COMMENTARY: While the cybersecurity industry has grown more aware of its lack of diversity, we still have a long way to go to create meaningful change. For example, despite making up half the population, women account for an estimated 20% – 25% of the cybersecurity workforce. If we look at racial and ethnic diversity, studies find that only 11% of security practitioners are Black, 8% are Asian, and 12.6% are Hispanic.
Having a diverse employee base isn’t just important from a diversity, equity, and inclusion (DEI) perspective. It can actually help increase a security team’s effectiveness, allowing practitioners to evaluate a threat from multiple perspectives and explore new problem-solving strategies based on their unique lived experiences.
If security teams want to change the status quo and reach a wider range of diverse cybersecurity candidates, hiring managers must re-think their existing recruitment practices. Here are five tips hiring managers can use to attract and retain more diverse cyber talent:
- Identify the organization’s greatest diversity gaps. First, the organization needs to understand where it’s starting from. How does today’s employee base break down by gender, age, accessibility, ethnicity, and race? Are diverse employees being hired across all levels of the company and promoted fairly alongside their colleagues? How long do diverse employees remain at the company? All of these factors can help managers understand where the greatest opportunities for improved diversity lie.
- Strive for an inclusive recruitment process. Many diverse professionals fall through the cracks because of organizations' biased and non-inclusive recruitment practices. Does the company use blind hiring so that decisions are based only on an applicant's qualifications? Do managers use panel interviews with diverse interviewers from across the organization to reduce individual bias in decision making? These methods offer checks and balances that give every qualified candidate a fair chance to secure the job.
- Make sure the job requirements match the title. Next, it's important to make sure the job's requirements have been right-sized to fit the level of experience the company actually wants to hire. For example, some companies post an entry-level role but ask that candidates hold the CISSP, a certification that itself requires years of paid security experience, or other advanced qualifications. This excludes many junior-level candidates who are qualified and excited to grow their skills but who haven't yet had access to that level of training or experience.
- Market job listings through organizations that attract diverse candidates. Hiring managers also need to consider where they're finding candidates. Minority-serving institutions such as Historically Black Colleges and Universities (HBCUs), Hispanic Serving Institutions (HSIs) and Tribal Colleges and Universities (TCUs), along with their alumni networks, are excellent resources for reaching a diverse talent pool. Also look to establish relationships with dedicated professional organizations like Women4Cyber, Cyversity, the Ethnic Minority in Cyber Network, and WiCyS.
- Consider candidates without college degrees. Finally, don’t be afraid to look at candidates who don’t have a college degree. Many core IT and security skills can be obtained through experience in previous technical or non-technical roles or learned on the job. By judging potential employees based on their proven skills rather than their degree status, employers can pull from a deeper talent pool to find the best fit for the job.
Of course, recruiting diverse cyber talent is just the first step. Once a manager finds the right person for the role and hires them, they need to create an environment that encourages them to stay.
As part of an initial audit of the existing workforce, companies should conduct a pay equity review to ensure employees are paid fairly for the work they do. Next, scrutinize the organization's structure and employee policies and ask how flexibly they accommodate varying lifestyles and employee needs.
Does the company offer paid family leave for all employees—regardless of their gender, partnership status, or how their family was created? Is there a built-in framework to encourage good mental health and accommodate employees who need more flexibility in their working hours? A comprehensive benefits plan that supports employees inside and outside the office goes a long way toward retaining workers for the long haul.
Finally, DEI programs work best when they are continuous and proactive, not a one-and-done exercise. By investing in internal training and education, companies can better maintain an inclusive environment that ensures employees of all backgrounds have the resources they need to thrive.
Dwan Jones, director of diversity, equity and inclusion, ISC2
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.