11/28/2018, 10:30 AM
Lysa Myers
Commentary

The "Typical" Security Engineer: Hiring Myths & Stereotypes

In an environment where talent is scarce, it's critical that hiring managers remove artificial barriers to those whose mental operating systems are different.

The more we learn, the more it becomes clear that there is no "universally optimal" brain. We all have our own unique strengths and weaknesses. Things we do to help people with different neurotypes aren't just accommodations for rare individuals. Being considerate of each other's mental operating systems can improve everyone's functionality.

Each year brings more reports that document the challenges of hiring in cybersecurity, with an alarming number of unfilled positions. But this may ring hollow to those struggling to find work in the industry. There are many factors that cause this discrepancy, and today let's look into one such area: inclusive hiring practices for neurodiversity.

Defining Neurodiversity
Most of us have a clear mental stereotype of a "typical engineer." This may include personal issues and quirks as well as traits that help people succeed in intellectually demanding jobs. The positive qualities include things like intense specialized interests, laser-like focus, creative and vivid imagination, or the ability to find signals within noisy data sets.

From a neurological perspective, many of these traits — both positive and more challenging ones — frequently intersect with signs of "mental operating system" differences such as autism and attention deficit hyperactivity disorder. As a result, popular tech-hiring practices can sometimes put off the very people who have always been an important part of science and technology.

Neurodiversity also includes a wide variety of neurological differences related to developmental and learning disorders, mental health conditions, and mental perception variances such as amusia and aphantasia. Individuals are referred to as "neurodivergent" while groups of people are referred to as "neurodiverse." While many people define these variations as "disabilities," the traits can and do bring benefits to individuals as well as potential employers.

Hiring Benefits of Neurodiversity
Part of the benefit of having diversity is that it improves the breadth of knowledge within your organization. People with different brains — as well as genders and ethnicities — will have different backgrounds as well as strengths. And naturally, they'll have different security and privacy concerns, most of which will not be obvious to people outside of those groups.

Paying extra attention to hiring practices can help you root out ways you might be generating "false negatives" that exclude neurodiverse job candidates for reasons that have nothing to do with their ability. In an environment where talent is scarce, it's imperative to remove artificial barriers to entry.

It's also important to understand that women and minority communities tend to have high rates of under-diagnosis, so they may not be identified as neurodivergent. And because the constellations of qualities that lead to someone being identified as neurodivergent also occur in "neurotypical" people, being inclusive will help everyone. Here are five neurodiversity hiring practices to keep in mind:

Set Expectations Early and Often
Hiring is seldom a straightforward process because there are many variables that can affect timing. But it's important to tell people what your process is and to give them a window of time in which steps should occur, including notifying applicants if they were not chosen for the position. If you need to deviate from that schedule due to unforeseen circumstances, it's best to notify candidates as early as possible rather than leave them guessing. Once someone has been hired, set them up to succeed by continuing to set goals and schedule dates for deliverables, including discussion about deferred activities.

Err on the Side of Clarity
Not everyone processes information the same way. Some people prefer text to verbal instructions, or they may understand diagrams better than written words. Some may misunderstand idioms or interpret things very literally. It's better to cover all your bases, and stick to simple and clear descriptions. If the option is available, ask people their preferred communication method and double-check that your words are interpreted as you intended them. When you're not able to ask, err on the side of providing as many options as are appropriate.

Consider Your Job Ad Wording
It can be difficult to communicate the level and types of skills a prospective employee is expected to have. This is most commonly done with numbers — for example, "five years of experience" with a certain technology or in a certain position. But there's nothing intrinsically magical about five years of experience. You can express the same idea more clearly by rewording it as "experience with" or "fluent in," or other phrases that more clearly express the problems you're trying to solve or the level of familiarity with a technology that you require.

Stick to Criteria that Pertain to the Position
Coders don't necessarily need to maintain a lot of eye contact to be effective. Being a social butterfly doesn't indicate someone is a better reverse engineer. Make sure that the criteria on which you're judging candidates are decided by a group of interested parties in advance, that they pertain to the job at hand, and that they are the deciding factors that employees are graded on.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...
Comments
Joe Stanganelli, User Rank: Ninja
11/30/2018 | 10:23:14 PM
Re: Very few understand security
@REISEN: Well, sure, in a better world, we wouldn't have this outsourcing. We'd have companies investing in their staff, which only happens if you're willing to be imaginative in your hiring practices and commit to your employees.

Oh, well.
REISEN1955, User Rank: Ninja
11/30/2018 | 8:29:45 AM
Re: Very few understand security
True to the extent of "most jobs" like planning, human resources, plumbing, etc. These are long-known jobs that have a history and thus plenty of qualified folk. Cybersecurity is relatively new and in IT with only the past 5 or 10 years at max. Plus IT is now jaded as management often outsources to India (Wipro, been there, done that) without regard to QUALITY of work - just the expense of it. So few people now enter the field because of the good chance their career job will be decimated. Why go there? Less so with cyber security but the effect lingers. Why go there too?
Joe Stanganelli, User Rank: Ninja
11/29/2018 | 11:13:56 PM
Re: Very few understand security
@REISEN: In some areas, like AI, some companies are hiring people in STEM fields other than computer science, like astronomers and physicists, with the idea that they can apply and adapt their mathematical and scientific expertise to AI programming.

That's probably what cybersecurity needs -- instead of HR people looking to check a bunch of boxes. Most jobs people don't know how to do until they start doing it. Cybersecurity is no exception.
Dr.T, User Rank: Ninja
11/29/2018 | 1:10:45 PM
Re: Very few understand security
"With a nod to James Bond to aggressively kill and hunt the stuff. It is not a dull and boring field." Agree. Not at all. It is getting more and more attraction and that is good for the IT field.
Dr.T, User Rank: Ninja
11/29/2018 | 1:09:04 PM
Re: Very few understand security
"So staff is hard to find. Then you have the investigative mindset." Makes sense. We just hired a new graduate developer and he found another good-paying job in 6 months.
Dr.T, User Rank: Ninja
11/29/2018 | 1:07:46 PM
Re: Very few understand security
"You have to be hired to get experience and that requires a cert so you don't get hired thus staff does not exist." Good point. It is mainly learning on the job in most cases.
Dr.T, User Rank: Ninja
11/29/2018 | 1:06:15 PM
Re: Very few understand security
"Certifications are darn hard to obtain and having experience is the best route to that but," Agree with this, and some are useless anymore.
Dr.T, User Rank: Ninja
11/29/2018 | 1:05:09 PM
cybersecurity
"Each year brings more reports that document the challenges of hiring in cybersecurity, with an alarming number of unfilled positions." This is true for us too; we could not find the right resource for cybersecurity.
REISEN1955, User Rank: Ninja
11/28/2018 | 3:18:59 PM
Very few understand security
This field is like the wild west right now - few people are good gunslingers, fewer know how to shoot. Certifications are darn hard to obtain and having experience is the best route to that but, well, you have to be hired to get experience and that requires a cert so you don't get hired thus staff does not exist. Endless circle of frustration. Some who have experienced malware and ransomware understand it, a few know how to defeat it. I did twice for my clients many years ago (catalog backups). So staff is hard to find. Then you have the investigative mindset - one has to be Sherlock Holmes to find Moriarty these days. With a nod to James Bond to aggressively kill and hunt the stuff. It is not a dull and boring field.