There are few things that cause the computer security industry more concern than the need to avoid “false negatives”. While no product or technology is a silver bullet for preventing every single genuine threat, we go to great lengths to provide comprehensive, ever-improving detection and protection – and to have this reflected in competent, independent tests. And yet, there is a huge number of systemic false negatives happening in our efforts to populate security positions.
While the detection of hazardous threats is necessarily different from the detection of a target with positive attributes like interested students or qualified applicants to meet the massive shortfall in finding cybersecurity professionals, the failure to detect is similarly causing problematic results.
Locks on the schoolhouse doors
We discussed in 2014 that very few kids are getting computer-related education in grades K-12 in the US. While things have certainly improved in the past few years, there is still a long way to go until digital literacy standards are addressed in all US states, or until computer science (CS) classes are offered in all schools. And at this point, many schools treat CS as an elective rather than as a valid science or math class credit.
Students who are not offered computer-related classes before college are less likely to go on to choose a CS undergraduate degree, as many of these students will feel that they’re having to play catch-up to students who’ve been steeping in computer-related concepts since they were young. Whatever you think of the utility of college degrees as preparation for a career in computer security, many companies do still require a four-year CS degree, even for an entry-level position. Many people find getting that crucial first job prohibitively difficult without those credentials.
Many students may not even be aware of the possibility of a career in cybersecurity, due to lack of exposure to computer-related education. Due to a fluke of geography, those children who’ve grown up in under-funded school districts, rural districts, or those that are lagging behind on digital literacy standards are effectively being excluded from these important and fulfilling career opportunities.
Training, higher education and credentials
If you’ve gone through the process of getting a degree or security certification, it’ll be no surprise that this is hard work that is often time consuming and expensive, especially if you’re underemployed or underpaid. It’s often well worth the effort, and will pay for itself in time. That fact may be irrelevant if you don’t have the time or funds to begin with. And for people of color or those unable to relocate to a city that’s a major tech center, it’s far more likely that this gamble will not pay off.
If you talk to either recent graduates or people hiring for entry-level positions, you’re likely to hear that both groups find four-year degrees are often a mismatch for the specific needs of a position in the industry. With the blinding pace of change in tech in general – and security specifically – this either means that CS degrees need to focus more on the meta-concepts of computer science rather than specific programming languages or security threats, or that job-related training needs to be carried out by other types of organizations that can adapt curriculum more quickly. A lack of clarity on the specific skills and steps needed to be successful in acquiring a security job certainly makes solving this much more challenging.
Recruiting, interviewing and hiring
By the time we begin recruiting, a large number of potentially interested and interesting candidates have already been scooped out of the pool and discarded unnecessarily. And yet, the recruiting, interviewing and hiring process is where the nonsensical hurdles get truly creative.
This excessive weeding tends to happen because most people involved in the hiring process view their task as weeding out “unsuitable” candidates rather than uncovering “hidden gems”. As such, many organizations will create as many impediments as possible, regardless of whether these obstacles actually have anything to do with a candidate being truly qualified.
As competition for available security talent is fierce, and many of the candidates approached by recruiters may already be employed, it’s equally important to sell potential applicants on why they might wish to join your organization. Keep in mind that the more unrelated your hurdles are to the performance of necessary duties, the more likely you are to scare off candidates who understand what the job actually entails.
What can we do?
Changes we make within our own organization are in some ways the simplest. But they can also be more challenging, as situations we’re in the middle of can become so mundane that they escape notice. The more honest and neutral you can be about existing procedures, the better the odds that you can make a positive impact.
Here are some things to consider, for removing irrelevant obstacles in the hiring process:
-
Job listings
There has been a lot of discussion about choice of wording in job listings, focusing on “gendered language”. Whether or not these word choices are actually reflective of gender preferences, they do focus on people who value competitiveness and hierarchy over cooperation and community. My colleague Stephen Cobb has discussed the problems with relying only on the risk assessment of just a small segment of the population who reflect these traits. It’s also important to keep your skill requirements simple and accurate; someone who has experience will likely view overinflated requirements as a sign that employers may be overly demanding.
Consider how different groups will view your ad. Are sites where candidates input information reasonably secure and usable? Can you use a font that’s clearer for people with dyslexia? Is all necessary information clearly readable for people with color blindness? Is text accessible to screen readers? Do you use idioms that could trip up non-native speakers? Could your choice of words have an unintended meaning if read literally by neurodivergent individuals?
-
Choice of ad placement
Are you placing job ads only on a few major sites? Or are you approaching people on sites that focus on specific, underserved groups? Rather than requiring that the best candidates come to you, find out where there’s a wider variety of candidates and meet them where they are.
-
Listen to candidates
Another important way to sell your organization to candidates is to grant reasonable requests in terms of communications. Do they prefer to communicate via email or phone? Do they need a little more explanation about the position before submitting their résumé? If you enable your candidates to get to know your needs a little better and make the best showing of their fitness for the job, you’ll get a clearer view of their capabilities and what they could bring to the position.
-
Interviews should not be a slog
Be considerate of your interviewee’s time and energy; sitting through interviews should not be as taxing as running a marathon. Try to organize things in a way that works, within reason, with your candidate’s schedule, ability, and stamina. People don’t tend to perform at a representative level when they are especially exhausted, anxious and stressed out.
-
Standardize interview questions
It can be very difficult to give everyone an even chance if you’re not asking everyone the same questions. A panel of interested parties should determine beforehand a selection of appropriate questions, and interviewers should stick to that list. Notes should be taken on the answers given, and a review should occur shortly afterwards.
You can also help improve your future hiring options by partnering with organizations that help educate kids about computer-related topics, or those that focus on helping under-represented groups prepare for careers in cybersecurity or technology. There is a truly astounding number of great organizations out there; here is a sampling of a few such groups:
Women’s Society of Cyberjutsu (WSC)
International Consortium of Minority Cybersecurity Professionals (ICMCP)
CompTIA’s Advancing Diversity in Technology community
Latinos in Information Sciences and Technology Association (LISTA)
Society for Advancement of Chicanos/Hispanics and Native Americans in Science (SACNAS)
I’ll be talking in more depth about this topic in my presentation at this year’s Virus Bulletin conference in Montreal, if you would like to hear more about ways in which to decrease our blind spots within the hiring process. Please feel free to share your favorite Diversity in Tech organizations in the comments!
