The cyber security industry has long been affected by a significant shortage of skills. But from SMEs to Fortune 500 giants, and everything in between, a growing number of organisations across the world are trying to solve this problem by encouraging neurodivergent people to take up cyber security careers.
Neurodivergent – a term many now prefer over the previously used neurodiverse – essentially describes people whose brains are wired differently to neurotypical people. Someone diagnosed with a condition such as autism, attention deficit hyperactivity disorder (ADHD), dyspraxia or dyslexia falls into this category.
While neurodivergent individuals often struggle with skills that come naturally to most people, they may be gifted in other areas. For example, many autistic people are great at thinking logically and dedicating their attention to a specific area. Meanwhile, those with ADHD might have a creative flair and possess the ability to hyper-focus on the subject at hand.
These unique skills make neurodivergent people perfect for roles in the cyber security industry, according to Auticon lead job coach Russell Botting. “Many organisations report a huge skills shortage, especially in STEM [science, technology, engineering and maths] roles,” he says. “Such roles are often well-suited to neurodivergent talent who see the world in a different way and often possess cognitive strengths such as pattern recognition, sustained attention and concise communication skills.”
Getting neurodivergent candidates into the cyber workforce
Auticon, which solely employs autistic adults as technology consultants, helped KPMG DevSecOps engineer James Brashko pursue a career in the cyber security industry.
“I got into cyber security when I started working for Auticon, a consultancy that hires autistic IT consultants,” he tells Computer Weekly. “In the first six months of working for them, I was ‘on the bench’, during which time I worked towards lots of different certifications, including one in cyber security risk, which led to Auticon putting me forward for my current role.”
To help James settle into his new career and ensure those around him understood his needs, Auticon conducted an internal autism training session at KPMG. “I have been working on my placement for just over two years now, and they’re pretty good at supporting me. For instance, I am not great at talking to people and the team has been able to help with mediating with other people for me, or dealing with any issues around bureaucracy,” he says.
James explains that his working environment at KPMG is flexible but has structured components like regular standup meetings. “The team has helped to make it clear what is expected of me in these situations, such as the type of information to provide, level of detail to go into, etc,” he says.
“Auticon also provides me with a job coach who I meet with regularly to check in on how things are going and deal with any issues that might crop up, though they rarely do.”
He admits that, as someone with autism, job interviews can be challenging. But the fact that his current job didn’t require an interview was helpful. James explains that he was already employed by Auticon, which took him on based on a series of assessments to identify his capabilities, followed by a period of getting to know him so they could put him forward for a job he would be suited to.
If James were to one day apply for a job that required an interview, he says he would benefit from simple things, such as being told the questions in advance, but he might still have trouble recalling his prep when under pressure in an interview situation.
Being neurodivergent is rewarding
Nicola Whiting, who is also on the autistic spectrum, has built a successful career in the cyber security industry over the years and is currently co-owner of security software specialist Titania.
“As an autistic, I find it really rewarding that I can deep dive into areas I’m passionate about. Following ‘special interests’ can so often be seen in a negative light, but in cyber those skills are often celebrated and sought after,” she tells Computer Weekly. “I also love bringing my experience from other industries to come up with new ideas and ways of looking at things. It’s a benefit that I love using when contributing to cyber strategy.”
“As an autistic, I find it really rewarding that I can deep dive into areas I’m passionate about. Following ‘special interests’ can so often be seen in a negative light, but in cyber those skills are often celebrated and sought after” Nicola Whiting, Titania
Unfortunately, like many other female technology professionals, Nicola has experienced challenges such as a lack of support and imposter syndrome. “There’s lots of evidence that women face more questioning on decisions than their male peers, which tends to breed self-doubt and imposter syndrome,” she says. “In response, we often overcompensate on preparation, which can lead to higher levels of burn-out – it’s a very negative cycle.”
Her view is that organisations must increase awareness of unconscious bias and take steps to tackle it. Firms can also support neurodivergent people by integrating “inclusion by design” into their policies and practices. “Everyone needs different things to thrive – some folks need things verbally, some in written format, some people love noise and interaction, others need quiet to focus,” she says.
“When it comes to people – one size does not fit all. Treating people as individuals who have a deep drive to be successful and giving them the tools to thrive and achieve that success is essential to high-performing teams. It all starts with open, trusted conversations.”
Breaking into the industry
Alex Sobil, a cyber security engineering and operations analyst at Dell Technologies, got a break in the industry after attending a Dell-run neurodiversity hiring event. He loves his current job.
