The well-publicized cyber-skills gap is arguably the greatest challenge currently facing the cybersecurity industry. With a widening attack surface as a result of growing digitization, exacerbated by the COVID-19 crisis, time is fast running out to ensure the pipeline is filled by personnel with the right skillsets. Much of the focus has, rightly, been on adapting the education system to provide youngsters with the technical know-how and desire to pursue a career in cybersecurity.
Alongside this though, could organizations adapt their hiring practices for security staff to ensure they are fully utilizing the talent that is potentially already out there? Infosecurity recently caught up with James Hadley, chief executive officer of Immersive Labs, to discuss this issue, and the importance of having a neurodiverse cybersecurity workforce.
What are the traditional hiring practices in the cybersecurity industry, and are there any drawbacks to these approaches?
Executives need to recognize that traditional hiring processes often reinforce unconscious biases and result in managers appointing people whose lives and outlooks mirror their own. Cybersecurity is no different, and the traditional approach of hiring based purely on CVs, accreditations and slick interview techniques must be brought into the modern day to combat this.
By nature of the fast-paced and practical cybersecurity industry, certificates are often not sufficient as a measurement of capability or suitability. The threat landscape is constantly changing, so why are we still measuring the ability of our staff to combat them with a bit of paper that was out of date before the candidate even sat the exam? Hiring should be based on proven ability, with certifications and qualifications as a secondary requirement. Without interactive, timely skills assessment and development, there is often a gap between the actual requirements of the job and the skills that are being touted as ‘desirable’ in the job description. We need to flip this on its head and put skills first.
Furthermore, today’s resumes and job specifications often reinforce pre-existing prejudices. Focusing on capability over certifications encourages hiring based solely upon the candidate’s ability to complete the tasks at hand, their ability to learn and face new tasks in the future – and not on socioeconomic backgrounds. This removes the subconscious bias inherent in the hiring cycle, allowing for more diverse security teams aligned closer to risk, as opposed to being influenced by personal choice.
Has the changing threat landscape made neurodiversity more important in the cybersecurity industry?
It has always been important. Neurodiverse individuals have been overlooked for too long, yet NeuroCyberUK has found that up to three-quarters of cognitively able neurodiverse adults may possess the aptitude and skill set for a successful career in cybersecurity. Neurodiverse individuals address problems differently and can challenge approaches to drive the best possible outcome in security. Their unique skill set can also positively impact the cyber field that is facing a very real talent gap.
The industry needs another 4 million trained security workers in order to properly defend organizations, according to research by (ISC)². The traditional approach to hiring and equipping individuals with the cybersecurity skills they need is broken and that is putting organizations at risk. So, we need to expand where and how we mine for talent. By expanding its DE&I efforts, the cybersecurity industry can discover and support many bright minds to bridge this dire skills gap. And we should not be overlooking neurodiversity as one of those groups.
The fact of the matter is, cyber-criminals have long embraced neurodiversity. Just look back at the 2012 and 2013 hack of the FBI, U.S. Army, Missile Defense Agency and the Federal Reserve. There are no hiring rules or “best practices” in cybercrime – they only care about who has the best skills, not who has the most polished CV or the best interview technique. We should embrace the same mentality to stay on top of the rising cyber-threat landscape. For example, some neurodiverse individuals are uniquely skilled at finding patterns in seemingly unrelated data or relentlessly pursuing potential signs of data breaches. This could prove invaluable as part of companies’ efforts to detect, mitigate and respond to threats. If we want to keep up with cyber-criminals, we need to start thinking and hiring like them, by placing more emphasis on skills, not certifications.
What soft skills do you think are currently lacking in the sector? Which kinds of people/backgrounds could help address these deficiencies?
The best security people have acute situational awareness of other people’s roles, the part they play within the wider business context, and the other risks that the business faces. Plenty of industry experts reinforced this in one of our recent studies on the people of infosec. While cybersecurity is everyone’s responsibility, it is not everyone’s priority. It’s easy to get caught up in the belief that infosec risk is the only risk a business faces – it’s hard to shake that attitude when you consider that there are 65,000 attempts to hack UK SMBs every single day – but it’s essential to understand and appreciate the other risks, goals and priorities of the business in order to do the job well.
It’s also important to always have a hunger to learn and to challenge what you think you already know. It’s called cognitive agility, and it’s the soft skill that every person in cybersecurity should work on developing. The cyber-threat landscape changes on a daily, if not hourly, basis. New threats, new tools, new techniques, new actors – it’s an ever-changing space, so the very best cybersecurity people are those who can face the unknown, question their assumptions, and find creative solutions to wicked problems. Encouraging cognitive agility in security teams can be done in two ways: firstly, by frequently running micro-drills to help people become self-aware enough to understand how their thoughts, decisions and actions impact performance; and secondly, by increasing diversity. With diversity comes the ability to see the world and its problems from different perspectives. The importance of this cannot be overstated, especially when facing some of the “unsolvable” problems that we must tackle in cybersecurity.
How can a wider pool of talent be encouraged to pursue a career in cybersecurity, even if they do not have the typical educational background of a cybersecurity professional?
It all starts with companies fostering a safer and more inclusive environment to convey the message that diversity of thought and background is welcomed and necessary for long-term success. This sort of environment must start – and be enforced – from the top.
Practices and solutions can also be implemented to remove such biases, such as creating a digital profile based on a platform that tests skills. Removing all the other details and focusing just on ability has the tremendous benefit of removing potential unconscious bias, including an applicant’s socioeconomic background. This way, the approach simply matches skills to requirements.
There’s another facet to this, however. One of the primary reasons that white men with backgrounds in IT, computer science and engineering are dominant in cybersecurity is simply because most of the job applications come from them. If we look at how most people develop an interest in infosec, it’s because they fostered a natural curiosity in the matter and felt free to explore it. But there are many blockers to freely exploring those ‘intriguing’ elements of infosec. In some cases, it can even be dangerous or lead to criminality, and in all cases, going out and doing it yourself is risky. As such, if we hope to widen the talent pool, we must facilitate this curiosity and provide safe, secure environments in which the potential infosec community of the future can explore it. Immersive Labs does this with its Digital Cyber Academies for military veterans, neurodiverse individuals and students.
It’s time to address this imbalance, but we must acknowledge that the change will not happen overnight – we have to be in it for the long run. It has to be a cultural shift around the way cybersecurity is perceived as an industry and a potential career by young people today and in the future.
How can organizations adapt their recruitment strategies to ensure greater neurodiversity in their security teams?
Companies can engage with the external organizations that help address the need for greater diversity as part of their hiring strategy, including, for example, NeuroCyberUK.
It’s also up to companies to re-evaluate how to qualify candidates for jobs that go beyond traditional certification; for example, by taking a step back from legacy training methods such as classroom learning. People from neurodiverse backgrounds learn in different ways, and many of them are so passionate about their craft that they are obsessed with developing skills. But without access to legitimate tools that accommodate their way of learning, they can be tempted to test these skills illicitly. Making hands-on training more accessible will remove barriers that may otherwise deter individuals and also foster an inclusive environment that nurtures and develops this talent.
We also need to move away from the notion that someone has to ‘fit in’ to a team. This way of thinking reinforces unconscious biases, as hiring managers will naturally look to those who share the same outlooks and characteristics as those already on the team. That’s no way to increase diversity. We should be celebrating the uniqueness of individuals and what they can bring to bolster the team rather than hiring based on our preconceived notions of the ‘ideal candidate’.
Cybersecurity needs to acknowledge that a bigger, more diverse talent pool with a deeper skillset is, in and of itself, a risk reduction exercise.