a screen showing the title slide of a new talk called red flags or reasonable adjustments

Red Flags or Reasonable Adjustments

disability| neurodiversity at work | Managing Change| Neurodiversity| future of work| Work| Autism| adhd
September 06, 20255 min read

Red Flags or Reasonable Adjustments: A Practical Approach to Inclusive Risk Management in Cyber

I gave a new talk at BSides Bristol in September 2025 on this exact topic and I wanted to share a bit more widely. The points in this post could be relevant to any role or team working in any high stakes environments - law enforcement, security or intelligence operations.

If you work in cyber, you already know the pressure points: alert noise, time-critical change windows, shifting vendor landscapes, and the expectation to “get it right” first time. Add a tight labour market and rising stress and it’s clear - human performance is now a core security concern, not a soft topic.

This post is about making that practical. I’m arguing that what HR calls reasonable adjustments are, in cyber terms, risk controls for people. They are small, proportionate changes to process, environment, tooling, or timing that reduce error, improve resilience, and help us keep great people.

Why this matters now

  • Capacity and continuity: Teams are lean. When we lose people—or when talented colleagues are operating at the edge of burnout—risk increases.

  • High-stakes work: Patching, identity changes, incident response and supplier hand-offs are all human-intensive. Mistakes here are costly.

  • Expectations of newer generations: Many early-career professionals look for psychological safety, flexibility, and clear communication. If they can’t see it, they don’t stay.

This isn’t about lowering standards. It’s about removing avoidable friction so people can meet those standards consistently.

From “reasonable adjustments” to risk controls for people

In UK law, employers have a duty to make reasonable adjustments for disabled staff where a policy, practice, physical feature, or need for an auxiliary aid causes substantial disadvantage. In a security context, translate that into: set up the work so capable professionals aren’t fighting unnecessary barriers - especially when they’re autistic, ADHD, dyslexic, or simply operating under sustained load.

Examples that reduce risk immediately:

  • Written instructions and decisions: Verbal-only handovers are fragile. Capture actions, owners and deadlines in writing.

  • Protected focus blocks for high-risk changes: During patching or privileged identity work, minimise interruptions and multitasking.

  • Clear, short meetings with agendas in advance: One topic, time-boxed, decisions documented.

  • Shared task boards (Jira/Trello/Notion): Visible work, fewer dropped tasks, easier handovers.

  • Noise control / quiet zones; headphones allowed: Better signal detection, lower cognitive load in the SOC.

  • Fixed desk on request: Predictability reduces setup friction and sensory stress.

  • Short, regular breaks: Attention resets reduce error and rework.

  • Weekly 1:1 priority check-ins: Align expectations; remove blockers early.

These are not “extras”. They are small controls that improve accuracy and throughput.

How behaviours are misread - and what to do instead

Autistic and ADHD colleagues are already in our teams. The issue is not capability; it’s fit between the person and the way we’ve designed the work. Behaviours that are often misread as “red flags” are frequently signals to adjust the system.

Common misreads and simple responses

  • Direct or brief communication → “rude”.
     Response: Agree tone/format guidelines; encourage bullet points. Clarity is the goal.


  • Camera off or limited eye contact → “disengaged”.
     Response: Normalise camera-optional calls; ask for a short written update afterwards.


  • Requests for written instructions → “slow learner”.
     Response: Treat written decisions as standard in change and incident work.


  • Struggle with interruptions/time blindness (ADHD) → “unreliable”.
     Response: Use checklists, do-not-disturb change windows, micro-steps and visible rotas.


  • Hyperfocus or many ideas, weaker follow-through (ADHD) → “impulsive/flaky”.
     Response: Limit work-in-progress; use a “pause & peer-check” before risky actions; capture ideas in a parking lot.

When we respond to the signal rather than judging the person, we get fewer mistakes and more consistent delivery.

A practical strategy for managers

1) Recognise, don’t rationalise

If a colleague is struggling with priorities, focus, or environment, pause before assuming intent. Ask yourself: What barrier might be at play?

2) Ask, don’t assume

Use straightforward questions:

  • “What helps you do your best work on this?”

  • “Is there anything about the setup, timing, or format that’s getting in the way?”

3) Adjust, don’t excuse

Agree one or two proportionate changes. Keep standards the same; change the path to reach them. Trial, review, iterate.

4) Lead, don’t wait

Make good practice universal: written decisions, checklists for high-risk work, short meetings with agendas, and protected focus time. Don’t rely on perfect disclosure to justify sensible controls.

Here is a pathway you can use: Identify barrier → Trial adjustment(s) → Review impact → Document → If performance is still below standard, proceed through a fair capability route. This protects both the person and the business.

Want some quick implementation tips for cyber teams

  • Change windows: Can you protect 45–60 minutes; no interruptions; use a pre-commit checklist; require a peer-check on privileged actions.

  • Meetings: Have one topic, send an agenda in advance, decisions captured and shared. Keep them short by default.

  • SOC hygiene: Allow headphones/quiet space; one channel per incident thread; rotate alert monitoring; use checklists consistently.

  • Help desk / IAM: Create Verification scripts; embed “two-minute pause” rule before high-risk changes; insist on written confirmation of requests.

Neuro-inclusive practice is not a side project or a branding exercise. It’s a practical way to reduce error, shorten incidents, retain talent, and lower cost. Call them reasonable adjustments if you’re talking to HR. When you’re with your cyber team, call them what they are: risk controls for people.

We don’t need to lower the bar on performance. We need to remove the avoidable barriers that stop capable people from reaching it, especially when the stakes are high.

If you want practical, low-cost ways to reduce human error and retain brilliant people, let’s chat.

Lucy Smith is an expert in organisational change and neurodiversity, working with cyber leaders to turn inclusion into risk controls for people.

[email protected]

Visit our website to see how we support teams, run workshops, and build manager toolkits.




neurodiversity in cyber securityreasonable adjustments UKpeople risk controlsinclusive cyber teams human factors in cybersecuritySOC human erroradhd at work cyber autism in cyber securityequality act 2010 reasonable adjustmentscyber burnoutCISO people riskinclusive risk managementcyber skills shortage UK Gen Z access to work UKinclusive change management
Founder of Inclusive Change

Lucy Smith

Founder of Inclusive Change

Back to Blog