April 27, 2015 By Ed Moyle

Sometimes, a small percentage can make a huge difference. To see this in action, consider the game of blackjack. Play blackjack in a casino with the perfect strategy, and the house is favored by less than 0.5 percent. Count cards, though, and you are favored by about 1 percent. In this case, this spread — a total of less than 2 percent — quite literally means the difference between a multibillion-dollar revenue stream for the casino and a threat considered so dangerous that you are barred from setting foot inside if you are caught.

Similarly, in security management, you want as many of the odds in your favor as you can get. Doing this in practice can involve many factors, and there are an infinite number of ways to improve your game. However, one way to get a clear edge with relatively minimal effort is to improve how you manage talent — in other words, to improve your ability to find, hire and retain the best people you can afford.

Talent management has never been easy, but it has changed and evolved over the past few years. What’s driving this change? Millennials, or those individuals who were born between 1980 and 2000. As millennials continue to enter the workforce in droves, it’s becoming increasingly important that you understand what is important to them and adapt accordingly. Not only is attrition of any staff — millennial or otherwise — a resource drain since finding and training replacements costs money, but younger members of the workforce can also be a source of creativity, energy and innovation. Moreover, you want the best and brightest to go on to become the future leaders of your organization.

Boring Is the New Underpaid

I confess that I always used to hate it when people would make baseless generalizations about my generation (Generation X, if you’re curious), so I’ll try not to do that here. Generalizations aside, though, there has been some systematic research conducted on what millennials find important, respond to and value in the workplace. So while millennials aren’t fungible by any means, having some clue about what they tend to find desirable is a good starting point.

First and foremost, research suggests millennials value jobs that are interesting and challenging. Now, nobody likes a boring job, but millennials are more likely to put their money where their mouth is when it comes to making a decision about salary versus passion. For example, a study from the Brookings Institution found that 64 percent would prefer to make $40,000 at a job they love rather than make $100,000 a year in a job they thought was boring.

Security has an edge in this respect because it’s anything but boring. That said, there are some elements of the job that can be more monotonous than others (log review comes to mind). If there are tasks in your department that are less interesting than others, outsourcing or automating these might be in your best interest from a resource retention standpoint. If you can’t do that, you might rotate personnel so that no one person is doing that mundane task exclusively.

Value Matters

In addition to eschewing jobs that are boring, research also suggests that it matters to millennials that their jobs have value. A 2015 study by Deloitte found that about 60 percent of millennials said that a sense of purpose is a key element of why they choose to work where they do. This means it’s important that they feel like they’re making a contribution and advancing the goals of the organization. This can be a bit tricky in the security world. Why? Because too many organizations struggle with directly tying security activities to business value. That’s not to say there isn’t value — quite the contrary — but it can sometimes be hard to directly articulate that value.

There are a few ways to help show the value security teams provide to the business. Bentley University’s Center for Women and Business suggests that having a feedback loop to demonstrate the impact individuals have on the business can be a good strategy. One way to create that loop is through an internal-facing report or bulletin that leverages available metrics and data to highlight key accomplishments and emphasize the value and impact you’ve had on the business. If there is a management dashboard you share with senior leadership, consider publishing an internal version everyone can see. A report like this is useful beyond team morale, since it makes for great marketing back to the business about why the security team should stay involved in the company’s efforts.

Be Flexible

Last, embrace flexibility. Flexible work arrangements such as working from home are important, and working from home in security is not only possible, but often more efficient. However, flexibility in how work gets done is also important, and this is where it’s a little more challenging for some security managers.

For example, maybe team members want to IM each other about the work they’re doing, leverage a software-as-a-service (SaaS) collaboration tool hosted outside your environment or employ open-source technologies such as Docker. Maybe they want to do something that might border on scary because it facilitates how they want to work. It’s important to take these things seriously. And, let’s face it, many security pros are not always known for their willingness to “embrace the new.”

Now, I’m not saying you should immediately take your critical security-relevant information and upload it to some shady SaaS service you don’t trust or that you should allow team members to tweet to each other about security issues they find in the environment; obviously, prudence is warranted. That said, there might be an alternative that lets team members work the way they want to but doesn’t create additional risk. Work with your employees to find a middle ground that lets them work the way they want but is also palatable to the organization from a risk perspective. For many, your caring enough to talk to them about it and work with them collaboratively to find something that will meet their needs will go a long way.

The point is, millennials are a fantastic resource, and creating an environment that is attractive to them can be beneficial to you in return. It may take some flexibility, a willingness to adapt and some sensitivity to make sure the environment is favorable for them to make a home in.
