Harnessing Neurodiversity Within Cybersecurity Teams
Neurodivergence, by its name, implies a different way of thinking. The question we wish to examine is whether the inclusion of this neurodiversity can bring something positive beyond the simple expansion of general diversity to and within the cybersecurity teams.
The world is basically divided into those with neurotypical and those with neurodivergent ways of thinking. Neurotypical is ‘typical’ only because it is more common. Neurodivergent simply diverges from the most common. There is no choice in the type – it is fundamentally governed biologically by how the brain works in different people.
It has been said, from the ‘divergent’ viewpoint, that ‘the ‘normal’ brain is easily distractible, is obsessively social, and suffers from a deficit of attention to detail and routine.’ This is what most people have and must work through, largely using a lineal thought process.
The neurodivergent brain is not cluttered with social complications, has a finely tuned sense of detail and focus, and is not easily distracted (this is called hyperfocus). Most importantly, it has a tendency towards non-linear thinking (for which, read problem solving).
Hyperfocus and non-linear thinking have clear and obvious benefits to problem solving in cybersecurity. But neurodivergence is the minority, and like all minorities requires accommodation from the majority in order to flourish.
The two types of neurodivergence that we shall consider are classified as ADHD and ASD (formerly known as Asperger’s syndrome). It is important to note that there are different types and degrees of ADHD, and that an important (but not defining) difference between ADHD and ASD is the ability to ‘socialize’ within a typical society. Aspects of each classification can also be apparent in the other, but in general, ASD has greater difficulty in social constructs.
Neurodivergents are capable of long periods of intense concentration on a single subject. This is called hyperfocus. It is possible in neurotypicals, but the focus is likely to be disrupted by social, image and other neurotypical interruptions that will not interrupt the neurodivergent.
Hyperfocus is similar to the concept of being ‘in the flow’ described by psychologist Dr Mihaly Csikszentmihalyi (sportsmen might describe it as being ‘in the zone’). For Csikszentmihalyi, this state occurs most naturally when two conditions combine: control and arousal. ‘Control’ is natural to neurodivergents. ‘Arousal’ can be considered as extreme interest in the subject.
Neurodivergents have some control over switching into (but not necessarily out of) hyperfocus. If there is a high level of interest in computers, computing and the internet, there is a strong potential for hyperfocused concentration on the subject – which is often channeled towards cybersecurity.
Observationally, an interest in computing is not uncommon among neurodivergents. This is not part of the condition, but is possibly a result of the modern world. Neurodivergent children are ‘different’. Differences are not easily handled by other children, who may tease, criticize or even bully the divergent. This can be exacerbated by both parents and teachers who may fail to understand the neuro differences and classify the child as lazy or inattentive. As a result, neurodivergent children can retreat from the typical. The obvious retreat is the computer in the bedroom, and the computer can become a focus of interest.
Leigh Honeywell, CEO and founder of Tall Poppy, a former technology fellow at ACLU (and herself diagnosed ADHD), points out that it is with the computer and the internet that neurodivergent youngsters find communities of other neurodivergents, find possibly their first friends and realize they are not alone. This tends to concentrate and reinforce the interest in computers and the internet, and heightens the potential for hyperfocus in those areas.
The concept of non-linear thinking (sometimes described as seeing patterns in things not obviously related) is difficult to grasp – especially for the neurotypical mind. Conceptually (this is not a scientific or clinical explanation) think of it like remembering a connection between two stimuli. In cybersecurity, the memory may be that this incident may be associated with that incident and lead to this outcome.
The ability to see the relationships comes from memory. Complex memories are based on connections between different memory snippets. If we don’t have those connections in the memory, we can see neither the problem nor its solution. This is neurotypical problem solving – this can lead to this and result in that. If the incident is not within our linear conception, we do not see it.
The neurodivergent brain does not work like this. It does not rely on known connections stored in memory. Memory is a fog of unrelated incidents that have not been consciously filed as being connected. Nevertheless, the neurodivergent brain can see possible patterns and connections in this much larger fog of incidents and solve problems without being aware of how the solution is achieved.
The closest parallel for neurotypical brains is the idea of ‘sleeping on a problem’. It is not uncommon to be faced with a problem that is so difficult that we give up – yet wake up the next day knowing there is a simple solution. It is our subconscious that works on and solves the problem – possibly in a non-linear fashion – while we are asleep.
Accommodating neurodiversity in the security team
The potential power of harnessing hyperfocus and non-linear problem solving in cybersecurity is obvious. But neurodivergency must be accommodated. The potential for these cybersecurity strengths is not a constant. There will be times where the disadvantages of the conditions are in the ascendency. We’ve all heard the ‘squirrel’ jokes. These can be conceptually accurate but should be considered insensitive (unless both parties are in the same minority). Those periods need to be accepted and helped where possible, and not blindly criticized.
