As nation-state activity, organised cybercrime, and cybercrime-as-a-service offerings combine with the increasing political and economic influence of data, to mean that the likelihood of a cyberattack hitting a business is greater than ever before. While this is happening, the staffing necessary to fight the ever-increasing cyber-threats are harder to come by than ever: As of November 2019, the skills gap between required staff and open security positions topped 4 million.
More concerning still is that the places people access diligent and qualified security staff are not capable of adequately dealing with the problem. Universities and schools have a role to play but are unable to make up the kind of numbers necessary to adequately provide the protection we need to defend our enterprises. However, many people believe there’s significant untapped potential for hiring right in front of our eyes: the security community needs to embrace neurodiversity.
The case for a diversity of perspectives in security has already been shown to be successful in other forms. The growth of STEM programs, University degrees focusing on cybersecurity and other initiatives such as the all-women’s coding bootcamp Hackbright have all been hugely successful impactful: To extend this industry initiative to the neurodiverse community strikes me as a natural next step. Neurodiversity refers to a diverse range of characteristics, spanning from Autistic Spectrum Disorder (ASD) to ADHD. Broadly speaking, those who exhibit neurodiverse characteristics have different cognitive methods of processing information. According to ACAS, a UK public body set up to improve working life, one in seven people in work in the UK would be considered neurodiverse. Despite this, many neurodiverse people struggle to find and retain meaningful employment: The National Autistic Society suggests only 16 per cent of adults with an ASD diagnosis are in full time employment. This compares with 47 per cent of disabled people and 80 per cent of non-disabled people. This may be due to perceived stereotypes surrounding neurodiverse people.
This is a wrong which the security industry could be uniquely placed to make right. Taking the specific example of Autism, some of the associated traits with the developmental disorder are the very traits that could make for a diligent and effective security professional. The National Autistic Society list the following as common associated traits:
Repetitive behaviour and routines:
A lot of ASD people will take pleasure and reassurance in following a set structure for their day. The world through their lens can often seem somewhat unpredictable, so an ability to follow rules is an important way to retain control for those with ASD. This lends itself naturally to a role such as computer sciences, where noticing unusual or anomalous activity – in other words, activity which does not conform to the rules – is of the utmost importance.
Highly focused interests
People along the ASD spectrum are likely to have interests which develop incredibly strongly from a young age, and often remain for life. These interests can range to anything from animals to trains or computers, encompassing the whole spectrum of human curiosity. Therefore, if these interests cross over with computers – and the protection of computers from threats, specifically – ASD people are likely to develop into extraordinarily dedicated employees, who go the extra mile for their organisation’s security needs.
It has even been claimed that the link between autistic people and computers goes further than the professional relationship, passion or interest which other security professionals might have. In a 2019 guest blog post for AT&T, malware researcher Kim Crawley suggested some autistic people’s very ability to communicate is founded in technology such as mobile phones and computers: “Computers facilitate social media, online chat, and email, so you can socialise with other people without their physical presence and without possibly misinterpreted body language. Some autistics, especially those with high support needs, are nonverbal or selectively mute. Many autistic children and adults with high support needs or intellectual disabilities are assumed to lack the ability to communicate with language until they’re given PCs, phones, or Augmentative and Alternative Communication (AAC) devices.”
Beyond the benefits that are evident in the traits associated with ASD, it is also important to make a case for diversity for diversity’s sake. In the modern enterprise, it is almost universally accepted that other manifestations of diversity (Race and religion, gender identity and sexual orientation) are represented in order to provide a variety of perspectives, ultimately enriching the capabilities teams can tap into. Similar individuals share the same blind spots; it needs someone who sees and understands the world differently – due to personal experiences, identity or neurodiversity – to spot what others can’t.
The cultural and societal understanding of traits associated with ASD have been highly misleading. The 1989 film Rain Main for example helped the general public to equate the mathematical skills of some ASD people with all ASD people, which is patently not the case. If a more diverse range of people who hold ASD traits were more widely represented in the workplace, it stands to reason that such stereotypes would not hold so much sway over understanding of the condition, and the benefits it could provide to an enterprise. Furthermore, in the same way a company would provide appropriate resources in order to make these individuals feel comfortable (gendered or non-gendered bathrooms, prayer rooms, recognition of religious holidays) should an employer engage with the neurodiverse community in the same way, they should attempt to provide the relevant resources to make their working lives as pleasant as possible. According to the National Autistic Society, this may include access to sensory rooms, or quiet spaces to relax and unwind.
This is the kind of employment initiative which, provided the companies approach it with an open mind, has no downside: filling much needed security positions with capable members of staff, who may struggle to find work in other areas of the economy. Should security organisations choose to embrace the neurodiverse community, the benefits for both should be clear. As well as an ability to fill the ever-burgeoning skills gap, it can also help people who have always been told that their neurodiversity was a hindrance to begin to view it as a strength.
Corin Imai, senior security advisor, DomainTools