By Theo Nassiokas
A “security mindset” is the ability to look for and identify potential or actual compromise. This could be compromise or potential compromise of a process, system, application, operating system, platform, infrastructure and even a person; yes, a human being. This might sound strange to many, but people can be and have been compromised, and this is certainly not limited to fooling people with phishing email to obtain their credentials. Why is having a security mindset important for security practitioners? Because the security practitioner needs to be on the lookout for anomalies that may lead to compromise. Having a security mindset means that the security practitioner’s default will be to look for compromises, thereby identifying control weaknesses.
A security mindset can have different contexts and can therefore have different objectives. For example, in the context of the COVID global pandemic, having a security mindset leads to greater resilience; if you’re a criminal, having a security mindset leads to avoiding identification or evading capture; and if you’re a security practitioner, having a security mindset leads to proactively identifying actual or potential compromises, and then either remediating the security weaknesses if you’re a ‘white hat’ security practitioner or exploiting them if you’re a ‘black hat’ security practitioner.
Can anyone be trained to have a security mindset? To some degree of effectiveness, yes. But not everyone can be trained to have the same heightened level of security mindset, just like we can’t all be good at the same things. We all have different strengths and weaknesses. Neurodiverse security practitioners could have an advantage in this regard. Being neurodiverse could provide a heightened security mindset, for instance noticing anomalies or “things that don’t fit” in a specific scenario or context. This would be the case where the neurodiversity exhibited by an individual is suited to identifying differences in expected patterns of behaviour, for example as found in a process.
A process-driven security activity would follow a series of repeatable and repetitive steps. For example, in a Secure By Design process, the security artefacts required within each stage of the project development life cycle would represent a constant pattern in terms of the documentation required, the data to be completed within each document and the persons authorised to sign off each of these documents. A neurodiverse security practitioner running a Secure By Design process would achieve a very high level of competence in establishing process patterns and identifying anomalies that may be introduced into the process, for example incorrectly signed-off, incomplete or incorrectly completed documentation. Additionally, and unlike most neurotypical people, neurodiverse people generally have a far higher tolerance for remaining focussed on tasks for extended periods of time. This adds process efficiency and increases process quality.
Do you value a security mindset? Are you seeing the benefits of your team applying a security mindset? When recruiting, do you consider neurodiverse people for security job roles, as part of your diversity agenda? Identifying neurodiverse people to help execute security processes could provide a heightened security mindset that is able to identify actual or potential compromise more efficiently than neurotypical security practitioners.