undefined

Tackling diverse cyber threats with a diverse team

By Holly Foxcroft, award winning international speaker, thought leader in neurodiversity in cyber and organiser of UK Cyber Week

Cyberspace as a domain is evolving and changing at an exponential rate. With that comes an ever-evolving threat landscape and the emergence of diverse, innovative ways to compromise technology and the humans that use it. Cyber security by nature is diverse, and we need diversity to combat our adversaries. One of the main ways to approach cyber security is through the three pillars of people, processes, and technology.

Diversity in teams is not just a matter of representation or inclusivity, but rather about leveraging the unique strengths and perspectives of individuals to enhance problem-solving and decision-making processes.

Research has consistently shown that diverse teams outperform homogeneous ones when it comes to creativity, problem-solving, and innovation. This is because diversity brings a variety of viewpoints, experiences, and cognitive styles to the table, leading to more robust and effective solutions. However, diversity and inclusion are not without equity. It is part of an employer’s social corporate responsibility to ensure they are offering the correct support for their employees.

Creating neurodivergent teams 

Neurodiversity refers to the natural variation in neurological traits present in human beings. Embracing neurodiversity means recognising and valuing the differences in how individuals think, learn, process information, and interact with the world around them. We are all neurodiverse. The term neurodivergent is given to individuals who have a neurotype that ‘diverges’ from society’s typical or expected approach in behaviour, learning, or working styles.

The neurodiversity paradigm encompasses a broad range of neurological differences and diagnoses. Some of the most recognized conditions within the neurodiversity framework include – autism, ADHD, Dyslexia, Tourette’s, OCD, Complex Post Traumatic Stress Disorder. Each one is recognised as having distinct characteristics, although many can be co-occurring. Neurodivergent individuals, often possess unique cognitive abilities that can be highly beneficial in cyber security.

Studies have shown that individuals on the autism spectrum, for example, may exhibit exceptional attention to detail, pattern recognition skills, and an aptitude for logical reasoning—qualities that are highly relevant in cyber security roles such as threat analysis, penetration testing, and forensic investigation.

It does not mean that all autistic individuals are fit for a career in cyber security, despite media representation often stereotyping the ‘hacker’ to have autistic like tendencies in films and tv shows (such as Mr. Robot). What is valid, however, is that a neurodivergent person is likely to approach problem solving in unique ways that differs to the neurotypical members of our society. This means that neurodiverse people naturally bring different skills and strengths that are needed in this industry. As a result, the implementation of neurodiverse teams can significantly bolster cybersecurity defences and stay one step ahead of adversaries.

The National Crime Agency has released data in its Pathways into Cybercrime Report, that indicates a growing number of cybercrime offenders have some form of neurodivergence. Research has also supported the idea that neurodivergence is also a vulnerability that can contribute towards individuals experimenting with cybercrime activities, not to be inherently deviant, but through their natural inquisitiveness and ability to hyperfocus.

Supporting neurodiverse teams

While recognising the evident advantages of embracing neurodiversity, many organisations still fall short in providing adequate support and accommodation for neurodivergent individuals within the workforce. Numerous factors contribute to this shortfall.

Notably, the interview process stands out as a major obstacle for neurodivergent talent seeking entry into the workforce. The inflexibility of processes and interview structures often places neurodiverse individuals at a disadvantage. Moreover, for certain individuals, this drawback commences as soon as they encounter the job description and application process, which frequently lacks inclusivity in its language.

Recognising the distinct strengths inherent within a neurodiverse team, particularly in addressing a wide array of security threats, serves as impetus for organisations to proactively integrate a more diverse pool of applicants. Nonetheless, given statistics indicating that approximately 20% of the population falls within the neurodivergent spectrum, (a statistic sourced from the National Autistic Society) it is probable that many organisations already harbour neurodiverse teams. Industry research, notably by KPMG (2019, 2021), underscores a higher prevalence of neurodivergent individuals within the cybersecurity workforce compared to other sectors.

Neglecting to provide adequate support for employees, irrespective of their neurocognitive profiles, can precipitate adverse impacts on their mental well-being. Neurodivergent individuals are particularly susceptible to experiencing burnout and adverse mental health outcomes when their needs remain unaddressed, both within and outside the workplace, owing to a multitude of factors contributing to sensory overload. Thus, it becomes evident that organisations must prioritise the provision of adequate support, even before considering compliance with the Equality Act 2010.

Neurodivergence constitutes a protected characteristic (Equality Act 2010), ensuring that employees disclosing their neurodivergent status are entitled to reasonable accommodations, safeguarding them against direct discrimination and harassment. As previously mentioned, around 20% of the population identifies as neurodivergent, a percentage anticipated to increase due to a growing trend of seeking private diagnoses and the rising openness of individuals willing to share their neurodivergent experiences in adulthood.

This openness fosters increased self-awareness, and it is reasonable to anticipate a surge in requests for reasonable accommodations to support disclosures of neurodivergent status. Considering this, it will be imperative for employers to foster organisations which are neuroinclusive.

To achieve this, employers are encouraged to bring awareness to neurodiversity through comprehensive training and education programs. By cultivating a culture of acceptance and appreciation for neurodiversity, organisations can foster an environment where all individuals feel valued and empowered.

Recognising the inherent diversity among neurodivergent individuals is essential, as each person’s experiences and requirements are unique. Offering flexible working arrangements, including remote and hybrid options, serves as one approach to accommodating diverse needs while simultaneously broadening the talent pool. Such arrangements not only cater to neurodivergent individuals who may thrive in more flexible environments but also accommodate those who may struggle within traditional office settings, thereby facilitating optimal productivity.

Furthermore, extending training and awareness initiatives to encompass cybersecurity education ensures that the entire workforce, not just cybersecurity teams, is equipped with the necessary knowledge to mitigate risks effectively. Understanding neurodiversity serves to fortify cybersecurity measures by ensuring that training initiatives are accessible to all, thereby enhancing overall cyber resilience.

Embracing diversity, including neurodiversity, transcends moral considerations; it represents a strategic imperative in the ongoing battle against cyber threats. By harnessing the unique strengths of neurodiverse individuals and cultivating inclusive workplaces, organisations can forge more resilient cybersecurity teams capable of navigating the complexities of the digital landscape.

It is incumbent upon the cybersecurity industry to recognise the inherent value of diversity and take proactive measures to support and empower all members of its workforce. Only through such concerted efforts can true cyber resilience be achieved in an era marked by diverse threats and adversaries.