Neurodiversity is often associated with children, but adults with the same condition are often left out and ignored. Nathan Chung interviews world renowned cybersecurity writer, blogger, speaker, security researcher, and Neurodiversity champion Kim Crawley where she shares her personal stories of triumph and success working in Cybersecurity while being Neurodiverse. If you work in IT or Cybersecurity, listen and be inspired.
0:04
Good morning everyone. My name is Nathan Chung and welcome to the NeuroSec Podcast where we unite people and organizations to support and advance Neurodiverse people in cybersecurity. Today my special guest is Kim Crawley, world famous cybersecurity writer, speaker, gamer, and a whole bunch more I probably can't talk about. So welcome, Kim,
0:30
Nice to be on your show. Thank you, Nathan.
0:33
So first of all, congratulations on your new book, The Pen Tester Blueprint that you wrote with Philip Wiley.
0:39
Yeah.
0:40
What inspired you to write it and how did it all come together, can you share?
0:44
ned it. And this was April of:3:05
And it was a very successful collaboration. And it's very important that Phil guided the book creatively, because he is the expert pen tester. My cybersecurity knowledge is a lot more broad and generalized.
3:23
So I'm, as far as cybersecurity is concerned, I'm more of a master of all sorry, not mastered like a jack of all trades, master of none. So it's really his experience in penetration testing. That was a tremendous asset to the book. And also, I interviewed a lot of very experienced pen testers, for their feedback about the book, the book is about penetration testing. The focus really is on though, how to have a career as a pen tester how to get your foot in the door, get your first ethical hacking job.
4:01
Incredible. I also notice you, you also contribute to a lot of other books as well. I thinks it's called Tribe of Hackers.
4:08
Yeah!
4:10
riting amazing articles since:4:22
I grew up with writing, like, my dad was a novelist, and he wrote fiction. He wrote, like, writing fiction, like I've only ever professionally written nonfiction. But growing up with a dad who wrote books for a living it made the idea of writing for living seemed like a normal thing to me. And my dad taught me a lot of important things when I was a kid, about how to be an effective writer. When I was a little girl, I didn't necessarily want to be a professional writer when I grew up, but by the time I was in my 20s it was one of the few things that I knew how to do. So my career just kind of went in that direction. Because I've always been interested in computers and that led to working in desktop support and then getting into cybersecurity. writing about cybersecurity is something that I just naturally fell into.
5:24
aw an article you wrote round:6:06
We ran DOS box, do you play games in DOS box?
6:10
Not anymore. But I do remember getting a perfect score in Choplifter back in the day. So which, which were, which were your favorite games from back then?
6:22
I have nostalgia for the Commander Keen platformer franchise.
6:28
I remember that.
6:29
I think I played every mainlined Commander Keen game. Apogee also published Crystal Caves and Secret Agent.
6:37
I remember that.
6:38
So I liked I really liked Where in the World is Carmen San Diego.
6:43
Oh my yes.
6:44
I played the original DOS version of that game. Yeah, I mean, a lot of a lot of millennials grew up with like the Oregon Trail. But I didn't grow up with that game, I guess partly because I'm not American. I think American schools pushed the Oregon Trail.
7:04
Yes they do, yes they do, I remember playing that back into Apple II days or even DOS days? Have times have changed. I literally grew up watching graphics change from two color then to four color CGA, 16 color EGA to 256 color VGA, and now we have millions and millions of colors. It's a it's an amazing revolution. So switching gears, I also caught your webcast you did with ITSP where you talked about Neurodiversity and the need for allies. I really was inspired when you brought up ableism. And because no one talks about that. So what what, what makes you such a strong advocate for Neurodiversity and to be yourself.
7:54
Autism acceptance was a very long journey for me, I got like very close to being diagnosed with what was then known as Asperger's Syndrome a few times when I was a kid, but then I wasn't diagnosed. At that time, my teachers interfered and other times my parents interfered. My my parents my dad didn't like the idea that I could be Autistic. She he just liked to think of me as his brilliant little girl. So that kind of thinking prevented me from getting an Autism diagnosis when I was a kid. It wasn't, it was always like I suspected for years that I was either Autistic or ADHD. By the time I was in my mid 30s, I was finally making enough money that I could spend a few $1,000 on a private psychologist to diagnose me, formerly. And so I did that. And like that was a lot of like, I'm not rich. So it's a lot of money to spend like $3,000 on something. But I really wanted to know, like, could I get an Autism diagnosis? So I did it. And that and so I got medical confirmation of something that I suspected about myself. My whole life. I was less surprised to be diagnosed with ASD one and I was more surprised that I was diagnosed with ADHD inattentive type at the same time. That surprised me. I was like, wow I'm ADHD too now. So the past couple of years has really been a learning process trying to fight my own internalized ableism because I think also, shame prevented me from identifying as Autistic for a long time. You found out about me, I think because I wrote something for AT&T cybersecurity blog.
