The "Typical" Security Engineer: Hiring Myths & Stereotypes
In an environment where talent is scarce, it's critical that hiring managers remove artificial barriers to those whose mental operating systems are different.
The more we learn, the more it becomes clear that there is no "universally optimal" brain. We all have our own unique strengths and weaknesses. Things we do to help people with different neurotypes aren't just accommodations for rare individuals. Being considerate of each other's mental operating systems can improve everyone's functionality.
Each year brings more reports that document the challenges of hiring in cybersecurity, with an alarming number of unfilled positions. But this may ring hollow to those struggling to find work in the industry. There are many factors that cause this discrepancy, and today let's look into one such area: inclusive hiring practices for neurodiversity.
Defining Neurodiversity
Most of us have a clear mental stereotype of a "typical engineer." This may include personal issues and quirks as well as traits that help people succeed in intellectually demanding jobs. The positive qualities include things like intense specialized interests, laser-like focus, creative and vivid imagination, or the ability to find signals within noisy data sets.
From a neurological perspective, many of these traits — both positive and more challenging ones — frequently intersect with signs of "mental operating system" differences such as autism and attention deficit hyperactivity disorder. As a result, popular tech-hiring practices can sometimes put off the very people who have always been an important part of science and technology.
Neurodiversity also includes a wide variety of neurological differences related to developmental and learning disorders, mental health conditions, and mental perception variances such as amusia and aphantasia. Individuals are referred to as "neurodivergent" while groups of people are referred to as "neurodiverse." While many people define these variations as "disabilities," the traits can and do bring benefits to individuals as well as potential employers.
Hiring Benefits of Neurodiversity
Part of the benefit of having diversity is that it improves the breadth of knowledge within your organization. People with different brains — as well as genders and ethnicities — will have different backgrounds as well as strengths. And naturally, they'll have different security and privacy concerns, most of which will not be obvious to people outside of those groups.
Paying extra attention to hiring practices can help you root out ways you might be generating "false negatives" that exclude neurodiverse job candidates for reasons that have nothing to do with their ability. In an environment where talent is scarce, it's imperative to remove artificial barriers to entry.
It's also important to understand that women and minority communities tend to have high rates of under-diagnosis, so they may not be identified as neurodivergent. And because the constellations of qualities that lead to someone being identified as neurodivergent are not traits absent in "neurotypical" people, being inclusive will help everyone. Here are five neurodiversity hiring practices to keep in mind:
Set Expectations Early and Often
Hiring is seldom a straightforward process because there are many variables that can affect timing. But it's important to tell people what your process is and to give them a window of time in which steps should occur, including notifying applicants if they were not chosen for the position. If you need to deviate from that schedule due to unforeseen circumstances, it's best to notify candidates as early as possible rather than leave them guessing. Once someone has been hired, set them up to succeed by continuing to set goals and schedule dates for deliverables, including discussion about deferred activities.
Err on the Side of Clarity
Not everyone processes information the same way. Some people prefer text to verbal instructions, or they may understand diagrams better than written words. Some may misunderstand idioms or interpret things very literally. It's better to cover all your bases, and stick to simple and clear descriptions. If the option is available, ask people their preferred communication method and double-check that your words are interpreted as you intended them. When you're not able to ask, err on the side of providing as many options as are appropriate.
Consider your job ad wording
It can be difficult to communicate the level and types of skills a prospective employee is expected to have. The way this is most commonly done is with numbers — for example, such as "five years of experience" associated with a certain technology or position. But there's nothing intrinsically magical about five years of experience. You can express the same idea more clearly by rewording it as "experience with" or "fluent in," or other phrases that more clearly express the problems you're trying to solve or level of familiarity with a technology that you require.
Stick to Criteria that Pertain to the Position
Coders don't necessarily need to maintain a lot of eye contact to be effective. Being a social butterfly doesn't indicate someone is a better reverse engineer. Make sure that the criteria on which you're judging candidates are decided by a group of interested parties in advance, that they pertain to the job at hand, and that they are the deciding factors that employees are graded on.
Related Content:
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024