Sometimes, a small percentage can make a huge difference. To see this in action, consider the game of blackjack. Play blackjack in a casino with the perfect strategy, and the house is favored by less than 0.5 percent. Count cards, though, and you are favored by about 1 percent. In this case, this spread — a total of less than 2 percent — quite literally means the difference between a multibillion-dollar revenue stream for the casino and a threat considered so dangerous that you are barred from setting foot inside if you are caught.

Similarly, in security management, you want as many of the odds in your favor as you can get. Doing this in practice can involve many factors, and there are an infinite number of ways to improve your game. However, one way to get a clear edge with relatively minimal effort is to improve how you manage talent — in other words, to improve your ability to find, hire and retain the best people you can afford.

Talent management has never been easy, but it has changed and evolved over the past few years. What’s driving this change? Millennials, or those individuals who were born between 1980 and 2000. As millennials continue to enter the workforce in droves, it’s becoming increasingly important that you understand what is important to them and adapt accordingly. Not only is attrition of any staff — millennial or otherwise — a resource drain since finding and training replacements costs money, but younger members of the workforce can also be a source of creativity, energy and innovation. Moreover, you want the best and brightest to go on to become the future leaders of your organization.

Boring Is the New Underpaid

I confess that I always used to hate it when people would make baseless generalizations about my generation (Generation X, if you’re curious), so I’ll try not to do that here. Generalizations aside, though, there has been some systematic research conducted on what millennials find important, respond to and value in the workplace. So while millennials aren’t fungible by any means, having some clue about what they tend to find desirable is a good starting point.

First and foremost, research suggests millennials value jobs that are interesting and challenging. Now, nobody likes a boring job, but millennials are more likely to put their money where their mouth is when it comes to making a decision about salary versus passion. For example, a study from the Brookings Institution found that 64 percent would prefer to make $40,000 at a job they love rather than make $100,000 a year in a job they thought was boring.

Security has an edge in this respect because it’s anything but boring. That said, there are some elements of the job that can be more monotonous than others (log review comes to mind). If there are tasks in your department that are less interesting than others, outsourcing or automating these might be in your best interest from a resource retention standpoint. If you can’t do that, you might rotate personnel so that no one person is doing that mundane task exclusively.

Value Matters

In addition to eschewing jobs that are boring, research also suggests that it matters to millennials that their jobs have value. A 2015 study by Deloitte found that about 60 percent of millennials said that a sense of purpose is a key element of why they choose to work where they do. This means it’s important that they feel like they’re making a contribution and advancing the goals of the organization. This can be a bit tricky in the security world. Why? Because too many organizations struggle with directly tying security activities to business value. That’s not to say there isn’t value — quite the contrary — but it can sometimes be hard to directly articulate that value.

There are a few ways to help show the value security teams provide to the business. Bentley University’s Center for Women and Business suggests that having a feedback loop to demonstrate the impact individuals have on the business can be a good strategy. One way to create that loop is through an internal-facing report or bulletin that leverages available metrics and data to highlight key accomplishments and emphasize value and impact you’ve had on the business. If there is a management dashboard you share with senior leadership, consider publishing an internal version everyone can see. Having a report like this is useful for other purposes beyond team morale since it makes for great marketing back to the business about why the security team should stay involved in the company’s efforts.

Be Flexible

Last, embrace flexibility. Flexible work arrangements such as working from home are important, and working from home in security is not only possible, but often more efficient. However, flexibility in how work gets done is also important, and this is where it’s a little more challenging for some security managers.

For example, maybe team members want to IM each other about the work they’re doing, leverage a software-as-a-service (SaaS) collaboration tool hosted outside your environment or employ open-source technologies such as Docker. Maybe they want to do something that might border on scary because it facilitates how they want to work. It’s important to take these things seriously. And, let’s face it, many security pros are not always known for their willingness to “embrace the new.”

Now, I’m not saying you should immediately take your critical security-relevant information and upload it to some shady SaaS service you don’t trust or that you should allow team members to tweet to each other about security issues they find in the environment; obviously, prudence is warranted. That said, there might be an alternative that lets team members work the way they want to but doesn’t create additional risk. Work with your employees to find a middle ground that lets them work the way they want but is also palatable to the organization from a risk perspective. For many, you caring enough to talk to them about it and work with them collaboratively to find something that will meet their needs will go a long way.

The point is, millennials are a fantastic resource, and creating an environment that is attractive to them can be beneficial to you in return. It may take some flexibility, a willingness to adapt and some sensitivity to make sure the environment is favorable for them to make a home in.
