An IBM security operations center.
Image: John Mottern/IBM

Cybersecurity moves fast and changes constantly, which requires strong problem-solving skills and outside-the-box thinking. The other challenge the industry faces is an ongoing shortage of people to fill open positions. One way to solve this problem is to modernize hiring requirements to include candidates who have the capabilities for the work without the traditional credentials.

Liviu Arsene, a global security researcher at Bitdefender, said that the cybersecurity industry could benefit from hiring more neurodivergent people.

Arsene said that a recent survey showed that increasing diversity in general could create a bigger talent pool for hiring, and that recruiting more neurodiverse people could make security teams stronger overall.

“In fact the study found 20% of infosec professionals believe that increased neurodiversity in cybersecurity will help combat cyberwarfare, a threat that 63% of security decision-makers believe is a threat to their organization,” he said.

The Bitdefender 10 in 10 Study is based on feedback from 6,724 infosec professionals in large organizations across the United States and the EMEA and APAC regions.

Incident responders and other types of specialists need skills that go well beyond traditional requirements for cybersecurity jobs, Arsene said, which is why some security professionals believe they must look to nontraditional disciplines, backgrounds and cognitive abilities as part of the recruiting process.

“It could be that the skills shortage in the cybersecurity space and the competition in attracting the best candidates may have led the industry to focus on a small pool of candidates until now,” he said.

In addition to the shortage of cybersecurity talent, the threat landscape is becoming more sophisticated and continues to evolve.

“Perhaps one way security decision-makers could address this mounting challenge is by building more diverse cybersecurity teams that can look at the same problem from several different angles,” he said.

Neurodiversity in the SOC

SAP and IBM have made it a priority to expand the hiring process and add neurodiversity to their workforces. Two neurodiverse individuals who work in cybersecurity shared their perspectives.

Michael Seborowski, an incident response investigator at SAP, joined the company via the Autism at Work program. He manages digital forensics cases and solves incidents as they come into the queue. Seborowski said he likes the daily challenges that cybersecurity presents as well as collaborating with his various security-minded colleagues.

“Before the pandemic, I also had opportunities to travel to other parts of the world for work, which gives you greater perspective on the world and the people you work with.”

For managers who want to expand their hiring process, Seborowski said leaders should keep in mind that people might not immediately declare themselves as being on the spectrum, and new programs should take that into account.

“Biases and stereotypes that might affect a colleague on the spectrum need to be replaced with caring, and companies need to be able to work with colleagues constructively to figure out problems,” he said.

Megan Roddie is a cyber threat researcher with IBM’s X-Force Threat Intelligence team and an autistic professional. She also works part-time on the development team to build tools for threat researchers and automate processes to be more efficient. She said she has worked with her manager to set a daily workflow that allows her to work most efficiently. This means limiting meetings and setting aside dedicated time for research and development.

“Often when management and executives hear ‘disability accommodations,’ they’re thinking of physical or medical things to do,” she said. “They’re not thinking about the fact that autistic people just think differently, and most of us neurodivergent professionals function fine.”

Roddie founded the Actually Autistic Task Force when she joined IBM. This group provides a closed communication channel for anyone who identifies as autistic and meets weekly through WebEx. She said companies should use these employee resource groups to guide initiatives and collect feedback, as the Neurodiversity at IBM team does.

“A lot of organizations mess up where they create a neurodiversity program in the workplace, and they don’t actually talk to any neurodiverse people and mostly go based on stereotypes or assumptions,” she said. “Having conversations with and including neurodivergent people in the development phase of social initiatives is important.”

Roddie said companies should set more intentional outreach goals to bring more neurodiverse individuals into the workforce.

“Businesses should also be cognizant of unconscious biases during the application process,” she said. “Some neurodivergent candidates may have large gaps in their resumes or may lack formal higher education.”

Seborowski said that neurodiverse people who want to work in cybersecurity should work closely with diversity coordinators and managers to understand the process and make sure it is flexible and accommodating.

“To stay resilient in these times, keep a positive attitude, be curious about how different systems can get used in unintended ways, and to reach out for help if you need it,” he said.

SAP and Autism at Work

Jose Velasco is a program director in the business process intelligence division of SAP and an Autism at Work ambassador. Velasco was a leader of the company’s initial efforts in 2013 to expand hiring efforts to include neurodiverse people.

The project started in Germany, Ireland, Canada and the United States with the intention of understanding how to best work with people on the autism spectrum. The program has evolved to reflect different understandings of autism as well as local labor laws, Velasco said.

“We started a program in each location to accommodate a different set of capabilities as well as knowledge in the community and bias,” he said. “It was a program that was defined with global objectives with the freedom of local implementation.”

Today SAP has an Autism at Work program in 16 countries with people working in 30 roles that range from task-oriented jobs to customer-facing work.

Some companies take a center of excellence approach to hiring neurodiverse people by focusing on jobs in a particular area such as cybersecurity, data services, or testing.

Neurodiverse people work across SAP in any role that is a good fit, Velasco said.

“In our case, the people that we’ve hired, they are sometimes the only neurodiverse person on the team,” he said. “We think that’s the only way we can change the perspective of the company with complete cultural change.”

How the program works

Once a year, SAP enrolls a cohort of people in an Enterprise Readiness Academy. The six-week training program has an online component and a hands-on session at an SAP office.

Participants learn the basics of the business world and create a work portfolio. The session ends with a two-week crash course in building a company.

“We give them a problem and hardware and sensors and robots, and they come up with a prototype,” he said. The training includes the basics of market analysis and empathetic design principles.

At the end of the course, students do a presentation of their business proposal in front of an audience of 50 to 75 people. The next step is to look for an open position at SAP and apply. Velasco said finding the right fit is a crucial part of the process.

“We are trying to support people from the very early stages to validate a good match between person and the job,” he said.

Training for managers is part of SAP’s Autism at Work program. When a job candidate from the program comes in for an interview, program leaders ask the individual about discussing neurodiversity with the hiring manager. If the candidate is comfortable sharing that information, the next step is to train the manager.

Velasco said that changes to the interview process include:

  • Having at most two people in the session
  • Limiting the session to 45 minutes
  • Scheduling 15 minutes between meetings
  • Providing a quiet room for breaks if needed

If the person is hired, the new SAP employee can rely on a support circle that includes a manager, a team buddy, the Autism at Work mentor network, and a job and life skills coach.