Recruiting female cyber pros: Are your hiring practices under-qualified?

Author Bradley Barth - Published September 20, 2021 by SC Media

The Paepcke Auditorium at the Aspen Institute in Colorado. The Aspen Institute recently revealed a series of expert recommendations for promoting diversity efforts in the cyber industry, including how to improve recruitment and hiring. (Bluerasberry, CC BY-SA 4.0 https://creativecommons.org/licenses/by-sa/4.0, via Wikimedia Commons)

Another time, another company, another circumstance, and Oryan De Paz might not have landed the cyber job that she relishes today.

Seeking employment at Symantec, De Paz struggled with a timed, take-home technical screening test, despite appearing to understand her assignment beforehand. Sensing that nerves may have gotten the best of her, Omer Yair, endpoint team lead at Symantec (and formerly Javelin Networks before its acquisition), contacted De Paz and suggested that she retake the test over a weekend, with no timed element.

“He told me that he could tell from our phone calls that I knew what needed to be done, but my final result wasn’t reflecting it, and just revealed my stress,” said De Paz, now a researcher and developer at the company, in a panel session at the 2021 Black Hat conference. “Without the second chance, I'll probably won't be here today.”

De Paz was ultimately hired because of various policies that Javelin instituted several years ago, with the goal of recruiting and retaining employees for the long term, while also increasing the number of women working within the company’s walls. One of these policies involves calling candidates before the screening test and monitoring their progress to ensure that their performance is not unduly influenced by stress.

This is but one example of how the cybersecurity industry can rethink the way recruitment and hiring is conducted in order to introduce more women into the fold. Female infosec professionals bring with them their own diversity of thought that can being new perspectives and skills to the table — but to take advantage, employers may want to consider changing what qualifications they look for, how they write job descriptions, how they interview and test potential talent, and more.

Recruiting a diverse cybersecurity workforce is not a side project. It’s not a ‘nice to have.’ We know it's absolutely essential to the success of our security missions in the public and private sectors, and expansive and growing scientific literature has documented the many ways that diverse teams of all kinds, outperform homogenous ones,” said Rep. Lauren Underwood, D-Ill., speaking at a recent webinar hosted by the Aspen Institute. “We need our best and brightest minds tackling the challenges ahead of us, working across sectors and disciplines.”

Job descriptions

Job descriptions on employment platforms are one area that companies sometimes go wrong. Too often businesses are looking for the perfect employee with virtually impossible credentials. According to experts, employers must set reasonable expectations for experience and technical knowhow, while also leaving room for softer skill sets like leadership and dedication. And rather than looking for an endless list of idealistic attributes, they should hire for what they actually need.

Determined to improve diversity, equity and inclusion in cybersecurity, the Aspen Institute recently invited infosec professionals representing a spectrum of viewpoints and disciplines to create a series of recommendations — released just this month in a formal report — to promote DEI efforts in the industry, including how to improve recruitment and hiring.

To that end, the advisory group has proposed that the industry convene a group of pro bono experts who can help cyber employers write better job descriptions that eschew alienating tech jargon and focus more on the traits that the company needs most, including hard and soft skills.

One company that believes it’s helping level the playing field in this regard is CyberSN, a cybersecurity staffing firm that last August unveiled its new Deep Job Platform, an online career marketplace that connects infosec professionals to more than 53,000 cyber jobs and helps match them to the ones that fits their capabilities best.

Click here for full coverage of the 2021 SC Media Women in IT Security

To counteract the inconsistency with which different employers often describe career opportunities, CyberSN leverages an established “job taxonomy” that organizes jobs into 10 categories and 45 functional roles, based on their most common tasks and responsibilities. Applicants can create an anonymous profile that can be matched to relevant positions — and employers can then judge whether the candidate would likely be qualified for and interested in the job based on how well their past experience lines up.

