How to improve hiring practices for cybersecurity professionals

There are few things that cause the computer security industry more concern than the need to avoid “false negatives”. While no product or technology is a silver bullet for preventing every single genuine threat, we go to great lengths to provide comprehensive, ever-improving detection and protection – and to have this reflected in competent, independent tests. And yet, there is a huge number of systemic false negatives happening in our efforts to populate security positions.

We discussed in 2014 that very few kids are getting computer-related education in grades K-12 in the US. While things have certainly improved in the past few years, there is still a long way to go until digital literacy standards are addressed in all US states, or until computer science (CS) classes are offered in all schools.

And at this point, many schools treat CS as an elective rather than as a valid science or math class credit.

Students who are not offered computer-related classes before college are less likely to go on to choose a CS undergraduate degree, as many of these students will feel that they’re having to play catch-up to students who’ve been steeping in computer-related concepts since they were young. Whatever you think of the utility of college degrees as preparation for a career in computer security, many companies do still require a four-year CS degree, even for an entry-level position. Many people find getting that crucial first job prohibitively difficult without those credentials.

Many students may not even be aware of the possibility of a career in cybersecurity, due to lack of exposure to computer-related education. Due to a fluke of geography, those children who’ve grown up in under-funded school districts, rural districts, or those that are lagging behind on digital literacy standards are effectively being excluded from these important and fulfilling career opportunities.

Training, higher education and credentials

If you’ve gone through the process of getting a degree or security certification, it’ll be no surprise that this is hard work that is often time consuming and expensive, especially if you’re underemployed or underpaid. It’s often well worth the effort, and will pay for itself in time. That fact may be irrelevant if you don’t have the time or funds to begin with. And for people of color or those unable to relocate to a city that’s a major tech center, it’s far more likely that this gamble will not pay off.

If you talk to either recent graduates or people hiring for entry-level positions, you’re likely to hear that both groups find four-year degrees are often a mismatch for the specific needs of a position in the industry. With the blinding pace of change in tech in general – and security specifically – this either means that CS degrees need to focus more on the meta-concepts of computer science rather than specific programming languages or security threats, or that job-related training needs to be carried out by other types of organizations that can adapt curriculum more quickly. A lack of clarity on the specific skills and steps needed to be successful in acquiring a security job certainly makes solving this much more challenging.

Recruiting, interviewing and hiring

This excessive weeding tends to happen because most people involved in the hiring process view their task as weeding out “unsuitable” candidates rather than uncovering “hidden gems”. As such, many organizations will create as many impediments as possible, regardless of whether these obstacles actually have anything to do with a candidate being truly qualified.

As competition for available security talent is fierce, and many of the candidates approached by recruiters may already be employed, it’s equally important to sell potential applicants on why they might wish to join your organization. Keep in mind that the more unrelated your hurdles are to the performance of necessary duties, the more likely you are to scare off candidates who understand what the job actually entails.

What can we do?

There has been a lot of discussion about choice of wording in job listings, focusing on “gendered language”. Whether or not these word choices are actually reflective of gender preferences, they do focus on people who value competitiveness and hierarchy over cooperation and community. My colleague Stephen Cobb has discussed the problems with relying only on the risk assessment of just a small segment of the population who reflect these traits. It’s also important to keep your skill requirements simple and accurate; someone who has experience will likely view overinflated requirements as a sign that employers may be overly demanding.

Consider how different groups will view your ad. Are sites where candidates input information reasonably secure and usable? Can you use a font that’s clearer for people with dyslexia? Is all necessary information clearly readable for people with color blindness? Is text accessible to screen readers? Do you use idioms that could trip up non-native speakers? Could your choice of words have an unintended meaning if read literally by neurodivergent individuals?

Another important way to sell your organization to candidates is to grant reasonable requests in terms of communications. Do they prefer to communicate via email or phone? Do they need a little more explanation about the position before submitting their résumé? If you enable your candidates to get to know your needs a little better and make the best showing of their fitness for the job, you’ll get a clearer view of their capabilities and what they could bring to the position.

Be considerate of your interviewee’s time and energy; sitting through interviews should not be as taxing as running a marathon. Try to organize things in a way that works, within reason, with your candidate’s schedule, ability, and stamina. People don’t tend to perform at a representative level when they are especially exhausted, anxious and stressed out.

You can also help improve your future hiring options by partnering with organizations that help educate kids about computer-related topics, or those that focus on helping under-represented groups prepare for careers in cybersecurity or technology. There is a truly astounding number of great organizations out there; here is a sampling of a few such groups: