Former FBI Director James Comey foresaw a hiring dilemma, hinging on the legality of marijuana and the perception of workers who partake.
"I have to hire a great workforce to compete with those cybercriminals, and some of those kids want to smoke weed on the way to the interview," he told The Wall Street Journal in 2014.
He was questioned during a congressional FBI oversight hearing the same week. "Do you understand that that could be interpreted as one more example of leadership in America dismissing the seriousness of marijuana use and that could undermine our ability to convince young people not to go down a dangerous path?" then-Sen. Jeff Sessions, R-AL, said.
Comey was criticizing a longstanding drug policy in the FBI, which requires applicants to be marijuana-free for at least three years prior to employment with the agency, regardless of whether it's legal in an applicant's state.
In response to Sessions, Comey said, "I am determined not to lose my sense of humor, but unfortunately, there I was trying to be both serious and funny."
While Comey's comments were made partly in jest, the restrictive drug policy stands; other security-related fields have similar requirements, including government contractors or industrial control companies. The disqualifier is another barrier to entry in cybersecurity, where jobs outpace available talent in the public and private sectors.
In general, only 5%-6% of cybersecurity jobs require drug testing in the private sector, compared to more than 80% in government, according to data from Burning Glass Technologies.
"I've worked side by side, in classified spaces, with people who have done every substance, literally everything."
David "Moose" Wolpoff
CTO and co-founder of Randori
The legality of marijuana has only been addressed at the state level, but the landscape is changing. Blanket statements around substances legally acceptable in some areas could deter candidates from applying for a cybersecurity job in public or private industry.
"There's almost a perception of rejection of candidates that isn't necessarily real or manifests," said David "Moose" Wolpoff, CTO and co-founder of Randori.
Prior to co-founding Randori, Wolpoff spent the bulk of his career in government security, including his role as a red team lead at government defense contractor Kyrus Tech. "Insofar as I was doing that, I was not allowed to participate in a marijuana culture at all.
"I was a cleared professional for almost the entirety of my professional career … I've worked side by side, in classified spaces, with people who have done every substance, literally everything," said Wolpoff. Comey's statements could unintentionally give prospective hires the impression that, "because I have this background, I can't go do this thing."
Drug policies are not the only hurdles keeping cybersecurity jobs unfilled. Other factors for cyber talent — like constant certifications and lack of diverse representation — contribute to the global job gap of about 3 million open jobs in 2020, according to data from (ISC)². The research firm estimates there will be 10,300 available cybersecurity professionals for every 100,000 U.S.-based businesses.
The federal government's cybersecurity hiring and retention is more dire. Annual cybersecurity job turnover is 18% in the federal government, compared to 14% in other federal IT positions, according to a Burning Glass Technologies report released in March.
Of federal cybersecurity professionals hired in the last five years, 27% left within a year of working for the government, the report said. Though degrees are required less frequently in federal work compared to private industry, barriers in culture inhibit longer tenure.
"I'm not a frequent user of marijuana currently, though in college I smoked infrequently socially," a professional white hat hacker based in Colorado, told Cybersecurity Dive on condition of anonymity. "I did apply for a government-related security software internship in college, which I got."
The job required initial drug testing and subsequent, randomized testing throughout her internship. "To be sure I would be eligible I ensured I wasn't in any situations where there would be marijuana or people partaking until I was able to drug test. Then, I abstained for the duration of the internship," she said.
In her current role, the company does not perform drug testing. "I don't think they care so long as the quality of one's work isn't impacted."
The sources who spoke to Cybersecurity Dive privately did so to avoid future employers associating them with an illegal substance.
The times they are a-changin
Approval of recreational marijuana has been on the rise for the last decade. As of November 2020, 68% of Americans support legalization of the drug, according to a Gallup survey.
"Certainly, the hacker and security communities don't deviate too far from the norm. They're just more colorful about certain aspects of it," said Wolpoff.
The federal government classifies cannabis as a Schedule I drug, meaning the substance currently has no "accepted medical use" and also has "a high potential for abuse," according to the Drug Enforcement Administration.
Cannabidiol (CBD)-related products are legal federally, but more state laws in regards to marijuana are complicating policies. Cannabis products are becoming more mainstream — gummies, oils, supplements with CBD are sold in grocery store aisles even in states where recreational marijuana is illegal.
The Agriculture Improvement Act of 2018 (Farm Bill) legalized hemp and CBD sales federally. While hemp products still need to meet FDA requirements (though it's not regulated), the cannabis derivatives were understood to have less than 0.3% of delta-9-tetrahydrocannabinol (THC). On Monday, the House of Representatives passed the SAFE Banking Act of 2021, which gives banks the ability to work with cannabis businesses in marijuana-legal states.
