Hiring managers must rethink old-school practices to find the right candidates and be ready to engage in meaningful conversations about their company's values. Here are three ways to start.


Cybersecurity hiring managers face a seemingly impossible task: filling nearly 500,000 open positions quickly during a perceived labor shortage. There's much hand-wringing in the industry about this "crisis"; it's often said that the talent to fill these positions simply doesn't exist.

To put it frankly: That idea is ridiculous. There is no lack of cybersecurity talent. Rather, a narrow mindset about who can excel in the field stifles hiring and creates roadblocks for candidates who don't fit a traditional mold.

Even hiring managers searching for diverse talent can be part of the problem if outdated approaches get in their way. They need to focus on what candidates care about now: a potential employer's values matter more than ever before, and a nationwide labor shortage makes it easy for candidates to walk away from companies whose values don't resonate with them.

There are plenty of talented, qualified cybersecurity candidates out there. Hiring managers must rethink old-school practices to find them and be ready to engage in meaningful conversations about their company's values. Here are three ways to start.

1. Evaluate Hiring Panels and How They Make Decisions
Similar-to-me bias, which skews hiring decisions toward cultural fit instead of cultural contribution, can stifle hiring efforts. Cybersecurity leaders need to critically assess whether their hiring panels run an inclusive and fair process.

A hiring panel whose members share similar backgrounds, education, and experiences may unduly scrutinize a candidate whose background is different from theirs. Both of us have experienced this: We have gone through most of our respective careers without cybersecurity certifications or a college degree, and countless people have asked us to justify our existence in this field. This sends a clear message: You are not welcome, and your expertise will be questioned even once you're in the role.

To build a diverse team, hiring panels should themselves be a diverse group that seeks to foster inclusion and psychological safety for candidates. For instance, when hiring panelists introduce themselves with their pronouns, it shows candidates that the team values and practices inclusivity. If a panelist speaks honestly about the company's policies and where they have room to grow, that vulnerability builds trust early in the candidate's experience.

Hiring a diverse team avoids the potential for similar-to-me bias to curb innovation. At a previous company, one of us watched two engineers get stuck on the same part of a problem, then realize that they had an identical approach because they had taken the same professor's class. Someone with a different background might have moved the team forward faster. A diverse team will also better empathize and communicate with the users it serves, as well as anticipate their problems. The organization, product, and users will all benefit.

2. Anticipate and Embrace Tough Questions
As demand for cybersecurity talent grows, candidates gain leverage in the hiring process – and they're willing to turn down offers from companies whose values don't align with theirs. Hiring managers can no longer treat interviews as a candidate's chance to win them over. Instead, they need to engage with tough questions and initiate transparent conversations that help both sides assess whether their values align.

Hiring managers can prepare for questions like: What is the composition of your team by race or gender? What is the company's philosophy on work/life balance? Will I be the "only" (for example, the only nonbinary or Black person) on my team?

The tone of an interviewer's response is as important as its content. A candidate who asks about a company's diversity, equity, and inclusion commitment has probably already read its reports and looked up its executive team. If the company's leaders are all white men, don't sugarcoat — candidates can spot a performative response. Acknowledge where the organization must do better and outline what's being done to address the issue.

Hiring managers can also broach these topics proactively, especially with junior candidates who may not be comfortable asking. To treat candidates equitably, be sure they all receive the same information: tell women and men about parental leave policies; share information about gender affirmation surgery benefits with cisgender and transgender candidates.

3. Rethink Degrees and Pedigrees as the Hiring North Star
Many security pros, including both of us, entered the industry through nontraditional paths. Neither of us has a cybersecurity degree, and some of the best security hires we've made are people without high school or college degrees, or technical backgrounds — including a former administrative assistant and an exercise physiologist. Determining whether candidates with nontraditional backgrounds are the right fit requires hiring managers to focus on their potential and analogous experience.

To do that, hiring managers can give recruiters explicit guidance on what is not required for a position, such as a cybersecurity degree or certification. This will ensure promising candidates are not screened out before the interview process.

Hiring managers can also focus on how a candidate's skills and experiences could translate to security. Take a candidate with no security background who served in the military. They might excel in an incident response analyst or compliance analyst role because their military training prepared them for situational awareness, following processes, executing procedures, and staying cool in escalating conditions.

Finally, avoid conversations about past compensation. Not only are they banned in many states, but making offers based on past pay can perpetuate the undervaluing of candidates with nontraditional backgrounds. To break that cycle, make an offer based on a candidate's skills and potential.

As security professionals with nontraditional backgrounds, we've both experienced how ineffective the hiring process is when it's handled poorly — and how impactful it can be when done right. The competition for cybersecurity talent is heating up, and it's on companies to expand the definition of who that talent is. Organizations that prioritize inclusive hiring practices and engage with candidates about their values will come out on top.

About the Author(s)

Jamie Tomasello

Head of Security Programs and Security GRC at Gusto

Jamie Tomasello is the Head of Security Programs and Security GRC at Gusto, the people platform that enables 200,000+ small and medium-sized businesses to pay and provide benefits for their teams. She/he has been combating Internet abuse, addressing security and compliance issues, and establishing trust for over 20 years at Internet service providers, security companies, law firms, and nonprofits. Jamie is a hybrid policy technologist with a focus on practical, sustainable operations aligned with business risk. She/he is also a Certified Information Privacy Professional (CIPP/US and CIPT). In addition to being passionate about protecting customers and their data, Jamie finds joy in building teams and providing support to burgeoning leaders.

Fredrick "Flee" Lee

Chief Security Officer, Gusto

Fredrick "Flee" Lee is the Chief Security Officer at Gusto, where he leads information and physical security strategies including consumer protection, compliance, governance and risk. Before Gusto, Flee spent more than 15 years leading global information security and privacy efforts at large financial services companies and technology startups, most recently as Square's Head of Information Security. He previously held senior security and privacy roles at Bank of America, NetSuite and Twilio. Flee was born and raised in Mississippi and holds a bachelor's degree in computer engineering from the University of Oklahoma.

