Ask Chloé: Discrimination in Hiring Practices
Welcome to the Ask Chloé column on Security Boulevard! Each week, Chloé provides answers to readers’ questions to help guide them as they navigate the technology industry. This week, Chloé addresses the role bias and discrimination play in maintaining the cybersecurity skills gap.
Dear Chloé,
I keep hearing that there’s a cybersecurity skills gap and that there isn’t enough personnel. However, I’ve noticed we receive plenty of resumes, but hardly any of them go forward from the recruiter to the team. Sometimes the hiring manager gets the resumes, but doesn’t even schedule a call with the applicants. I’m wondering if I’m missing something here. Why is it so hard to find people to join our team? Hoping you can provide guidance on this front.
Thanks!
Joe the Analyst
Dear Joe the Analyst,
I’m glad that this question was asked. To be honest, more and more these days I’ve become aware that the hiring practices in our industry enforce discriminatory practices. I don’t think we actually have a cybersecurity skills gap, but rather terrible, biased processes in place that continue to fail so many people who would otherwise be asked to join companies, especially those trying to get their first job in InfoSec.
There are some hiring managers who are looking for certain certs and backgrounds on résumés. If the candidate doesn’t match them exactly, then the otherwise qualified applicant will be rejected. We also see this when recruiters use a company-provided checklist to match résumés against the job description and responsibilities. Now, obviously, you want to hire someone who is able to perform the job and handle the responsibilities! What I’m saying is that often, companies will hand off a list of the maximum requirements — everything they could ever want their ideal, unicorn candidate to have. But then, they’re unicorns for a reason. If an applicant doesn’t list one certain technology or use extremely specific terms, then recruiters will reject them, even if they are, say, 80% qualified. Sometimes it can be chalked up to the fact that recruiters don’t understand the minimum requirements of the role they are asked to fill and keep rejecting candidates who would be great. It is also a matter of volume. There are so many roles and so many applicants that most companies use automated résumé scanners that quickly reject qualified candidates.
I call this common hiring practice gatekeeping: companies routinely use these various strategies, and the strategies are based on beliefs (human biases rather than proven facts) that prevent valuable candidates from being considered seriously for roles. It’s gatekeeping because the use of these old-fashioned hiring practices serves only to qualify candidates who are more likely to have a privileged background, not to measure their actual skills and performance.
Technology Discrimination
The expectation that applicants must know everything and be fully trained on every single product related to the role before they start discriminates against candidates and dismisses their ability to learn new things. Most technology, such as Salesforce or Burp Suite, can be taught to new hires during onboarding. Dismissing applicants who don’t already have these skills often prevents those with different backgrounds from being considered. If the applicant is willing and able to roll up their sleeves and do their best to learn and increase their abilities, then that person deserves a shot at the role and the opportunity. Research has shown us that grit is the biggest factor that determines success in the workplace. It’s time we start listening to researchers instead of basing practices around beliefs!
Technical Discrimination
In InfoSec, no matter what the role, there are hiring managers who unnecessarily focus on technical skills for roles that don’t require them; for example, sales and marketing roles that want the applicant to be able to code. The verdict “not technical enough,” applied to a role that isn’t a technical role, has been used to exclude and discriminate against marginalized persons.
Degree and Certifications Discrimination
The requirement that one must have a college degree or an MBA often excludes highly qualified candidates who instead have real-world, on-the-job experience. An example is security researchers—those who are self-taught and/or hackers—who are rejected because they do not have formal education but who are perhaps some of the best bug bounty hunters on the market. It’s about the ability, not the paper. Not to mention that not everyone can afford to get a degree or a certification. Asking people to take out loans and earn a degree is not feasible or appropriate anymore, especially when there’s no guarantee it will land them a role. There are many people carrying more than $200,000 in college debt! Even if candidates do have education in the form of degrees and certs, it is most likely theory-based, not hands-on, and really doesn’t prepare most folks to become security practitioners. You know what does? Experience and skills. And no, it’s not about the number of years of experience, it’s just simple experience and ability.
If companies were actually serious about security, they would know that attackers themselves don’t usually have higher education and/or certs, and yet, they can take down a company armed with just their drive and curiosity. This is why degrees and certs aren’t necessarily an accurate measure of people’s suitability for security roles. It’s the person’s drive, grit and curiosity that makes them amazing at what they do.
Making higher education a requirement is another form of discrimination. When we’re hiring, we claim to look for the best person for the role, but by emphasizing certain factors that aren’t important, we aren’t actually doing that. Companies are trying to take shortcuts in hiring practices, and end up rejecting qualified candidates. This just perpetuates the systemic issues that support bad hiring practices and discrimination.
Side note: I don’t even want to get started on job postings that say, “Top school degrees are preferred.” That’s a huge red flag when it comes to DEI, but it’s also a bad security practice. Think about it—would you be more concerned about the attacker with an MIT degree or an attacker without a degree? Answer: You should be concerned with both.
Just Flat-Out Discrimination
If anyone uses the phrase “not a good culture fit,” you had better believe that discrimination is occurring. This term has historically been used to exclude marginalized persons who are otherwise qualified applicants, especially BIPOC or those with disabilities. Basically, whenever companies prioritize how the applicant will fit in their preexisting culture, it reinforces the status quo that supports systemic biases and issues and cedes advantages to cisgender white men.
Overall, these ongoing problems with hiring practices in InfoSec keep qualified candidates from joining organizations. They also continue to create unhealthy, biased environments for marginalized employees, and they keep the revolving door turning.
Time and time again, research shows that when companies work on taking actual DEI actions, they are more successful in capturing new markets, they deliver better products, are better at security and are better at ensuring their creations can reach wider markets.
Unfortunately, interviewing for many roles is still more about “Is this someone who looks, acts, talks like me? Is this someone I would want to hang out with after work?” If not, then many otherwise qualified candidates are rejected. Once again, that’s a bias that harms the entire InfoSec industry.
Learn more about the award-winning tech changemaker, Chloé Messdaghi, at https://www.chloemessdaghi.com.
Have a question? Want advice? Submit your anonymous question to Chloé: [email protected].