Neurodiversity in the Cybersecurity Industry

Around 700,000 people in the UK are on the autism spectrum – making up one in every 100 individuals. In the US, this number reaches 3.5 million – accounting for one in every 59 births.

Yet, according to the National Autistic Society, just 16% of adults with autism are in full-time work, and the figure has stayed stagnant since 2007.

These figures occur at the same time that the cybersecurity industry is crying out for new talent. The latest annual survey of global IT professions from the Enterprise Strategy Group showed that the biggest gap in skills was in the cybersecurity industry – with 53% of respondents reporting a shortage of talent.

NeuroDiversity UK says that up to three-quarters of cognitively-able autistic adults could possess the aptitude and skill-set for a career in cybersecurity. So, is the industry seizing this opportunity, and what more can be done to encourage more neurodiverse candidates into roles?

Neurodiverse Conditions and Cybersecurity Professionals

Emma Kearns, partnerships and employment training manager at the National Autistic Society, says the small number of autistic people with jobs is a “huge waste of talent at a time when there’s a big skills shortage.”

However, she adds that it’s important, as a first step, to remember that all people are different.

“Every autistic person has different skills, interests and support needs,” she says. “Not everyone wants to work in technology and some people aren’t able to work at all.”

Mary-Jo de Leeuw, director of cybersecurity advocacy for (ISC)2 – a global organization for IT security professionals – agrees that neurodiverse conditions alone do not “predispose individuals to being well-suited to the sector.”

However, she says that some of the most talented individuals in the business frequently possess some form of neurodiverse condition.

“The underlying skills and interests would have been there regardless of whether the individual has a neurodiverse condition,” she adds.

“Nonetheless, it is clear that the cybersecurity sector has a significant number of people at the top of the industry who have been diagnosed as being on the autistic spectrum for example, not to mention a significant number who have not been formally diagnosed but are living with and functioning with a condition.”

Mike Spain, founder of NeuroCyber UK, agrees that the issue is not about labels or disability. “It is about people,” he explains. “People that are highly capable or highly qualified and underrepresented.”

Spain says neurodiverse conditions, including autism, dyslexia, dyscalculia, dyspraxia, ADHD and OCD, see people “thinking differently” and that can lead to them “being able to identify problems that others may overlook and finding creative solutions otherwise unseen.”

However, he adds: “It is inaccurate to assume that being neurodiverse automatically means ‘superpowers’ or a desire, or aptitude, for a career in cyber.

“As with anyone, we all have our strengths, weaknesses and interests. There are some characteristics, however, that when given the right support and environment, can translate into highly successful cyber-professionals.”

Skills that neurodiverse individuals can possess include great loyalty, reliability, integrity and focus. Couple that with true outside the box thinking, attention to detail, cognitive pattern recognition and a very logical and methodical way of thinking, and Spain says: “These are all traits that benefit any organization, but that can be very successfully applied to cyber.”

“People that could be seen as awkward or difficult that should instead be seen as different – and difference is strength”

The Impact of Neurodiversity So Far

Richard Branson is Dyslexic. Mozart had indicators of Autism. Tesla, Turing, Darwin and Einstein all had a range of unique ways of thinking.

So, as Spain puts it, we would not be where we are today without neurodiversity.

“There are many trailblazers, but there are also your talented team members – those who spot things others miss or have that capability for outside the box thinking,” he says. “People that could be seen as awkward or difficult that should instead be seen as different – and difference is strength.” 

Bringing it back to the industry, just look at Auticon – an IT consultancy that recruits only autistic consultants. It has seen its clients report 50% efficiency gains through using autistic staff on a particular project thanks to the consultants’ creative reorganization of the data testing procedure. 

Becky Pinkard, co-founder of Women Empowering Diversity in Startups (WEDS), has seen it herself and reaped the benefits.

“I’ve personally experienced situations where a neurodiverse individual was able to provide attention to detail and a willingness to commit a level of time and focus in the pursuit of a security monitoring problem,” she tells Infosecurity.

“I’ve also witnessed circumstances where neurodiverse individuals challenged the status quo and forced a team to step outside of their ‘group think’ culture, prompting them as a team to explore alternative theories to a problem.”

De Leeuw has one individual that also sticks in her memory. “One example I know personally is an individual who is the head of the Red Team at one of Europe’s largest telecoms operators,” she explains.

