Neurodiversity has become a serious topic in cybersecurity over the last four years. The perceived skills shortage has opened the door for those who are neurodiverse. It includes people with Autism, Attention Deficit Hyperactivity Disorder (ADHD), Dyslexia and Dyspraxia.
According to a recent announcement from Crest: “GCHQ is one of the biggest employers of Autistic people in the UK, while the National Crime Agency (NCA) has revealed that some teenage hackers have been found to be on the Autistic spectrum and are being targeted for recruitment by criminals.”
Crest has also published the latest in a series of papers looking at diversity across the security industry. Titled: “Neurodiversity in the technical security workplace,” it draws on workshops that Crest has held. Importantly, it also provides a set of follow-up actions that organisations can implement to create a neurodiverse strategy.
Ian Glover, President of CREST, said: “As a society, we’ve put great emphasis on literacy, numeracy, concentration and social interaction in terms of fundamental skills for the workplace, but the tide is turning as employers recognise they cannot afford to ignore large and previously untapped reservoirs of talent.
“Embracing a workplace that offers different thinking styles and approaches to problem solving, and innovation can thrive simply makes good business sense.”
Understanding the different types of neurodiversity
The report starts with a good introduction to what neurodiversity means. It states: “Often, the issue is that managers and HR teams are subconsciously optimising for neurotypical people. However, starting with the understanding that each individual thinks differently and has their own preferences creates a platform for more effective recruitment processes, management and customer interactions.”
It then moves on to look at the four main areas of neurodiversity mentioned above. For each of these, it looks at:
- What is it?
- The percentage of the population affected ADHD (4%), Autism (1-2%), Dyslexia (10%) and Dyspraxia (5%)
- The current employment situation for those with a specific disorder – ADHD (30% chronic unemployed), Autism (16% in full-time work), Dyslexia (<50%) and Dyspraxia (66%)
- The business case for employing neurodiverse people in cybersecurity
Some of the numbers given are surprising. The rates of unemployment across all four groups are high, and they represent a much larger than expected percentage of the unemployed. Two reasons for this are the lack of employer awareness of the condition and inappropriate management.
The report also makes a good case for cybersecurity to focus on neurodiverse candidates. All groups tend to be very detail-orientated and methodical. They possess an ability to focus and learn that gives them an in-depth and detailed knowledge of a subject. They also see complex problems as interesting and are often adept at pattern recognition.
All of these are important in a constantly changing world, such as cybersecurity.
What are the employment challenges?
Being perceived as ‘different’ has created a systemic barrier to employment for those who are neurodiverse. The report asks the question: “What needs to change in the recruitment process and how can more neurodiverse people be attracted into the cyber security industry?” It lists some of the responses from the workshop, including some targeted at specific areas of neurodiversity.
Among the suggestions are:
- Make role descriptions for jobs inclusive, clear and precise
- Ensure that potential employees can disclose as neurodiverse without fear of discrimination or exclusion
- Consider the language used in job applications
- Create a broader and more inclusive job application process including audio/video
- Ensure all adverts are written in plain language without jargon
In addition to the above, employers and managers must deal with their own bias against neurodiversity. It may also require changes to how workplaces are set up, such as providing more quiet rooms. The office may also need to be reconfigured to remove sensory overload and distraction.
Another issue in many workplaces is time-keeping. Many of those who identify as neurodiverse can struggle with this, and it can cause friction with other work colleagues.
A more important and potentially challenging issue is freedom over how computers are setup. Colours, fonts and themes are all mentioned in the report. All of this should be available under accessibility rules inside organisations. However, many IT departments prefer to deliver standardised environments to simplify the support workload.
A call to action
The most important part of this report is its call to action. Here is seeks to provide objectives for both Crest and employers to widen the opportunities for neurodiverse employees.
The report says that a neurodiversity strategy should not be a one-size-fits-all initiative. Dr Jill Miller, of the CIPD (Chartered Institute of Personnel and Development) said: “We need to ensure we don’t generalise about certain groups of people, such as assuming all Autistic people dislike social interaction.
“On a personal level, if someone discloses, you can talk about what would make them more comfortable. It’s about acknowledging differences in cognitive processing across a spectrum, not just how a ‘condition’ relates to work. Once you realise this, you see it in a new way. However, some people may not want to disclose, so good practice would be to consider reasonable adjustments from any applicant or employee; this could take performance from good to excellent.”
There are 13 suggestions in the report and some link to other groups such as The Cyber Neurodiversity Group in the UK. It wants organisations to expand their existing support groups for staff. This means expanding the remit of support groups to include Dyslexia, Dyspraxia and ADHD to oversee and coordinate activities and set performance metrics as per Autism.
Other suggestions are around the creation of materials about employment aimed at potential neurodiverse employees. These would appeal to those potential employees and make offices as welcoming to them as they are to other groups of employees.
Enterprise Times: What does this mean?
This is the second piece of work by CREST looking at Autism. The first was a workshop it ran with the National Autistic Society. It led to the Cyber Security Challenge UK running its own neuro-diversity day. At that event, Enterprise Times talked with Emily Swiatek, Employment Training Consultant at the NAS. Swiatek talks about the challenges for employers in dealing with autistic employees.
One of those challenges is how we talk and engage with people with autism. Part of that is about using the right language. Take the statement: “I want your best job, and I want it by Friday.” We’ve all heard it and probably deal with it. Swiatek points out that for some autistic people, you either want their best job, or you want it by Friday. It means better clarity is needed in those conversations.
Another issue is that of job descriptions and interview processes. The former is a problem across cybersecurity a whole. Many jobs have loosely defined descriptions which do nothing to help employees or employers get the right skills mix for the position. The interview process is similarly confused. The bottom line is that we all need to do better.
Crest has addressed some of this in its call to action. Cybersecurity specific career guides for Dyslexia, Dyspraxia and ADHD are a start. Another is the call to review activities supporting the interview process. Crest has more workshops and reports planned in this area. It will be interesting to see how many HR teams engage with it to improve how they approach the issues raised in the workshop.