9:56
Absolutely.
9:57
About being Autistic and at AT&T cybersecurity, I have an absolutely wonderful editor. Her name is Kate Guru. And she got the idea for that article, because she saw me tweet about Autism a lot. And she's not Autistic. But she felt like I was educating her a lot about Autism. And she's a really nice woman. And she said, Kim, I want you to write about being Autistic and careers in cybersecurity for AT&T blog. And I was like, sure, I'd be delighted. That was a conscious decision for me to be open about being Autistic. Because I wasn't formally diagnosed until I was 35 years old, I could have kept it my own private secret. But I came to the conclusion that you know, I have a little bit of influence in the industry. People have heard of me, I've been in the Tribe of Hackers book, I've been in the media, I work in the media. There's a lot of Autistic people who can't be open about being autistic, because they'll get fired, or they won't get the job that they want to get, I decided to take that risk, I decided to take the risk, because I felt like I could be open about being Autistic, and it wouldn't have a negative impact on my career. And I believe if I could do that, and take that risk, I have responsibility too. Because the more of us who opened about being Autistic, the less likely that an Autistic kid in the future is going to have to hide their Autism in order to get a job.
11:41
You are absolutely correct. And that is one of the reasons why I'm doing this podcast, because we need to flip the script. So people can be themselves. They should, they should be comfortable to work and live and be themselves. They should not have to hide. They should not have to fear for their jobs. That's why you are amazing for all that you do for advocating for for Neurodiversity, Autism and ADHD. It's incredible. Not too many people that come out, there is still a strong stigma in the industry where people if they come out and admit that they have a mental condition. In the industry is still old school thinking where they think you're flawed, you're broken, you're not of any use to the company. So we need you to leave. That needs to change. That really needs to change.
12:36
A lot of the ableism is subtle. A smart company that doesn't want to be sued is not gonna say, okay, we're firing you because we found out you're Autistic or we were firing you because we found out that you're secretly transgender or whatever. But they will say, okay, well, you've been late coming to work a few times. So I guess we're gonna have to let you go because of your tardiness. They might find an excuse to fire you.
13:07
Yes, I've seen that happen to friends, it's horrible. It's like the most insidious evil plot and loss. And another thing you brought up is how whenpeople hear Autism, ADHD people just automatically think it is something for kids, but people forget, adults have it too. And it's, it's like where a lot of people are suffering in silence is like, and no one's really talking about ADHD or Autism in adults.
13:41
I think it's because the the abled mainstream, they, they they're they center their focus is on the parents. They want to sell products to the parents. You can't sell a shady Autism therapy to an autistic adult. But you can get the parents to be terrified that if they don't buy ABA for their kid or whatever, they're never going to have a job or get married. With more advocacy in the disability community, the idea that people grow out of Autism or ADHD or Dyslexia or whatever, at age 18, will eventually disappear.
14:30
Yep. It has to. So shifting gears to talk about Neurodiversity in cybersecurity, I see numerous studies and articles that describe Neurodiverse people as often being cited as being a good fit for cybersecurity and even hacking hut based on your experiences and people you have interviewed. Do you feel that this is true?
14:56
Yeah, some quite quite often yeah. Being being Neurodivergent can help with a cybersecurity career. It doesn't mean that all Neurodivergent people have a knack for IT or computer science or cybersecurity. But for a lot of people, it can be a definite asset. Because think about cyber threat modeling, for instance, you have to try to be inventive and come up with ways for how your organization might be threatened by cyber attacks. If your mindset is just to think in the most conventional way, then you might not have the creativity to I hate the expression but think outside the box. So, yeah, I mean, if if your Neurotype is to normal, maybe that might interfere with your creative potential. Maybe you should pursue a career in accounting. Although some accountants are very creative, especially the ones who work on Wall Street.
16:11
Oh, yes.
16:15
So among the cyber jobs, which which do you think are best suited for Neurodiverse people? There's just so many jobs out there.
16:27
I think that has more to do with the person's temperament and their interests than whether or not they're Neurodivergent. There is a yes, you know, I don't have to tell you there is like a wide variety of different roles and areas in cybersecurity. I mean, there are defensive Blue Team people, offensive, Red Team people. There are people who make great network administrators, CISOs. I would recommend that it might be helpful to get involved in online communities related to cybersecurity, maybe find subreddits, like the network security subreddit, of find the infosec community on Twitter with the hashtag infosec. Ask people if you don't know where you want to get to ask questions. There also, I am going to promote my own stuff. Reading the book that Phil and I just wrote that we just published. If you are curious about penetration, testing careers, that book would be appropriate. And you might read our book and decide you would rather work in digital forensics incident response.
17:56
That reminds me, now that the book is finished, what is your next project?
