There’s no shortage of obstacles holding back folks from finding meaningful employment in the cybersecurity sector. Some of these obstacles are imposed by human resources policies and the software used to automatically scan through resumes in a game of electronic buzzword bingo, one of the most insidious of these being the requirement of a college degree for any cybersecurity role, really, but certainly for entry-level roles. While this isn’t the first time we’ve written about how CISOs face a self-inflicted staffing shortage, this is the first time we are going to get this personal about our journey without the supposedly coveted piece of paper, the college degree.
As we’ve gone through our technology careers, we’ve run into several roadblocks, gatekeepers, and numerous other ways people told us that we weren’t good enough for the jobs we were seeking. The most common reason that we got rejected (in the final steps, in some cases) was because we didn’t have bachelor’s degrees.
In fact, both of us started in the cybersecurity field without a degree. Jeff obtained his in his mid-30s after several starts and stops in traditional degree programs, and Steve is in pursuit of his.
We both experienced two negatives by not having one. The first was social: We were judged for not having one, but it may not surprise you to learn that future analysts tend to have … a rather sizable amount of self-confidence available (ahem). The second was the devils that lurked in HR departments: resume filters and hiring managers. While we had several things that went our way, there are still folks that don’t have that self-confidence or have challenges that they need to surmount that put them even farther from getting their foot in the door. Not having a degree robbed us of opportunities. And when you know the shady reasons why degrees even exist as a job requirement, it will become clear that hiring managers and organizations need to change their thinking to be more inclusive.
See, at one point in recent history, college degrees weren’t required for “white collar” work. Instead, companies used “standardized” tests, which have long been proven to discriminate based on race and gender. With the passage of the Civil Rights Act of 1964 and the Griggs v. Duke Power Co. decision in 1971 by the US Supreme Court, ability tests were ruled out for promotion and as a hiring requirement. Without going into the particulars of the case, lawyers and employers created a proxy to preserve discrimination: the college degree. For example, 29% of African Americans ages 25–29 hold a bachelor’s degree, compared to 45% of Caucasians.
By requiring a college degree for cybersecurity roles, CISOs arbitrarily limit their talent pools and inadvertently preserve racial inequalities, despite there being limited concrete evidence showing that a college credential bears on the work.
Artificial Scarcity Still Feels Like Scarcity
While there should be numerous pathways into a technology career, the stark reality is that there aren’t, and there need to be. The traditional path is to go to school, get good grades, get into a highly prestigious college or university, and pursue a bachelor’s degree in a technology discipline. Ultimately, you’d then intern at several different places to prove your worth and build real-world skills, with the hope of being offered a job at one of those places.
Most employers apply the above criteria to people they’re looking to hire — either a brand-new person to cybersecurity (in some cases, their first corporate job) or someone who is a seasoned infosec veteran. By throwing up these barriers, they’re eliminating a huge section of highly talented members of the cybersecurity community who haven’t followed that traditional path.
Our colleagues covered some other nuances of this in previous research about the need for more qualified cybersecurity talent in the report “Reverse Cybersecurity’s Self-Inflicted Staffing Shortage.” Organizations need to start thinking about unique ways to attract quality talent that isn’t tied to a formal education. Some ideas include:
- Use Capture The Flags (CTFs) or other competitions to identify quality talent. This approach also showcases your organization’s culture naturally through direct interaction with potential colleagues.
- Find technology-adjacent customer-experience-focused roles (retail, repair shops, food service, etc.).
- Don’t assume that a criminal background is always a red flag — especially given the changes coming to US drug policy, and given that enforcement and sentencing for computer crimes in the US under the CFAA (Computer Fraud and Abuse Act) are quite draconian.
- Utilize the strength of degree programs that aren’t typically associated with IT or security. Specifically, we’ve heard of folks with musical degree backgrounds becoming extremely successful in roles that were heavy in pattern identification and matching.
- Look for talent that took an alternative educational path, including those who attend two-year technical schools or community colleges.
- Consider military veterans with related technology training. That training doesn’t need to be specific to cybersecurity; open the doors to members of the armed forces who have experience working with computers, networks, aviation systems, and communications.
The Cybersecurity Skills Shortage Is Fake News
As the cybersecurity profession continues to grow along with the evolving threat landscape, there is the notion that there is a security skills shortage – but this is a false narrative. The issue continues to be that organizations need to change their viewpoints and lower their artificial barriers to entry to start looking at people without a formal education. Even the big technology players that had committed to getting rid of this practice still dance around the requirement by listing a bachelor’s degree first but tacking on “or equivalent practical experience” to the job requirements.
Be bold and more inclusive by doing the following:
- Eliminate degree language and multiple years of experience in a technology from all job postings, and put language in your job postings around practical experience. (Talk about deploying various security technologies, talk about level of experience such as expert knowledge, and stop focusing on academics.)
- Recruit from a neurodiverse candidate pool to bring different perspectives to the table. Everyone is in some way, shape, or form differently abled; we should be enabling our organizations by accommodating and actively shifting our hiring processes for people who look at the world from a different lens.
- Lean into people’s diverse backgrounds to map to job requirements. The experiences and challenges people have faced give them a significant advantage and can very well map to the practical experience that you’re looking for.
- Stop asking textbook security questions in interviews and trying to trip up potential candidates (not every successful infosec candidate is going to know about cryptography, web application security, etc.).
- Ask problem-solving and cultural questions to gauge a fit to the team, such as:
  - “You made a security change that impacted selling widget X. What are the steps you’d take to address it?”
  - “What is your preferred work style?”
  - “When working on a team, what role do you feel like you’d play on that team?”
  - “What are the top qualities you look for in a boss or senior leadership to help make you successful in your job?”
Hiring managers, HR departments, and organizations need to look beyond the degrees and certifications to dive into the practical abilities of candidates. Drop the formal education requirements and focus on what a person has learned through other means, whether that be through actual practice in different areas or hands-on experience doing what your organization needs. Most important of all, you want someone who will mesh with your team, and we’re pretty sure that they don’t need a degree from some prestigious university to have some fun while being an amazing colleague.