Across nearly every sector, organizations are connecting more machines to the internet, employing globally distributed teams, and relying on systems packed with countless applications. Managing this complexity while defending against external threats requires constant vigilance. Yet, despite cybersecurity’s critical importance, the industry continues to grapple with a talent shortage, a gap that is worsened by ineffective hiring practices.
Unrealistic expectations around work-life balance, preconceptions about the ideal candidate, and inaccurate job descriptions can blind recruiters to unique talent sets. Let’s examine how assumptions still play a part in hiring and how to make a difference.
1. Unrealistic Work Expectations
In 2006, a study on the worldwide information security workforce didn’t even mention women in cybersecurity. Four years later, there were some mentions of the inequalities they faced, but women still only made up 11% of global teams.
In addition to arising from gender-based stereotypes, this gender gap has been linked to “hacker culture,” or encouragement that staff stay late into the night, obsessing over their work. That expectation alienated women because it required a lack of work-life balance and the potential danger of staying at the office late alone.
By 2018, 28% of women in cybersecurity were in C-suite roles, but many went back to school for further degrees and certifications so that people would perceive them to be as qualified as their male counterparts and so that they could earn equal pay.
2. Recruiting Bias
Recruiters can also quickly judge an applicant based on their appearance. Though mentorship and scholarship opportunities have helped grow diversity in cybersecurity, there is still a long way to go. According to the U.S. Bureau of Labor Statistics, just 12.6% of the workforce was Hispanic, 11% was Black, and 8% was Asian in 2024.
The team may even have biases they don’t recognize. For example, they could assume someone is less trustworthy with confidential information based on how the applicant speaks or the way their hair is styled.
A collection of interviews showcased the thinking of a few white Euro-American cybersecurity experts who described both stereotypes they acknowledged and subconscious biases. Some felt customers in the Middle East were “difficult” to have a technical conversation with, and one said the idea that people from Qatar and Kuwait would gain cybersecurity skills was “unrealistic.” One British Bangladeshi man said people who run government entities would cancel meetings with him because they didn’t believe he was British.
3. Job Listing Confusion
Job descriptions have been a large barrier to cybersecurity positions for women and minorities. These groups are more likely to take descriptions literally, comparing themselves to the required degrees and qualifications. They are then much less confident in their ability to do the job well or even be considered, which can deter them from applying at all.
The details of listings have also been a point of contention. Those creating them may have unrealistic expectations for the years of experience required, which can scare newer professionals away and dissuade more experienced ones. Plus, they may only focus on certifications rather than the tools a candidate needs to thrive. All this can lead to an inaccurate job description that attracts people without the necessary abilities for the role.
The Results
These elements do not add up to a sustainable industry. Lacking critical knowledge, remaining undiverse, and creating toxic work environments could be why 62% of CISOs have experienced burnout.
Almost 3.5 million cybersecurity roles were forecast to remain vacant by the end of 2021. 83% of executives say they’re struggling to find skilled, local talent, and 41% of businesses say these shortages are affecting their growth. Small- and medium-sized entities are most affected, as stakeholders may pressure them to show results fast with their limited resources.
Not having diverse perspectives can also lead to critical issues in the industry. It can cause gaps in addressing threats, dissuade innovation, and increase feelings of alienation. Missing out on hires who can bring new perspectives to the field only serves to widen the hiring gap and perpetuate a stagnant mindset that has no place in the ever-changing world of cybersecurity.
How to Address Cybersecurity Recruiting Issues
Cybersecurity recruitment is in desperate need of a change. To ensure hiring teams can find the best of the best, here are a few strategies for reducing snap judgments.
Promote a Healthy Work-Life Balance
While some professionals may be content staying at work all day, most will want some reprieve. According to the Information Systems Security Association’s 2024 report:
- 57% of cybersecurity professionals say the job is stressful at least 50% of the time, while 31% say the workload is the most stress-inducing factor.
- 77% say the position is taxing, especially when balancing work and home life.
- 67% have considered leaving their current jobs at least occasionally, while 37% have thought of leaving the sector entirely.
- 48% have considered leaving the sector due to high stress, while 35% say cybersecurity doesn’t offer the work-life balance they need.
If the cybersecurity team gets burned out, retention can drop, and threats could slip through the cracks. Ensure interested parties know the enterprise takes their mental health seriously and will rarely contact them outside business hours or ask them to stay late without advance notice.
Dropping the idea that employees’ whole lives should center around work can draw in a much broader pool of applicants, including those who need to decompress after clocking out so they can come in fresh the next day.
Focus on Finding Unique Viewpoints Over Quota-Filling
Some critics of diversity, equity, and inclusion initiatives argue that companies are only trying to fit predetermined quotas through their hiring. Some recruiters may even have the same thoughts, ignoring potential hires because they feel they need to fill a role with someone specific. However, both are incredibly narrow views of such practices.
Rather than ignore or solely focus on what makes applicants diverse, explore how their views could bring new perspectives. Perhaps the mother of six, whom hiring teams might’ve previously passed over because of her need for a hard end to the workday, has some great thoughts on keeping people focused during cybersecurity training. Someone on the autism spectrum could be great at rooting out inefficiencies in a tech stack. Let them explain how their experiences create unique advantages and selling points.
Train Recruiters on Bias Awareness
It’s easy to assume people have fewer biases today, but they can creep up in subtle ways. Training the whole hiring staff on people’s differences can show them where they might unintentionally subscribe to stereotypes or perform microaggressions.
This is also an excellent time to introduce standardized interview questions and recruitment panels, which can combine multiple perspectives to find the ideal candidate. The team may even switch to anonymized screening, which enables them to see only the applicant’s experience on their resume and cover letter. Training and a supportive workplace will still be key to successful interviews and retention, but these are good steps.
Adjust Job Description Language
The U.S. Department of Homeland Security (DHS) has found that a significant issue in filling cybersecurity roles is that job descriptions often do not accurately portray the necessary qualifications. Rather than focus on the degrees or experience someone should have, list competencies — broader skills workers can apply to learn the specifics of the position. Interested parties can then tailor previous experiences to fit the expertise that makes them excellent candidates.
The DHS report recommends removing confusing language and degree requirements and focusing on core competencies to broaden the talent pool. In its own research, Tech Policy found that doing so can improve employment processes by 37% and increase the number of applicants by 56%.
Beat the Talent Shortage With Fairer Recruitment
Bias is significantly reducing the cybersecurity labor force’s hiring power. Recruiting teams should identify where they hold judgments, consider applicants with unique backgrounds, advertise the longevity of a cybersecurity career, and tweak descriptions to highlight critical abilities over qualifications. This will widen searches and help find more suitable employees.
Zac Amos is the Features Editor at ReHack, where he covers phishing, ransomware, and other cybersecurity topics. He has also been featured in publications like VentureBeat, the Global Cybersecurity Alliance, and Cyber Defense Magazine.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


