It’s just an unfortunate reality that it took a skills shortage for the cybersecurity industry to realize that bias recruitment has long been a problem and it needs to be addressed for the workforce to be more diverse, according to Michael Page Australia regional director George Kauye. “I think most of us in the workforce acknowledge that there needs to be more inclusive and diverse hiring, but the reality is it actually took more a commercial scenario where there’s a candidate shortage market with a high job demand to accelerate that process, rather than this is the right thing to do,” Kauye tells CSO.
Hopkins cautions that when cybersecurity organizations address bias in their recruitment process, it needs to be more than just a box-ticking exercise to improve a company’s diversity, equity, and inclusion (DE&I) position.
“It’s important to understand that diversity and removing bias from processes stretches beyond the gender gap and … it also stretches beyond the race and ethnicity gap, which is also a large conversation that’s being had as well. There’s ageism, there’s ableism, there’s neurodiversity, there’s all these things that need to be considered,” Hopkins says. “I think part of the problem is we haven’t really, as an industry, landed on, accepted, or discussed what diversity actually encompasses … because what you’ll find is that there are very specific segments within diversity but at the corporate level, when you look at ‘how can I diversify my team?’, it’s not enough to say we’re going to do it with women or just Black people.”
How to remove bias when hiring cybersecurity professionals
Make tweaks to job descriptions
When it comes to hiring new talent, there are several steps that cybersecurity organizations can take to remove bias from their recruitment process. One example Doyle points to is eliminating gendered language in job descriptions to ensure a role attracts a variety of talent. “Position descriptions should be reflective of the type of cyber professional you want to hire. Look for well-rounded talent who may have come up a different track in their security journey,” she says.
She adds companies have begun focusing less on specific job requirements believing it potentially rules out talent that may have taken a different path into security, and instead are focused on applications that are skills-based. “Eliminate degrees and instead focus on certificates or the skills candidates bring to the table, as not all cyber professionals come up the same track,” Doyle says.
It’s an approach that Kauye agrees with. He points out how there is widely reported statistic that suggests men apply for a job when they meet only 60% of job qualifications, compared to women who will only apply for a role if they meet 100% of the criteria. “When it comes to non-negotiables with the key selection criteria, companies are always putting a long shopping list down. But what they should be doing is putting down three, four, or five absolute non-negotiables, and that’s a sensible number of skills that are generally required for a role,” he says.