There are a lot of women out there with tech backgrounds. So why aren’t there more women in cyber?

I think it comes down to hiring practices, and which companies tend to look for diverse candidates in the first place.

Job descriptions and automated talent systems are doing our industry a disservice. Typically, when companies are looking for cybersecurity and technology talent, they’re looking for generalized experience that people just don’t have because technology stacks are tailored to specific organizations.

As a result, HR folks who don’t get enough input from technology leaders inside the company are liable to pass over worthy female candidates, because the job description lists very generalized requirements.

What’s more, most HR departments make the mistake of using automated talent systems that scan resumes for keywords and scores them on that basis. I think ATS is probably the worst technology ever created because it has cultivated a hiring environment that’s mostly based on referrals. As a result, the men who are typically in charge end up hiring the sons of people who golf with them, or went to college with them, or are in the same club as them.

If I were to challenge people to write down the names of 20 people they would reach out to when they had a really important hire, I’ll bet the average person is going to struggle to come up with the names of more than two minorities or women.

Tenure is another issue: Women tend to stay longer in jobs because they don’t have access to the same networks, so it’s harder for them to find the next position. By being tethered to a job for seven or eight years, women fall behind from a technical standpoint and don’t improve their skills.

This situation also contributes to the pay gap and suppresses upward mobility because historically for technical roles, if you want a raise you’ve got to go somewhere else.

There’s also the issue of which companies are hiring women. I’ve noticed that it tends to be the larger companies that hire more diverse candidates because they purposefully have diverse hiring campaigns.

But the smaller companies tend to be the more interesting places to work because they have better tech. Better tech tends to be cheaper, and it also allows these smaller companies to be more nimble.

The combination of lack of access to networks and less opportunity to gain experience with new technology makes it harder for women to find positions. The same holds for minorities, too, but I think you’re more likely to find a man of color in a cybersecurity position than you are a woman, white or of color.

Two things must happen for this situation to change.

First of all, HR departments have to get better at hiring tech people. They have to lose the ATS and find better ways of recruiting besides referrals. It wasn’t until later in my career that I realized I could get better quality talent if I went out and searched for the right candidate myself. Not just because I knew what I was looking for from a technical standpoint, but because I didn’t rely on resumes.

Instead, my focus was on the candidate’s aptitude to be an innovator and problem solver, and their willingness to tackle challenges and the chaos that tends to swirl around cybersecurity and tech in general. These are the things we should be hiring for.

Tech executives have to work more closely with their HR counterparts to make sure they have the know-how to source for technology candidates. HR doesn’t know what a network engineer does versus a systems engineer versus a security engineer versus a SOC analyst. Executives have to give HR examples of what a good candidate looks like, what skills they absolutely must have and how to gauge aptitude. Execs also have to get more involved in building job descriptions.

The other piece that needs to happen is for smaller companies to focus more on diversity. There’s nothing wrong with setting a target number for female candidates.

It’s not that there’s a limited pool of women with tech backgrounds. There’s a limited pool of jobs that will even accept them in the first place. We need to change this situation now if we want to cultivate the type of talent we need.