Using this platform, there’s no more demanding three years of, say, Python scripting experience, if that’s not needed for the vacant role. “Job descriptions can't be a profile of a person. They literally have to be a job description, said CyberSN CEO Diedre Diamond. “Because when they're a job description, they’re literally the tasks and the projects that one needs completed.”

Indeed, “it would be helpful for job descriptions to be more streamlined so that the skills that are crucial to the position are highlighted and clearly delineated from those that are merely ‘desired’ or ‘ideal,’” concurred Mary Moore, assistant professor of computer information systems at Potomac State College, and a member of the organization Women in Cybersecurity (WiCyS).

But that’s not the only fix needed. Problematic job descriptions sometimes also want experience that would be impossible for many candidates, especially women who trying to get their foot in the door.

“Hiring managers should make sure job descriptions reflect the level of employment. For example, a job that is listed as entry-level should not require years of experience,” Moore continued. “It's also important to be aware of the technologies listed and to make sure that there are no discrepancies between the number of years of experience required and the number of years the technology has existed. It is not uncommon to see positions advertised that require a given number of years’ experience that is greater than the number of years that a given technology has been in existence.”

“Even in recruiting for senior roles, the job posting frequently is disconnected from required critical skills and expectations for the job,” added fellow WiCyS member Karen Worstell, senior cybersecurity strategy at VMware.

Certifications is in particular one hot area of debate when it comes to job descriptions and their requisite qualifications. Some argue employers place too great of an emphasis on formal education, degrees and credentialing, which discounts many promising and suitable women and minority candidates who lack exposure to cyber academic programs or don’t have the funds to pursue multiple industry certifications.

"It’s a non-starter for an entry-level cyber position to require a CISSP… yet we see it all the time,” said Worstell.

“A huge barrier of entry into the cybersecurity field is that most jobs require expensive certifications that are hard to obtain,” said Meha Ahluwalia, program coordinator at the Aspen Tech Policy Hub. “With more time and support, the cybersecurity field should investigate whether its certifications are even a necessary requirement at all and if they're an effective gauge of a candidate’s ability to perform a cybersecurity job.”

Indeed, this is another of the Aspen Institute report’s recommendations. After all, there are other ways to gain knowhow and experience, including on-the-job upskilling, boot camps, internships and apprenticeships.

Aspen Institute session panelist Karyn McMillan Harker, the global HR business partner for cybersecurity at Accenture, said that while certifications can help build capabilities and awareness around various security topics, “for [Accenture] it's not the only thing that's important. And in fact we don't require it in a lot of our job descriptions.” However, the company does pay for employees to pursue certifications if they wish to further their education.

But even when the listed job requirements are more realistic and pragmatic, some women still may not apply due to a so-called “confidence gap.” There’s an oft-cited statistic from a past Hewlett Packard internal report that women tend to be less likely than men to apply for jobs for which they appear under-qualified. Reportedly, men on average will apply if they meet 50% to 60% of necessary qualifications, while women won’t apply unless they meet all of the criteria.

“Women discriminate against themselves. They pass on job applications where they may be lacking a few skills on the list, not realizing that men will apply for those jobs anyway,” said WiCyS member Jody Forness, senior security researcher at Obsidian Security. “Companies can counter this self-sabotage by changing the language of the job description to say "or equivalent experience" or "may possess some of these skills.”

Another option: publish two job listings for the same job: one calling the role a senior-level position and the other describing it as a junior-level position, which might sound more attainable to women who don’t have the confidence to consider themselves senior-level material.

At Black Hat, Yair said his team learned this technique from “a happy accident” whereby Javelin published both a senior and junior version of a job listing. “We got about 40 CVs, and I will let you guess which gender applied to which role,” he said. And yet, “when we looked at the CVs themselves, we actually found out that the years of experience in those CVs [between men and female applicants] were almost the same.”

“So instead of trying to find a middle ground, and post one job listing that tries to address both sexes, you can actually post two job listings for the same role and filter it out by the years of experience and the requirements for your job,” Yair continued. “And this actually creates a level ground for both the more confident and less confident audience that you’re trying to reach.”