18:01
I always have online writing gigs. Like I've been steadily writing content for AT&T cybersecurity blog for the past three years. I can I can publicly talk about this now. Wiley Tech is interested in me writing some books on my own for them. I've been discussing that with the publisher, so so there might there might be a title or two coming out in the next couple of years that I've written on my own. Phil and I have discussed co-writing again as well. If I ever write anything about pentesting ever again, it's going to be with Phil Wiley because he knows his stuff. Um, I am doing threat research for a major Canadian bank. My NDA prevents me from saying which Canadian bank it
18:56
No problem.
18:59
I'm doing anti virus software testing, which is out of my comfort zone because I'm used to just writing about stuff. But yeah, I know, I never have one job or one company that I work for. I always have to work for lots of different companies at once because I'm self employed, and I'm an independent contractor.
19:21
Yeah, that's right. I forgot about that. So based on your experience, and struggles being Neurodiverse, what what obstacles? Can you share what obstacles you faced and how you how you overcame them?
19:37
Yeah, that's a good question. Um, I had to learn to teach myself I had to be self educated because I wasn't able to graduate high school. Normally, my Developmental Disabilities weren't diagnosed. So I was blamed for my own academic struggles. I did eventually get my GED in my 20s, I worked on getting it certifications like the CompTIA A+ plus and Security+ and Network+. That's all stuff that I did outside the classroom that I had to pursue on my own. So everything that I know about my field, I had to go out there and learn on my own. So I think if school went well, for me, my life would have went a different direction. Yeah, there's there's a lot that I had to learn over the years. Obviously, when Autistic people get older, they learn how to mask better. Unfortunately, I've had to learn how to mask. Yeah, I mean, it took a lot of struggle and a lot of failure to get where I am today. You don't you don't get a job where you're paid to write about cybersecurity overnight. You don't get that kind of job from getting a college degree and then getting hired out of school. Those are, those are careers that you do that kind of work for years before you get to a position where people pay for what you do. So it takes a lot of perseverance.
21:29
That's why you're awesome.
21:30
If your kid was in a rock band, you would tell your kid, get a day job, you're gonna have to work that day job for a lot of years, before you start making money from your music career. It's like that.
21:45
You know, you brought up a very interesting point, because there's also a cultural or family or historical point of view as well. Because in very traditional families, that's how it is. Being Neurodiverse is like being flawed. And for a lot of families in certain cultures, it's potentially even fatal for some people. So that's the sad part, which a lot people don't talk about. How some people they just suffer alone. That's why I think what you do and your life, it is amazing, and it's a really good success story.
22:19
Thank you. Did you come from a family where your parents really pushed you to do well in school and then go to medical school and get a medical degree?
22:29
Oh, yes, that's the constant push people always face. I'm in an Asian family and expectations is for us to become either lawyers or doctors, very traditional. Even talking about these things. It's very hard among Asians is like, a cultural taboo. We can not talk about it. Ironically, I've heard that it's easier to talk about it on a movie or on a TV show compared to talking with your own family. And I think a lot of people can identify with that.
23:01
My dad was a novelist. So so he did encourage my creative pursuits.
23:13
And that is also an important piece. Sounds like you got a lot of support from your parents.
23:18
Not my mother, but my dad. Definitely. Yeah.
23:22
Yeah. So next question is. What message do you have for people who are Neurodiverse and they want to work in cybersecurity, but they feel that the industry and society puts up all these barriers and tells them no, you don't belong here. What message do you have for them?
23:39
Hmm. It's, it's, it's unfortunate, but you might I think a lot of Autistic people would benefit from being coached on how to do a job interview. job interviews are a huge barrier to people with developmental disabilities. Because job interviews are all about professional bullshitting.
24:09
Yes.
24:11
A lot of like Neurotypical people they tend to learn, okay, a job interview isn't a chance to answer questions, honestly. It's a chance to say whatever the interviewer wants to hear so that you get the job. They pick up on that more often. A lot of Autistic people, they don't, they need to have that explained to them. So I think if maybe someone who's Autistic who has done job interviews, well, like me, can coach them one on one being like, you're going to be asked these questions in a job interview. These are good answers for you to give them. It's very difficult not to stim or fidget during a job interview. But if there's anytime, when unfortunately, you have to hold on to your stims and not stem, it's in a job interview. When you get a job and they assign a cubicle to you, and you've already got the job, then maybe you can find a quiet, subtle way to stim at your desk.
25:20
That's a good point. That's a good point. That could be another book idea for you. I think because I think you are right, the interview process is very much flawed. It is more about saying the right things. It needs to change, it should be more about ability, that the person being interviewed should bring to the table. This is what I can do. It should be more like that.
25:48
Yeah, it's it's one of those things about life that's unfortunate. But if you want success then you're gonna have to play the game. .
