Embracing Neurodiversity Within Information Security

Security’s unique cultural and complexity challenges benefit from neurodiverse perspectives.

Melodie Wilson, Scott Behrens

Summary

• Learn more about neurodivergence and why a diverse team produces better results in many different fields of business.
• Get practical examples of skills that people of all neurotypes bring to strengthen your information security program.
• Tips for getting started on building a neurodiverse team.

Terminology

Let’s start with standard terminology and language to set the stage. We borrowed much of our terminology here from our stunning Netflix colleague Julia Stern, Inclusion Manager at Netflix. Let’s start by defining neurotype, a type of brain structure and function in terms of how one interprets, processes, and responds to stimuli. Neurotypical refers to the most common neurotype or most common cognitive functioning. Neurodivergence refers to the neurotypes that diverge from the most common or typical neurotype or cognitive functioning. Some examples, while not all-inclusive, would be autistic, dyslexic, or ADHD. Neurodiverse[1] refers to a group in which not everyone has the same neurotype.

The Science Behind Neurodivergence and The Technology Industry

Many articles support the benefits of neurodiversity in the workforce, with fewer articles on the tech sector and even fewer on the security industry. There is consistent data supporting the positive benefits of diversity in teams and leadership roles [2]. While the research for neurodiversity in the workforce is still emerging, some signals indicate it provides similar advantages to those offered by other types of diversity.

Neurodiversity and InfoSec are Complimentary

Let’s start by examining a few peer-studied strengths of neurodivergent individuals. We provide citations for these studies in the works cited section. We would like to clarify that these strengths are neither inclusive of all strengths nor present in all neurodivergent individuals. We also want to emphasize that these strengths can be found in neurotypical individuals and are not unique only to neurodivergent individuals. We cite each strength and suggest specific information security roles, functions, or problem sets that benefit from neurodivergent individuals. We also share personal stories on our experiences and how we leverage those strengths in our work.

Creative thinking [3]

Individuals with strong creative thinking can excel in threat modeling or security assessments, considering or assessing the probable ways an attacker may target a system. Additionally, people with strong creative thinking can devise non-obvious ways to bypass security controls to conduct red team exercises.

Visual-spatial reasoning ability [4,5]

Attack graphs and attack analysis are intricate tools and work to represent the multiple paths an attacker could take visually to achieve their objective. People who excel at visual-spatial reasoning can quickly comprehend this complexity, discern relationships between nodes, and rapidly identify vulnerable paths. Furthermore, their ability to recognize patterns can help simulate different attack paths and identify the optimal placement for deploying defenses. Malware analysis has similar characteristics, including complex visual components such as call trees, code execution patterns, and obfuscation. For instance, individuals who excel at visual-spatial reasoning can be well-equipped to detect subtle differences in steganography used in malware and C2 infrastructure.

Scott — At Netflix, I currently lead our security posture lifecycle program, which focuses on helping the team use an attacker-focused lens to manage security risks. I have successfully built a methodology that allows us to decompose our enterprise’s top risks into the attacks used to achieve them and access our control posture against them. My strengths in visual-spatial reasoning have helped me build a lifecycle that can tame the complexity of attack graphs. This lifecycle allows us to identify hot spots and attack patterns common across many risks to ensure we prioritize the most important work.

Hyper-focus, passion, and courage [6]

Incident response can benefit from folks who concentrate deeply on the required tasks and are courageous in decision-making when there are tough trade-offs. Incident response and forensics will frequently result in deep-dive investigations where detailed-oriented, focused examination of logs, code, and patterns are necessary.

Melodie — when investigating bug bounty reports, there is a tendency to explore reports with only the surface details provided. However, without thorough investigation, security engineers can sometimes miss the spirit of the report and risk closing out a valid bug report. I’ve had several opportunities to further explore bugs from our bug bounty program, dig into additional instances not reported, and provide a more comprehensive remediation plan that ultimately helped make Netflix more secure. Using my passion for helping to protect our subscribers and digging into the courage it takes to advocate for additional investigation and remediation are all skills that help me to be a more effective security engineer.

