The cybersecurity skills shortage and workforce gap continue to be of concern to organizations. As they seek to protect digital assets by finding professionals with the right skills, demand remains higher than supply.
With recent surveys suggesting the cybersecurity workforce gap decreased in 2020 from previous years — from 4 million worldwide in 2019 to 3.1 million in 2020 — 28% of CISOs firmly believe that "serious disruptions" will occur if these roles are not filled. Around 76% of CIOs and CISOs believe the answer to this shortage lies in a more diverse skill set among those tackling cybersecurity tasks. Additionally, a third of infosec professionals agree that neurodiversity will make cybersecurity defenses stronger while also helping to eliminate bias in the industry.
Defining Diversity and Neurodiversity
Diversity is nature's way of increasing its odds of survival. It's a fact that genetic diversity helps maintain a healthy population and build up resistance to diseases, while allowing it to adapt to change.
Neurodiversity is considered a natural genetic variation in the population and usually refers to the range of neurological differences in brain functions and behavioral traits, typically associated with social skills, learning ability, and mood. Commonly, individuals that diverge from the dominant societal standards of "normal" neurocognitive functioning are referred to as neurodivergent.
Since first introduced as a concept in the late '90s, neurodiversity has also become a social justice movement that seeks civil rights, equality, respect, and full societal inclusion for the neurodivergent. Regardless of the specific definition, the topic is typically associated with individuals that may be diagnosed with ADHD (attention deficit hyperactivity disorder) or on the autism spectrum and possess exceptional high pattern-recognition abilities, attention to detail, focus, and even outside-the-box thinking.
Diversity, including neurodiversity, in cybersecurity could improve an organizations' overall resilience to cyberattacks. Cybersecurity teams combining professionals with unique skill sets from different educational and social backgrounds, genders, ethnicities, and even with exceptional neurological abilities, can build the right pool of talent to tackle a wide range of cybersecurity challenges.
How Cybercriminals Leverage Diversity and Neurodiversity
Cybercriminals may have long embraced neurodiversity. With no rules on educational background or hiring practices, the cybercriminal community often simply seeks the person who can do the job best. It's likely that most cybercriminal gang members have different social backgrounds, are of different ethnicity or religion and possess differing levels of education, but that doesn't stop them from breaching some of the largest companies or pulling off massive digital heists.
Consider the cybercriminals diagnosed with Asperger's syndrome who pulled off hacks against the Federal Bureau of Investigation, the US Army, the Missile Defense Agency, and the Federal Reserve. It's safe to speculate that diversity and neurodiversity are no strangers to cybercrime.
Although there is little to no empirical evidence to suggest the relationship between autistic individuals and cyber-driven crimes, some studies have tried to find a link between cybercrime and gifted individuals. However, due to the nature of the Internet and cybercrime, it is difficult to find and prosecute these criminals, let alone study and assess their cognitive abilities.
Strengthening Cybersecurity Efforts
Four in 10 cybersecurity professionals believe communication remains one of the biggest barriers in the cybersecurity industry. Tech jargon brought into the boardroom can significantly hamper board members' understanding of the security risk their organization faces. This, in turn, can negatively affect security budgets because of the lack of perceived risk.
Diversity of talent on cybersecurity teams could potentially solve this communication problem. Building teams with different skill sets ranging outside technical qualifications can have a positive impact.
For example, instead of creating an all-tech team, each with their area of expertise, infosec leaders should consider adding a staff member who's an excellent communicator. He or she could translate technical details and present them in terms non-technical board members can understand, providing clear insight on the organization's security challenges, which in turn could lead to positive outcomes, including improved cybersecurity posture of the organization. Gaining buy-in from board members and achieving cybersecurity objectives is one goal where a non-technical member of a security team can be invaluable.
Incorporating neurodiversity into cybersecurity teams may have additional positive impacts. Employees that are uniquely skilled at finding patterns in seemingly unrelated data or relentlessly pursuing potential signs of data breaches could prove invaluable as part of companies' efforts to detect and respond to threats. While automation currently does most of the heavy lifting in spotting these anomalies, security team members with unique skills and attention to detail may contribute additional insights and correlations that validate findings and even improve tuning of automated systems.
Of course, there's no recipe for success in building diversity and neurodiversity into a cybersecurity team. Motivating people with different skill sets and from across the neurodivergent spectrum may prove challenging, but a growing number of CIOs and CISOs believe neurodiversity in the sector will help combat advanced persistent threats and cyberwarfare.
Striking the balance between using the best security technologies, automation, and people should be a goal for any organization when pursuing a more effective cybersecurity posture.