BofA and HSBC: at the intersection of cybersecurity and neurodiversity

Closing the growing gap between adequate enterprise cybersecurity protection and available resources is fraught with obstacles, so Bank of America and HSBC are pursuing an unconventional approach: seeking out neurodiverse talent with a knack for pattern recognition, laser focus, and outside-the-box thinking.

Though it’s tough to tell, Jonathan Scott-Lee typically avoids eye contact. On Zoom, he strategically positions the window containing his emails near his computer camera, giving the illusion that we’re looking at each other. If we were in person, he tells me, he probably wouldn’t look at my eyes. Instead, he’d analyze my nose, my cheek muscles, and my hand gestures. From this information, Scott-Lee would be able to glean whether my mannerisms and micro expressions match what I’m saying.

He can do this not because it’s innate, but because he’s actively learned about body language and interpreting it, a skill that comes more naturally to neurotypical individuals. Scott-Lee, the Asia-Pacific chief information security officer and ambassador for neurodiversity at HSBC, is neurodivergent—a term used to describe someone with a variation in their brain that affects sociability, learning, attention, or mood. In 2013, Scott-Lee found out he had attention deficit hyperactivity disorder, and earlier this year, he received an Asperger’s diagnosis.

Neurodiversity and neurodivergence are umbrella terms for a wide range of atypical brain functions, including autism and Asperger’s, ADHD, dyslexia, obsessive compulsive disorder, Tourette syndrome, and several others. Scott-Lee is part of a growing group of bankers advocating for neurodiverse individuals within financial institutions, not just for awareness and accommodations—though that’s part of it—but to apply their skillsets to difficult technology roles, particularly in cybersecurity.

“Cybersecurity is one of those disciplines where you have to be deeply technically skilled, and you have to know the whole stack, end to end, from the software level right down to the hardware level in order to do it properly. There are very few people who have the patience to really do that, so one of our suspicions is that people within cybersecurity are more neurodiverse than not,” Scott-Lee says.

According to a recent survey conducted by the International Information System Security Certification Consortium (ISC2), the non-profit organization that issues the widely sought-after Certified Information Systems Security Professional (CISSP) qualification to cybersecurity professionals around the world, the global shortage of cyber defense talent reached roughly 3.5 million this year—about 400,000 more than last year.

Bank of America and HSBC are two institutions that have become vocal in neurodiversity issues and are developing suitable hiring strategies and training programs for current and future talent, both beginning in cybersecurity, but now also extending to areas such as artificial intelligence, algo writing, software testing, and general innovation.

Issues that seem small and inconsequential to neurotypical people could change a neurodivergent person’s entire job. Take, for example, one of HSBC’s senior members, one of two leaders of the steering committee that oversees the bank’s young neurodiversity program and whom Scott-Lee reports to in his ambassador capacity. Part of this member’s job, Scott-Lee says, is reviewing an internal dashboard once a month that tracks outages using the colors red, green, and amber to stay on top of resilience risk. As luck would have it, the person responsible for the dashboard happened to have red-green color blindness. So the bank added letters that corresponded to each color.  

It wasn’t until December 2018 that Craig Froelich, Bank of America’s CISO, first heard the term. At an all-hands meeting, one of the last large, in-person events held by the team before Covid-19, a woman on his team—BofA’s “all-star” cryptographer, as he describes her today—approached Froelich and asked if he could send her his talking points and written materials in advance of the next meeting. Though they had known each other for roughly 10 years, she explained then that she’s neurodivergent, which makes it difficult for her to follow auditory and visual stimuli at the same time.

Froelich set out to research neurodiversity, and at a follow-up all-hands, he implored others who might be neurodiverse to speak up as well so the bank could serve them better. In those early days, about a dozen more employees on Froelich’s 3,000-person team shared their own conditions with him, with several more doing the same since then.

A man on Froelich’s team was one of the first to follow suit—a US military veteran who has dyslexia. At the time, he was an individual contributor to BofA’s information security team and a member of the military reserves. Froelich says the man shared some suggestions that could make his work environment easier for him, and the bank accommodated them. Six months later, he fully retired from the military to become a business information security officer for the bank while using his spare time to learn malware reverse engineering through an intensive, six-week training program that BofA offers.

BofA has developed a twofold strategy: better serving their existing neurodiverse employees and recruiting more of them. And it has enlisted the help of Neurodiversity in the Workplace, an organization connecting neurodivergent job seekers to high-level careers for which they are qualified but could otherwise not access. Froelich credits this program with a dramatic spurt over the last few years in the number of patents filed by BofA’s information security team and approved.

“Oftentimes, when the threat is at your doorstep, you’ve got to create new things that have never been done before. And the way I understand whether or not we are doing well at that is tracking the number of patents that we have filed for and been granted,” Froelich says.

The information security team at BofA, which spends more than $1 billion on cybersecurity annually, had filed 178 patents in 2021 as of September 30. In all of 2020, it filed 172. In 2019, there were 117. In 2018, before the initiative began, it filed 82. This year, BofA recorded the most patents granted in the first half of any year in the company’s history, with 227 patents granted bank-wide during that timeframe.

“I think we hold more information security patents than any other financial services company. … And I honestly think the reason why we have so much innovation that takes place is because we’ve got this really broad tapestry of individuals that are thinking about these hard problems from all different angles,” Froelich says.

HSBC’s Scott-Lee, for example, got his start in banking in technology. Being “very socially awkward,” he had little luck in finding a job—he fell into penetration testing, a fancy term for simulated cyber-attacks on your own system. Soon, Deutsche Bank found him, and wanted to hire him to optimize code to shave off milliseconds on electronic trades to get them to market faster. It was highly specialized and “geeky,” Scott-Lee says, but he was good at it.

While he has risen through the ranks of cyber roles, he has watched entry-level talent become harder to find and keep.

“Financial institutions use a lot of standardized testing to filter people out, so we suspect that cybersecurity talent is getting filtered out before they even come in to interview,” Scott-Lee says. “A lot of neurodiverse cybersecurity talent can find it easier and more comfortable working underground on the dark web, where they don’t have to deal with people, governance, and office politics.”

HSBC recently began developing a new kind of standardized test for prospective candidates, which will hopefully not filter out applicants who appear to think differently. HSBC’s program is quite young—Scott-Lee only became the Apac neurodiversity ambassador earlier this year, but he hopes that a new type of test will be ready six months from now.

As someone with ADHD, planning very far into the future is not a strong suit for Scott-Lee. When asked what goals he hopes the program achieves in a few years’ time, he hasn’t even thought about it. But he knows there are a lot, and any awareness he can raise today that wasn’t there yesterday is a success in its own right.