“I thoroughly enjoy working in cyber security, motivated most by the ability to protect people. Through my role in identity and access management [IAM], I get to be a big part of each employee’s journey, ensuring everyone has access to everything they need and preventing unauthorised access. Essentially, I work on proactive security rather than reactive – I’m making sure there isn’t a problem, and I like that,” he says.
“Even though I’m at the early stages of my career, it has been wonderful so far. For example, having been selected through the Dell Technologies Neurodiversity Hiring Program, I am entitled to a career coach. We meet weekly to help me navigate the working world and understand the bits I might find more challenging. This has been invaluable as I start my career in cyber security and learn the best ways of working for myself and others.”
Having a manager who sets clear, transparent expectations and tasks has been invaluable for Alex as a neurodivergent cyber security professional. But, as was also mentioned by James, he says the interview process was his biggest struggle.
“I often have difficulty expressing my thoughts quickly and clearly, which makes the traditional interview process challenging. If businesses want to create a more diverse workforce, thinking outside the box for hiring processes is a good first step,” he says.
“For instance, the interview process for the Dell Neurodiversity Hiring Program [designed in partnership with Neurodiversity in the Workplace] took place over two weeks. It allowed us to showcase how we approached and solved problems, both individually and working as part of a team.”
Organisational culture is paramount
A supportive and diverse organisational culture is paramount for neurodivergent people to survive, thrive and succeed in cyber security roles, according to Canal and River Trust IT security manager Richard Cornell, who has autism and dyslexia. “The attitude of the senior staff towards inclusive language and actions and the extent to which they promote people on merit, hard work and reliability are key,” he says.
“For all employees to be the best they can be, they need an atmosphere that promotes equality of opportunity and has zero tolerance for inappropriate and biased behaviour. Having a fun-loving, light-hearted, jokey office where banter is encouraged can be great for some but hell on Earth for others. Some workplaces need to have a good look at themselves and the messages they put out if they want to attract and retain talent in all its forms.”
“Diversity and inclusion isn’t about having KPIs that show the workforce is representative, it’s about having a normal way of working that naturally includes everyone and makes the best use of the talents available” Richard Cornell, Canal and River Trust
Implementing hybrid working policies is one way to support neurodivergent employees, says Richard. This gives them the opportunity to work from home if they’re experiencing a mentally challenging day and to go into the office when they feel up to it.
“Where I work, we have just started up a series of inclusion circles where like-minded people can discuss the issues they are facing and share hints and tips in a safe space,” he says. “I have started a neurodiversity inclusion circle, which has proved a real eye-opener in terms of common issues for people with a diverse range of differences and the degree to which people suffer in silence or just leave and try to get a more suitable position elsewhere.
“This has helped shine a light on some attitudes and behaviours that can then be tackled in terms of organisation-wide culture. It also helps people who have felt a little alone in their divergent world. Diversity and inclusion [D&I] isn’t about having KPIs [key performance indicators] that show the workforce is representative, it’s about having a normal way of working that naturally includes everyone and makes the best use of the talents available.”
Oliver Betts-Richards, who is autistic and works as an apprentice cyber security analyst at the University of Derby, believes organisations hiring neurodivergent cyber security talent should practice what they preach. “Organisations, in my experience, can do a lot more to create inclusive workplaces. But if that work doesn’t involve intentionality to create an inclusive workplace, then it’s only likely to involve token gestures with soulless marketing campaigns and hashtags,” he says.
“Senior leaders should be saying they want their organisations to be inclusive for everybody to thrive and be successful. Senior leaders should be working to understand the neurodiverse experience and actively engage with the neurodiverse community to understand how they can make that experience better.”
Oliver also wants to see the industry reframe the stereotype that neurodivergent people are perfectly suited to STEM careers because they love computing. “Not only is it demonstrably untrue that any specialism or endeavour in the technology space is only about computing – there’s also the arguably more important people and processes – but there’s also the harmful and dehumanising subtext that neurodiverse people can be easily left alone in their cubicles because it’s their natural habitat,” says Oliver.
The cyber security industry presents great opportunities for neurodivergent people and recruiting them is also a great way for organisations to close internal cyber security skills gaps. But it’s clear that business and cyber security leaders need to do more to support current and prospective neurodivergent employees, whether it’s eradicating offensive stereotypes or tweaking recruitment processes.
