Cybersecurity has a diversity problem. We suffer from a lack of representation in the industry from women and ethnic minorities. This seems odd given the industry has another long-running challenge: the skills shortage. It doesn’t take much to join the dots and take major strides to solving both of these issues. Yet, hiring practices and how we think about roles are a stubborn barrier to progress.
We simply don’t have enough talent to go around in the industry. But we can help to address this by thinking differently about recruitment and where to look for much-needed talent. Diversity can help to address the skills crisis, which will let organizations address cybersecurity more effectively and transform themselves into more desirable places to work. Here are three ways hiring managers can foster real change:
- Shake up how we talk about our job roles.
Cybersecurity can often appear like a black box to the unseasoned observer. Part of that stems from unnecessary jargon and obtuse job descriptions. Some candidates will no doubt take one look at the role and run a mile. It all feels like there’s a lot of industry lexicon, creating a perception that the job seeker needs a special handshake to get into the field. This does nobody any favors. Job descriptions can also call out a whole list of desired skills, which could intimidate anyone no matter how appealing the job or how qualified they are.
This kind of jargon also creeps into job advertisements and may well end up deterring prospective candidates from applying. Employers need to think differently about how they describe security roles, so they appeal and resonate with women and those from minority backgrounds. They can leverage tools such as Textio to monitor tone and gender bias while writing job descriptions. Organizations can also use blind assessments or panel interviews to filter out bias at interview stage.
- Don’t obsess over skills, experience, and certifications.
It’s not just the language that can seem exclusive, it’s also the skills requirements. Hiring managers haven’t been very flexible over their requirements for certification, accreditations, college degrees, and work experience which they believe certain roles demand. It has not served the industry well. There’s a growing realization today that we need to widen the pool of potential applicants by relaxing these requirements.
But it’s not about letting standards slip. It’s about recognizing that people can learn some skills on the job. Certifications can serve a real purpose, and especially when cyber was a “new” domain, they were often used to reflect a degree of knowledge in this emerging space. But over the years, infosec certs have been somewhat diluted and are used too often as a “checkbox” way to pre-qualify candidates. This “expected by default” mentality can exclude people without certs who may actually have stronger overall credentials.
We also need to understand that diverse candidates, working in adjacent sectors, may bring skills to the table that can’t be easily taught, but are just as valuable as a set of letters after their name. Of course, people need to have technology acumen. But in many roles, so too are problem-solving, communication, and strategic thinking and planning. Candidates with a background in risk management, business analysis, sales, project management, marketing and communication could all boast these transferable skills.
A candidate may also have years of experience in similar roles, but no university degree, and for that, they fail to make the grade. We have removed this as a default prerequisite for jobs at HP, while for others we specify a desire for “a degree or equivalent experience.” Others are often turned down because they are in mid-to-late career. That’s a wasted opportunity. Just think about the number of women who struggle to restart their careers after having a child. Some may have taken that time to reassess what they want and relish the challenge of a fresh start in cyber.
Hiring managers need to broaden their horizons to people with a wider variety of experience levels, those without traditional degrees and industry accreditations, and candidates who currently don’t currently work in the industry.
- Build a pipeline of diverse talent.
Finally, think more carefully about the future. Where will the next generation of diverse workers come from? By proactively engaging with grassroots organizations and academic institutions, companies can take control of their own destiny, by nurturing a diverse pipeline of future talent.
For example, we now have initiatives with HBCUs, and organizations such as Black Girls Code, Boys and Girls Clubs of America, and minority-owned suppliers. This creates new opportunities for diverse talent and help us find future stars in cybersecurity.
Look for talent
Many commentators have warned that the Great Resignation spells potential trouble for the cybersecurity industry, in that it may lead to an exodus of skilled professionals the sector can barely afford. Turn this on its head, though, and that same volatility in the jobs market may serve as a boon for hiring managers. The job market has become flooded with professionals looking to change careers, employers just need to find the right way to reach them.
We need to make driving greater diversity in the cyber workplace an intrinsic part of what we do. It won’t just help to fill vacant positions. A more diverse team will boast a richer set of skills for CISOs and senior managers.
And that’s great news for security teams.
Joanna Burkey, chief information security officer, HP, Inc.