States where recreational marijuana is legal
| State | Year legalized | Impending legalization, rules |
|---|---|---|
| Colorado | 2012 | |
| Washington | 2012 | |
| Oregon | 2014 | |
| Alaska | 2014 | |
| District of Columbia | 2014 | |
| California | 2016 | |
| Nevada | 2016 | |
| Maine | 2016 | |
| Massachusetts | 2016 | |
| Vermont | 2018 | |
| Michigan | 2018 | |
| Illinois | 2019 | |
| New Jersey | 2020 | |
| Montana | 2020 | |
| Arizona | 2020 | |
| South Dakota | 2020* | |
| New Jersey | 2021 | |
| New York | 2021 | |
| Virginia | 2021 | |
| New Mexico | 2021 |
*South Dakota constituents voted to legalize recreational marijuana in 2020. However, in an effort to delay implementation, Gov. Kristi Noem, R, is creating a counter proposal.
As more states pass marijuana-tolerant laws, whether for medicinal or recreational use, the federal government and private industry are at a policy standstill. Some professions and industries are adapting company policies, while others are stuck.
Companies in marijuana-friendly states are moving away from zero-tolerance drug policies and focusing on behavior analysis based on performance or safety reviews, reported Cybersecurity Dive's sister publication HR Dive.
"People aren't going to give up their marijuana, especially as the trend is towards legalization in the States," said Eric Meyer, partner at FisherBroyles. "If the government doesn't change its hiring practices, the eligible supply [of workers] is going to dwindle."
The Office of Personnel Management (OPM) addressed hiring policies in a memo for federal agencies related to marijuana and cannabis in February: Candidates apply to positions they are "well-qualified" for and yet their marijuana use "may or may not be of concern when considering the suitability or fitness of the individual for the position," said Kathleen McGettigan, acting director of the OPM and suitability executive agent, in the memo.
The conclusion was, don't disqualify candidates solely based on prior marijuana consumption. Instead, agencies should focus on a candidate's conduct on a case-by-case basis "to determine the impact, if any, to the integrity and the efficiency of the government," the memo said.
While policies might loosen for agencies, McGettigan flagged some exceptions. "This memorandum does not address consideration of marijuana use in determinations of eligibility for access to classified information or for employment in [a] sensitive national security position, since the Office of the Director of National Intelligence is responsible for guidance on national security eligibility."
The fine print also discourages active use; agencies still want "evidence that use will not occur again," according to the memo.
Though the modification to hiring is limited, the OPM letter was a reaction to changing state laws.
A question of medicinal cases
Because of the various forms cannabis takes, there are nuances in how it's seen by employees and employers. "I don't consider CBD in the same category as marijuana at all as you can literally get it in the grocery store, so I expect at least some [people] use that for sore muscles and so forth," said the Colorado-based hacker.
States where medicinal marijuana is legal
| State | Year legalized | Impending legalization |
|---|---|---|
| Hawaii | 2000 | |
| Delaware | 2011 | |
| Connecticut | 2012 | |
| New Hampshire | 2013 | |
| Minnesota | 2014 | |
| Maryland | 2014 | |
| Louisiana | 2015 | |
| Arkansas | 2016 | |
| Pennsylvania | 2016 | |
| Ohio | 2016 | |
| Florida | 2016 | |
| North Dakota | 2016 | |
| Iowa | 2017 | |
| West Virginia | 2017 | |
| Oklahoma | 2018 | |
| Missouri | 2018 | |
| Utah | 2018 | |
| Mississippi | 2020 |
Last year, one-quarter of HR professionals were "extremely challenged" regarding changing medicinal and recreational marijuana laws, according to a 2020 XpertHR survey. HR policies have to align with employee state medical rights, while being cognizant of federal regulation and company standards. HR departments could face run-ins with Americans with Disabilities Act (ADA) if cannabis compliance isn't in accordance with state laws.
"It gets a little bit tangled up when we start talking about like, impairment by prescription medications," said Nancy Delogu, shareholder at Littler Mendelson. "Although an employer can prohibit someone from coming to work while impaired, the individual has a right to treat their medical condition with legal medication, and they may be entitled to accommodations."
Theoretically, federally legal, small THC doses in over-the-counter CBD products is undetectable in employment drug testing. However, an applicant's use of CBD products is still under review at the FBI while the Department of Defense has a zero tolerance CBD policy.
