Bias in Cybersecurity Job Descriptions Hurts Diversity in the Field

Anita Balaraman / Oct 6, 2021

As a recent report by the Aspen Institute confirms, one of the biggest challenges faced by the field of cybersecurity today is the lack of diversity in its workforce – both technologists as well as policy makers. Women make up just 24% of the cybersecurity workforce, and the shares of cybersecurity workers who identify as Hispanic, African American, Asian, and American Indian/Native Alaskan are woefully low – 4%, 9%, 8%, and 1% respectively.

It is estimated that nearly 3.5 million cybersecurity jobs globally will remain unfilled by the end of 2021, and of the candidates who apply, fewer than 1 in 4 are qualified for the roles. Over the past decade, there has been a lot of work around improving student and worker prospects for careers in cybersecurity in an equitable way in order to meet the demand for cybersecurity jobs. These efforts often come down to a focus on improving skills and providing access to formal and informal education, including numerous certification pathways. However, another point of intervention, and one of the more obvious ways in which candidates find out about cybersecurity jobs, is often ignored: job descriptions.

Cybersecurity job descriptions vary from organization to organization in their requirements and expectations of skills and experience. The descriptions are often long, filled with jargon, and hard to understand. According to Alyssa Miller, a business information security officer and a recent TED speaker on the issue of job descriptions in cybersecurity, “cybersecurity job descriptions tend to focus on confusing minutiae of majors and certifications, while ignoring what makes a candidate successful.” This confusion and disconnect are evident when cybersecurity hiring managers emphasize communication skills and analytical skills over technical skills, while new cybersecurity recruits prioritize a slew of technical skills above all else.

Even today, employers routinely list mandatory degrees or major requirements in a job posting, while fully understanding that communication, analytical, problem-solving, and critical thinking skills are essential to success in cybersecurity roles. According to a report by the U.S. Department of Homeland Security (DHS), “… one of the highlighted problems with finding talent to fill vacant cybersecurity positions is that job descriptions do not accurately represent the qualifications needed for a position. This causes inadequately qualified candidates to apply and discourages others that may actually be a better fit.” Prior research has implied that algorithms in recruitment software downstream of job descriptions may further worsen representation and amplify biases, thereby leading to the incorrect conclusion that there is only a limited pool of talent to recruit from.

The report published by DHS, "Cybersecurity Career Pathways and Progression," recommended widening candidate pipelines by not making degrees mandatory and focusing job postings on core requirements instead. To test the efficacy of this recommendation, we set out to measure the impact of job descriptions on applicant engagement, specifically for under-represented minorities. In this study, we quantified and evaluated changes in the engagement of applicants when a set of cybersecurity job descriptions is changed to exclude mandatory degree/major requirements, while including curated competencies to highlight the core job requirements.

For the study, we recruited students from the University of California, Berkeley who identified themselves as historically under-represented and were curious about jobs in cybersecurity. We exposed them to a ‘control’ set of 10 active public sector cybersecurity job descriptions spanning the work-role categories of the framework, and an ‘experimental’ set consisting of the same 10 job descriptions modified by (a) removing mandatory degree/major requirements, and (b) adding the competencies, such as communication and analytical skills, necessary for each role.

The study participants were asked to review the 10 job descriptions from the ‘control’ set followed by the ‘experimental’ set, to identify up to 3 jobs in each phase for which they might consider being potential applicants, and to rate their confidence in being a good fit for those roles. The results suggest that the number of potential applicants for the cybersecurity roles increased, and that their overall self-perception of being a good fit for the roles increased, in the experimental set compared to the control set. Our results demonstrate that when cybersecurity job descriptions are modified to eliminate mandatory major/specialization degree requirements and use broader competencies to signal the requirements of the job, the number of potential applicants increases by 56%.

The European Union (EU) provides one of the most nuanced definitions to distinguish between a skill and a competency: a “competency is a demonstrated ability to apply knowledge, skills and attitudes for achieving observable results”. Hence, a competency is not a skill; on the contrary, a competency embeds skills. When a job description lists mandatory degree/major requirements or specific courses, it signals skills, rather than competencies such as problem solving, analytical thinking, etc. Women and historically under-represented minorities have been shown to take the job description literally, and to be less confident in their ability to execute on the job advertised. "People who weren’t applying believed they needed the qualifications not to do the job well, but to be hired in the first place. They thought that the required qualifications were…well, required qualifications. They didn’t see the hiring process as one where advocacy, relationships or a creative approach to framing one’s expertise could overcome not having the skills and experiences outlined in the job qualifications," Tara Sophia Mohr wrote in the Harvard Business Review.

It is also noteworthy that modifying the job description to include competencies that signal the job requirements leads to an improvement in the candidate’s self-assessment of fit for the role: we find it increases by 37%. This self-assessment measure, referred to as self-efficacy/fit, is a strong predictor of performance in the employment interview process and of employment outcomes. For the first time, there is data to indicate that tactical changes to job descriptions for cybersecurity jobs may improve employment process outcomes by 37%. The results of this study confirm the extent of the defeating effect cybersecurity job descriptions have on potential applicants' understanding of a role, and show how to decrease their hesitancy in applying to one. This is significant because women and minorities are more likely to get hired (as should be obvious) once they actually apply.

Cyber threats and cyber attackers are endlessly inventive in the ways they break into digital systems. For cybersecurity’s defensive capabilities to stay ahead, cybersecurity professionals need the heterogeneity that comes from a wide spectrum of education, linguistics, race, gender and ethnicity. As the cybersecurity skills shortage persists for a fifth year, organizations report a lack of policies and resources to recruit, train, and support cybersecurity careers equitably. They can address this both strategically and tactically, via education and mentoring, and by modifying job descriptions to reflect competencies rather than skills accessible to a select few.

Anita Balaraman
Anita Balaraman is a lecturer at the Fung Institute for Engineering Leadership, and an Adjunct Faculty at Carnegie Mellon University teaching technology product management and project management. She is a toxicologist and a technologist, passionate about teaching, and curious about the intersection ...