James Coker takes a deep dive into the NCSC’s recent Decrypting Diversity report, analyzing its findings in respect of neurodivergent and disabled people working in cyber
The topic of diversity has generated much discussion in the cybersecurity industry in recent years. This includes growing recognition of the enormous benefits a diverse range of experiences can offer security teams. Simon Hepburn, CEO of the UK Cyber Security Council, explains: “There has been a lack of focus on these areas in cyber as a solution to combatting the skills gap that we are still seeing. Cybersecurity teams combining professionals with unique skill sets from different educational and social backgrounds, genders, ethnicities and even with neurological abilities can build the right pool of talent to tackle a wide range of cybersecurity challenges.”
Encouragingly, progress regarding the representation and experiences of ethnic minorities and women was recorded in Decrypting Diversity, a collaboration between the National Cyber Security Centre (NCSC) and KPMG in the UK. Much work remains in these areas, however. Importantly, this study also provided fascinating insights into lesser-discussed areas of diversity. These include the experiences of neurodivergent and disabled people in the sector that are deserving of significant attention, particularly from security leaders and decision-makers.
Neurodiversity
Neurodiversity encompasses both NeuroTypical and NeuroAtypical people, such as those with autism, dyslexia and dyspraxia. Interestingly, around one in five (19%) of the 945 industry professionals interviewed for the study identified as neurodivergent, which is substantially higher than the estimated proportion of the UK population as a whole. Does this suggest that the sector is especially welcoming to people with these characteristics? Or is the sector particularly attractive to those who think differently?
A well-known anonymous Twitter profile, named The Disabled CISO (@CisoDisabled), who offers insights on his work as a physically disabled and neurodivergent CISO, believes it to be the latter. He thinks the main explainer for this disparity is the nature of cybersecurity, which is well-suited to neurodivergent attributes. “As someone living with dyslexia and dyspraxia, I identified that my brain worked differently and was hungry for the challenges and problems cyber presents on a daily basis. I became very successful in this field,” he explains.
Worryingly, the report flagged numerous problems faced by neurodivergent people working in cyber. Around a third reported feeling unable to be themselves in the workplace, and a similar proportion said they experienced discrimination in their job. In addition, over a third (37%) said they had experienced at least one career barrier while working in the sector, and 29% said they were considering changing employer or leaving the industry because of the barriers they have encountered.
There is a range of factors that lie behind these concerning statistics, mainly emanating from a lack of understanding of the particular challenges faced by neurodivergent people. The Disabled CISO highlights the example of dyslexia: “Their dyslexia sometimes means their emails, reports, etc., contain spelling mistakes or they make grammar errors – colleagues and line managers belittle them and make them feel stupid.”
Another factor is that neurodivergent people tend to think and learn differently from their colleagues, which often isn’t catered for by their employers. For example, Nicola Whiting, co-owner of Titania, pointed out that many Autistic people (like herself) are reflective thinkers, “which means we perform at our best when we get the data upfront and can have the appropriate time to process it.” Yet, in training courses, information about what will be taught is typically not provided in advance, putting such thinkers at a disadvantage. “One of the challenges is that we forget that what is good for one set of people may not be good for another. Businesses need to remove participation barriers to maximize performance and effectiveness,” she observes.
"One of the challenges is that we forget that what is good for one set of people may not be good for another"
Disabilities
The Decrypting Diversity report also provided vital insights into the lives of disabled security professionals. In parallel with neurodivergent people, the study found a higher proportion of people with a disability working in cybersecurity than comparatively in the wider population (25% vs. 20%).
Unfortunately, there are also similarities regarding the workplace challenges people with disabilities face. Around a third of disabled cyber professionals didn’t feel they could be themselves in the workplace, and a third faced discrimination in their jobs. Additionally, over a third (36%) reported experiencing a barrier in their career. Unsurprisingly, this resulted in a much higher proportion of disabled people considering moving employer than those who are not (21% vs. 9%) and leaving the sector entirely (7% vs. 3%).
The Disabled CISO offers some stark explanations for these concerning statistics: “Those of us living with disabilities are sometimes seen as weak, incompetent, not pulling our weight, etc., when in essence it is the polar opposite. On a daily basis, those living with disabilities face challenges in the workplace. They can be passed over for promotion as they took too many sick days – they weren’t sick, but their organization has a policy of recording hospital appointments to manage their disability as ‘sick days,’” he outlines.
