Information security job descriptions are terrible – we’ve all heard and seen it. We see entry-level job descriptions that require a CISSP, job descriptions with a laundry list of “must haves”, and non-developer jobs requiring programming in at least three languages. We hear about bad job descriptions on Twitter, in job search webinars, and from recruiters. When job seekers ask for advice, we are told “Apply anyway.”
That’s not good enough!
Homogeneous teams produce homogeneous results, whereas diverse teams work better and find effective solutions faster. Bad job descriptions are not the way to create a diverse workforce.
Marginalized groups (women, people of color, neurodiverse people, older people, etc.) feel that we must be better than everyone else to be considered for jobs, so “apply anyway” will be ignored by these groups. Many times, we will not apply for jobs that we don’t meet the requirements for because we don’t believe it’s worth our time, and when we do, we frequently don’t receive any response.
Another problem with the “apply anyway” answer is that it enables gatekeeping. When employers receive many applicants that don’t meet the requirements, it becomes a judgement call as to who to interview. Employers can easily identify a person’s race/ethnic origin, age, gender, etc., by looking at their name, date of degree, or even what college they attended (Historically Black Colleges for example). That information can then be used (consciously or unconsciously) to invite the same group of people who are already overrepresented in infosec to interview while ignoring marginalized groups.
Finally, the answer “apply anyway” doesn’t work because it doesn’t actually fix the problem. The problem of bad job descriptions can only be fixed by writing good job descriptions – meet three of the five requirements, move programming to “nice to have” rather than “must have”, match the experience required for the job to the job’s seniority level, etc. These descriptions must be written by the infosec community with Human Resources, not by Human Resources, and we must hold each other accountable for bad job descriptions.
Until we fix job descriptions, we will not have the diverse information security workforce that we need.