In an exclusive interview with The Cyber Express, Holly Foxcroft, Head of Neurodiversity in Cyber Research and Consulting, discussed neurodiversity and the need to create a more supportive environment in the cybersecurity space for the neurodiverse workforce.
Q.1: The cybersecurity skill gap has continued to increase. Do you think hiring folks from the neurodiverse spectrum is the solution?
I am going to take a bit of a different approach here. I don’t think that there’s a skills gap. I think we do not understand our candidates, and we’re looking for people, and our expectations are wrong.
And this will, again, highlight that individuals who are neurodivergent, who are diagnosed or identified or don’t know that they are neurodivergent, and are facing barriers when it comes to employment.
Now, individuals who have cyber and technology and digital skills seem to be that data would suggest that individuals in this career space have higher likely to be neurodivergent or have characteristics of neurodivergent conditions.
Yes, there’s a higher chance of finding candidates who are suitable for these roles. But they’re facing social barriers because of the way that we recruit and the way that we look for individuals in that onboarding process.
So, if we look to change that and change what our understanding is of neurodiversity, particularly neurodivergent conditions and individuals.
Not that we’re expecting people to become experts in this field, but rather focus on individual needs, and removing that subconscious bias that we have, or organizations can have when they recruit in their own image. It’s about actually changing how you recruit as a whole and becoming more inclusive.
But why I would say it’s kind of vital in cyber, and this is where it becomes quite interesting is research has suggested, and government agencies globally have identified that within their pathways into cybercrime, and for their convicted cyber offenders, there has been a higher number of individuals who are neurodivergent.
Now personally, I come to this with an understanding that we should look at the vulnerabilities of neurodivergent conditions. And that’s how we must approach it with the lens of looking through and understanding that. But if our adversaries are neurodivergent, then our best asset to understanding the human thought process or the logic is then hiring a diverse team.
By nature, cybersecurity is diverse, so we need to replicate that. And we need an altered and different way of thinking, processing, and seeing. That’s why neurodiversity is categorically imperative. It’s so important when we’re looking at building a cybersecurity team.
Q2: In terms of support, there seems to be a problem, especially during the hiring process. Also, the imposter syndrome and the unconscious bias plays a crucial role. How do you think business leaders can be educated more on the subject?
Taking the subject of neurodiversity and wanting to perhaps look at that recruitment, ensuring that you and your cyber team are at its best. This is a strategic move from the offset. This is where that first move needs to come from.
And it’s not about just focusing on your recruitment. If you just target, wanting to hire individuals because they’re neurodivergent, but without addressing the home, then you’re not going to keep a neurodivergent team.
The first thing that a senior leader or board advisor needs to look at is what the culture looks like in the organization for supporting an individual’s needs. It’s not about supporting autism, it’s not about supporting ADHD. It’s about what your reasonable adjustments and your cultural bias look like, at addressing an individual that may be socially different or whose needs are different.
Their specific learning objectives or specific ways of learning are different. Once you start looking at just being inclusive, in general, the cultural change.
Now, DNI initiatives are huge, and neurodiversity still has this negative stigma attached to it. A lot of that comes from misrepresentation. Autism is seen as a very linear diagnosis, in that you are either Rain Man or Einstein. It does not understand that each individual experiences things differently and their characteristics are different.
You’re only going on what you think you know about the diagnosis. And unfortunately, that has been quite negative up until now. And the way that I’m looking to support employers and organizations is by approaching it with the social model of disability, and that a lot of neurodivergent individuals are made disabled. We’ve faced these barriers because of social expectations that are placed upon us and social barriers which are considered normal.
Once we start to remove what those barriers are, the way that we do things, our culture of understanding and our bias of conditions, then we can start to be more inclusive and welcome a more diverse workforce.
Q.3 You mentioned a couple of times about the top-down approach; what does that exactly mean?
When we say a culture change, it needs to come from leadership. The processes and way that we do things. By creating a neuro-inclusive policy, is saying that this is just how we do things. It’s about making voices heard within your organization. In that saying, I want to be more neuro-inclusive, and I’m going to turn to the people within my business, and I’m going to build a mentorship program to support people.
Unfortunately, like the cybersecurity skills gap, neurodiversity is becoming a buzzword, and lots of people are talking about it. But it is essential to actually take that commitment to action and get the right support from the individuals that know neurodivergent or people who are neurodivergent to create change.
Now looking at what your communication looks like, what does your management understand about supporting neurodivergent Individuals? What do your reasonable adjustment policies look like in understanding an individual’s need?
It’s about having conversations as to what the budget looks like. Put money where your mouth is, and actually understand if you want to be this, then how can you support it?
We can all talk about initiatives and say, “We’re going to start doing this”, but how are you going to actually support that and make sure that it is supported in 3,6, 9 and 12 months from now?
