It's time to stop subjectively reviewing resumes and assuming that more time spent on earth improves our expertise. There is a significant difference between "Years of Exposure" and "Years of Experience". We cannot statistically or scientifically prove that years of exposure (commonly confused with years of experience) improve knowledge.

Hiring managers are forced to come up with their own pseudo-science and hiring practices to validate one's experience. Unfortunately, these practices are not equitable and are extremely biased. We must move to performance-based interviews, hiring/promotion assessments, and competency exams, and quantify experience based on task performance, not time spent on earth.

Let's do a fun exercise to show you just how fallacious "years of experience" is:

Method one: Calculating your actual experience in a year

1. Multiply the average days worked in a week by
2. the average hours worked in a day by
3. 52 weeks in a year (assuming no PTO, sick days, and holidays)

✅ Example: 5 days × 8 hours × 52 weeks = 2,080 <- This is your quote-unquote year of experience in hours 😅 Remember: a year of experience = 8,760 hours.

Method two: Calculating how many years of experience you actually have in your field right now.

1. Take the number of years of experience you have and multiply it by 2,080 (average hours worked in a year). Note: Your number may be a bit higher.

2. Now, divide this number by 8,760 (total hours in a year)

✅ Example: 10 years × 2,080 ÷ 8,760 = 2.37 years of experience

If you're a hiring manager, you should reevaluate how you're quantifying experience and whom you're hurting by using outdated practices.

To my third-party hiring and HR organizations: You have a great opportunity to work with the National Initiative for Cybersecurity Education (NICE), the National Institute of Standards and Technology (NIST), and the SFIA Foundation to build equitable hiring practices. More importantly, working with vendors and organizations like Microsoft, Cisco, Offensive Security, ISACA, (ISC)², Amazon Web Services (AWS), CompTIA, IAPP - International Association of Privacy Professionals, SkillsTX, DVMS Institute, APMG International and more can help us develop proficiency assessments for the hiring process. This will also educate our workforce on which areas they are weak in, instead of just saying "sorry we're not going to move forward with you...etc".

Let's do better and start using evidence-based approaches and performance assessments in our hiring and promotion practices.

Reference:

Creating the Next Generation Cybersecurity Auditor:
https://lnkd.in/gTaxhVkC