“That individual is one of the most successful and high-achieving people in the hands-on cybersecurity industry, someone who has helped thwart major cybersecurity attacks on communications infrastructure, kept data flowing and commerce operating in the face of global-scale attacks – all while being diagnosed with a significant neurodiverse condition.”

Spain adds: “Organizations with a diverse and stronger workforce have a competitive edge that clients are increasingly looking for.”

Attracting More Neurodiverse Candidates into the Industry

A number of organizations in both the UK and US have created programs or initiatives specifically to attract and support neurodiverse candidates in the workplace. Microsoft launched an autism hiring program in 2015, joining up with specialist firms who help with training and support for those on the spectrum.

It focused on changing the interview process to make it more of an ‘academy’ – allowing candidates to showcase their skills in a different way. Others followed suit, including SAP and HP, sharing insight and knowledge along the way.

Proctor and Gamble have created a work experience program to generate opportunities for autistic people without traditional education backgrounds, while EY are also pushing for recruitment of autistic analysts. 

The public sector has played its part too. The UK government set up the DCMS Cyber Skills Immediate Impact Fund in 2018, with the aim of quickly increasing the diversity and numbers of those working in the cybersecurity sector.

The department said it was part of the government’s overall National Cyber Security Strategy, which hopes to develop a sustainable supply of home-grown cybersecurity talent in the UK. The fund has given money to a number of neurodiverse schemes to get them off the ground.

Spain’s organization is involved in running events such as the Cyber Security Challenge, where neurodiverse individuals, parents, educators, third sector, government and industry all come together to learn more, and he has seen that the talent is out there.

The sharing of good practice, whether in the private or public sector, plays a key part in encouraging more programs.

However, for Pinkard, not enough is being done to attract neurodiverse people into the industry. “It was one of the drivers for the WEDS team, as we all believe that a truly diverse working environment helps to create the greater whole,” she says.

“The best people working in cybersecurity are not always those predisposed to excel in conventional learning.”

What More Can Be Done?

Pinkard believes the first step is making sure the issue is noticed. “Talking about the type of diversity we need to continue to pursue, highlighting gaps in current hiring practices and helping to share tips and language on how to engage with all types of people are just a handful of the ways to help,” she says.

De Leeuw thinks education is also key – but not in the traditional sense. “Normally, employers would ask for high-level qualifications, like a PhD or a higher degree,” she says. “However, the best people working in cybersecurity are not always those predisposed to excel in conventional learning.”

She points out that the cybersecurity industry in the Netherlands has changed to reflect that, focusing less on generalist qualifications and more on practical application. This includes hackathons and cybersecurity challenges, and de Leeuw feels moving more towards this recruitment tactic could help diversify the industry.

“Many participants in these events with neurodiverse conditions go on to secure cybersecurity roles,” says de Leeuw. “This is as a result of showing what they can do in practical, familiar surroundings rather than being graded using fixed assessments.”

“Ultimately, we should stop focusing on traditional formal education alone like degrees and doctorates as the only measure
of capability.

“Practical demonstration of skills with tailored qualifications and certifications all play a role and all offer those with neurodiverse conditions alternative ways into the industry that can be more tuned to their specific needs and conditions.”

Along with these practical steps for recruitment and training, the industry must look further down the line too.

Spain argues: “The effectiveness of many excellent local and regional initiatives is limited by the lack of a joined up ecosystem. Training neurodiverse cyber-staff is fantastic, but if there are no organizations ready to employ them, the impact is diluted.

“We must coordinate activity to build that ecosystem to provide opportunity, not cliff edges.”

Also, as with any element of the industry, it is a matter of culture too. “Most importantly, we need to do more to be inclusive,” says de Leeuw. “We should be actively encouraging and inviting those with neurodiverse conditions to apply for a role, in the same way that we have made progress to improve workplace inclusivity for other groups within society such as those with physical disabilities. Inclusivity has to start at the very beginning of the employment process.”

Pinkard concludes that neurodiverse candidates “bring fresh perspective, with an ability to see cybersecurity challenges from new and unique viewpoints.”

Why would an industry – especially one with a skills shortage – want to miss out on that?

What’s Hot on Infosecurity Magazine?