So understanding is key to employing neurodivergency within the security team. This understanding should come from both the team leader and neurotypical members of the team. Casey Ellis – founder, chairman and CTO of Bugcrowd, and diagnosed with ADHD himself – suggests that without personal understanding of neurodivergence, the team leader should consult closely with corporate HR on how to understand and handle neurodivergent personalities.
Medication must also be considered. There are several types of medication for the different types of ADHD. When they work, they work very well, allowing the patient to better handle the more problematic symptoms without eliminating the potential for hyperfocus and non-linear thinking. But there are difficulties. Firstly, the most common method for clinicians to recommend the right drug at the right dosage is simply ‘trial and error’. So not every person’s medication may be optimal all the time. Secondly, the drugs have a half-life. It is important that a neurodivergent person does not work or be expected to work beyond the half-life of the medication without the ability to take his or her next dose.
Flexibility with remote working is an additional option. It is particularly relevant to ASD and its problems with social interaction – but is also useful on occasion to ADHD neurodivergency. The option of being able to work away from the distractions of the office environment can be a powerful coping tool.
Neurodivergence and cybersecurity
The potential for including the advantages of neurodiversity within the cybersecurity team is not just theoretical. In 2012, then UK Home Secretary Theresa May refused a US request to extradite British hacker Gary McKinnon, saying “Mr. McKinnon is accused of serious crimes… He has Asperger’s syndrome…” McKinnon had been accused of breaking into Pentagon and NASA computers, with very little attempt to hide his tracks. He never denied the accusations, but insisted that his hacking was not driven by malicious intent – he was simply looking for information on UFOs.
Similar happened with Lauri Love, a British/Finnish hacker accused of “breaching thousands of computer systems in the United States and elsewhere – including the computer networks of federal agencies – to steal massive quantities of confidential data.” Extradition to the US was again ultimately denied – Love is also ASD.
More recently, it has been reported that the alleged leader of the Lapsus$ extortion gang is a British autistic teenager living near Oxford. Lapsus$’ victims include Microsoft, Okta, NVIDIA, Samsung and Ubisoft, and the alleged leader is thought to have amassed something like 300 bitcoins (by the age of 17).
Lapsus$ members either never heard or simply ignored the advice of Casey Ellis: “It’s OK to think you can use your skills to hack different companies, but remember this: sooner rather than later, you will get caught.”
Ellis is proud that his Bugcrowd endeavor can offer neurodivergent hackers an alternative route, where they can exercise their skills for the good of society rather than its detriment. Bugcrowd’s report, Inside the Mind of a Hacker 2021 reports that no less than 21% of the Bugcrowd ethical hackers are neurodivergent.
One of them, Katie Paxton-Fear, comments, “I speak all about autism because it’s what I have, so therefore I know a lot more about it. But someone who is autistic can have hyperfocus moments where they are so invested in something, it is all they can focus on. They can focus for hours on one thing. And that is a real advantage because if you have somebody like that looking at your website, you have got the most dedicated security tester, right? You have got somebody that will go above and beyond because it is something they really enjoy.”
She also describes non-linear thinking, which she calls lateral thinking (a term made famous by Maltese psychologist Edward de Bono in his book The Use of Lateral Thinking). “Most people can think of ten uses for a paperclip,” she says, “but people who are really good at what’s called lateral thinking, don’t just stop at thinking of a paperclip as a small, metal thing. They think, what if the paperclip was huge? What if the paperclip was made of glass? What if the paperclip was on your computer as an animated character telling you how to solve problems? We want people to be able to think outside the box…”
Society almost channels neurodiverse youngsters towards an interest in computers and the internet – and by natural extension, towards hacking. There is no ethical imperative in neurodiversity, so it is natural that some become black hat hackers. But this is as much the fault of society not offering an alternative than any natural inclination to be bad.
Organizations like Bugcrowd can and do offer a legitimate use and outlet for these skills – and the wider cybersecurity ecosphere benefits from it. However, these skills could have a more direct and immediate benefit to individual companies if they are employed and harnessed within the corporate security team. Non-linear thinking combined with a propensity for hyperfocus can be a powerful tool for detecting weaknesses in your defense, or existing stealthy intrusions.
Put simply, high functioning (that is, ‘intelligent’ in neurotypical terms) neurodivergents with an interest in computers and the internet are not candidates that security leaders should avoid. They could be a valuable addition to the general diversity of a security team, and are potentially top-grade, problem-solving threat hunters and policy analysts.
SecurityWeek would like to thank Leigh Honeywell (Tall Poppy) and Casey Ellis (Bugcrowd) for spending many hours helping us to a basic understanding of neurodivergence. Both are themselves diagnosed as ADHD. Both are also company founders – and proof that neurodivergence does not preclude success in a neurotypical world.