
Increasing acceptance of marijuana use raises questions about whether cybersecurity firms will follow suit

Expanding legalization of recreational use in various states may necessitate adjustments in employment practices, particularly in the cybersecurity field across both public and private sectors.


The Office of Personnel Management (OPM) recently addressed hiring policies related to marijuana and cannabis in a memo for federal agencies, signalling a shift in the long-standing stance on these substances.

Currently, cannabis is classified as a Schedule I drug by the federal government, meaning it has no "accepted medical use" and a "high potential for abuse." However, the OPM memo encourages agencies to focus on a candidate's conduct on a case-by-case basis to determine the impact, if any, on the integrity and efficiency of the government.

In contrast, employers in states like New York and New Jersey are not allowed to take adverse employment action based purely on cannabis use. New Jersey's law, yet to go into effect, defines any adverse action as refusing to hire or employ an individual, barring or discharging an individual from employment, requiring an individual to retire from employment, or discriminating against an individual in compensation or in any terms, conditions, or privileges of employment.

The legality of marijuana has only been addressed at the state level, but the landscape is changing. Recreational marijuana is legal for adults over 21 in 24 U.S. states, and other states allow only medical use. Six states, including Nebraska, North Carolina, South Carolina, Idaho, Kansas, and Wyoming, fully prohibit cannabis.

The Agriculture Improvement Act of 2018 (Farm Bill) legalized hemp and CBD sales federally, but the use of CBD products is still under review at the FBI and the Department of Defense. Federally legal, small THC doses in over-the-counter CBD products are undetectable in employment drug testing.

In the private sector, only 5%-6% of cybersecurity jobs require drug testing, compared to more than 80% in government. Companies in marijuana-friendly states are moving away from zero-tolerance drug policies and focusing on behaviour analysis based on performance or safety reviews.

However, the FBI's drug policy applies to medicinal use of marijuana; marijuana use, regardless of a prescription, cannot be used as a mitigating factor. The FBI's policy requires applicants to be marijuana-free for at least three years prior to employment.

The House of Representatives passed the SAFE Banking Act of 2021, which gives banks the ability to work with cannabis businesses in marijuana-legal states. As more states pass marijuana-tolerant laws, whether for medicinal or recreational use, the federal government and private industry are at a policy standstill.

The widespread popularity and acceptance of marijuana use are evident, regardless of the generation. Smoking among Gen Z, millennials, Gen X, and baby boomers increased from 2019 to 2020. A Gallup survey from November 2020 revealed that 68% of Americans support the legalization of marijuana.

David Wolpoff, CTO and co-founder of Randori, expressed concerns that the restrictive drug policies could deter candidates from applying for a cybersecurity job. He, like former FBI Director James Comey, who expressed similar concerns in 2014, believes that fundamental societal issues are being too comfortably avoided.

In the face of these changes, HR departments could face run-ins with the Americans with Disabilities Act (ADA) if cannabis compliance isn't in accordance with state laws. As the landscape continues to evolve, it is crucial for both public and private sectors to navigate these complex issues with sensitivity and understanding.