25:59
Unforunately that's true. And oh, and I think another thing you brought up earlier in the segment, is how you got your Autism diagnosis.
26:08
Mm hmm.
26:08
I think even now, getting tested and diagnosed is still not covered by insurance. Like that is wrong.
26:15
I live in Canada, which is a country where most medical services are paid for through public health care, regardless of how rich or poor you are. But our public medical system still does not cover adult Autism diagnosis.
26:34
Yep. It's similar in the US. It's not covered.
26:37
Yeah.
26:37
Sad. Like that has to change. That really has to change.
26:41
Um, that's one of the reasons why I didn't get my diagnosis until I was in my 30s. Because when I was in my 20s, I wasn't making enough money to spend $3,000 on something.
26:52
Yep. That is a lot of money.
26:54
Yeah.
26:55
A lot of money, especially now with COVID. A lot of people are losing their jobs. I don't think many people can afford that.
27:01
Yeah, it's it's, it's not it's not fair. But yeah, it's pretty shitty, which is one important message that I have is that I support self diagnosis. Because for a lot of Autistic people, diagnosis is not accessible. Chances are someone who identifies as Autistic without being formally diagnosed, spent a lot of time researching Autism in the Autism community to figure out that they are Autistic.
27:36
Yep, that that that is the route I went too. I read I just read a lot of books, read a lot of blogs and read, most important part of all. Read the stories of all people who are Autistic and their daily struggle. And for me, it just started to click because like, this is definitely sounds like me.
27:57
Self diagnosis is valid. You tell them you're autistic, you're autistic.
28:03
Yeah, totally agree. Okay, so next question, Kim. Besides reading and speaking about cybersecurity and Neurodiversity, what what else are you passionate about?
28:14
You probably know I love JRPGs when I'm not working I spend a lot of time playing Japanese role playing games. I am a I'm a hardcore persona fan. Like I even have I have persona related tattoos even.
28:34
Love it.
28:35
I'm I'm really into a lot of Falcon franchises like Ease and Trails in the Sky and Charles Cold Steel. Yeah, I mean, I like all kinds of video games, not just JRPGs but JRPGs are definitely my favorite. I live in a really beautiful city that has a lot of great culture, in Toronto. And until the pandemic hit, Toronto had like lots of like really great restaurants. And so one of my hobbies was definitely going downtown Toronto or going to like different neighborhoods like Little Italy or places like that. And just trying trendy new restaurants that are advertised.
29:23
I love to do that to, I'm a foodie. But compared to when we were growing up, now, people are playing games competitively and people are even getting paid to just play games, they just have people just watch on on video, like wow.
29:43
I don't think I could be an Esports athlete. Because I think I think when you are an Esports athlete, you're not playing games to have fun anymore. You are trying to do your job. When it becomes a job, it's not fun anymore.
30:06
That's a good point.
30:08
$100,000 is on the line. So you better shoot more people in this game than the other guy if you want that prize.
30:16
And it reminds me of one of the old school movies. It's called Wizard. Starring Tobey Maguire. It's just him being Neurodiverse and playing Super Mario Brothers. Like I remember that movie growing up.
30:32
Yeah, that that was excellent marketing on Nintendo's side. I remember when a big deal Super Mario Brothers three was.
30:44
Okay, and so one more question. Besides Neurodiversity, what what advice do you have for people to take off their masks and be themselves?
30:58
It really differs according to the situation. There are situations in my life where I don't mask at all. And there are other situations where masking is a necessary evil. In an ideal world, we would never have to mask anywhere at all. And it's better for our mental health as Autistic people to not have to mask. Unfortunately, if you want to keep a job, if you want to go to the store and buy things and have the people working at the store treat you like normal person. If you want people outside of your home to treat you like normal person, you might be in a situation where you're forced to mask a little bit. Like when I am home alone, I stim like crazy. And I work from home. So there's and I live alone. So there is no reason when I'm writing something to not be stimming constantly while I'm doing it. But when I am on the subway, I don't sit and stim. When I'm riding the subway. I wish the world would change. So I could do that with people without people staring at me and thinking that that's abnormal. But until then, you kind of and also you probably know from firsthand experience, it takes a lot of mental energy to mask.
32:26
Yes.
32:27
So it's great to come home and have privacy and just be with your family. Or be with people who know you well and love you. And just be yourself there. And if you didn't have your own bedroom, and you can close the door and privacy in your own home, masking 24/7 would would just drive you insane.
32:50
Yeah, it reminds me of software based virtualization emulation, it just eats up all your CPU cycles, and just mentally crash.
33:00
I want to fight for a world where we can sit on the bus and stim and no one stares at us
33:07
Totally agree.
33:09
And so then we gotta like make practical decisions, I guess.
33:15
Yep, totally agree. Okay, and that wraps up today's session and thanks Kim for coming on. Really appreciate it.