‘Think about problems in a different way’: Inside the Bank of America CISO’s neurodiversity push

Craig Froelich, chief information security officer of Bank of America Merrill Lynch, described how cybersecurity is not just a technology risk during a 2017 annual meeting of the Securities Industry and Financial Markets Association. (SIFMA)

Diversity and inclusion programs gained a great deal of traction in the last few years as a means of hiring minorities, women and other underrepresented members of the modern security workforce. Certainly, that's a positive development.

But Craig Froelich, chief information security officer at Bank of America, is concerned that one group may be getting overlooked: “I don't know that they've necessarily thought about neurodiversity,” said Froelich, who leads a global team of infosec professionals tasked with defending the $91.2 billion institution’s data and financial assets.

Many might not even realize workers in their organizations are neurodivergent – those with attention-deficit/hyperactivity disorder, autism, dyslexia or dyspraxia, perhaps. Froelich found that to be the case as he learned more about his team over the years. And as his interest grew, he began to seek out more of these individuals, with the understanding that neurodiverse people can sometimes offer a different way of thinking that can prove beneficial to cyber trades such as forensic malware analysis and cryptography.

Froelich spoke with SC Media about this ongoing initiative.

How did you personally become so attuned to the issue of neurodiversity in the work environment?

One of the interesting things about cybersecurity is that in order for you to be able to really anticipate the actions of an adversary and make sure that you have the right defenses in place long before the threat is at your doorstep, you need to be able to think about that problem from all different angles. And so diversity, inclusiveness has got to be part of your talent management strategy. It is not just the right thing to do, but it is actually paramount in order to be successful – or at least to be able to give you an opportunity for success when it comes to cybersecurity.

Neurodivergent people are already in our organizations. And they are already a part of our teams. They’re already providing great services for us today. And when I started to ask the question of who's neurodivergent [on my team], and people started raising their hand – and we started to remove the stigma from what it meant to be neurodivergent – it was something that was fascinating as to how important and critical they were to our success.

So I said: How do we find and tap into these people more? And that's when we started thinking about building out an entire way to be able to attract and bring people into the team to be able to augment the folks we already had.

Is there an organization companies can work with that specifically aims to find employment for neurodiverse individuals?

There are absolutely partners that you can work with. We've got a very good partnership with Neurodiversity in the Workplace. But by no means are they the only folks in this space. What was great about Neurodiversity in the Workplace is that they helped us figure out where to start.

This is about an entire transformation of how we acquire and how we retain people in the organization. And they helped us look at our entire process…

They’re a nonprofit. And when we reached out to them, the first thing that we asked them to do is to help us understand what are the types of tools and techniques that we should be using when we are identifying people who are neurodiverse. And what's the interview process look like? How does that interview process need to potentially work the same as and/or different from what you may have for somebody who is not neurodiverse?

So they've been a really good partner. And not only did they help us with the process side of it, but they've also helped to identify candidates. They've got a really good network of folks. And they've been able to bring those people to the table, and help to be able to introduce us together so that we've got a really good pipeline.

Individuals whose brains may work in different ways can offer certain unique skills, perspectives or ways of thinking that can prove valuable to an organization. Can you explain how that might apply in a cybersecurity role specifically?

What's been fascinating to watch firsthand is how neurodiverse individuals… think about problems in a different way.

People who are neurodiverse, they often do a better job with pattern recognition than people who aren't. And so there are lots of jobs in cybersecurity that require pattern recognition… positions where you're going out and looking for adversaries that may exist inside of your environment.

It's a very detailed role, where you have to look at mountains of logs and data. And sometimes you can use analytics to do that, sometimes you can't. And so neurodiverse people will have an ability to process that information, and to do it with a higher degree of accuracy than generally people who aren’t.

In addition, we've also seen lots of people who are neurodiverse focus on areas like malware, reverse engineering – highly technical [jobs where you] spend a lot of time in front of a computer looking at very sophisticated code... And that tends to help because in a lot of cases, neurodiverse people have the ability to be able to connect dots that we may not be able to connect.

And it doesn't require them to have interactions with lots of other people where they may have some concerns or may not necessarily feel comfortable.

Are there certain classifications of neurodiverse individuals who tend to have a particular affinity for cybersecurity?

