This article is about cybersecurity careers and drug testing required by those employers.  If you are instead looking for information on cybersecurity employer background checks and security clearances, you can read our article on security clearances here.

Many people are interested in getting into the cyber security field, but are concerned about the background check and drug testing that may be required as part of the application process.  It’s important to know up front what activities from someone’s past may preclude them from getting a job in cyber security. Perhaps the most common background check question asked by applicants is related to prior drug use.

So, do cyber security jobs drug test?  Most government cyber security positions require an applicant to not have used marijuana within the past three years, and other illegal drugs within the past ten, regardless of state law.  However, cyber security jobs in the private sector commonly do not require drug testing unless that position is part of a government contract.

Let’s take a look at what options you may have for a career in cyber security if past drug use is a concern for you.

Government Positions – Still Just Saying No

Currently, the NSA and other defense agencies require that applicants go through a full background check.  Background checks like these not only verify criminal backgrounds related to misdemeanors and felonies, but also look at other aspects of the applicant’s life, such as financial information, alcohol use and reputation.

These agencies are looking for any aspect of an applicant’s life and background that may indicate dishonesty, or that may leave the applicant open to compromise or bribery by an outside hostile group.  For example, if an adversary knows you’re financially struggling, this could theoretically be used against you in order to pressure you to leak information.

Included in this background check is a polygraph and other forms of questioning about prior and current drug use.  This also will eventually include a drug test. Agencies like the NSA claim they have a zero tolerance policy for drug use.  Specifically, they would eliminate any applicant from consideration that has used marijuana within the past three years or any other illegal drug within the past ten.

What about if it is legal in your state?

There has been a major shift in laws related to recreational marijuana use during the past few years.  Several states have now either legalized marijuana for medical use, or legalized it for recreational use.  Additionally, there are a number of states and jurisdictions that, while marijuana use is technically illegal, have adopted a policy of non-enforcement.  So how does the NSA feel about marijuana use for those in these states?

It doesn’t matter.  The NSA currently claims that they do not allow for marijuana use by any applicant, even if that activity is legal in your home state.  You can check out the NSA’s policy on substance use here.

What about other government agencies?

Other government agencies, such as the FBI, also state that they follow the same policy.  However, they have publicly acknowledged in the past that they are having trouble finding qualified cyber security applicants because of their no-weed policy.  It is possible that some agencies may make a shift in policy in the future in order to ease hiring needs, but if that occurs, it may take a decade or more.  You can see the FBI’s substance use policy here.

What to do during the background check

If you are moving forward through any agency’s background check process, which could be for a full-time job or even an internship program, you may be wondering how you should handle questions about prior substance use.  Just about everyone suggests that the most important rule is to not lie.  Dishonesty about any topic that the agency later discovers is almost always a surefire way to termination.

I’ve heard it said before that these agencies know you’re human, and that at some point you’ve probably done something questionable or illegal on a small scale, and if you lie and claim that you’ve never done any such thing, they assume you’re lying.  All advice I’ve heard regarding the background check process is to be honest.

Private Sector Cyber Security Opportunities Are Available

The good news for those of us who have some substance use in our backgrounds is that most private sector cyber security employers do not conduct drug testing.  While many do state in their employment paperwork or employee manual that they have the right to do randomized testing of employees, in many cases that policy is there to give them options if they need it and is not enforced overall.

It appears that most private sector cyber security employers that do not interact or contract with the federal government expect you to perform your job to satisfaction, and they do not intend to complete extensive background checks or drug tests unless your performance is or becomes a problem.

The reasons for this are many.  First, drug testing does take time, it does cost the employer money, and it doesn’t do much to build trust between the employee and employer or foster a good working environment.

Additionally, as stated above, the laws and general public outlook about marijuana use in particular have changed greatly, and employers are following suit.  Employers are having too much trouble finding good cyber security talent to be overly restrictive in their hiring processes. And with so many cyber security jobs being hired out remotely to other states, where drug usage laws vary, it’s become even more difficult for private sector employers to enforce any kind of policy like this.

Important Points to Consider

  • If you have substance use in your past history, working for a government agency may be an option for you.
  • Common advice is to not lie regarding past substance use on a background check.  Lying will automatically disqualify you.
  • People with substance use in their past can still find employment in cyber security in the private sector.
  • Private sector employers typically do not drug test, but most reserve the right to do so in order to address an issue.
  • Continual substance use, unless exclusively recreational, legal and minimal, is generally not accepted among all employers, regardless of sector.

Related Questions

How long does a background check take?  Background checks for cyber security jobs vary based on how in depth the background check needs to be and the amount of history that an applicant has.  Background checks can take anywhere from a few months to well over a year. Red flags or background aspects that are hard to document can also extend a background check.

Can I get a job in cyber security with no experience?  It is possible to get a job in cyber security with no experience.  Check out our suggested plan for how to get into cyber security without experience here.

Do government cyber security jobs pay well?  Cyber security jobs in general pay much better than average salaries, including within government agencies.  However, some government agencies are having trouble keeping up with the quickly rising salaries now being offered by the private sector.


About the author 

Matt Day

Matt Day is a cybersecurity professional with over twenty years of experience in the IT, cybersecurity, and technology training fields. He has a degree in Computer Information Science and CompTIA A+, Network+, Security+, Server+, CySA+, and Cisco CCNA certifications.