Scott — During the 2014 Shellshock vulnerability, I could lock into hyperfocus mode and quickly write a Python task to identify vulnerable instances across the Netflix fleet. During this time, I was able to ignore all other distractions, resulting in a solution that we could use to identify and mitigate the vulnerability quickly.

Innovative thinking and detail observation [7]

People with innovative thinking and detail observation tend to come up with novel solutions and the meticulousness to notice fine details often overlooked by others. Vulnerability research benefits from those who can observe those fine details that are often overlooked and can manage the complexity involved when developing novel exploits. Forensics work benefits from those who can recognize traces (such as timestamps, log alterations, and file metadata) and have a strong attention to detail, especially when navigating complex attacks. Security Architecture Design requires one to consider security solutions tailored to a specific organization’s needs and benefits from innovative thinking that can balance business needs (such as productivity, time to market) against security needs (like risk reduction).

Scott — In 2021 and 2022, I worked with several colleagues on our data protection strategy and technical design. I leveraged my strengths in innovative thinking to co-develop a data protection lifecycle that is simple to execute, easy to measure the effectiveness of, and defensible when it comes to showing how it reduces risk. Our strategy at a high level focuses on five stages: Data Visibility, Data Classification, Data Handling Guidelines, Data Platform Control Readiness, and Control Adoption. Each phase provides distinct benefits and has quantitative metrics to show progress. Our design also ensured our data protection program could address changing business practices and increased regulatory scrutiny driven by emerging data governance laws.

High verbal comprehension, visual-spatial skills, and storytelling [8,9]

Neurodiversity encompasses many neurotypes, and some neurotypes are particularly adept at synthesizing the spoken word and verbally articulating complex concepts to audiences. A recent paper by Ernst & Young highlighted this skillset as a particular strength for many professionals with Dyslexia. One example of how this relates to information security is the ability to express nuanced and complex topics, such as the importance of investing in risk reduction strategies for a proposed software architecture. Utilizing those crucial verbal communication skills becomes a superpower when communicating the “whys” of investing the necessary resources required to improve a product or service’s security posture.

Conclusion

We discussed several ways that embracing neurodiversity in Information Security benefits an organization. However, these examples merely scratch the surface, and the potential benefits are undoubtedly more comprehensive. We’ve shared our personal experiences as neurodivergent security professionals. We hope that others will see the value of continuing to invest in inclusion strategies that not only encourage work that all neurotypes can contribute to but also foster environments where security professionals can thrive in the ever-changing landscape of information security.

Getting Started on Building and Making Your Neurodiverse Team Successful

Providing an environment that is inclusive of neurodivergent professionals improves outcomes for both neurodivergent and neurotypical colleagues, in terms of enhanced organizational effectiveness, stimulating innovation, boosting productivity, and creating a thriving work culture. Moreover, committing resources to create environments where colleagues of all neurotypes can grow and thrive serves as an effective strategy to ensure the success of the whole team. As our stunning colleague, Christine Chalmers, articulately stated, “Everyone will have a diverse set of abilities and disabilities. There is no human without needs.”

Are you excited about what you should do next to grow a neurodiverse team?

We’ve compiled below a list of resources and additional strategies for cultivating and supporting neurodiversity within your team.

1. Leverage EARN’s Finding Candidates with Disabilities.
2. Ensure your job descriptions use inclusive language.
3. Design an interview plan that helps candidates understand how they are evaluated and the outcomes you seek (e.g., avoid vague questions, watch out for assumptions).
4. Remove barriers for the candidate in the interview process (e.g., minimize distractions, provide flexible options for interview schedules).
5. To mitigate biases in interviews, actively engage with the experiences of neurodivergent workers and leaders. Understand and acknowledge the equal importance of neurodivergent and neurotypical minds, avoiding assumptions that others think and process information as we do.

Are you energized to make your neurodiverse team successful?

Here is a list of practical advice and recommendations that you can use to ensure your neurodiverse team thrives.