"I know many friends that have turned [a cybersecurity job opportunity] down, especially veterans that use cannabis to manage symptoms of PTSD, that wouldn't take jobs," because of government drug restrictions, said John Jackson, senior application security engineer at Shutterstock.
Clients had "pretty serious ailments … [they] weren't just people with a med card looking to get high. They were looking for relief."
John Jackson
Senior application security engineer at Shutterstock
The FBI's drug policy also applies to medicinal use; marijuana use, regardless of a prescription, "cannot be used as a mitigating factor," the policy says.
"I think it's frustrating," said Jackson, who prior to becoming a security professional worked as a budtender in a medical dispensary in Colorado. From his experience, clients had "pretty serious ailments … [they] weren't just people with a med card looking to get high. They were looking for relief," he said.
For Jackson, drug screening for medicinal use feels unfair. And individuals who use marijuana for health-related reasons will opt out of a medical license because it goes on their record. "What I've heard from infosec professionals is, 'What if I want to contract for the government at some point?'" said Jackson.
Compared to other IT jobs, cybersecurity roles are twice as likely to require drug testing, according to Burning Glass Technologies. However, more broadly across jobs and industries, cybersecurity jobs are less likely to request a drug test.
Applicants can't be eliminated from job consideration if they test positive for marijuana under the New York and New Jersey laws. Employers aren't allowed to take "adverse employment action" based purely on cannabis use.
New Jersey's law, which was signed into law in February but has yet to go into effect, defines any adverse action as "refusing to hire or employ an individual, barring or discharging an individual from employment, requiring an individual to retire from employment, or discriminating against an individual in compensation or in any terms, conditions, or privileges of employment."
The caveat is a first related to marijuana acceptance in the workplace. It's "a whole new ball of wax that we're opening up," said Delogu.
Who's engaging in cannabis culture
Knowing who uses cannabis products is an imperfect science.
"When it comes to the effects of cannabis use, and cannabis in combination with other illicit drug use, on employment, the results are also mixed," according to a 2015 study by Ioana Popovici, assistant professor within the sociobehavioral and administrative pharmacy department at Nova Southeastern University and Michael T. French, professor and department chair of health management and policy at the University of Miami.
Inconsistent use patterns and labor markets are contributing factors to a "lack of research consensus" on the implications of marijuana and employment, according to the researchers.
There aren't specific statistics as it relates to marijuana use in cybersecurity professions, but "I would say use is common, at least from a hacking perspective," said Jackson. "None of them are in government," but they are employed by private enterprises.
"I do have friends in the security industry who occasionally smoke."
A professional white hat hacker based in Colorado
The professional hacker and security workforce is no different than other professionals in regards to cannabis culture. There are cliches and stereotypes that follow security professionals, but it doesn't distract from the trust their employers have in them.
"I find it's something folks don't talk about for the most part," the Colorado-based hacker said. Marijuana is legal in her state, and while she's unsure if her coworkers engage in cannabis culture, "I do have friends in the security industry who occasionally smoke."
It's not to say private industry doesn't require drug testing, but the policies are more relaxed than government or government-linked organizations.
A security professional working in the healthcare industry, based in Houston, is tested yearly, though he stopped smoking after 2012. Prior to then, "I would definitely not work for anyone who drug tested," he said on condition of anonymity.
Companies likely have a "don't ask, don't tell" policy if their industry sits outside of federal regulation, according to several sources. As of 2018, 70% of cannabis users, or those who used within 30 days, are full-time employees, according to data from National Household Survey of Drug Abuse (NHSDA).
If employees "want to have a drink or two with dinner or use marijuana at night, as long as it doesn't impact what they do on the job, it's really not an issue for most employers," said Meyer.
By comparison, the FBI's tolerance for off-duty alcohol consumption is also monitored to a certain extent. Alcohol consumption, alongside drug use or "notoriously disgraceful conduct," are considerations for security clearances, according to a 2015 Department of Justice review. Each reviewed behavior is seen as a potential impediment to an employee's performance or an opportunity for exploitation.
"Drugs, like alcohol, can impair judgment and impulse control, but illegal use of drugs is even more destructive to the integrity and credibility of both the employee and DOJ, which is responsible for enforcing and prosecuting violations of federal drug laws," the review said.
Unlike the government, where alcohol or drugs could be a "precursor to other problematic off-duty behavior," employers are not necessarily concerned about marijuana use; they're focused on impairment on the job.
Depending on the intake, individuals need to wait between six and eight hours before engaging in safety-related activities, according to the Colorado government.
"Allowing positive tests for marijuana could be a problem."
