Gatekeeping Has No Place In Cybersecurity

Forbes Technology Council

Dave Merkel (also known as "Merk") is the Co-Founder and CEO of Expel, a cybersecurity company based in the Washington, DC area.

The cybersecurity industry is subject to a number of unfortunate, but well earned, stereotypes. People outside the industry often view it as highly exclusionary, with underrepresented groups like women, people of color, LGBTQ+ individuals and others struggling to get ahead.

Worse still is the (again, well earned) perception that the industry turns a blind eye toward the toxic “bro culture” that many Silicon Valley startups perpetuate, enabling a system that rewards misogyny, harassment and other unacceptable behavior. And then there’s the elitism—many job seekers believe that they might as well not even consider cybersecurity as a career if they don’t have a master’s degree in computer science from a top university.

These stereotypes paint the entire industry with a broad brush, but this reputation didn’t appear out of thin air. The technology sector has long been known for gatekeeping, whether on the basis of race, gender, education level, socioeconomic background or other criteria.

Not only is this behavior unacceptable, it’s also self-defeating. By making entire groups feel unwelcome, companies aren’t just hurting those people—they’re shrinking the entire talent pool. Combating this problem means business leaders must actively work to build a better culture—one that eliminates gatekeeping and adopts a “better when different” mentality in recruiting and training practices.

The Self-Perpetuating Myth Of The Skills Gap

Many complain about the so-called “cybersecurity skills gap,” bemoaning the lack of available qualified talent. While it’s true that there may be a shortage of applicants with the specific experience and qualifications that many hiring committees look for, the reason is no mystery. At a certain point, the reputation of the cybersecurity industry became a self-fulfilling prophecy: The problem isn’t just that certain groups of people are rejected; it’s that they’re selecting themselves out of the talent pool entirely because they don’t believe it’s worth their time to apply. It should surprise no one that if an industry has a reputation for being hard on underrepresented people, fewer are going to throw their hats into the ring.

This isn’t a hypothetical—women today make up just 24% of the cybersecurity workforce, while people who do not self-identify as white or Caucasian make up just 26%—and even those numbers are a substantial increase from where the industry stood just a few years ago. Is it any shock, then, that a recent Microsoft survey found that men are twice as likely as women to believe they’re qualified for a job in cybersecurity? Or that a significant percentage of gay and lesbian security professionals say they have experienced discrimination at work? Or that just 23% of minorities in cybersecurity occupy leadership positions despite 62% holding advanced degrees? Of course there’s a skills gap—huge sections of the population feel unqualified, underrepresented and unwelcome.

Speaking of advanced degrees, those without them often find themselves the victims of a different type of gatekeeping. Job listings regularly include requirements like an M.S. in Computer Science or Computer Programming, which can dissuade otherwise qualified individuals from applying to positions. Similarly, while seven years of industry experience might be nice, is it really necessary? Inflated requirements like these only serve to artificially limit the available talent pool, putting organizations at a competitive disadvantage.

Addressing The Problem From Within

Before the hiring process even begins, it’s critical for organizations to engage in self-examination. “Diversity, equity and inclusion” (DEI) has become an increasingly important consideration for businesses, and it serves to emphasize the fact that simply bringing new faces into the fold isn’t enough. One way to do this is to focus on equity first, then inclusivity, as the result is diversity.

Also, before hiring new employees, consider your current ones. Ask yourself and your team: Are we treating our current crew equitably and working on building an inclusive culture? If a gender pay gap exists at your company or you find that employees from underrepresented backgrounds don’t feel empowered to speak up, those problems need to be addressed. Better hiring practices might get new faces in the door, but if compensation models are skewed or someone in the C-suite is making inappropriate jokes, employees aren’t going to stick around long.

If you’re confident that your company culture matches your stated commitment to DEI, you can look to improve your recruiting and hiring practices.

Avoid getting hung up on finding the “perfect” candidate. Few applicants will check every box, and those that do will be in high demand. Instead, identify traits that lend themselves well to your industry, or even to specific positions. Refusing to settle for less than a perfect candidate is a tacit indictment of your company’s recruitment and training programs. Good hiring managers should be empowered to identify candidates who have the traits needed to succeed at your company and hire them. An effective training program can turn talented individuals into successful employees—but it’s important to recognize potential.

This, in turn, can help address representation problems in cybersecurity. Women, for instance, are statistically less likely to pursue STEM degrees. Does this mean they will be less talented analysts? Of course not. It means that security companies need to look beyond arbitrary qualifications to identify the traits that truly define success in the industry. This can help build a more equitable and inclusive company culture where people are valued equally for the diverse skill sets they bring to the table.

Leave Gatekeeping Behind

While the situation for underrepresented groups in cybersecurity has improved incrementally, it’s long past time the industry challenged its gatekeeping problem head-on. Hopefully the worsening “skills gap” will help companies recognize that they need to shift the way they think about recruiting, hiring, training and retaining employees.

A renewed focus on DEI can help organizations not only recruit new talent but ensure that employees from every background feel represented, valued and empowered. There isn’t a skills shortage—there are just too many people who have been discouraged and excluded from an industry that should welcome them with open arms. It’s time to change that, and it starts with ensuring that gatekeeping has no place in cybersecurity.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.