
How to Hire More Diverse InfoSec People

Posted by Ashley Preuss

Hiring with diversity goals in mind is a growing effort, but it can be a difficult undertaking—not to mention the added difficulty of hiring for security clearances on top of cyber security skills. If you’re hoping to encourage a more diverse candidate pool for specialized infosec positions, you’re going to need to reach a wide cross-section of candidates.

Lesley Carhart, Principal Industrial Incident Responder at Dragos, has some insights to help you hire more diverse cyber security professionals. With over 20 years in the IT industry, including 13 years in information security, Carhart brings a useful perspective to the challenge.

Before we dissect how to increase diversity, you might ask why this is something you should take on. For one, “Diverse backgrounds build better security and better tech, period,” says Carhart. If you want to bring depth to the workplace and stimulate growth and innovation, read these tips to promote diversity in your infosec recruitment efforts.

Increase Your Reach and Improve Your Job Postings

Carhart’s first suggestion to help you reach a diverse pool of candidates is to ensure “your posting makes it to a wide set of hiring networks and industry groups. That means traditional networks like job sites and also social media, professional and academic groups, and conference hiring channels.”

The more venues your job opportunities can be found in, the more diverse candidates you’ll be able to reach. So take advantage of job boards, cleared job fairs, and conferences in the cyber security community to make sure your employer brand and job postings are visible.

However, just because your job postings are visible doesn’t mean they’ll excel at attracting diverse applicants. To make a job appeal to a wide group of people, Carhart suggests that you “try to remove ‘gatekeepy,’ artificial barriers, such as working in the office, strict work hours, a portfolio of public conference talks or code contributions, and specific degrees or certifications as a hard job requirement.”

While Carhart says these things aren’t necessary to be an excellent and knowledgeable infosec person, cutting requirements like these isn’t always an option for a recruiter working in the cleared community. Because contractors must hire to the requirements found in the contract, you don’t have free rein to change the requirements of the job, but you do have some flexibility in how you choose to advertise it.

Too many job postings in the cleared community are simply copied and pasted or pulled straight from the government contract award. Think about the elements that you can modify as a cleared recruiter. One might be rethinking commonly used language and focusing on more gender-neutral wording to attract a more diverse group of candidates.

“Make sure that your language is clear, concise, and free of gendered language or sub-cultural gimmicks that won’t translate correctly to every candidate,” urges Carhart. For instance, male-oriented words are frequently found in job postings, especially in male-dominated industries. When masculine wording is used, potential applicants assume that the company skews male. This perception makes the posting less attractive to women, sometimes causing them to pass on applying for the position. Removing words that are gender biased can typically increase the number of applicants by over 40 percent.

So examine the language used in your job posting and take steps to improve how it will be received to attract candidates more effectively. For example, you might say you’re looking for “go-getters” rather than “assertive” candidates. Paying closer attention to wording in your job postings will create a level playing field and attract more qualified diverse candidates. And finally, “Try to think of 3 friends or family members who have very different backgrounds, hobbies, and interests than you and consider if the posting would appeal to them or confuse them,” suggests Carhart.

Invest in Junior Talent

Carhart’s second approach to address the challenge may not always be feasible in the cleared community, but it gives us a better understanding of what’s going on in the cyber security landscape overall. We’ve often heard of the cyber security skills shortage, but Carhart reminds us that there are plenty of junior infosec people hungry to get into the field or progress up the ranks. The issue is that “companies perpetually hire only for senior and extremely technically specialized roles,” explains Carhart.

Even in those senior ranks, there’s a shortage of experts. So while people say there isn’t anyone to hire, in reality “they should simply be training and promoting the slew of great junior people,” advises Carhart. Of course, that’s easier said than done; in the cleared community, contractors hire to the requirements found in the contract, and in most cases that doesn’t allow for training junior people. But if we look at the big picture in the long term, “multiple companies building up more people as a whole means a wider candidate pool across the industry,” explains Carhart.

To bring this all back to a diversity standpoint let’s take a look at malware reversing as an example. When Carhart searched LinkedIn for GREMs (GIAC Reverse Engineering Malware certification) in Chicagoland, she got about 50 results. Of the profiles she could view, 4 presented as women, including herself. “If you’re hoping to locally hire a woman as a malware analyst, and you’re demanding a GREM as part of the job requirement, your talent pool is about 4 people,” determined Carhart. “You’ve made a really ‘gatekeepy’ job requirement, and dropped it into an already small senior talent pool.”

On the other hand, “there are lots of great junior minority candidates who would love to learn reversing,” adds Carhart. She explains that maybe they just haven’t had the opportunity to take a couple courses and get a certification. Or maybe they can’t afford a license for software or tools. “You could help grow the cyber security talent pool by making students into SOC analysts, and SOC analysts into malware analysts,” urges Carhart. “It benefits everybody, both in skills and economically.”

So to recap, Carhart’s advice is two-fold. For one, improve your job postings to minimize gatekeeping. And second, “If we really want to get to the root of the problem of diversity in tech, we have to bite the bullet and start actually investing in junior diverse talent,” suggests Carhart. “Not just playing lip service, not just ‘mentoring,’ but putting money where your mouth is and enabling people to climb the career ladder.”

This entry was posted on Tuesday, February 09, 2021 5:38 pm
