And so we went ahead and published it. So I spent all of over the course of 2021 [crosstalk]-

Jake Bernstein: It's a beta release or early access. This is very common these days.

Kip Boyle: It is. It is. And so we released it. Now, we want people to read this thing. And so not only is it filled with the best thinking of the best people that I could find who would be willing to contribute to this thing, it's also free. And that's why we did it as ... We did it as an open source project in part, because we wanted people to read it. We want people to use this thing and we want it to get better. And publishing it as a traditional book through a traditional publisher or self-publishing it wasn't going to give it that ability to grow and to change as the situation demanded. And so we said, all right, let's go ahead and just release this under the Creative Commons Attribution 4.0 International license, so that way anybody can use it for any reason, as long as they give us credit. And yeah, so now it's out there.

Jake Bernstein: That's amazing. That's very cool. We can add in a piece of encryption, the theory here is that it's an open source, you don't want to use an encryption algorithm that hasn't been crowd tested and beaten upon repeatedly. And I think for something like the Cybersecurity Hiring Manager Handbook, it's the same idea. You don't want one person's opinion, you want the wisdom of the crowd. And I think this is a really good way of doing it. So I love that it's an open source project. People oftentimes think about that as only for software, but it's really not. I mean, anything could be open source. It really has to do with more of the copyright or the so-called, in this case, copyleft is what you're using. And so, yeah, that makes perfect sense. And I think, have you said this yet? But where is it located? Is it on GitHub? Please tell me it's on GitHub, because that'd be awesome.

Kip Boyle: It is on GitHub. Of course.

Jake Bernstein: That's amazing. I love it.

Kip Boyle: Yeah. So you can go out to GitHub and you can access it. And I'm going to do something that we often talk about, but I've only recently started to do, I'll actually make show notes and I'll actually put the links to the handbook in the show notes. [crosstalk]-

Jake Bernstein: ... Kip, speaking of show notes, there's also something that maybe we should tease for our listeners, something that's coming in 2022.

Kip Boyle: Something that's coming in 2022 having to do with show notes. Oh yes. Yes. Well, yes. Thank you for prompting me. So we have a brand new website in development specifically to elevate the usefulness of the Cyber Risk Management podcast. And I don't want to disclose too much, but there's your tease. It's on the way.

Jake Bernstein: Plus now that we have done it publicly, we eventually, now we're beholden to get it done.

Kip Boyle: Oh, it's almost done. As we record this, it is almost done. Certainly by the time this episode's released, I expect it'll be up and running. And one of the cool things about the new website is that every episode is going to be fully transcribed and available.

Jake Bernstein: That's going to be great.

Kip Boyle: Yeah. It's going to be really, really good. It's going to look good. It's going to work well. It's going to be a wonderful step up from what we have now, which I think what we have now, I think is perfectly fine. But this is going to be much, much better. Yeah. So the handbook is out on GitHub. And so look, one of the other reasons why we want it on GitHub is because we want people to read the handbook. And as they read it, they might say, ah, they're totally missing the point of this section, or, oh, I can't believe they forgot to mention, here's another really great way to solve that problem, or whatever. Fantastic. If readers have feedback, go to GitHub and guess what? Just like a software project, submit a pull request. We would love to get a specific set of suggestions about how this handbook can be better.

Jake Bernstein: Well, and I just found it. It's at, let's see, githubcyberriskop/chmh.

Kip Boyle: Oh, you're just torturing us.

Jake Bernstein: I know I am.

Kip Boyle: You're reading URLs like that.

Jake Bernstein: Look, if I can find it in real time on the podcast without knowing the URL, then our listeners certainly can too.

Kip Boyle: That's a great point. But folks, don't bother to write that down. I promise I will put it in the show notes and you can just click on it. So don't worry. But yeah. So if you want to contribute to the handbook, either because you want to add something that isn't in there now, or you want to change something, or you've got a better idea for how something can be done, go there, grab it, change it and submit it. We've got some volunteers that will review any submitted change, any pull request, we'll look at it and process it.

Jake Bernstein: What's even more amazing is that you're writing this all in Markdown.

Kip Boyle: Yeah. About that. It is written in mark. It is a big collection of Markdown files. I don't know about you. No, I do know about you. You would read it in Markdown and you did enjoy it. I know not everybody would.

Jake Bernstein: Well, Markdown is, it automatically goes to HTML.

Kip Boyle: Well, so we have it also, we published the handbook also on Netlify, which therefore over there, that's exactly what happens is we take the Markdown, and we re-render it in HTML and it looks really nice. And there's hyperlinks that you can click on and some graphics and stuff. So you can choose the way you want to read it.

