Threat Intelligence | Commentary
11/28/2018 10:30 AM
Lysa Myers

The "Typical" Security Engineer: Hiring Myths & Stereotypes

In an environment where talent is scarce, it's critical that hiring managers remove artificial barriers to those whose mental operating systems are different.

The more we learn, the more it becomes clear that there is no "universally optimal" brain. We all have our own unique strengths and weaknesses. Things we do to help people with different neurotypes aren't just accommodations for rare individuals. Being considerate of each other's mental operating systems can improve everyone's functionality.

Each year brings more reports that document the challenges of hiring in cybersecurity, with an alarming number of unfilled positions. But this may ring hollow to those struggling to find work in the industry. There are many factors that cause this discrepancy, and today let's look into one such area: inclusive hiring practices for neurodiversity.

Defining Neurodiversity
Most of us have a clear mental stereotype of a "typical engineer." This may include personal issues and quirks as well as traits that help people succeed in intellectually demanding jobs. The positive qualities include things like intense specialized interests, laser-like focus, creative and vivid imagination, or the ability to find signals within noisy data sets.

From a neurological perspective, many of these traits — both positive and more challenging ones — frequently intersect with signs of "mental operating system" differences such as autism and attention deficit hyperactivity disorder. As a result, popular tech-hiring practices can sometimes put off the very people who have always been an important part of science and technology.

Neurodiversity also includes a wide variety of neurological differences related to developmental and learning disorders, mental health conditions, and mental perception variances such as amusia and aphantasia. Individuals are referred to as "neurodivergent" while groups of people are referred to as "neurodiverse." While many people define these variations as "disabilities," the traits can and do bring benefits to individuals as well as potential employers.

Hiring Benefits of Neurodiversity
Part of the benefit of having diversity is that it improves the breadth of knowledge within your organization. People with different brains — as well as genders and ethnicities — will have different backgrounds as well as strengths. And naturally, they'll have different security and privacy concerns, most of which will not be obvious to people outside of those groups.

Paying extra attention to hiring practices can help you root out ways you might be generating "false negatives" that exclude neurodiverse job candidates for reasons that have nothing to do with their ability. In an environment where talent is scarce, it's imperative to remove artificial barriers to entry.

It's also important to understand that women and minority communities tend to have high rates of under-diagnosis, so they may not be identified as neurodivergent. And because the qualities that lead to someone being identified as neurodivergent are also present, to varying degrees, in "neurotypical" people, being inclusive will help everyone. Here are five neurodiversity hiring practices to keep in mind:

Set Expectations Early and Often
Hiring is seldom a straightforward process because there are many variables that can affect timing. But it's important to tell people what your process is and to give them a window of time in which steps should occur, including notifying applicants if they were not chosen for the position. If you need to deviate from that schedule due to unforeseen circumstances, it's best to notify candidates as early as possible rather than leave them guessing. Once someone has been hired, set them up to succeed by continuing to set goals and schedule dates for deliverables, including discussion about deferred activities.

Err on the Side of Clarity
Not everyone processes information the same way. Some people prefer text to verbal instructions, or they may understand diagrams better than written words. Some may misunderstand idioms or interpret things very literally. It's better to cover all your bases, and stick to simple and clear descriptions. If the option is available, ask people their preferred communication method and double-check that your words are interpreted as you intended them. When you're not able to ask, err on the side of providing as many options as are appropriate.

Consider Your Job Ad Wording
It can be difficult to communicate the level and types of skills a prospective employee is expected to have. The most common way to do this is with numbers, for example "five years of experience" with a certain technology or position. But there's nothing intrinsically magical about five years of experience. You can express the same idea more clearly by rewording it as "experience with" or "fluent in," or with other phrases that describe the problems you're trying to solve or the level of familiarity with a technology that you require.

Stick to Criteria that Pertain to the Position
Coders don't necessarily need to maintain a lot of eye contact to be effective. Being a social butterfly doesn't indicate someone is a better reverse engineer. Make sure that the criteria on which you're judging candidates are decided in advance by a group of interested parties, that they pertain to the job at hand, and that they are the same factors on which employees are later graded.


Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...
Comments
Joe Stanganelli, 11/30/2018 | 10:23:14 PM
Re: Very few understand security
@REISEN: Well, sure, in a better world, we wouldn't have this outsourcing. We'd have companies investing in their staff, which only happens if you're willing to be imaginative in your hiring practices and commit to your employees.


Oh, well.
REISEN1955, 11/30/2018 | 8:29:45 AM
Re: Very few understand security
True to the extent of "most jobs" like planning, human resources, plumbing, etc. These are long known jobs that have a history and thus plenty of qualified folk. Cybersecurity is relatively new and in IT with only the past 5 or 10 years at max. Plus IT is now jaded as management often outsources to India (Wipro, been there, done that) without regard to QUALITY of work - just the expense of it. So few people now enter the field because of the good chance their career job will be decimated. Why go there? Less so with cyber security but the effect lingers. Why go there too.
Joe Stanganelli, 11/29/2018 | 11:13:56 PM
Re: Very few understand security
@REISEN: In some areas, like AI, some companies are hiring people in STEM fields other than computer science, like astronomers and physicists, with the idea that they can apply and adapt their mathematical and scientific expertise to AI programming.

That's probably what cybersecurity needs -- instead of HR people looking to check a bunch of boxes. Most jobs people don't know how to do until they start doing it. Cybersecurity is no exception.
Dr.T, 11/29/2018 | 1:10:45 PM
Re: Very few understand security
With a nod to James Bond to aggressively kill and hunt the stuff. It is not a dull and boring field. Agree. Not at all. It is getting more and more attraction and that is good for the IT field.
Dr.T, 11/29/2018 | 1:09:04 PM
Re: Very few understand security
So staff is hard to find. Then you have the investigative mindset. Makes sense. We just hired a new graduate developer and he found another good paying job in 6 months.
Dr.T, 11/29/2018 | 1:07:46 PM
Re: Very few understand security
You have to be hired to get experience and that requires a cert so you don't get hired thus staff does not exist. Good point. It is mainly learning on the job in most cases.
Dr.T, 11/29/2018 | 1:06:15 PM
Re: Very few understand security
Certifications are darn hard to obtain and having experience is the best route to that but, agree with this, and some are useless anymore.
Dr.T, 11/29/2018 | 1:05:09 PM
cybersecurity
Each year brings more reports that document the challenges of hiring in cybersecurity, with an alarming number of unfilled positions. This is true for us too; we could not find the right resource for cybersecurity.
REISEN1955, 11/28/2018 | 3:18:59 PM
Very few understand security
This field is like the wild west right now - few people are good gunslingers, fewer know how to shoot. Certifications are darn hard to obtain and having experience is the best route to that but, well, you have to be hired to get experience and that requires a cert so you don't get hired thus staff does not exist. Endless circle of frustration. Some who have experienced malware and ransomware understand it, a few know how to defeat it. I did twice for my clients many years ago (catalog backups). So staff is hard to find. Then you have the investigative mindset - one has to be Sherlock Holmes to find Moriarty these days. With a nod to James Bond to aggressively kill and hunt the stuff. It is not a dull and boring field.