1. Remember that people process information in different ways. When delivering important information, such as feedback, ask the individual how they best receive and process information, whether written or verbal, email or text, etc.
2. Share clear behavioral guidelines to help ensure employee success (e.g., meeting etiquette, sharing new ideas, expected working hours, etc.)
3. Consider flexibility in scheduling and deadlines to support professionals with different ways of focusing during certain times of the day or week.
4. When evaluating performance, consider whether expectations are inclusive of neurodivergent professionals. For example, many neurodivergent individuals struggle with social expectations, such as maintaining eye contact when speaking or being spoken to. Expecting eye contact in meetings does not focus on outcomes and can exclude an otherwise high-performing neurodivergent professional from being evaluated fairly.
5. Seek feedback from neurodivergent colleagues to discover if some modifications or changes would improve the employee’s success.

Bios

Hello there, my name is Melodie (she/her), and I am a person with ADHD. At Netflix, I work as an Application Security Engineer, focused on reducing infrastructure risk across the Netflix ecosystem. Some of the major areas I have worked on include identifying risk in emerging software infrastructure in Games and in Growth Engineering, and contributing to baseline requirements for our most critical applications. Additionally, I have worked on identifying changes to our risk profile of existing infrastructure in our authentication and authorization ecosystem.

I have been interested in bringing light to neurodivergence in the Information Security field, as I have experienced it firsthand, both as a neurodivergent person, and a person with neurodivergent friends and family. While my experience is only my own, my hope is that sharing my unique point of view will resonate with others who might be in similar positions, or with those who are open to learning about an experience they do not share.

Hi Folks I’m Scott (he/him) and I’m an ADHD person. At Netflix, I currently work as a principal security engineer, focusing on driving solutions to large and complex cross-functional problem areas that often span security, privacy, and enterprise risk. My focus at Netflix is on developing technical strategies and architectures to manage security and privacy risks while improving user productivity efficiently. I develop these strategies cross-functionally with the help of experts across many disciplines, and I focus much of my time on mentorship to level up team members. My notable projects in the last few years include data protection, enterprise identity and access management, attacker-driven risk management & continuous control assurance.

I’ve been passionate about increasing awareness and advocacy for neurodivergent individuals as I witnessed the additive strengths of neurodiverse cross-functional teams within the projects I lead.

What has motivated me to work with Melodie on this blog post is my hypothesis that the unique problems we face in the security domain are primed to be solved more effectively with neurodiverse teams. I have witnessed the additive strengths of neurodiverse cross-functional teams within the projects I lead. The perspectives I share in this blogpost are unique to me and may not reflect your experience as a neurodivergent person. I am not an expert in neurodiversity! But I hope these perspectives strengthen or provide context to you on the value of seeking to create neurodiverse teams within the information security field.

Research Works Cited

1. https://www.psychologytoday.com/intl/blog/my-life-aspergers/201310/what-is-neurodiversity
2. https://www.mckinsey.com/capabilities/people-and-organizational-performance/our-insights/why-diversity-matters
3. White HA, Shah P. Uninhibited imaginations: creativity in adults with attention-deficit/hyperactivity disorder. Pers Individ Dif 2006
4. Grant D. The psychological assessment of neurodiversity In: Pollak D. (ed.). Neurodiversity in Higher Education. Chichester, UK: Wiley-Blackwell, 2009
5. Karolyi C, Winner E, Gray W et al. Dyslexia linked to talent: global visual-spatial ability. Brain Lang 2003
6. Armstrong T. The Power of Neurodiversity. Cambridge, MA: De Capo, 2010
7. Armstrong T. The Power of Neurodiversity. Cambridge, MA: De Capo, 2010
8. Eide B, Eide F. The Dyslexic Advantage. Plume: New York, NY, 2011. [Google Scholar]
9. Grant D. The psychological assessment of neurodiversity In: Pollak D. (ed.). Neurodiversity in Higher Education. Chichester, UK: Wiley-Blackwell, 2009,33–62 [Google Scholar]
10. https://adhdatwork.add.org/help-adhd-employees-succeed/
11. https://www.forbes.com/sites/victorlipman/2017/05/19/2-valuable-tips-to-help-manage-employees-with-adhd/#5326c6c6ed67