Eric Meyer
Partner at FisherBroyles
With major tech companies based in marijuana-friendly states, developing policies might be commonplace. For Randori, which has locations in Colorado and Massachusetts, there is no policy. Wolpoff only cares if an employee is impaired while on the job.
"We have no specific policy around marijuana," he said. "My general rule of thumb is, I don't want to know about what you do in your personal time. Don't make it a problem and it won't be a problem."
For companies that are not exclusively in the security industry, but either offer security services or have an internal team, there are likely uniform policies across internal employment types. If it's a safety-sensitive role defined by the Substance Abuse & Mental Health Services Administration (SAMHSA), there might be mandated randomized drug testing, which other roles are not subject to.
It's common for certain industries to impose drug testing after a physical incident or accident. In cybersecurity, where there is debatably an incident every day, there isn't clear guidance on ensuring or proving an employee's sobriety.
There are state laws that mandate the opportunity for recovery treatment if an employee tests positive for an illicit drug. "No state law says you have the opportunity to test again, that's sort of like saying, 'Catch me if you can,'" said Delogu.
"No state law says you have the opportunity to test again, that's sort of like saying, 'Catch me if you can.'"
Nancy Delogu
Shareholder at Littler Mendelson
However, employers can be slapped with negligent management if they continue to test for marijuana but don't act on it. "To me, that's a really big risk for the employer," said Delogu. Failure to remove an employee from their role after testing positive for an illicit drug usually falls in, again, regulated fields or roles operating heavy machinery.
Cybersecurity Dive reached out to a dozen companies in tech and cybersecurity to determine their hiring and employment policies in respect to their state marijuana laws; they declined to comment.
"I'm telling you right now, the reason being is because it is federally illegal," said Jackson. States don't have a standard marijuana-related policy, leaving companies uncomfortable going on the record as supportive or neutral toward a federally illegal drug.
For companies grappling with opposing state and federal laws, President Joe Biden has backed decriminalizing marijuana, but any federal laws are likely on the back burner. The federal government just moves slower than state or company policies.
"I do think [marijuana policy] eliminates a lot of good people from the workforce because let's be honest, some people drink a cold one after work, and others prefer a smoke," said the healthcare security professional. "That's the skinny of it."
Comey's comments read like "'We have to hire these great people, and hello, most of them smoke weed.'"
A security professional in the healthcare industry
There will always be jobs requiring testing in highly regulated industries, but it's unknown if cybersecurity will always have to oblige to those same rules. "They are federally regulated industries. If you are a federal contractor, you probably have a drug free workplace obligation to be a federal contractor, so allowing positive tests for marijuana could be a problem," said Meyer.
While the professional hackers don't expect federal hiring policies to change for cybersecurity any time soon, the healthcare security professional interprets Comey's comments as an endorsement: "It reads like, 'We have to hire these great people, and hello, most of them smoke weed,'" he said.
Smoking in 2020
In 2020, marijuana overall use increased; whether it was due to more time alone at home, external stresses or just more legalization, Americans turned to the drug. When nationwide lockdowns began mid-March 2020, cannabis orders increased 36% compared to the weeks prior, according to the 2020 State of Cannabis report by Vangst, LeafLink, and Flowhub.
No marijuana use in an applicant's background will be increasingly difficult to find. "They're looking for unicorn hackers," said Jackson. "It doesn't exist. I don't know a lot of information security professionals who haven't either used controlled substances or substances in general, or are currently users."
Societal popularity and acceptance is widespread, regardless of the generation. Smoking among Gen Z, millennials, Gen X and baby boomers increased from 2019 to 2020, according to a cannabis consumer behavior 2020 report by Headset. The report used aggregated data from California, Colorado, Nevada and Washington's recreational cannabis markets.
For reference, 44% of the cybersecurity workforce are millennials, followed by 39% Gen X, 13% baby boomers, and 1% is Gen Z, according to (ISC)². Millennials account for one-third of the overall U.S. workforce, according to 2019 data from Pew Research.
The uptick in marijuana use last year was part of another issue companies are too comfortable avoiding. "I think there are fundamental societal issues that we ignore. And then those things become catalysts for other behaviors that we then focus on," said Wolpoff.
Burnout in cybersecurity is common; a 2020 survey found 18% of IT security professionals left a job due to burnout or overwork. At least 25% of respondents either personally have, or knows someone who has considered leaving a job, because of it, according to the Chartered Institute of Information Security.
In the context of 2020, there were "coping mechanisms that we saw pop up with folks in isolation," said Wolpoff. It's less of a security and risk issue, and more of a healthcare one for him. "Security people are security people, but it's not like we're fundamentally different than anybody else in business."
