April 27, 2015 By Ed Moyle

Sometimes, a small percentage can make a huge difference. To see this in action, consider the game of blackjack. Play blackjack in a casino with the perfect strategy, and the house is favored by less than 0.5 percent. Count cards, though, and you are favored by about 1 percent. In this case, this spread — a total of less than 2 percent — quite literally means the difference between a multibillion-dollar revenue stream for the casino and a threat considered so dangerous that you are barred from setting foot inside if you are caught.

Similarly, in security management, you want as many of the odds in your favor as you can get. Doing this in practice can involve many factors, and there are an infinite number of ways to improve your game. However, one way to get a clear edge with relatively minimal effort is to improve how you manage talent — in other words, to improve your ability to find, hire and retain the best people you can afford.

Talent management has never been easy, but it has changed and evolved over the past few years. What’s driving this change? Millennials, or those individuals who were born between 1980 and 2000. As millennials continue to enter the workforce in droves, it’s becoming increasingly important that you understand what is important to them and adapt accordingly. Not only is attrition of any staff — millennial or otherwise — a resource drain since finding and training replacements costs money, but younger members of the workforce can also be a source of creativity, energy and innovation. Moreover, you want the best and brightest to go on to become the future leaders of your organization.

Boring Is the New Underpaid

I confess that I always used to hate it when people would make baseless generalizations about my generation (Generation X, if you’re curious), so I’ll try not to do that here. Generalizations aside, though, there has been some systematic research conducted on what millennials find important, respond to and value in the workplace. So while millennials aren’t fungible by any means, having some clue about what they tend to find desirable is a good starting point.

First and foremost, research suggests millennials value jobs that are interesting and challenging. Now, nobody likes a boring job, but millennials are more likely to put their money where their mouth is when it comes to making a decision about salary versus passion. For example, a study from the Brookings Institution found that 64 percent would prefer to make $40,000 at a job they love rather than make $100,000 a year in a job they thought was boring.

Security has an edge in this respect because it’s anything but boring. That said, there are some elements of the job that can be more monotonous than others (log review comes to mind). If there are tasks in your department that are less interesting than others, outsourcing or automating these might be in your best interest from a resource retention standpoint. If you can’t do that, you might rotate personnel so that no one person is doing that mundane task exclusively.

Value Matters

In addition to eschewing jobs that are boring, research also suggests that it matters to millennials that their jobs have value. A 2015 study by Deloitte found that about 60 percent of millennials said that a sense of purpose is a key element of why they choose to work where they do. This means it’s important that they feel like they’re making a contribution and advancing the goals of the organization. This can be a bit tricky in the security world. Why? Because too many organizations struggle with directly tying security activities to business value. That’s not to say there isn’t value — quite the contrary — but it can sometimes be hard to directly articulate that value.

There are a few ways to help show the value security teams provide to the business. Bentley University’s Center for Women and Business suggests that having a feedback loop to demonstrate the impact individuals have on the business can be a good strategy. One way to create that loop is through an internal-facing report or bulletin that leverages available metrics and data to highlight key accomplishments and emphasize the value and impact you’ve had on the business. If there is a management dashboard you share with senior leadership, consider publishing an internal version everyone can see. Having a report like this is useful for other purposes beyond team morale since it makes for great marketing back to the business about why the security team should stay involved in the company’s efforts.

Be Flexible

Last, embrace flexibility. Flexible work arrangements such as working from home are important, and working from home in security is not only possible, but often more efficient. However, flexibility in how work gets done is also important, and this is where it’s a little more challenging for some security managers.

For example, maybe team members want to IM each other about the work they’re doing, leverage a software-as-a-service (SaaS) collaboration tool hosted outside your environment or employ open-source technologies such as Docker. Maybe they want to do something that might border on scary because it facilitates how they want to work. It’s important to take these things seriously. And, let’s face it, many security pros are not always known for their willingness to “embrace the new.”

Now, I’m not saying you should immediately take your critical security-relevant information and upload it to some shady SaaS service you don’t trust or that you should allow team members to tweet to each other about security issues they find in the environment; obviously, prudence is warranted. That said, there might be an alternative that lets team members work the way they want to but doesn’t create additional risk. Work with your employees to find a middle ground that lets them work the way they want but is also palatable to the organization from a risk perspective. For many, your caring enough to talk to them about it and work with them collaboratively to find something that will meet their needs will go a long way.

The point is, millennials are a fantastic resource, and creating an environment that is attractive to them can be beneficial to you in return. It may take some flexibility, a willingness to adapt and some sensitivity to make sure the environment is favorable for them to make a home in.
