Whether we’re aware of it or not, we’re all biased. It stems from our individual experiences, upbringings, and backgrounds. These biases, unfortunately, are pervasive in all aspects of everyday life, including the recruitment process. A study by Harvard Business Review showed if there’s one female candidate up against three male candidates, she has a 0% chance of being offered a job.
Bias can manifest in several ways throughout the hiring process. For example, a candidate’s suitability for a role could be unfairly favored or unfavored based on their gender, ethnicity, or age. It can also play a role in how job advertisements are written and advertised, as the language used in a job posting may deter or appeal to certain applicants, and lead to a less diverse candidate pool.
Overcoming bias can help fill the cybersecurity skills gap
However, the conversations around the need to address bias when it comes to talent acquisition of cybersecurity professionals have been shifting over the last few years.
According to Tia Hopkins, eSentire chief cyber resilience officer and field CTO and Cyversity board member, cybersecurity organizations are beginning to realize that removing bias can help widen their talent search. She acknowledges that there is no doubt that bias has been a contributing factor to the industry’s global skills gap. “Biases are largely contributing to the skills gap that we have because there’s no way that we’ve got millions of jobs opening, but we’ve also got all these people saying, ‘I can’t find a job in cybersecurity’ — something’s broken,” she tells CSO.
Heller Search Associates managing director Kelly Doyle agrees the limited talent pool in the industry has forced companies to approach hiring strategies differently. A 2023 ISC2 study found that cybersecurity professionals value a diverse workforce, with 69% stating that an inclusive environment is essential for their team to succeed and 65% believe it is important that their security team is diverse.
“Companies have learned through research and history that having a diverse leadership team is better for culture, profitability, customers and innovation,” Doyle tells CSO. “Over the last decade, we have seen a consciousness toward adding diversity to technology leadership. Today, doing this in cyber is particularly important because cyber threats are growing to the point where if an employee does not participate in a company’s cyber program, the entire company is at risk.” This is why, Doyle believes, companies need to hire a diverse cybersecurity workforce so employees can relate and react. “Having a range of different backgrounds on your cyber team will foster more variety in ideas and thoughts around threat protection.”
It’s just an unfortunate reality that it took a skills shortage for the cybersecurity industry to realize that bias recruitment has long been a problem and it needs to be addressed for the workforce to be more diverse, according to Michael Page Australia regional director George Kauye. “I think most of us in the workforce acknowledge that there needs to be more inclusive and diverse hiring, but the reality is it actually took more a commercial scenario where there’s a candidate shortage market with a high job demand to accelerate that process, rather than this is the right thing to do,” Kauye tells CSO.
Hopkins cautions that when cybersecurity organizations address bias in their recruitment process, it needs to be more than just a box-ticking exercise to improve a company’s diversity, equity, and inclusion (DE&I) position.
“It’s important to understand that diversity and removing bias from processes stretches beyond the gender gap and … it also stretches beyond the race and ethnicity gap, which is also a large conversation that’s being had as well. There’s ageism, there’s ableism, there’s neurodiversity, there’s all these things that need to be considered,” Hopkins says. “I think part of the problem is we haven’t really, as an industry, landed on, accepted, or discussed what diversity actually encompasses … because what you’ll find is that there are very specific segments within diversity but at the corporate level, when you look at ‘how can I diversify my team?’, it’s not enough to say we’re going to do it with women or just Black people.”
How to remove bias when hiring cybersecurity professionals
Make tweaks to job descriptions
When it comes to hiring new talent, there are several steps that cybersecurity organizations can take to remove bias from their recruitment process. One example Doyle points to is eliminating gendered language in job descriptions to ensure a role attracts a variety of talent. “Position descriptions should be reflective of the type of cyber professional you want to hire. Look for well-rounded talent who may have come up a different track in their security journey,” she says.
She adds companies have begun focusing less on specific job requirements believing it potentially rules out talent that may have taken a different path into security, and instead are focused on applications that are skills-based. “Eliminate degrees and instead focus on certificates or the skills candidates bring to the table, as not all cyber professionals come up the same track,” Doyle says.
It’s an approach that Kauye agrees with. He points out how there is widely reported statistic that suggests men apply for a job when they meet only 60% of job qualifications, compared to women who will only apply for a role if they meet 100% of the criteria. “When it comes to non-negotiables with the key selection criteria, companies are always putting a long shopping list down. But what they should be doing is putting down three, four, or five absolute non-negotiables, and that’s a sensible number of skills that are generally required for a role,” he says.
Focus on the job application in front of you
In a bid to further anonymize the recruitment process and eliminate any potential room for bias creep, Hopkins says HR professionals are introducing policies that state recruiters are not allowed to look up candidates’ LinkedIn profiles. She says it removes any initial bias of whether a person is qualified for a role, particularly if a person’s LinkedIn profile is missing certain elements a recruiter is looking for.
“Because [a LinkedIn profile] can tell you a lot about a person’s background, especially when you’re talking about underrepresented communities and individuals trying to break into cyber … but that doesn’t mean you’re less talented than the next candidate,” she says.
Introduce diversity to the panel — and the company
To remove bias from the hiring process, organizations need to have a diverse interview panel. Doyle says that having multiple perspectives on an interview panel can help identify and counteract bias when evaluating potential candidates. “If you want to hire diverse talent, your company should show up in the process with diversity on the interview panel, having interviewers share their unique stories and experiences.”
Hopkins points out how common it is for cybersecurity candidates from diverse backgrounds to encounter a lack of representation in leadership roles. “Looking internally, you want to make sure your organization is presenting itself as an organization that is ready for diversity because candidates are doing their homework,” Hopkins says. “I can’t tell you how many people I’ve talked to who’ve said, ‘I’ve done some research, but I looked at their leadership team and what they’re doing, and I just don’t see anything that looks like it’s for me.’”
But how can a company overcome bias without diversity to begin with? Doyle suggests cybersecurity firms partner with a variety of organizations or certain colleges and universities to train and bring in diverse cyber talent from entry-level and promote up.
Hopkins makes a similar point, saying that cybersecurity firms can partner with organizations like Cyversity that aim to increase the number of women and underrepresented talent in cybersecurity. “Partnering with these companies can help organizations be more conscious about the bias that individuals may be facing as [Cyversity] gets feedback from candidates going through the hiring process,” she says. “It’ll help corporations reform the way they recruit, the way they support individuals as they come into the organization, and even the way they write their job descriptions and groom their talent once they’re on the inside.”
Organizations also need to be conscious of where the diversity within the company exists. Bias training for hiring managers to drive awareness can be helpful to the process as well as addressing bias is an “ongoing mission and not a trend”, according to Hopkins. “It needs to be a defined program with a defined leader with defined outcomes and metrics.”