updated 15/8/23
The UK’s cyber security skills gap is well publicised – but addressing it remains a key concern for those in the industry and the UK as a whole.
With a 14,000 short fall in practitioners, it’s clear that stakeholders across the industry need to work together to build a deeper, broader pool of talent across the cyber industry. Attracting more people into the sector, be they college leavers or mid-career switchers, is key to this. The sector also needs to work to be as inclusive as possible, so that potential new entrants to the industry don’t perceive attributes such as their gender, heritage, or socio-economic background as a barrier to entry.
In addition to this, it’s also important for the industry to embrace the contribution neurodiversity can bring to the sector as it seeks to attract more talent.
So, what is neurodiversity? It’s estimated that around 15% of the UK population is neurodiverse, though it’s difficult to know for certain how many are undiagnosed. While the term is often associated with autism, it can also refer to people with ADHD, dyslexia, dyspraxia, Tourette’s syndrome, or many other neurological conditions, making this a broad category that is diverse in itself.
While some neurodiverse people may initially be interested in computing as a career, ensuring that the hiring process is as inclusive as possible is important to make sure capable candidates are given an equal opportunity, particularly given navigating a traditional interview process can often require skills that are not integral to the job itself.
With this in mind, it’s important to remember that all neurodiverse people, or even those with the same neurological condition, are not a homogenous group. Everyone has different skills, and different areas where they need further support, regardless of whether they are neurodivergent or not. In fact, this diversity is a strength, as different ways of processing information or approaching problems can be hugely beneficial in ensuring security systems are as robust as possible. It’s therefore imperative that we build on the existing diversity across the sector by continuing to demonstrate – and make accessible – the varied roles available for people with a host of different attributes.
This isn’t just an issue for the cyber security sector; according to the National Autistic Society, there are an estimated 700,000 people in the UK on the autistic spectrum, but only 16% of adults in this group are in full time employment. Making companies and their hiring processes more accessible to neurodiverse people could not only increase the number of neurodiverse people in full time work, but also tap into a new pool of talent that previously may have felt excluded.
As a starting point, the Council undertakes blind recruitment to remove unconscious bias in the hiring process, as well as encouraging diversity on recruitment panels. But just doing this does not remove barriers for Neurodivergent people, after all you cannot tell if somebody is dyslexic just by looking at them, and so other adjustments and pathways are needed to make things equal and accessible. The duty to make things equal for people of protected characteristics is a duty upon the organisation not the employee, student or applicant and they do not have to disclose anything, so how do you manage this, and get it right?
This requires some critical thinking on the part of an organisation, depending on what it is you are trying to achieve. For example, a job interview is a kind of a social test, whereby someone with autism may have difficulties and anxiety with social interaction. So, a standard job interview for a technical job that does not require any specific social skills would be very un-fare.
It is time for organisations to change their language and actions to tap into this huge pool of underutilised skills and talent. To do this you will have to tear up the traditional rule book, develop a menu of alternative pathways that are proportionate to the objectives of your organisation. Make those pathways available to all regardless of any dis-closure and allow individuals to choose the path that best suits them but still reflects your business objectives. We cannot tell you what is appropriate for your organisation but here are some examples to support your critical thinking on this important topic:
Scenario | Making This Equal |
You are recruiting for security agents to respond to customer calls, alerts, and tickets. |
Some Neurodivergent people are very calm in a crisis and may have extensive technical knowledge. The job role as an agent would not entail responding without some kind of playbook, training, and prior knowledge. Therefore, proportionately it would be perfectly acceptable to allow all applicants to know interview questions in advance to prepare. |
A Neurodivergent CISO working in an open plan office has sensory issues involving light and noise. |
Giving all staff the ability to vary the light levels within their own work area and have quiet working spaces that staff can go to would make the environment better suited. Homeworking can give staff the option to take full control of their own environment. |
I am a cyber security trainer and I want to make sure that my training is accessible, and the exams do not put a Neurodiverse person at a dis-advantage. |
There is already a lot of supportive best practice available to follow like The Joint Council for Qualifications' Access Arrangements and Reasonable Adjustments has some good advice and examples. But you will need to engage with individuals to find out what is appropriate for them and your examination objectives. |
It is also important to carefully consider the culture within an organisation, does the organisation invite open conversations about what people may struggle with in a non-judgemental way, so that those obstacles can be removed? Do you have a mental health first aider, staff mentors, allies, or employee wellbeing programmes? This might not be possible in a small organisation, but an open-door policy and an empathetic approach may be all that is needed and go a long way to support staff retention.
At a time when the cyber security industry has a skills shortage of roughly 13,500 new people each year to meet demand according to the Department for Science, Innovation & Technology (DSIT), it’s not hard to see why increasing neurodiversity in the industry should be a priority.
There should be diversity among cyber security professionals because the businesses and populations they protect are themselves diverse. Adding valuable perspectives to the conversations around cyber security will only make systems more robust, and this is true across gender, ethnicity, sexuality and neurological condition. Neurodiverse voices are a vital part of the population of the UK, and the cyber security industry can only benefit from reflecting that.
Overall, there is a real opportunity for the UK cyber security industry to open itself up to talent from underrepresented groups across the UK, not only to close the skills gap, but to ensure cyber professionals are a representative group with wide ranging skills and diverse ways of thinking.
New perspectives can channel new solutions, and in an industry focused on problem solving, that’s exactly what we need.