April 27, 2015, by Ed Moyle

Sometimes, a small percentage can make a huge difference. To see this in action, consider the game of blackjack. Play blackjack in a casino with the perfect strategy, and the house is favored by less than 0.5 percent. Count cards, though, and you are favored by about 1 percent. In this case, this spread — a total of less than 2 percent — quite literally means the difference between a multibillion-dollar revenue stream for the casino and a threat considered so dangerous that you are barred from setting foot inside if you are caught.

Similarly, in security management, you want as many of the odds in your favor as you can get. Doing this in practice can involve many factors, and there are an infinite number of ways to improve your game. However, one way to get a clear edge with relatively minimal effort is to improve how you manage talent — in other words, to improve your ability to find, hire and retain the best people you can afford.

Talent management has never been easy, but it has changed and evolved over the past few years. What’s driving this change? Millennials, or those individuals who were born between 1980 and 2000. As millennials continue to enter the workforce in droves, it’s becoming increasingly important that you understand what is important to them and adapt accordingly. Not only is attrition of any staff — millennial or otherwise — a resource drain since finding and training replacements costs money, but younger members of the workforce can also be a source of creativity, energy and innovation. Moreover, you want the best and brightest to go on to become the future leaders of your organization.

Boring Is the New Underpaid

I confess that I always used to hate it when people would make baseless generalizations about my generation (Generation X, if you’re curious), so I’ll try not to do that here. Generalizations aside, though, there has been some systematic research conducted on what millennials find important, respond to and value in the workplace. So while millennials aren’t fungible by any means, having some clue about what they tend to find desirable is a good starting point.

First and foremost, research suggests millennials value jobs that are interesting and challenging. Now, nobody likes a boring job, but millennials are more likely to put their money where their mouth is when it comes to making a decision about salary versus passion. For example, a study from the Brookings Institution found that 64 percent would prefer to make $40,000 at a job they love rather than make $100,000 a year in a job they thought was boring.

Security has an edge in this respect because it’s anything but boring. That said, there are some elements of the job that can be more monotonous than others (log review comes to mind). If there are tasks in your department that are less interesting than others, outsourcing or automating these might be in your best interest from a resource retention standpoint. If you can’t do that, you might rotate personnel so that no one person is doing that mundane task exclusively.

Value Matters

In addition to eschewing jobs that are boring, research also suggests that it matters to millennials that their jobs have value. A 2015 study by Deloitte found that about 60 percent of millennials said that a sense of purpose is a key element of why they choose to work where they do. This means it’s important that they feel like they’re making a contribution and advancing the goals of the organization. This can be a bit tricky in the security world. Why? Because too many organizations struggle with directly tying security activities to business value. That’s not to say there isn’t value — quite the contrary — but it can sometimes be hard to directly articulate that value.

There are a few ways to help show the value security teams provide to the business. Bentley University’s Center for Women and Business suggests that having a feedback loop to demonstrate the impact individuals have on the business can be a good strategy. One way to create that loop is through an internal-facing report or bulletin that leverages available metrics and data to highlight key accomplishments and emphasize value and impact you’ve had on the business. If there is a management dashboard you share with senior leadership, consider publishing an internal version everyone can see. Having a report like this is useful for other purposes beyond team morale since it makes for great marketing back to the business about why the security team should stay involved in the company’s efforts.

Be Flexible

Last, embrace flexibility. Flexible work arrangements such as working from home are important, and working from home in security is not only possible, but often more efficient. However, flexibility in how work gets done is also important, and this is where it’s a little more challenging for some security managers.

For example, maybe team members want to IM each other about the work they’re doing, leverage a software-as-a-service (SaaS) collaboration tool hosted outside your environment or employ open-source technologies such as Docker. Maybe they want to do something that might border on scary because it facilitates how they want to work. It’s important to take these things seriously. And, let’s face it, many security pros are not always known for their willingness to “embrace the new.”

Now, I’m not saying you should immediately take your critical security-relevant information and upload it to some shady SaaS service you don’t trust or that you should allow team members to tweet to each other about security issues they find in the environment; obviously, prudence is warranted. That said, there might be an alternative that lets team members work the way they want to but doesn’t create additional risk. Work with your employees to find a middle ground that lets them work the way they want but is also palatable to the organization from a risk perspective. For many, the fact that you care enough to talk to them about it and work with them collaboratively to find something that meets their needs will go a long way.

The point is, millennials are a fantastic resource, and creating an environment that is attractive to them can be beneficial to you in return. It may take some flexibility, a willingness to adapt and some sensitivity to make sure the environment is favorable for them to make a home in.
