Cyber threat activity is at an all-time high. With the pandemic and rapid digitization of financial services that has accompanied it, cybersecurity professionals have never been in more demand. Yet we are facing an acute talent shortage; the industry effectively has negative unemployment. One way we are helping to solve this problem at Bank of America is to focus a piece of our recruitment and retention efforts on neurodiversity.
Neurodiversity is a medical term that encompasses a spectrum of diagnoses such as autism, Asperger’s, dyslexia, and OCD. It is not widely known that a superpower of neurodiverse people is that they process information differently, which can be a tremendous benefit to cybersecurity teams, especially in our current environment.
My journey to becoming an ally to those who are neurodiverse started a few years ago. One of the women on the team is, in my opinion, one of the world’s best cryptographers, which is a deeply technical and mathematical skillset. I was chatting with her during one of our regular meetings, and she asked, “Did you know I’m neurodivergent?” I was taken aback; I’d never heard the term. She explained to me that she processes information differently, and said that I could do some things differently to help her be more successful at her job, including sending her an agenda ahead of meetings. That way, she would be able to prepare better answers, because she needed time to review the information and process. When I began doing that, she went from great to truly extraordinary. That is when I realized I knew nothing about neurodiversity.
So I held a town hall with our 3,000 Global Information Security employees from around the world where I and others talked openly about neurodiversity, and why we need these kinds of smart minds around our table. After the meeting, I got a flurry of emails from people saying they were neurodiverse or someone in their family was. I realized there was a potentially huge pool of untapped talent. In response, my team and I decided to be more intentional about how we both recruit and retain neurodiverse talent, as well as how we grow people’s careers.
Neurodiverse teammates make us a stronger organization. As with any institution of the size and scope of Bank of America, it is business-critical for us to anticipate what threat actors may do and, in response, put controls in place long before an attack hits us. So having a diverse and inclusive cybersecurity team is not just the right thing to do, it is an imperative. If you do not have people thinking about the problems in different ways, you are going to miss something. You are effectively giving a strategic advantage to your adversary.
Beyond that, there are specific – and highly sought after - cybersecurity skills that neurodiverse people seem to excel in, such as cryptography, data analytics, and reverse malware engineering. Their different ways of processing information enable them to see patterns neurotypical people like me do not.
For example, while we use machine learning and artificial intelligence to aid in processing the billions of alerts we get every day, those technologies are only as good as the models human design and the teammates overseeing them. After a month immersed in our data lake, one of our neurodivergent analysts came up with a new model to better understand whether people were handling information appropriately, which drove an improvement in our overall control structure. I already have some of the best data analysts in the world, but this one person was able to drive outcomes we had never thought of before simply because he thought differently about data.
That’s not to say neurodiverse people only function well in purely technical roles. Richard Branson is dyslexic, and therefore neurodivergent, but he is a CEO. Our goal is not to designate roles for neurodiverse individuals; it is to help craft career paths for them where they can succeed.
The first step in harnessing neurodiversity for the benefit of the firm is to help people feel comfortable saying that they are neurodiverse. For that, having executive allies talk about it goes a long way. Once people feel “seen,” it creates a ripple effect and those who are neurodiverse see there is no penalty for being self-aware and open with who they are.
The more you learn about how neurodiverse people work, the more you learn how to help them be more effective at their jobs. Small changes in workflows or behaviors benefit not only those who are neurodiverse, but neurotypical teammates, too. One example is sending agendas ahead of meetings, as I described earlier. As our managers were trained to better work with neurodiverse teammates, they got better at working with everyone. For example, neurodiverse people tend not to do well with open-ended questions, so being more direct and asking for specific or even binary answers gets better outcomes. And it turns out that improves communication and results with neurotypical teammates as well.
So if you want to improve your company or your organization, adopting a neurodiverse hiring strategy is key. Understand that you don’t need to have all the answers before you embark on a program like this. Third party partners who have experience in this space can be valuable allies. We now work with a non-profit, Neurodiversity in the Workplace, on a program to both recruit and retain neurodiverse talent. It was important to me that the program not be a “bolt-on,” but that it be integrated into our entire hiring and retention strategy, just as those who are neurodiverse are fully integrated into our teams. In our most recent hiring sprint, we have hired more than 20 neurodiverse people onto my team. Interestingly, the percentage of people in this program who went on to get offers is higher than any of our other recruiting programs.
Fewer than one in six autistic people have full-time employment. And yet there are clearly highly talented people who are in this underutilized and often stigmatized group. My hope is that by sounding the call that we are committed to nurturing neurodiverse talent, those people will come and build careers with us instead of working in unsatisfying jobs.
For firms committed to diversity and inclusiveness, adding neurodiversity into their strategy can only be of great benefit. Our firm is on a journey to represent the diversity of the customers we serve every day, which means our cybersecurity team needs to reflect that. Beyond being the right thing to do, we get better outcomes. Finally, given the severe talent crunch we face in cybersecurity at a time where cybercrime levels have never been higher, recruiting and retaining the relatively untapped pool of neurodiverse talent is a competitive advantage.
© 2023 FS-ISAC, Inc. All rights reserved.
Craig Froelich is chief information security officer for Bank of America. He leads a team of experts in 13 countries dedicated to protecting the money and information of the company’s individual consumers,...Read More
small and middle-market businesses and large corporations. The Global Information Security (GIS) team provides defenses for current and future threats within the company and partners closely with industry and government associations to keep the sector secure. GIS inventors have filed or been granted more than 650 cybersecurity patents. The team won the 2018 Information Security Team of the Year from SC Magazine in addition to a 2018 CSO50 Project Award and the 2017 Information Security Executive® Southeast Project of the Year. Craig has also received industry awards for his leadership. Before his current role, he led the Cybersecurity Technology team, responsible for innovation and architecture, engineering, development, deployment, maintenance and support of technology security controls. In addition, Craig has held roles in managing the company’s security operations, insider threat and information protection programs. Prior to Countrywide Financial’s acquisition by Bank of America, he was responsible for Countrywide’s cybersecurity technology, data and voice networks, crisis management and security operations. Before joining Bank of America in 2001, Craig held executive management roles at consulting firms and security service organizations. He has more than 10 years' experience in product management and application development for software and hardware companies and technology service providers. He has long supported programs that narrow the gender gap in technology, serving as an executive sponsor for Girls Who Code and participating in the company’s employee networks, and advocacy groups such as Women in Technology & Operations. The GIS team strives for innovation through a commitment to diversity of talent, recruiting women, military veterans, people of color and members of the LGBTQIA community. Craig serves as the chair of the Financial Systemic Analysis & Resilience Center. He is a former chair and current member of the Financial Services‒Information Sharing and Analysis Center’s board of directors, and he is a former chair and current member of the Executive Committee of Financial Services Sector Coordinating Council. He also serves on the board of Sheltered Harbor and the executive committee of BITS, the technology policy division of the Bank Policy Institute.