Dozens of technology companies, including several cybersecurity firms, have excluded remote workers in Colorado from searches for job candidates since a state law requiring pay transparency in job listings went into effect.
CyberScoop identified at least five cybersecurity firms or tech companies with active security-related job listings excluding Colorado workers from remote work.
The companies represent a small subset of hundreds of employers navigating 2019’s Equal Pay For Equal Work Act, which went into effect on January 1 and requires employers to include compensation in job postings and keep job descriptions and wage records for two years after an employee leaves the company. Advocates for equal pay say that salary transparency is a powerful tool in closing the wage gap between men and women. Companies that implement pay transparency tend to have a lower wage gap at all job levels, the salary data site PayScale found in a 2020 study.
Violations of the law could result in fines of up to $10,000 per violation. The Colorado Department of Labor could also ask the company to come into compliance with the law instead of issuing a fine.
One notice from the cloud computing vendor Rackspace lists dozens of states where remote work is eligible but excludes Colorado. Another listing from Contrast Security, a software security firm, is more explicit: “We could support remote work in most states except Colorado.” Both companies declined to comment for this story.
Other firms have taken action since CyberScoop flagged their job posts in recent days, and as attention around compliance with the law has grown.
Cloud company Box, which offers security compliance tools, said that it has updated job listings to no longer exclude Colorado workers. However, it has not added salaries to the listings at press time.
A spokesperson from Accenture said that the job posting flagged by CyberScoop was outdated and that recent listings had since come into compliance with the law. CyberScoop confirmed that recent listings, including security postings for a threat analyst and industrial control system consultant, included a salary range.
CrowdStrike, one of the country’s most prominent cybersecurity firms, had also appeared to exclude Colorado workers as recently as July 28. The company has since added salaries to its job postings for positions including a software engineer for cloud security and senior security researcher engineer. Language excluding Colorado workers is also no longer listed in the most recent listings.
The company did not return a request for comment.
The apparent reluctance to list salaries at a time when the competition to hire cybersecurity talent is steeper than ever underscores deep-seated inequities in the industry, experts say.
There are roughly half a million open cybersecurity jobs in the U.S., according to an estimate by CyberSeek, a nonprofit project funded by the U.S. Commerce Department. The number of open cybersecurity jobs is expected to climb in the coming years.
“It’s a major problem in the cybersecurity industry where hiring and recruitment and retention is such a big issue,” says Tatyana Bolton, director for R Street’s Cybersecurity & Emerging Threats team. “It’s unbelievable that they would no longer recruit candidates from a given state because of a pay transparency law.”
Women and people of color still are paid less than their white male counterparts in the industry, inequities that can plague employees throughout their career, Bolton says. In North America, women in cybersecurity are paid roughly $16,500 less than male counterparts, according to a workforce study from (ISC)².
Laws like Colorado’s are meant to help even the playing field because the pay is based on job performance, rather than a candidate’s prior salary history.
Jackie Singh, a senior threat and incident response analyst who worked for the Biden campaign, suggested that the provision signaled concerns about a company’s commitment to equality.
“More and more people in the industry are starting to realize that there’s a relationship between not treating a certain subset of employees well and the company’s culture,” she said.
While the law has been in effect since January, a website that aims to identify companies trying to skirt the law is attracting more attention. ColoradoExcluded, designed by Colorado engineer Aaron Batilo, has grown from 20 companies in May to nearly 150 thanks to reports from job seekers who found the site via social media or press coverage.
“I hope long term what happens is more and more states start to adopt this to the point where companies don’t have a choice in sharing salaries because then they would just be diminishing their potential labor pool by a very notable amount,” Batilo said.
The Colorado Department of Labor and Employment confirmed that it had received dozens of complaints about companies violating the law.
“Labor law requirements are mandatory, not optional based on employer preference, so excluding Coloradans does not eliminate pay disclosure duties,” Scott Moss, director of the Division of Labor Standards and Statistics, said in an email.
The law only applies to companies with workers already in Colorado, which means a number of employers that have taken to barring remote candidates in Colorado have done so unnecessarily, Moss noted.
“We’re reaching out to these out-of-state employers to explain that there is no need for them to limit their own talent pool by excluding Coloradans, just to avoid complying with a law that does not apply to them,” Moss wrote in an email.
Such postings make up “a very infrequent phenomenon, reaching perhaps only about 1% of remote jobs,” Moss added.
Such behavior will become even more difficult as more states pursue similar laws. Connecticut has a law requiring that jobs list a salary band going into effect in October.