Neurodiversity has an important role to play for IT security, with neurodivergent (ND) people providing a broader range of perspectives and skill sets that can be used to identify and mitigate security threats.
Neurodiverse individuals often think outside the box and can see things from different angles, which can be invaluable in spotting potential security vulnerabilities or malicious activity.
However, there is more that needs to be done not only in reaching out to neurodiverse IT security professionals, but also within company culture to ensure a productive, inclusive work environment is being created.
Stitch Wilson, product manager at Coalfire, says a good way to understand this for autistic people is that they have a “different operating system” than allistic (non-autistic people) do.
“If one is Linux and the other is Windows, we each cater to specific needs, and the pathways to accomplishing specific tasks are different, but one OS isn’t better suited to all tasks than the other,” Wilson explains. “We’re just differently capable.”
Wilson says the ways in which ND people solve problems, unique to their needs and perspectives, offer usefully distinct operating methods that can be more effective and efficient than the (typically) linear stack analysis (based on predetermined understanding) methods that predominant neurotypes employ in problem solving.
“As an autistic person, because my world isn’t prefiltered in the same way as an allistic person’s, I’m more adept at seeing patterns and — from their perspective — cognitively non-linear vectors than my allistic colleagues,” Wilson says. “This gives me a clearer picture of the ways in which, for example, a bad actor could formulate an attack on an organization through social manipulation combined with software vulnerability detection and hacking.”
That unique perception comes with unique data, as well as differences in perceiving the same data others can access.
Reaching Out to Neurodiverse Talent
“There are not enough skilled people in this field, but neurodivergent individuals bring an essential skillset to cybersecurity — hyper focus on analyzing data and identifying trends,” explains Rex Johnson, executive director of cybersecurity at CAI. “Not everyone has this ability, or at least do it well, except for neurodiverse talent.”
To reach out to neurodiverse professionals, Johnson says organizations must look beyond traditional recruiting methods. “Depending on the need, consider a team of neurodivergent individuals who work under a supervisor who understands how to manage this dynamic and be the liaison to other management teams,” he advises.
They can look for organizations that implement an end-to-end neurodiversity employment program that not only bring the right neurodivergent teammate in the door, but also work with the employer to create workplace accommodations that increase retention, morale, and productivity.
“Not everyone is the same. People are inspired and motivated by many different visions and missions,” Johnson adds. “The culture must allow for this type of diversity. But the fabric of company culture can also improve if we intentionally weave neurodiversity into the employment model.”
He says it starts with getting neurodiverse talent in the door and letting the rest happen organically. “As long as business objectives are met or even exceeded, both employer and employee benefit.”
Crafting Clear, Concise Job Posts
Darryl MacLeod, vCISO at LARES Consulting, an information security consulting firm, pointed out neurodiversity can help to improve innovation and creativity in the field of cybersecurity, as well as provide a greater range of skill sets to draw upon.
He explains that IT security leaders can reach out to neurodiverse talent by partnering with organizations that specialize in supporting neurodiverse individuals, such as the Autism Society.
“IT security leaders can also create an inclusive and supportive environment that values the unique perspectives and skillsets that neurodiverse individuals bring to the table,” he says.
To help aid outreach to neurodiverse candidates, IT security leaders should craft job postings that are clear and concise and avoid using jargon or technical language that might be confusing for neurodiverse individuals.
From Wilson’s perspective, companies tend to use buzz words that are cryptic and unnecessarily abstract, noting neurodivergent, and specifically autistic people, better understand direct communication and usually communicate directly by default.
“If you want people to be able to evaluate if they want to do the kind of work that you’re hiring for, be explicit in describing that work and expectations of it, so that the person can make an informed decision and ask structured questions to explore the opportunity,” Wilson says.
MacLeod says organizations should also structure the interview process in a way that is welcoming and accommodating to neurodiverse candidates, such as allowing for alternate formats (e.g., written instead of oral) or extra time to process questions.
Wilson notes it’s also important to offer interview options that don’t require eye contact. “Many autistic people find direct eye contact or visual focus on themselves to be incredibly intimate and violating,” Wilson says. “It’s one of the hardest parts of meeting new people or the expectations of an interviewer.”
Wilson adds companies could miss out on hiring someone who’s a great fit for the problems they want to solve because they looked down the entire time and that was interpreted, inaccurately to intent, as disrespectful.
Ensuring an Accommodating Work Environment
MacLeod says companies should ensure the workplace is inclusive and accommodating to neurodiverse individuals, providing adequate support and resources, and fostering an environment of understanding and respect. He adds it is important to be aware of the unique challenges that neurodiverse individuals may face in the workplace and to provide accommodations as needed.
“As awareness of the importance of neurodiversity increases, more and more organizations are beginning to recognize the value that neurodiverse individuals can bring to the field,” he says. “Additionally, new initiatives and programs are being developed to support neurodiverse individuals in pursuing careers in cybersecurity.”
Wilson says a good place to begin is by (re)framing understanding around inclusivity, diversity, and disability.
“Societies and systems often create avoidable disabilities, obstacles which can be removed by changes in perception, expectations, and systems, to be designed for all of us,” Wilson says. “There is nothing wrong with being neurodiverse from one another. We all have something to offer and should be aligned to what we do best without judgement about the rest.”
Wilson adds changes that support ND people often improve the lives of everyone else. “For example, clear communication, expectations, and unambiguous direction make it easier for every employee to understand what they should be doing and how to achieve desired outcomes.”
The Future of Cybersecurity is Neurodiverse
MacLeod says with continued support and investment, neurodiversity would become an increasingly integral part of the cybersecurity landscape. “New initiatives and programs are being developed to support neurodiverse individuals in pursuing careers in cybersecurity,” he adds.
Johnson says he has seen a number of neurodivergent individuals in cybersecurity throughout his career, and those who have been the most successful are the ones who have had the appropriate support structure.
“I have also seen average team members turn into rock stars once they were put into a different and more accommodating environment,” he says. “The difference is the support they receive. Employers are understanding this and realizing the benefits of neurodiversity. It’s only a matter of time until all organizations employ the incredible talents of neurodivergence.”
Wilson says they would like to see companies spend more time investigating how individuals best operate prior to setting performance or other expectations and align salary and metrics on specific achievements to the individual.
“If you pull a fish out of water then judge performance based on its ability to climb a tree, it will fail,” Wilson says. “Go to the water, understand how the fish operates, and set performance expectations on tasks they can do well.”