Jake Bernstein: Well, it just so happens I have here, no one else can see it on because I'm just showing Kip on video. But I actually have a little pamphlet of GitHub flavored Markdown that I got from a friend of mine who works at GitHub.

Kip Boyle: Yeah. Okay. [crosstalk]

Jake Bernstein: ... You know I like the Markdown.

Kip Boyle: Oh, look, I learned Markdown from you encouraging me to do it. And I'm glad I did it. But for anybody out there in the audience who remembers WordStar or WordPerfect, and having to put in the little character codes-

Jake Bernstein: It's not that bad.

Kip Boyle: It's not that bad, but it is definitely reminiscent. It has the odor of word processors before WYSIWYG, which is something else we don't hear much lately, what you see is what you get. There was a time, ladies and gentlemen, when you couldn't see bold fonts, or italic fonts, or strike through on the screen, you had to actually put little escape characters in. You'd see it when it printed on a paper, but you'd never see it on the screen.

Jake Bernstein: So what you're saying is, what's old is new again and it has come back into style. [crosstalk]

Kip Boyle: ... for reasons I cannot understand. It's just like bell bottom trousers. Why? Why?

Jake Bernstein: Well, I mean, yeah, that's an aside that we will not bore people with. But the simple answer is that the Markdown syntax, it goes with a script that converts it into HTML. That's the trick. That's [crosstalk]-

Kip Boyle: Sure. Yeah. For people who code HTML all day long, Markdown is a great relief.

Jake Bernstein: And that's what Markdown was meant. I mean, to be fair, that's what it was meant for. It was meant for writing specifically on the web where, believe me, it's easier to do the Markdown syntax than it is to do the HTML tags.

Kip Boyle: I believe that. I believe that. But now I'm being forced to buy record players and vinyl again because it's cool.

Jake Bernstein: Well, that's a different issue. I can't help you with that.

Kip Boyle: No, no. Everything old is new again, right?

Jake Bernstein: Yeah. No, I agree. I agree with that. But I just, that is a different issue. There's a good reason for the way that Markdown is the way it is. And it's not just because it's cool.

Kip Boyle: I know. But people who don't write in HTML are now starting to write in Markdown because it's cool. No, that is happening. That is absolutely happening.

Jake Bernstein: You know what? It is cool. [crosstalk] ... I write in Markdown every single day.

Kip Boyle: I know. I knew you were on the cool bandwagon. Okay. So let's get off the Markdown topic.

Jake Bernstein: Okay. So is it reasonable to expect every hiring manager to follow every ideal?

Kip Boyle: Okay. So in the handbook, we do have this idea of ideals. But let me back up for a moment, because I want to tell you that the handbook has a particular vision that we're trying to achieve, and the ideals are how we are trying to achieve the vision. Okay. So there's really two goals vision wise for the handbook. One is we want hiring managers to be able to build the team of their dreams. Whatever size of team that is, whether you're building a blue team, or a red team, or whatever, we want to help them build the team of their dreams. And that typically means attracting and retaining top tier talent. That's what everybody would really like. All A players. We think that's the ideal there.

Now, the second thing is, is that when you can build your dream team, oh, that does amazing things for the hiring manager. It allows them to actually fulfill, I think the true purpose of their team, which is to build relationships with other business leaders in the organization so that they will come to know you, like you and trust you. And then they will bring their cybersecurity, data security problems to you rather than throw them over the wall way, way, way, way downstream after things have been coded. And so we want hiring managers to be influencers in their organization. And I think that that is really the very definition of a great chief information security officer ultimately, is that you are an influencer and people seek out your advice on matters of data protection, and system protection, and business enablement and all that stuff.

And so believe it or not, that is the lofty vision of the handbook. And we have some ideals that we say, to the extent that you can follow ideals, the more of them you can follow, the better you're going to be able to achieve your vision.

Jake Bernstein: Which is true. So, okay. So we're not going to force ... I mean, obviously we're not going to have everyone follow every ideal. But now that begs the question of what are the ideals and how did you come to them?

Kip Boyle: So when we first started writing the handbook, we were thinking about the work that information security people do, which is that we design and engineer systems. That's a lot of the work. And when we design and engineer security systems, we have principles of design and principles of engineering that we follow. And we've talked about these principles a lot on this podcast. There'd be things like defense in depth and diversity of defense. And you even opened up the whole show with a design principle, which is called an open design. So public key crypto and crypto algorithms should be open so that they can be tested and vetted, and that the strength of the encryption does not depend on the opacity of the design. Although, I will also say that obscurity can be a useful principle sometimes. But in any event. So we thought about principles and we said, you know what? Principles of hiring seems too rigid.

