There are three rules for portraying a hacker in media. They have to be white; they have to wear a hoody; and they're probably autistic.
The portrayal of neurodivergence as shorthand for ‘socially inept but highly skilled' is slowly becoming recognised as an outdated stereotype. Not everyone displays savant syndrome, and most are completely capable of holding a conversation - or going on-stage at the Cybersecurity Festival, as Holly Foxcroft did last week.
For years neurodivergence has only been thought of in terms of the negatives: those who have difficulty communicating, are easily overwhelmed and procrastinate.
But the positives are increasingly recognised. Those with ADHD are energetic and enthusiastic, while autistic people are logical, analytical thinkers with great attention to detail.
"Why wouldn't you want someone like this on your team?" asked Foxcroft, who has both conditions herself.
This slow change in attitudes is accompanied by a rising number of studies into neurodivergence, including around the cyber aspect.
In 2019, the NCA's Pathways into Cybercrime report found that many young offenders showed characteristics of autism. Last year, the study continued and found that around 17% of subjects referred for Cyber Prevent or Pursue activity had an autism diagnosis, or self-referred with autism-like traits. That's compared to 1-2% in the general population.
The ingredients of a cybercriminal
According to routine activity theory, the route into criminal activity revolves around three elements: a potential offender, a suitable target and the absence of a capable guardian.
Note the word "capable." When it comes to cybercrime, a loving parent might also be incapable of providing the guidance a young person needs to stay on the right side of the law.
The same applies to schools. Some might show videos or talk about the dangers of cybercrime, but there is no positive message - for example, about ethical hacking.
And that's a problem. The average age a person starts their online presence today is six. That's a lot of years to be exposed to the dangers of the internet without education.
"We need to embrace that, because it's not going anywhere," said Foxcroft. "Schools need to embrace it, too. That's where the cyber skills gap comes from."
This is especially true for cybersecurity. Even the Computer Science GCSE contains no cyber education - in fact, there's nothing formally taught about cybersecurity until university.
Neurodiverse individuals often struggle with traditional education, and are more likely to leave school before reaching university than a neurotypical person. That means they're likely to miss studying cybersecurity - or teach themselves.
No quick solution
It's long been recognised that neurodivergent people - who have a propensity for thinking differently - are of great use to the cyber community. That dates back to at least the 1940s, when GCHQ hired Enigma codebreakers based on their answers to a Telegraph crossword puzzle.
Today the industry still tries to recruit, or at least arouse a positive interest, through games. Organisations like Cybersecurity Challenge UK and the NCSC are just two examples pursuing this strategy.
These are just one recruitment thread, though. Gamification might arouse an interest, but neurodivergent people also need to be accepted and encouraged into corporate life.
"It's a managerial and culture change, and it's addressing unconscious bias," said Foxcroft. It means understanding that sometimes employees will behave differently than you might expect, and not penalising them for that. They might also need different treatment, like a day free of meetings or a reserved quiet space in the office, to help them reach their full potential.
"We do have what some may call weaknesses, or others might call areas we need more support in," said Foxcroft. "Don't try to force autistic people into an environment that doesn't work for them."
Cyber is a fast-paced environment where neurodivergent people can and do flourish. Business-level support will help attract them to, and keep them on, the white hat path.