Candidate selection and evaluation

If certifications and a formal education background aren’t necessarily a predictor of hiring success, then what other kinds of traits should employers be looking for in cyber candidates?

To tackle this important question, the Aspen Institute issued a recommendation that companies collect and share anonymous data about what traits and skill sets actually correlate with their best historical hires, so that businesses can look for those same attributes when filling similar roles — thus increasing the likelihood of repeat success.

“A data repository containing sample profiles of successful hires from a wide diversity of experiential, educational and cultural backgrounds could help hiring managers adjust job requirements and focus on the skills new hires actually need,” the report states.

Of course, ample past experience can give any candidate a leg up, but there’s more to a job applicant than what’s on a résumé.

Cyndi Gula, managing director of Gula Tech Adventures, formerly vice president of operations at Tenable (one of SC Media’s Women in IT Security honorees this year), said that hiring candidates is about finding their strengths and “letting themselves shine,” instead of just looking at “the paper that they are presenting.”

Few candidates are the total package, but you can always upskill them later. “We had so many people that we would hire… and they became quality engineers, and then went back to school and became more professional developers,” said Gula about her time at Tenable. Ultimately it was about finding the “best people who were really passionate about a mission, whether it was to help their customers… [or] designing their next product.”

“Nothing beats sheer passion and a willingness to learn,” agreed Jackie Omekara, security analyst at Service New Brunswick, and another WiCyS member. “I believe any skill can be learned with proper training put in place. However, passion, determination and being teachable are skills that are embedded in one’s sense of self… These are key factors that should be looked out for when it comes to attracting top talent into cybersecurity.”

Moreover, employers should think creatively and be willing to consider out-of-the-box candidates with unorthodox backgrounds. Ellen Sundra, chief customer officer at Forescout, actually removes acronyms from job postings, because they too often cause individuals to opt out of applying. She also revamped the interview process to be more open to different skillets.

"And we did actually start to see different candidates come in, across different races, different backgrounds, a few more female," Sundra said. "I don't need specific programing [certifications]. That can be part of onboarding. But you can never underestimate transferable skills. If you're a school teacher and you teach math, you could probably become an excellent systems engineer. We really need to make sure people realize that this is not such an intimidating field."

Same with Accenture: “When we do bring in entry-level individuals, we’re really opening up the scope of the kinds of degrees or experiences that we’re looking for,” said Harker. “So we are hiring music majors and literature, science and arts majors, all sorts of backgrounds. And then we are providing for them, a boot camp type opportunity, but infused with a consistent use case throughout that they are working on and presenting at the end to our leadership teams.”

According to Harker, in Europe Accenture requires at least 50% gender diversity in its cyber boot camps. The company also just made its boot camp program available in India, pledging to upskill at least 100 women there. “I do think these combinations of upscaling programs, plus the practical application the use case [and] the work on soft skills and presentation skills throughout is a really impactful way to go about it,” she said.

Job applicants who are selected for further consideration may next be brought in for additional screening and interviews. Yair said that his screening process doesn’t score or rate candidates, but simply checks to see if applicants pass the minimum required to qualify for a job. “And when you do the technical screening, make sure you don't give any riddles, or whiteboard tests to the candidates, because researchers have shown that when you use those kinds of tests, you're actually testing whether the candidate is confident or not and you're not testing if the candidate is competent for the job,” Yair recommended. “So, eliminate those as much as you can from [the] technical skill process.

The evaluation should also look at character and personality of the individual to see how well she will fit in. “So every time you post a job listing, also try to make a list of what are the personality traits that you're looking for on your candidates,” said Yair. Among Javelin’s favorite traits: passion (there's that word again), perseverance and a willingness to learn.

Also, if the candidate possesses strong qualities, don’t let a bad interview ruin a good thing. Gula recalled how some of Tenable’s best programmers gave an “absolutely horrible interview,” but the company overlooked that because “that’s not their strength,” nor is interviewing a skill programmers need to have.