This perspective is informed by personal experience. “I was working for an organization when my physical health was particularly bad due to my disability, resulting in time off work. Those in the workplace who did not understand my disabilities just felt I wasn’t pulling my weight, which resulted in me convincing myself I was failing as such. I wanted to give 120%, which simply was not physically possible,” he adds.
Solutions
From speaking to Nicola Whiting and The Disabled CISO, it is clear that organizations need to facilitate flexible ways of working and learning to enable people with physical disabilities or neurodiverse conditions from these backgrounds to be most effective. In respect of neurodiversity, The Disabled CISO notes: “Those who come to problems differently because their dyspraxia, autism and ADHD means they see the world differently and take a different journey are mocked by colleagues because the status quo has been challenged. ‘We have always done it that way’ is probably one of the most dangerous phrases in cyber and should be challenged!”
More generally, the Decrypting Diversity report highlighted several recommendations for the industry to become more inclusive for these individuals. These include diversifying routes into the sector, providing role models and harnessing hybrid working.
Diversifying Pathways into Cyber
Developing more routes into the sector outside of university education, such as school leaver and apprenticeship schemes, was highlighted as a crucial way of significantly increasing the number of disabled and neurodivergent candidates entering the field. The Disabled CISO notes: “It’s worth noting that many neurodivergent individuals found school/college challenging, with many not going to university. This does not make them any less worthy of a role, but sticking with a ‘you must have a degree from a red brick university’[attitude] will stop them from applying. I also know of some very talented individuals living with disabilities working successfully in cyber who did not take an academic route due to struggles they had at school.”
“It’s worth noting that many neurodivergent individuals found school/college challenging, with many not going to university"
It is also important to note that a high proportion of neurodivergent and disabled people come from less affluent socioeconomic backgrounds, thus are less likely to be able to afford university education. For example, the report found that 29% of respondents who were eligible for free school meals identified as neurodivergent, which compares to 19% of all respondents. This further suggests that more accessible routes into the sector will also translate into more diversity in other areas.
Additionally, Saj Huq, director at Plexal, which is involved in developing the UK government’s latest cyber start-up initiative, the Cyber Runway program, believes people from these backgrounds should consider looking for roles within the UK’s burgeoning start-up sector, which is often more open to candidates with different educational backgrounds and experiences. “A lot of our members and the companies we work with always cite talent attraction and recruitment as one of the biggest barriers in their growth, and as a result of that, a lot of them are taking quite novel approaches to try to find the talent that they need,” he explains.
Role Models
Decrypting Diversity also outlined the importance of publicizing success stories of people with diverse backgrounds in the sector. Huq explains this is something Plexal is incorporating into its work. “One of the key findings from the report talks about highlighting the case studies of people who have been successful in the sector. This helps those from underrepresented communities to better see themselves reflected in the narrative of the sector.”
The benefits of showcasing stories of people from diverse backgrounds are well recognized by Whiting. In fact, she only realized she was autistic after listening to neurodivergent speakers during a conference she attended and spoke at in her late 40s. “Their description of their experience of life – running out of social energy, of the impact of noise, the impact of sound and scent – I’m like, ‘that’s my life experience,’ and suddenly I realized I was part of a different tribe to the tribe I thought I was part of,” she outlines.
Hybrid Working
Another interesting recommendation in the report was how the shift to hybrid working could be leveraged to promote diversity and inclusion in the sector. Whiting notes that this shift can be especially beneficial to neurodivergent people, who often find social interactions challenging. “Hybrid working gives people more opportunities to thrive in the environment that they are best suited for. If somebody thrives in a busy, socially interactive environment, then they can choose that. If somebody thrives more when they don’t have to use the energy for social interactions, they can choose that.”
The option of home working clearly offers additional opportunities to disabled people too. The Disabled CISO comments: “Many people living with disabilities want to play a very active role in society, and that includes having gainful employment, but the traditional 9-5 sat in front of a computer in a big open plan office in a big city like London simply would not work for them.”
The findings in the report suggest that at the heart of improving inclusion among people with disability and those that are neurodivergent requires greater flexibility, appreciating there are many different ways of learning and contributing to security teams. Thus, providing alternative pathways and ways of working will help attract and enable a more diverse range of thinkers to thrive in cybersecurity, which combats group-think and increases innovation and resilience. Embracing diversity can only benefit the industry and, ultimately, society.