If there’s a change in the business, if a person leaves, how you’re going to make sure that it’s going to carry on, and that’s from weaving back into your policy design.
Being inclusive is not just, we’re going to do this, and then it’s yesterday’s news; once you start that, you need to make sure that it is continued. And the way that that is continued is through the management and making sure that the practices that you put forward and your policy is carried forward.
Q 4. Historically, cybersecurity has actually not been an inclusive industry in terms of representation of women, which was around 11% a while back, and then it reached 24%. It has remained stagnant for five years now. Does it mean that it may not be the right space
If we look at academic research, and within neurodiversity, and cyber skills, then it is quite limited. However, because of neurodiversity and because of, unfortunately, the offender side, there is more research being conducted into our industry.
Now, is it the space? Yes, because what research has uncovered is that there is a higher percentage of digital skills and cyber skills in the neurodivergent community. The neurodivergent community show a better aptitude and understanding. Because of the way some of their brain works, it is linear to the skills of what you would want in a cybersecurity employee.
We’re analytical, we see things, we do see things differently, and we spot patterns. We are hyper-focused, and we understand we have a creative way of thinking that is completely different. And when we think of cybersecurity, we need to think creatively; we need to be very analytical; spotting those patterns and understanding that altered way of thinking is critical to having a cybersecurity employee.
Q.5 How did you come into this space? What was your journey like?
Actually, neurodiversity came first because that came from birth. I am neurodivergent. I didn’t know, and so later in life, which is very common for females, because we mask, and our characteristics can be different from men.
Also, because of societal expectations of what females should be, often, we aren’t picked up as being neurodivergent. Following on that neurodivergent and neurodiversity, my son is autistic with ADHD. That kind of really started my head into understanding his particularly world, but then obviously that wider, wanting to have it soak more socially understood, and not accepting the medicinal barriers that he’s medically disabled when actually I could see that if society changed certain tweaks, then he could still do the things that they said he never could.
And that’s when I really started on wanting it to be more inclusive. And his diagnosis did not define him. That’s where that kind of started.
Now, if I put it in the cyber side, that kind of that started in the military actually started with electronic warfare. And then merging into the interest of cyber security and cyber warfare.
I started technical recruiting, and that’s when having been armed with the understanding of neurodiversity, I started to see the trend within the candidates that I was working with, as showing characteristics of being neurodivergent.
Having open conversations, if I’m honest, with these candidates and noticing that although they had the right skills and aptitude, they were constantly being met by barriers because of communication skills, interviews, and how they would feel uncomfortable with going to certain employers.
So I went to an autism employment event. And I wanted to talk about, you know, cybersecurity is that is a great career. And I met a government agent there who worked for the National Crime Agency, and that’s when we had the conversation of actually quite a lot of young offenders are displaying characteristics of being neurodivergent. And it’s within cybercrime. So that’s where that started to come in.
And then with, alongside the cyber security challenge, who supports young individuals in developing cybersecurity skills, a lot of those individuals were neurodivergent, that were joining the cybersecurity challenge or part of that movement.
Back in 2017, we all had a discussion that we were going to put on a day where employers can see that the students who are neurodivergent, through the cybersecurity challenge, can see their skills. And running alongside that I ran the employment side of why we should look to employ and support these individuals, why it works, and how we can start a movement together. And that was the volcano; that’s where it all started to erupt.
The start of the two worlds coming together. I then started looking at the educational side of cyber, in that the individuals, particularly young offenders, the age of these offenders will shock people; they are very young, some below the age of criminal responsibility in the UK, which is 13.
Learning that digital skill is currently absent in schools, they’re self-learning and that self-learning isn’t governed. That’s why they’re falling into these early pathways to cybercrime. And this resonated with me because of my son, who has been showing coding skills from the age of five.
For my personal reasons, I wanted to make sure that if he wanted to go into that club of career, and other individuals like him, who are more vulnerable, they are vulnerable young adults and can be vulnerable adults when they grow older, that they are supported.
Because of the cybersecurity skills gap, because we’re not teaching them, and that education at university is otherwise unattainable, particularly for people who can be neurodivergent not saying that it is, but it can be difficult. I started developing cybersecurity and further education, which is college level.
I conducted my own academic research into understanding cybercrime offenders who are neurodivergent. Not just looking at autism, I expanded it into understanding co-occurring neurodivergent conditions with others, and why we should look at it through the lens of vulnerability.
That then supports understanding the condition and having my understanding of cybersecurity. It’s put me into the position I am in today, which is helping support employers and organization into being neuro-inclusive recruiters and to further support the industry by feeding in the latest industry insights with regards to neuro divergence and cybersecurity and how we can further support industry itself and academia feedback into the fountain of knowledge as to what we know about this phenomenon.