People searching for work in infosec often find companies with an unreasonably long list of requirements, even for entry-level positions, but writing inclusive job descriptions can help attract more diverse candidates.
While hiring managers focus on trying to find the perfect employee, they may be missing out on potential candidates who don't have all the required skills but could grow into the position, or who lack a traditional infosec background but would bring a fresh perspective to the job.
Jules Okafor, CEO and founder of RevolutionCyber, a security awareness and training firm based in Annapolis, Md., said cybersecurity job listings make people feel like they can't contribute if they haven't been in the industry for three to five years.
"Cybersecurity listings exist in isolation from the rest of the world," Okafor said. "Hiring for other tech or software jobs has migrated to personality tests, scenario-based, experiential interview and hiring practices. Why haven't we? Why are we not hiring for the value of the whole person yet?"
Because of the way infosec job descriptions are written, the onus is put on job seekers -- some of whom are right out of school -- to know whether it is OK to apply even if they don't meet all of the listed requirements. Writing inclusive job descriptions can help avoid situations where candidates self-select out of opportunities because they believe they aren't qualified.
Tia Hopkins, vice president of global solutions engineering at eSentire, a threat detection and response vendor based in Waterloo, Ont., said she has seen self-selection happen with her mentees entering the cybersecurity field. Job listings are often unclear about required skills or omit information about training and educational opportunities to learn new skills.
Some job listings simply contain too many requirements, she added.
"A common theme among entry-level job seekers is that many self-select themselves out of an opportunity simply due to the list of requirements," Hopkins said. "What's more surprising is that a number of them self-select out of an opportunity even if they possess most, but not all, of the 'required' skills."
New recruits will certainly learn on the job, but job descriptions rarely mention which skills can be acquired and which are absolutely necessary for viable candidates.
Camille Stewart, fellow at New America, a think tank based in Washington, D.C., said the cybersecurity industry also focuses too much on degree and certificate requirements demonstrating technical skills that can be taught on the job.
"By identifying the skills needed and offering training to bridge technical gaps, more diverse applicants will be eligible," Stewart said. "Our focus on recruiting from our networks and at certain schools limits access to diverse candidates."
How hiring managers can find diverse candidates
Writing inclusive job descriptions isn't just a way to widen the potential candidate pool, but a way to attract more diverse candidates.
Katie Dunn, director of career services at Momentum Learning Inc., a software developer training firm based in Durham, N.C., said cybersecurity employers need to be creative about requirements and where they find candidates.
"We know that about 80% of jobs are won through networking, so recruiters who cultivate networks outside of the typical channels are likely to find more diverse candidates," Dunn said.
Dunn suggested getting involved with organizations supporting diverse technical talent, including National Society of Black Engineers, Society of Hispanic Professional Engineers and Women in Technology International. Job boards like PowerToFly, Black Career Network and BlackJobs.com can also help find potential job candidates.
Beyond developing inclusive job listings, hiring managers should also consider that infosec positions are not always as scientific and technological as one might think.
Okafor noted that cybersecurity is just as much art as it is science, but infosec hiring tests are typically designed only to find scientists. She suggested a better way to hire would be to "let people connect with the work."
"Describe the average day, describe the personality or energy of the person you are seeking to hire," Okafor said. "Have candidates discuss their projects and discuss the ways people are continuously learning or keeping up with their industry."
Soft skills are rarely mentioned in job listings, but they can often be the most important. Alyssa Miller, hacker and security advocate, said on Twitter that communication is one of the most lacking skills in the infosec field.
"Empathetic communication. Seriously. I realize you're probably looking for a tech skill, but being able to understand the motivations of the people you're talking to and use language that connects with them is a crucial skill that too many #infosec people are lacking." — Alyssa Miller (Speaking at Hacker Halted) (@AlyssaM_InfoSec), September 6, 2020
Hiring managers also need to be careful about conflicting requirements. Hopkins said she had seen listings that sought someone with one to two years of experience but also required a CISSP, despite that certification requiring five years of industry experience for endorsement.
Although hiring managers may think a longer list of requirements will attract top talent, Hopkins said that strategy can backfire.
"While including a long list of requirements can deter unqualified candidates, those requirements can also deter qualified candidates capable of bringing tremendous value to an organization," Hopkins said. "Job postings crafted with realistic and relevant requirements increase the odds of more qualified candidates applying for the role."