Neurodiversity & Cybersecurity Careers: Recruiting & Retaining Autistic Cybersecurity Professionals

At the Defence Academy of the United Kingdom on March 2 2017, many relevant parties gathered to discuss neurodiversity and careers in cybersecurity.

The event was organized by IAAC and Cyber Security Challenge UK, sponsored by NCC Group and Northrop Grumman and supported by National Cyber Security Centre, the National Autistic Society and other industry and government bodies.

With the current cybersecurity skills gap, industry is recognizing that people on the autism spectrum can provide invaluable skills to the sector and are often the best performers in technical roles. GCHQ, for example, is one of the biggest employers of autistic people in the country.

At the neurodiversity event, multiple presentations and discussions offered advice to businesses on how to make their workplaces more suitable for autistic candidates and how to attract and hire people on the spectrum. 

Despite the fact that only 16% of adults diagnosed with autism are in full-time work, most of the speakers acknowledged that there is a great number of diagnosed and undiagnosed autistic people already working in the cybersecurity industry. Experts said that “diagnosis is unlikely” in those aged over 30. The event sought to offer advice and share best practice for employers on how to support autistic people working in the industry.

One speaker (who cannot be named because the event was held under Chatham House Rules) said “we often look at autism and think about the problems and barriers to overcome,” adding, “but actually, we need to see the potential and not exclude. We want to shape our workforce in a way that makes it easier for autistic people to be in the cybersecurity workforce.” Recent research by the National Autistic Society, however, shows that 34% of employers think that an autistic person would be unlikely to fit into their team.

The National Autistic Society declared it is trying to change government policy around employment and improve workplace understanding of autism by influencing employers’ practice.

Why Autistic People Make Great Cybersecurity Professionals

The National Autistic Society noted that people on the autistic spectrum are often methodical and detail-orientated, skills that are ideal for business and, in particular, cybersecurity. “The UK has a shortage of digital skills so there is a business case for addressing neurodiversity.”

Holly Foxcroft is a neurodiversity consultant, and a guest speaker at the event. She listed the many benefits of employing an autistic candidate in cybersecurity:

  • Investigative nature
  • Inquisitive mindset
  • Logical
  • Will always maintain a deep level of interest in their role and thus stay on top of the threat landscape
  • Methodical
  • Dedicated to their subject matter

“It’s a complete myth that autistic people can’t communicate well,” said Foxcroft. “They can communicate really well about what they’re passionate about.” Another myth, she said, is that autism is mainly prevalent in males. “We believe there are just as many females with the condition,” Foxcroft continued, “there is already an under-representation of women in STEM anyway, so to be an autistic woman is just another barrier.”

Foxcroft highlighted pen testers and SOC analysts as particularly well suited roles for autistic candidates. “Often the desire to reach a senior management level [that includes the management of people] is lessened in autistic people,” she argued, “so they are able to focus more on technical capacity.” 

According to Tom Coyle, CEO of Auticon, autistic people have so much to offer the cybersecurity industry that his company only employs those on the autism spectrum. “We have built a successful business on only seeking out the talents in the autistic industry”, he told the audience.

Auticon is an IT and compliance consulting business. “We pride ourselves on creating autism-friendly work environments as well as delivering outstanding quality to our clients,” said Coyle.

“We seek only autistic people because the skills we’re looking for are more prevalent in the autistic community.”

Auticon uses recruitment methods specifically tailored for autism. “We interview absolutely everyone that applies. We don’t judge CVs, work experience, education or interview performance. Instead, we use skills assessments to find out what candidates are really good at and then match up clients with consultants, identifying the projects we know our consultants can really deliver.”

Coyle dispels the myth that autistic people can’t be client facing. “We send them out to client sites, they interact, communicate and present; they do everything anyone else would.”

Auticon offers its consultants in-house job coaches, who ensure that the consultants’ work environments allow them to live up to their full professional potential. “A lot of barriers to autism in the workplace are just little things. Give them the confidence to use terminology, provide support and never use contradictory instructions.”

Many organizations have recently created programs or initiatives for supporting autism in the workplace. Procter and Gamble has created a work experience program to create opportunities for autistic people without traditional education backgrounds. EY is also providing support to recruit autistic analysts and Microsoft has developed an autistic apprenticeship program.


How to Recruit Neurodiverse Candidates   

Many of the speakers voiced a need to address the language used when engaging cybersecurity talent, so that the process reaches its full potential in attracting neurodiverse candidates. Event attendees agreed that the language used should be carefully selected with autism in mind.

It was suggested that autistic people may only apply for a role if they meet every single requirement listed in the job advert, indicative of the very literal understanding common with the condition. It was therefore suggested that organizations advertise a role with a ‘must have’ skills list and a ‘nice to have’ skills list to encourage more neurodiverse candidates to apply.

Increasing awareness of opportunities and presenting the industry as desirable to autistic people is also important. According to Foxcroft, “flexibility and work environments” are an important factor in desirability.

CREST recently published a report on Autism and the Technical Security Industry. The report recommends the creation of specific films related to autism and ‘day in the life of’ interviews featuring autistic cybersecurity professionals, with the objective of encouraging more applicants that are autistic.

The report also recommends that support and reasonable adjustments to the interview process are made for autistic candidates. “Some autistic people experience difficulties in a one to one situation where there is a requirement to be communicative. What we need to do is educate the employer to be more sympathetic to the needs of autistic people, supporting applicants and ensuring they are less stressed and are more comfortable in the interview process.”


Supporting Autistic People in the Cybersecurity Workforce

Retaining autistic people in the workforce was also a key area of consideration, given that there is a fairly high level of turnover of autistic employees. Foxcroft explained that contract employment can be “isolating for autistic people”, and that permanent employment comes with “office politics and unwritten rules” which can be problematic. The flip side to permanent employment, said Foxcroft, is routine. “The emotional relationships that are built in full-time employment can be both a pro and a con. It also means more chance to disclose [their condition] to colleagues – which could be seen as either a positive or negative.”

Nicola Whiting, COO at Titania, argued that neurodiverse and neurotypical employees alike come with challenges. “The policies and procedures put into place for the neurodiverse will also benefit everyone else,” she said. “The guidance we give employers on how to treat autism should be considered best practice generally.”

“It’s all about the office environment, tolerance and understanding each other”, she continued, adding that, in her experience, mindfulness sessions have really benefited autistic employees. “It’s important to understand that when you speak to neurodiverse colleagues they can take you very literally. It’s like sending an email – they can’t detect sarcasm, humor or exaggeration.”

The Defence Academy of the United Kingdom is opening the doors of its Defence Cyber School in June. It will provide a center of excellence for cyber-training to meet the needs of the country’s defense, addressing all aspects of cyber-training, education and exercising of responsibility. At first the Academy will only be open to Defence Academy students, but it will later incorporate all Government Departments.
