Do you have any tips on how an org can encourage a more diverse candidate pool for a senior and specialized infosec position? We are located in a mid-sized city and we want to do a better job at reaching a good cross-section of candidates.
Dear Hiring Today,
It’s quite commendable that you want to do this. I won’t even address or approve comments from trolls about your overall purpose. Diverse backgrounds build better security and better tech, period.
Two thoughts come to mind. First of all, I can’t see your posting. One simple tactic for reaching a diverse pool of candidates is ensuring that your posting makes it to a wide set of hiring networks and industry groups. That means traditional networks like job sites and also social media, professional and academic groups, and conference hiring channels.
To make a job appeal to a wide group of people, try to remove gatekeepy, artificial barriers such as working in the office, strict work hours, a portfolio of public conference talks or code contributions, and specific degrees or certifications as a hard job requirement. None of these things are necessary to be an excellent and knowledgeable infosec person. If you’re using them as a crutch to boost performance, I recommend looking at your interview skills or management techniques. Make sure that your language is clear, concise, and free of gendered language or sub-cultural gimmicks that won’t translate correctly to every candidate. Try to think of 3 friends or family members who have very different backgrounds, hobbies, and interests than you and consider if the posting would appeal to them or confuse them.
My second thought is more complex. We talk endlessly about the “cybersecurity skills shortage” and what that really means. In general, the consensus of people who are actually training people in the industry tends to be that there are plenty of junior infosec people hungry to get into the field or progress up the ranks, but companies perpetually hire only for senior and extremely technically specialized roles. In those senior ranks, there is a shortage of experts. So pundits proselytize about there not being anyone to hire, when in fact they should simply be training and promoting the slew of great junior people.
Of course, that’s easier said than done. Training an infosec person from the ground up requires a substantial investment of time and money. It is also very likely that that person will ultimately leave for a new job when they become senior. So, to leaders it can seem pointless to make the investment. This is clearly short-sighted because multiple companies building up more people as a whole means a wider candidate pool across the industry. There are still too few companies who see the big picture. Smaller and less-resourced organizations may simply not be able to do it at all.
Here’s the unfortunate truth – let’s look at malware reversing as an unscientific example. When I search LinkedIn for GREMs in Chicagoland, I get about 50 results. I am one of them, and I know about 20 personally. Of the profiles I can view, 4 present as women, including me. If you’re hoping to locally hire, say, a woman as a malware analyst, and you’re demanding a GREM as part of the job requirement, your talent pool is about 4 people. I don’t even do that work as my full-time job. You’ve made a really gatekeepy job requirement and dropped it into an already small senior talent pool.
Conversely, though, there are lots of great junior minority candidates who would love to learn reversing. Maybe they just haven’t had the opportunity to take a couple courses on it and get a certification. Maybe they can’t afford a license for software or tools. This stuff corporations take for granted is often prohibitively expensive for individuals. You could help grow the cybersecurity talent pool by making students into SOC analysts, SOC analysts into malware analysts. It benefits everybody, both in skills and economically.
So, to recap, my advice is two-fold. Firstly, consider if you’re artificially gatekeeping in your job postings and eliminating good candidates. Secondly, consider that the pool of senior talent, particularly senior diverse talent, is relatively tiny (and maybe a bit inbred on ourselves, if I take an unhappy peek at my own research groups!). If we really want to get to the root of the problem of diversity in tech, we have to bite the bullet and start actually investing in junior diverse talent. Not just paying lip service, not just “mentoring”, but putting money where your mouth is and enabling people to climb the career ladder.