Anyone who knows me personally knows that I’m a football fan. The NFL has a majority of white head coaches. To combat this, they adopted the Rooney Rule. Critics say it is a failure. Just like in the world of cybersecurity, minorities still struggle to find opportunities. This article will discuss why the Rooney Rule fails, and how it relates to diversity in cybersecurity.
Background Of the Rooney Rule
The Rooney Rule was established in 2003 and is named after Dan Rooney, chairman of the league’s diversity committee. It states that teams searching for senior positions must interview minority coaches for the position. It has recently come under fire due to there being only 3 minority head coaches as of 2020.
Where It Goes Wrong
The rule only covers senior-level positions. The candidate pool is assistant coaches in the NFL and head and assistant coaches at the college level. Since there isn’t a similar rule about providing opportunities at these levels, the pool is limited. The easy excuse is that there just aren’t qualified, minority candidates to choose from, although even that isn’t true.
Part of the problem is that people tend to shy away from taking risks. It is riskier to go with someone you don’t know, than someone you do know. An NFL head coach is a pretty key position. In the NFL, many minority head coaches had prior relationships with the teams that hired them to that position. If not, then being recommended by someone trusted by the organization is crucial.
There are programs in development to promote minorities interested in coaching. These are basically internships to give senior leadership a meet and greet with more diverse aspiring coaches. They try to provide that entry-level opportunity, but it falls short by not mandating policies league-wide.
What This Has To Do With Diversity In Cybersecurity?
In the world of cybersecurity, minorities face a very similar situation. They struggle to get their feet in the door in entry-level positions. It is more difficult to make the connections to get those internal promotions. In some cases, it is more difficult for minorities to network with the right people, or to get the right experience/training.
Why Is Diversity In Cybersecurity Important
This is a question I’ve been asked several times. ‘I’m not racist, but why should I go out of my way to promote diversity’ question. I feel it is crucial to understand this in order to help. Simply put, diversity matters because it’s the right thing to do. It is only fair to ensure that everyone has an equal opportunity to work their passions.
The reality is that we live in a world where businesses only care about the bottom line. If you are asking a company to spend money or other resources, there has to be a return on the investment. Here is a list of business cases that provide answers to that question:
- A diverse set of eyes can help solve problems faster and cheaper.
- Diversity of thought can prevent problems in the development stage.
- Reviewing all qualified candidates means you get to pick the best candidate.
Diversity Can’t Just Be A Check In The Box To Succeed
In order to obtain success with diversity in cybersecurity, a company has to fully embrace change. They can’t just hire a handful of minorities or require that minorities be interviewed like the NFL. The company culture has to change, along with how a company screens and hires candidates. Once that is accomplished, the studies show that it can improve those three factors.
Learning from the failure of the Rooney Rule, my suggestion would be to do the opposite. Hiring a more diverse entry-level staff means there is a larger pool of qualified candidates to promote. When screening for mid-level or high-level jobs, enforce interviewing every candidate that applies, and actively recruiting from communities that are under-represented within the company.
Let’s Talk About Job Postings
In 2014 a Hewlett Packard report tried to explain why fewer women apply for jobs. They found that in general, women won’t apply unless they feel 100% qualified. It was concluded that women didn’t feel confident enough to do the job, while men would apply if they only met 60% of requirements. That isn’t necessarily the case.
A subsequent study done by the Harvard Business Review delved deeper. They specifically asked candidates who did NOT apply for a job why. Only about 10% of the women thought they couldn’t do the job. 15% said they were just following the guidelines. 20% more said they didn’t want to set themselves up for failure. Another 40% said they didn’t want to waste their time because they didn’t check all the boxes. Finally, 13% said they figured since they didn’t meet the requirements they didn’t want to waste the time of the interviewers.
Be Careful What You Wish For
The moral of this story is simple. Be mindful of what you put into job postings. Words matter and every group will react differently to them. Diversity in cybersecurity hinges upon as neutral a posting as possible. A trend that I’ve personally tried to follow with my job postings is to limit the actual requirements to the bare essentials:
- Keep out vague ‘years of experience’ as a requirement.
- Don’t put a degree as a requirement.
- Clearly separate what is actually required with what makes a candidate stand out.
This Article Requires 5 Years Of Experience
Requiring years of experience for a tech job is a little ridiculous. Too often you will see a posting requiring years of experience with a technology that just came out. People with knowledge of similar platforms willy apply, broadening the search.
Why Do We Still Require A Degree?
A degree is not easy to achieve and means that you have put time, study and work into it. There are many people who don’t have reasonable access to a degree. They cost money and make it difficult to earn money while you are obtaining them. Not having one shouldn’t disqualify someone, but having one should be a bonus. Don’t even mention it on a job posting, but weigh it when evaluating a candidate.
Only List The Essentials As ‘Requirements’
A lot of jobs just have a ‘requirements’ section with a laundry list of what managers think are needed. Most of the time, they aren’t. For example, working in government space, my only requirements for engineers was they needed clearance and an 8570 certification. We listed some skills that would make a candidate stand out, like scripting in specific languages, network troubleshooting experience, etc.
In Conclusion, Diversity In Cybersecurity Is Important
Not only is it the right thing to do, but it has a direct benefit to ROI if done correctly. There are many different ways to make positive changes. Large organizations like the NFL have tried but failed. We can use their example to reach better results within our own companies.