Unconscious Bias in Cybersecurity Recruiting

The inability of companies to attract a diverse range of candidates is an undercurrent of today’s broader cybersecurity staffing crisis. In fact, close to half of security insiders today believe that the underrepresentation of women and minorities stands as a major factor contributing to the current shortage of skilled security workers.

Anti-discrimination laws and cultural norms have largely pushed out the most overt cases of discrimination to the periphery of the industry. However, even with obvious bias isolated to the edge cases, what we’ve seen left behind are traces of unconscious bias that nevertheless hamper the industry. Unconscious bias has a way of creeping into even the organizations most gung-ho for diversity, keeping their cybersecurity teams from bringing in new kinds of people and their fresh perspectives for problem-solving.

One recent placement I worked on demonstrated to me exactly what this kind of bias looks like in action—and it was from a friend whom I know to be fair and thoughtful. I was helping this executive fill a role to which he’d hoped to bring some diversity. As such, my team had provided an extra helping of women and minorities to a well-qualified candidate list. Needless to say, I was surprised to hear he ended up hiring a non-diverse candidate for the position.

As I got him to rewind the process for me, he told me that when the women on the list were asked why they were interested in cybersecurity, they didn’t bring enough ‘passion’ to the answer. While the man’s answer had more to do with personally seeing the problems in the industry that he wanted to fix, the women tended to relate stories about family members having their identities stolen and how that spurred an interest in the industry that protects people from those experiences. For the hiring manager, the way the man answered resonated as more ‘passionate.’ But looking at it from an outside perspective, it looked more like the man simply provided an answer that most closely matched my friend’s own worldview of professional enthusiasm. What he failed to see is that the sources of passion and work ethic can vary greatly by background.

What he ended up with is another non-diverse candidate, rather than a person with a wealth of new views that could have helped to round out his team. And this is really the crux of the diversity problem we face in the cybersecurity industry. The whole point of bringing more women and minorities into teams isn’t to meet some quota. It’s to nurture a team-building mindset that attracts a range of people with totally different backgrounds who can bring fresh ways of tackling problems. This establishes a team dynamic where you’ve got a multifaceted way of attacking things. This is huge in security, which is so dependent on creative problem solvers.

In order to root out unconscious bias, we need to start listening not only for the answers we’re expecting from candidates but also for the equally good answers that challenge our expectations. And achieving a bias-free workplace doesn’t end at the offer letter—not by a long shot. We’ve also got to think about how unconscious bias keeps us from retaining those underrepresented folks. As leaders, we need to take a hard look at the kinds of team-building exercises we do and at the kind of work atmosphere we promote. Let me know your ideas, advice, tips, or tricks to help further unbiased hiring. I’d love to hear from you.