I think it's the entire spectrum of folks that fall into the neurodiverse category. I don't really think of neurodiversity as a condition. I don't think of it as a disability, I think of it as a difference. And I think it's one of those differences that, when you think about diversity initiatives, it's almost an invisible initiative because you have people who already exist in your organization, and they may not necessarily feel that they can raise their hand and acknowledge that they are neurodiverse without a stigma being applied to them.

And so, it can be people who have dyslexia or ADHD, it can be people who are autistic.

The important thing is to be able to create an environment that allows them to be able to feel comfortable to say, "You know what? I'm neurodiverse. That means I think differently, but it also means that when you're interacting with me, I may need different types of support. And that difference is actually okay."

It sounds like you've hired neurodivergent individuals on your team – sometimes through an organization or program, but also through the course of traditional hiring. Can you share any success stories?

Let me give you some examples of somebody who was already in the organization that was neurodiverse and somebody we brought after we started being more open about wanting to intentionally hire people who are neurodiverse.

In the case of the person who was already on the team, we have a woman who has always been thought of very highly within the organization as one of our very best cryptographers. She's outstanding... but she is very unique in that she can also deliver and make cryptography something that is easy to understand for people like myself, who add two numbers together on a calculator and get them wrong.

When I started talking openly about how neurodiversity was an important component to our overall hiring strategy, she raised her hand and said, “I'm neurodiverse.” And one of the things that she said was, “Oftentimes, when I'm meeting with you, we have a conversation – but because I'm neurodiverse, I like to be able to read things in advance, so if you can send me some of the materials in advance, I'll be able to have a better conversation with you.” And so I changed the way that I interact with her. I sent her all the materials in advance for the next couple meetings – and it was amazing the types of insights that she would provide because she had a chance to be able to think about it in advance when she wasn't being put on the spot and had to try to think about how to be able to communicate in that moment… It unlocked an unbelievable new set of capabilities from somebody we already thought of very highly.

A second example: through Neurodiversity in the Workplace, we identified somebody who was applying for a job. [He] didn't come from a traditional background, did very well on all of the aptitude tests, but without exception is autistic, and was told that he was probably never going to be able to live by himself or be able to take care of himself because of his autism.

He had worked for the most part at a yogurt shop. But he was deeply technical. He was passionate about technology and when we brought him into the organization… he just nailed it in terms of all of the skills that we were looking for… He's been with us for about a year and a half now. I connected with him not too long ago. He now has an apartment, lives on his own. He's built up a network of folks that are also neurodiverse in the city that he lives in. And none of that would have been possible if he hadn't been given the opportunity.

Do individuals with more visible or noticeable neurodivergent conditions struggle to find work, based on what you’ve learned from your own ongoing mission to hire such people?

I think you're spot on. I think people who are neurodiverse – depending upon where they are on the spectrum of neurodiversity – believe that there's a stigma associated with self-identification.

More specific to cybersecurity, the challenge as an industry we face is that it can be a little daunting if you're not a cybersecurity expert to understand where to start – and I say that regardless of who you are or your background. We use complicated language. It's a fairly technical space.

And so how do we make cybersecurity more appealing so that more people choose to take it up as a career path? But also how do we make it more approachable?

And through the conversations with Neurodiversity in the Workplace, and through the conversations that we've had with people who are neurodiverse already in our organization, and that we have been hiring, they’ve improved our entire practice. So we have better managers today as a result of the fact that they've needed to learn how to be able to work and operate differently with people who are neurodiverse. And for that reason, they are crisper in the way they communicate, they are more deliverables-based, they're more outcome-focused.

[Also] our job specifications are better written today... What I'm most proud of is that we didn't create one job specification for people who are neurodiverse and one for people who are not. We have one job specification. But what we did is we took the time and the energy to make sure that that job spec was something that could be consumed by anybody. And by making it more approachable, it allowed us to be able to bring not just neurodiverse people to the table, but people from a variety of different walks of life.

What are some of the other accommodations that you've introduced to make the workplace a more comfortable and equitable place for neurodivergent individuals?

This is a journey. By no means should anybody walk away from this conversation thinking that we're perfect at this. [We’re] learning as we go.

Sometimes neurodiverse people want to be able to have a more quiet environment, so getting them sound-canceling headphones is an easy solution. Putting them in places in your building… where there's not a lot of foot traffic. Sometimes lighting is really important.

These are some things that from an accommodation standpoint are relatively straightforward and for the most part are inexpensive and easy to do.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
