SoS Musings #32 - Neurodiversity in Cybersecurity

According to recent studies, embracing neurodiversity could serve as an advantage to the cybersecurity field and help fill the cybersecurity workforce gap. Neurodiversity is the concept that differences in neurological functions are natural variations in the human genome that should be just as respected as any other type of human difference, such as race, age, gender, religious beliefs, and more. The term "neurodiversity" covers conditions including autistic spectrum disorders, ADHD, dyslexia, OCD, Tourette's syndrome, and other conditions within the neuro-diverse spectra. While education systems have increased their efforts to support neurodiversity, most organizations still do not seek such diversity because of the perception that neurodiverse candidates have very limited skills. Studies have shown that people with conditions such as autism possess skills and abilities that could significantly benefit companies, especially those within the cybersecurity field. The Centers for Disease Control and Prevention (CDC) estimates that 1 in 59 children in the US has autism, with the incidence being 1 in 42 among boys and 1 in 189 among girls. According to the CDC, more than 70 million people worldwide are living with autism, with over 3.5 million Americans on the autism spectrum. An estimate suggests that 80% of adults with autism are underemployed or unemployed worldwide. A survey conducted by the Center for Strategic and International Studies (CSIS) revealed that more than 80% of employers are facing a shortage of skilled cybersecurity professionals. The Center for Cyber Safety and Education also reported an expected 20% increase in unfilled cybersecurity jobs from 1.5 million in 2015 to 1.8 million by 2022. Given that security professionals are well aware of the shortage of cybersecurity skills and the impact that this shortage can have on their organizations, it could be beneficial to recognize the talent possessed by this group of individuals.
Cybersecurity is a discipline that requires focus, logic, problem-solving, the will to learn, and pattern detection, making many people with autism and other conditions on the neurodiversity spectra suitable for positions in this field. Companies might explore how they could tailor their approaches to recruiting, selecting, and retaining these types of candidates.

At an event organized to discuss neurodiversity and the occupation of cybersecurity jobs by neurodiverse people, a neurodiversity consultant spoke about the many benefits of considering an autistic candidate for a role in cybersecurity. She highlighted the traits they possess, such as their investigative nature, inquisitiveness, dedication, logical ways of thinking, systematic approaches to operations, and intense interest in their role and the subjects associated with the role. She also listed potential roles that are well suited for autistic candidates, which include penetration testers and SOC (Security Operations Center) analysts. Other traits that make those on the autism spectrum suitable for jobs in cybersecurity include high levels of curiosity and willingness to solve problems. Autistic people are often found to have hyperlexia, which refers to a deep level of interest in letters and numbers, and extraordinary reading comprehension, which could facilitate shifts between English and programming languages. The ability to think based on patterns allows one to easily detect syntax errors in source code, such as a missing semicolon or an extra bracket, increasing the effectiveness, security, and safety of programs used in cybersecurity operations. Another trait commonly associated with autism, photographic memory, eases one's visualization of network architecture and the security flaws that could be present in the architecture. Rhett Greenhagen, Casey Hurt, and Dr. Stacy Thayer gave a presentation at Black Hat USA 2018 in which they discussed how people with autism could enhance the cybersecurity workforce, presenting the results of a survey to which 290 computer security professionals diagnosed with autism responded. The survey highlighted the ability of those on the autism spectrum to quickly filter out the noise that masks attacks as well as to detect the concealed signals and indicators of attacks.
Organizations seeking to hire more cybersecurity professionals should not overlook the unique talents of those with autism but instead increase their efforts to utilize these talents and alter their workplace culture and recruitment for those on the spectrum.

In order for companies to tap into neurodiverse talent, HR processes should be scaled to consider behaviors and abilities that may not fit the standard neurotypical profile as the criteria commonly used in recruitment often rule out neurodiverse people. Traditional practices in recruiting, hiring, and development need to be altered accordingly as they often depend on candidates that are proficient at social interactions, reading body language, and picking up social cues. An article published by the Harvard Business Review pointed out two factors that often cause organizations to miss out on neurodiverse talent: interviewing, and complete conformity to standardized methods. Interviews present a major obstacle for autistic people in that they often lack good eye contact, are more susceptible to going off on a conversational tangent, and can be overly expressive about their weaknesses due to confidence problems stemming from past interviews, thus causing such individuals to score lower in interviews than less-talented neurotypical prospects. Therefore, companies should consider alternative methods of preparing autism spectrum candidates, such as implementing month-long workshops and mentorships. Microsoft's Autism Hiring Program was established in 2015 with the goal of hiring autistic people for full-time jobs. The program concentrates on job assistance and training for people on the spectrum. The interview process implemented by the program is also unique in that it is more of a workshop in which potential hires can demonstrate their skills instead of just talking about them. Although the program emphasizes the demonstration of skills, candidates are still given the opportunity to practice doing presentations and one-on-one talking. Another problem typically experienced in large companies is associated with the reluctance to deviate from standardized approaches. 
Companies are encouraged to change managers' focus from enforcing compliance through the use of established practices to adjusting work environments based on individuals' needs. Although these accommodations do not require much expense, they do require managers to alter work settings to fit individuals. Companies must look into programs and other initiatives geared explicitly toward helping companies implement changes to support neurodiverse candidates and employees.

There needs to be an increase in collaborative and exploratory efforts in support of increasing neurodiversity in the cybersecurity field. A pilot program, called Neurodiversity in Cybersecurity, was one of three grand prize winners of the Government Effectiveness Advanced Research (GEAR) Center challenge, supporting the recruitment of neurodiverse adults for cybersecurity jobs in the federal government. The program, created through the partnership of George Mason University, Mercyhurst University, Rochester Institute of Technology, Drexel University, SAP, Specialisterne, the DXC Dandelion Program, and the MITRE Corporation, supports management and co-worker training in addition to career and social development programs for neurodiverse candidates. Those involved in this effort emphasized the importance of embracing this specific part of the population when seeking to fill positions in cybersecurity, pointing out that talent attraction and retainment remains a significant challenge for the US government, states, and organizations within the private sector. The Neurodiversity in Cybersecurity project aims to tap into the talent pool of neurodiverse individuals, using an approach that involves key practices and tools adopted by the private sector and non-governmental organizations. The Frist Center for Autism and Innovation at the Vanderbilt University School of Engineering gathers experts in neuroscience and education, in addition to engineers, business scholars, and disability researchers to improve and increase the recruitment of neurodiverse talent. The Center underlines the exploration of autism and neurodiversity to develop and commercialize new technologies inspired by neurodiverse abilities, which in turn provides support to neurodiverse people in the pursuit and fulfillment of roles in careers, including those in the cybersecurity field. 
Additionally, the Center focuses on the development of tools and training programs and the establishment of policies and workplace practices that support neurodiverse people in the workforce. Other efforts to increase hiring of neurodiverse talent include those of Specialisterne, a Danish consulting organization with locations in the USA, Canada, Australia, Spain, Singapore, and more, with a specific focus on filling technology roles with autistic people and other neurodiverse individuals. Specialisterne examines recruitment, training, and retainment processes and cultures in corporations, universities, high schools, and community agencies to help them create environments in which neurodiverse people can thrive. The organization also uses its resources to help neurodiverse candidates prepare to take on roles in cybersecurity and other technology fields. Organizations should find inspiration in Microsoft, Hewlett Packard Enterprise (HPE), Ford, SAP, Willis Towers Watson, and other companies that have tailored their human resource (HR) processes for neurodiverse people. Efforts to increase neurodiversity in the cybersecurity field should continue to flourish.