Attract and Retain Women in InfoSec with The Rooney Rule

There has been a lot of talk in InfoSec about hiring and retaining women in our field. The same conversation is happening in the greater IT community as well.

I’d like to suggest something that is more than talk: not a government regulation, but a self-imposed rule that, if adopted, would move the ball forward almost immediately. Better still, it is something that has already been done elsewhere: the Rooney Rule.

There are plenty of places to read up on the Rooney Rule; I’ve included some links at the bottom of the post. In short, the NFL adopted it as a way to get more African-Americans into head coaching positions: teams must interview at least one minority candidate for every head coaching vacancy. I’m proposing we do something similar in InfoSec and apply it to hiring women.

I think this can apply to the broader tech industry as well.

What I envision is very simple: companies write one simple rule into their HR policies. The rule states that you must interview at least one woman for every open position for which you’re reviewing candidates. You cannot say you couldn’t find any. You cannot say that you already have someone in mind. You cannot say you’ll get it next time.

Here’s the deal though. If you don’t think we have a problem right now with our approach to women in our industry, I’m not sure how well you’ll receive this. If you don’t think having more women in InfoSec is a good thing, well, then you’re just not going to be interested in this idea. And if you aren’t going to hold your hiring managers accountable, then you shouldn’t have read this post this far (but seriously, thanks for stopping by. Leave a comment and explain yourself if you don’t mind?).

And hey, lookie here, I wrote a skeleton policy for you!

Section [x] Hiring <for Information Security>

[x.1] Candidate Search and Interview – For all open, posted positions, where external or internal candidates are interviewed, hiring management:

x.1.a – Must post a full description of job

x.1.b – Must avoid gender-specific descriptions or “teasers” in the job description or include off-setting gender-specific descriptions or “teasers.” Example: “Do you have a wicked handlebar mustache….we think those are dope” must be balanced with, “Do you love to rock a fedora, a cute dress, and some kick-ass boots…we think those are dope.”

x.1.c – Must conduct at least one (1) in-person interview with a female candidate

Simple, right?

I’m not suggesting this is a silver bullet. But I am suggesting that by implementing this rule, InfoSec organizations will begin to challenge themselves in ways they hadn’t previously. Further, I’m suggesting that the challenge will be good for both parties. The diversity of our teams will be enhanced (I feel like this is a self-evident “good.” Maybe you don’t…I don’t know), and we’ll be opening the doors to deserving candidates we otherwise might never have seen. Finally, we’d be doing this because it’s the right thing to do for everyone, and we don’t need an outside entity to tell us to do it.

  1. I realize there are other underrepresented groups in our field. This post is about women.