We just, in our own experience, felt like that if people couldn't follow a principle, that didn't mean that their hiring was dangerous, it just meant that they were working in circumstances that were less than optimal. So we transitioned to this concept of an ideal, and we encourage them like, you want to operate according to these ideals as much as you practically can. We also acknowledge in the handbook that that's not always possible, that sometimes you need to deviate from an ideal either in a particular situation, or sometimes just systemically there's just some things you can't do because you're part of a larger organization, and there's maybe policies or real limitations and guardrails based on who you are and what your business model is. And you're just not going to be able to do everything. And we didn't want people to feel like if they couldn't do everything, then there's no way they could achieve their vision, because that's just not the case.

Jake Bernstein: So I'm looking, now I now have found on my own, because it was not provided to me, the actual book, the link to the Netlify version of it. And your chapter titles are suspicious. I see five of them and they're all single words, foundation, preparation, execution, retention, departure. That sounds a little bit like identify, detect, protect, respond and recover. Was there some kind of cybersecurity framework idea going on here? Because if so, that just makes it even better.

Kip Boyle: Yeah, yeah, yeah, yeah. So I'm geeking out about that too. So yeah. And this cybersecurity framework is organized around this idea that incidents have life cycles. They have a beginning and they have an end. And yeah, we did that here too. We took that inspiration from that and we said, building teams also, there's a life cycle to your talent. You are going to find people who are talented, who are good fit. You're going to want to bring them on. But eventually for whatever reason, they'll leave. And maybe they'll come back or maybe they'll leave and they'll stay gone. But there's absolutely a life cycle approach here for the handbook.

Jake Bernstein: And something I'm confronting is that the best people, even if they stay, they change and they grow. And you want them to. Yep. And they're not going to be in the same position. I mean, the ultimate goal for me is to hire an associate who's going to become one of my partners someday. But as they change and they become a partner, our relationship changes and they do different things in the organization. But that's a good thing. But the same thing is true for all hiring, and I think that's a really good point. I mean, this is a great way of thinking about it. And I'm guessing that at least between retention and departure, sometimes you do retain them. But even if they are retained at the company, everyone is always going to depart a role. Someone who doesn't depart a role is [crosstalk]-

Kip Boyle: Even if it's just retirement. Even if it's just retirement.

Jake Bernstein: Yeah, or retirement. Even if it's just retirement. Exactly. So, no, this is really great. So, okay. So those are the kind of titles of the ideals one. I mean, give us an example of some of the ideals that are within these functions, Kip, of hiring.

Kip Boyle: Yeah, absolutely.

Jake Bernstein: Actually, that's what they are, isn't it?

Kip Boyle: Yeah.

Jake Bernstein: I mean, these are functions, right?

Kip Boyle: Yeah, they are functions. Yeah. And so one of the things, one of the first big corners that a hiring manager needs to turn is the idea that hiring isn't something you do in the way that you work a ticket. So when something breaks, somebody submits a ticket and then you fix it. So like, oh, this website's been hacked. Okay. So we have an incident, so we're going to respond and recover, and then we're going to close the ticket. So a lot of hiring managers in cybersecurity, and probably IT in general, kind of think of hiring as a break-fix function. What we are trying to say is, no, don't be so reactive. You want to take a life cycle approach to this. You should be thinking about hiring all the time, whether you have an open position or not.

Jake Bernstein: And to be fair, that's probably true of almost every hiring manager in most industries. I mean, certainly it's true of lawyers and looking at associates. I mean, you always have to be on the lookout. Even when you're not hiring, you have to be thinking about hiring, because you never know what's going to happen.

Kip Boyle: Yeah. That's right.

Jake Bernstein: I think one of the things that I want to just really drive home here is that this is part of cyber risk management, because what happens if your carefully created and crafted team loses someone? Suddenly your entire cyber risk management plan could fail, because you suddenly don't have one of the people that was integral to it. So this is a big deal.

Kip Boyle: It is a big deal. We talk about people, process, technology and policy. Well, this is the people part. And normally we talk about the people as in the folks on the frontline. We talk about the desk level people who are actually doing work. We talk about how can we get them to do work more securely? Now we're talking about the brain trust of the strategies.

Jake Bernstein: And just to clarify, when normally when we say people, we're not referring to the subset of people who are actually in the cybersecurity org. We're talking about, when we say it's your people on the front lines, we mean all of the workers, everyone with access to a machine. The workforce. The overall workforce. But it's important to differentiate the overall workforce from the cybersecurity workforce, which is always a subset. But obviously that's really quite important.

