Traditional hiring practices often home in on white, male recruits with pricey cybersecurity certifications, to the extent that employers often dismiss or simply fail to consider many other candidates, speakers said. These approaches often impose additional obstacles for people of color and women wishing to join or progress in the field.
The exclusionary impact of these hiring strategies — whether accidental or intended — is both a moral problem and a national security one, said U.S. Rep. Lauren Underwood, D-Ill. Failing to bring in all available talent leaves the industry missing out on important ideas, and relying heavily on candidates with similar backgrounds makes cybersecurity teams less informed and less able to catch each other’s blind spots, because the teams can only draw on a narrow range of viewpoints and lived experiences, she said.
“Less diversity means more blind spots in our threat assessments and fewer creative ideas for solutions,” Underwood said. “Recruiting a diverse security workforce is not a side project. … It’s absolutely essential to the success of our security missions in the public and private sectors.”
The hiring practices that have led to a largely homogenous workforce have also failed to sate demand, with CyberSeek reporting that national demand for cybersecurity workers outstripped supply by 13,700 between April 2020 and March 2021.
“What we’ve been doing so far hasn’t been working,” said Lodrina Cherne, principal security advocate at Cybereason and digital forensics instructor at the SANS Institute.
Comparing 2019 Census data to 2021 cybersecurity employment reports, Aspen researchers found that Hispanic people comprised 19 percent of the population but only 4 percent of cybersecurity workers. Similarly, Black people were 13 percent of the population but only 9 percent of cybersecurity workers, and women comprised 51 percent of the population but only 24 percent of the cybersecurity workforce.
Many firms pledged more inclusive and equitable practices in the wake of George Floyd’s killing last year, but few promises have turned into measurable progress, said Aspen Institute Executive Director Vivian Schiller.
Real change requires outlining specific steps to be taken, setting clear metrics for assessing progress and attaching rewards or consequences to those results, researchers said. Organizations could assess progress on diversity, equity and inclusion (DEI) initiatives during performance reviews, for example, the report stated, while Mai Sistla, deputy director of the Aspen Tech Policy Hub and co-lead author on the report, proposed an independent website to track and rank firms against DEI metrics, thus exposing them to public scrutiny.
INCLUSIVE RECRUITING
Hiring underrepresented talent is only possible if organizations can first ensure that they have a diverse pool of applicants to consider. The report urges employers to take concrete actions, such as keeping job postings open until a certain number of non-white or non-male job seekers apply, or committing to interviewing a certain number of such applicants before deciding.
Employers who continually mine the same recruitment sources that gave them a mostly white, male staff are also unlikely to diversify if they stick by those methods.
As such, the report cautioned against using employee referrals in hiring, and Ron Ford, cybersecurity adviser at the Cybersecurity and Infrastructure Security Agency (CISA), said employers cannot just direct career fairs and recruitment efforts at predominately white institutions but must also reach out to historically Black colleges and universities and other institutions that serve significant minority populations.
UNNECESSARY CRITERIA
Hiring professionals can unwittingly block out candidates by over-valuing certain criteria, the report noted. Entry-level jobs often come with requirements that applicants hold cybersecurity certificates, but this isn’t realistic for everyone. This can exclude those who cannot afford the expensive programs at the start of their careers and who may have other ways of demonstrating talent and building up skills.
“When you have limited yourself to only candidates that maintain certifications, you are closing the door for a number of other reasons, including financial limitations, background limitations, or people who aren’t good test takers,” said Camille Stewart, global head of product security strategy at Google and co-founder of the #ShareTheMicInCyber campaign to amplify Black voices in cybersecurity.
Apprenticeship programs and other offerings can present less expensive alternate pathways, for example, and organizations should consider sponsoring certifications for some candidates, the report said.
Background checks are another concern, with the report noting that past involvement in the criminal justice system may have little relevance or bearing on candidates’ abilities to perform the jobs well and can adversely impact some demographics more than others due to systemic biases. The report advised reassessing whether refusal to hire applicants on that basis alone is necessary or fair.
“There’s an incredibly high percentage of people who have criminal records because of minor infractions or felonies, and that really limits the career path or even the life path,” said Ford. “I think employers should be able to consider [background checks] but it shouldn’t be the end-all, be-all. For someone trying to just get an entry-level job and just get reacclimated to society … if that’s the one thing that will keep [employers] from hiring someone, it’s an existential issue. At least give them a chance to be interviewed for the position.”
ENCOURAGING APPLICATIONS, RETAINING HIRES
Employers also need to craft descriptions to avoid unnecessary jargon, thus making it easier for job seekers to recognize positions that match their skill sets, and the report called for creating a team of pro bono experts to assist. Meha Ahluwalia, program coordinator for the Aspen Tech Policy Hub and co-lead author on the report, said the NICE Cybersecurity Workforce Framework provides a good starting point for such efforts.
Helping underrepresented groups envision themselves in the cybersecurity field also needs to start young. The report recommended efforts to show middle and high school students that professionals who look like them have a place in cybersecurity.
Mentorship programs can also help retain professionals once hired, and the report recommended consulting with underrepresented candidates to understand the kinds of supports that would be most meaningful.
The report draws in part on roundtable discussions that the Aspen Institute held in October 2020 and February 2021, where members spoke with cybersecurity professionals of different ages and career stages and with representatives from groups such as academia, journalism, government and big tech, said Ahluwalia.