WiCyS member Sarba Roy, product security consultant at Umpqua Bank, additionally recommended that “there should be an attempt to include people across all genders in the interview panels to help create a shared understanding that women can be on both sides of the interview table.”

Eliminating bias

“No matter how qualified a candidate is, that person doesn't have equal access to a cybersecurity opportunity if the hiring process is biased against them,” said Ahluwalia with Aspen.

And so it is imperative that companies take steps to remove bias — both explicit and implicit — from the recruiting and hiring process. This means “eliminating” the false premise “that women cannot be good enough for a technical role,” said Roy.

Symantec headquarters. Symantec is the parent company of Javelin Networks. (LPS.1 Template:Author=Debi A ~n~ Jesse, CC0, via Wikimedia Commons)

Yair said one key step to accomplish this is to “measure everything.” That includes what percentage of résumés you receive from women and what percent you get from men. Then you look at the candidates that advanced to the interview and screening process to see what percentage of men and women candidates made it that far. If there is a significant deviation in the percentage numbers — i.e. a disproportional percentage of men are advancing compared to women, “then it means you have unconscious bias, and you need to take a look.”

Back in 2018, “there were no misogynists, no sexists or any bad culture on our core team, yet initially it consisted entirely of men, and no women. We understood that there was an unconscious bias on our team,” said Yair. Moreover, when Javelin looked at the numbers, the team saw that only 2.5% of résumés reaching its our pipeline came from women.

In response, the company reformatted its job descriptions and also began reaching out to communities and organizations that focus on women in cyber, tech and coding, and sought out both advice on hiring and recommendations for candidates. Javelin also began actively searching for female candidates on LinkedIn and contacting them directly about job opportunities.

“And when we took all of those steps we actually managed to increase [the percentage of] women’s résumés that we got from 2.5% to 50%,” Yair said.

There are actually two sides to this argument. While some argue that it’s important to know candidates’ gender so that companies can ensure they are adding women to their ranks and thereby enhancing their diversity of thought, others say that a good way to eliminate bias from hiring is to anonymize the recruitment process. (For instance, CyberSN’s Deep Job Platform anonymizes all of the résumés submitted by users.)

“This wasn't my idea, but was passed along to me from another strong female leader: Have HR remove any personal, identifying information on the resume when they send them over to you for review,” said Judy Hatchett, WiCyS member and vice president and CISO at Surescripts LLC. “This helps eliminate the implicit bias at first glance.”

Create a welcoming environment for women

Even if you’re actively reaching out to women in cyber, you’ve got to make your work environment inviting enough to make them want to join your team. Talk is cheap.

"If organizations want to attract women and diverse candidates, they need to go beyond mission statements and marketing campaigns,” said Jeff Combs, principal of recruitment firm J. Combs Search Advisors. “Is the culture truly inclusive? They need to back it up. Are there women and diverse candidates in executive leadership roles? Are there mentorship programs and professional development programs? What about gender-based income equality? How supportive are their benefits and polices around healthcare, maternity leave and child care? It's a candidate's market and demand for diverse candidates is high. These are the questions being asked."

Work-life balance came up several times among the experts. “Highlight flexibility — many women are doing double duty as family caretakers. If all or part of the job can be completed off hours, state that explicitly so job-seekers know they can have some control over their work schedule,” said SecurityCurve cofounder and CTO Diana Kelley, a WiCyS member.

“It’s always great to offer childcare assistance — for anyone, actually,” added the now-retired Renee Beckloff, former vice president of global cloud enablement and community at ForgeRock — and yet another WiCyS member. “Finally, ensure your company can show career paths for women and others. Women bring so much more to a role than just what is on the paper.”

All of this figures to become even more important as workforce attitudes evolve in light of shifting expectations among employees.

“The Great Resignation is real. We're in the early stages of it,” said Combs. “A lot of assumptions made about talent, recruiting and retention are going to be put to the test in the coming years.”

Get our latest insights. Subscribe to our newsletter.