Kip Boyle: Super important. And so having said that, having told you that there's a big corner that people need to turn about thinking of this as not, I don't hire because something's broken and I want to fix it, I hire because there's a life cycle here and I have to accept the fact that eventually everybody leaves. So one of the first ideals, which is in the foundation function, is that we encourage hiring managers to treat hiring as one of the most important duties that they perform in support of their organization. And if you believe in that, then you can't take a break-fix mentality to it. You actually have to treat it as an ongoing issue.

Jake Bernstein: I completely agree. Okay. I think we've got time for one more example ideal, and then we'll have to wrap up this episode.

Kip Boyle: Yep. We can do that. And then I also want to say that the handbook not only tells you what you should be doing, but also it tells you how. How do you do that? How do you treat it as an ongoing function? Okay. So in the selection or execution function, there's an ideal in there that says hire in a way that builds relationships with candidates, even when the decision is to not hire someone.

Jake Bernstein: Interesting. Okay. So what you're saying here is don't burn bridges in the hiring process in either direction.

Kip Boyle: That's right. Don't treat candidates as cattle. Don't treat them as objects. Don't ghost them. Don't do all the awful things that we see. And remember, the genesis of this was me and Jason Dion helping people who want to get into cybersecurity. And what were we seeing? We are seeing people being treated like objects. We're seeing people being ghosted all the time. And these are awful behaviors on the part of employers. Now there's practical reasons why employers do this, and I get that. There's explanations. You can understand why they do it. What we are saying in the handbook is that's an awful thing to do. It's an awful practice. Because if you look at hiring as a break-fix, well, who cares? I just need a widget. I need a butt in a seat. But if you look at it as an ongoing function that you need to perform, then you should recoil in horror that people are having this experience because it kills your brand as an employer. It kills your reputation.

Jake Bernstein: It does. And that's what I was going to say, is that one thing to remember is it's bad enough to do that generally, I think it's even worse to do it to the subset of the population that might be looking for a cybersecurity job, because this is a population that is very tech ... I mean, almost by definition, this is a tech savvy, socially connected online type of community. And it is a community.

Kip Boyle: It is a community.

Jake Bernstein: If you burn people that you've chosen not to hire, you may have burned yourself for the long term.

Kip Boyle: That's right. Because maybe somebody's not a good fit for you now, but in the future they might be. And they certainly are going to talk. As you say, it's a community. They're all going to talk. They're going to be like, don't go to ABC Co because they are awful people, you get treated awfully in the hiring process. You can only imagine what it must be like to work there. And then they'll go talk to people who do work there or did work there and they'll compare notes. So you can't simultaneously treat hiring as an ongoing function. And at the same time, again, we don't think treat people as objects in the hiring process. It's counter cultural. It doesn't make sense. And the handbook talks about how you can avoid doing that. So that's another ideal. And it goes on from there. There's many ideals. I think there's like a dozen ideals sprinkled across the five ongoing functions. And the handbook talks about how do you do that? So the handbook is on GitHub. And you can read it on Netlify and I'm going to put the URL in the show notes. So, yep.

Jake Bernstein: Oh, and I see, I was supposed to say, thank you for not reading the URLs out loud just now, but I did that a long time ago.

Kip Boyle: You sure did.

Jake Bernstein: So I guess I will apologize for myself. Look, there's people who read those things out loud. It's not that bad.

Kip Boyle: Okay, look, as a guy who recorded his own audio book, my audio book was full of URLs. And after I got done recording that audio book, I was like, oh my goodness, that is painful for the person who says it and it's awful for the people who have to hear it. And so I've just, I became sensitized to it. But listen, as we wrap up, I want to tell folks that if you are a hiring manager, I want you please go check out the handbook. It costs you no money. And if you read it and you think it needs to be better, by golly, you have everything you need to make it better. You can submit a pull request and we will know right away how it could be better. You should use the handbook.

And if you want to go deeper, if you check out the handbook and you say, wow, I want to know more, I'm going to teach two classes coming up. The first class is going to be virtual. It's going to start on April 5th. And I'll put the registration URL in the show notes. And then the second class I'm going to teach is actually going to be in person, and that's going to be May 3rd and 4th. And hopefully that'll be in San Diego, Omicron and COVID permitting. So, yeah. So we're really going to go into this topic. It's not just a handbook. It's actually, we're going to teach this stuff and help people actually do the good things that the handbook says.

Jake Bernstein: That's excellent. All right. Well, go ahead. Let's wrap this up.

Kip Boyle: Okay. Thanks, everybody. That wraps up this episode of this Cyber Risk Management podcast, episode 102. Today we took a look at the Cybersecurity Hiring Manager's Handbook, which has been released as an open source project. And we want you to check it out. We'd love for you to contribute. Thanks for being here and we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.