The following is a guest post by a 2016 Secure360 Twin Cities Gold Sponsor, Anitian.
Like it or not, Millennials will dominate the workforce of the future. Right now, Millennials comprise about 38% of the workforce, and by 2025, that will rise to 50%. For the past year, Anitian has been researching the impact this trend will have on workforce development and information security. This post is the beginning of a series of articles, blog entries, and presentations Anitian will produce based on our research.
Our research shows that few companies are prepared for this change. Among the many issues we have identified, the expectation of automation is one of the most disruptive issues for information security.
The Millennial generation (and to some extent GenX) has come of age in a world of ubiquitous Internet access. Moreover, they have also grown up in a world where significant aspects of their lives are automated.
Consider an obvious example: Google. Prior to the 1990s, if you did not know something, you had to go to a library or search through a book. This was time-consuming, which meant you were motivated to remember whatever you looked up. Google changed all that. It put nearly unlimited information a few keystrokes away and automated the process of searching. The mere fact that Google is a verb proves this. Don’t believe me? Well, Google it.
Consequently, we have a generation of workers who are extremely accustomed to this kind of automation. There are countless other examples: iPhones, Netflix, Facebook, Instagram, Amazon.com, and so forth. All of these are highly automated platforms with ubiquitous access to data that can do a lot of the tedious work of storing, searching, and cataloging. They also provide automated ways to alert or remind us of events.
Millennials expect this kind of access and automation in their lives and workplace. Nothing is more frustrating to a Millennial than being forced to use manual, time-consuming processes. Such processes seem archaic and stupid to them, which causes them to disengage and quit. Millennials trust the cloud more than they trust a piece of paper.
Information security is not immune from this issue. Staring at consoles chasing down every virus alert is stupid to a Millennial (I think it is stupid as well, and I am a GenXer). They expect this kind of work to be automated. Yet, for older executives and directors, this kind of automation is frightening. We hear it all the time in our assessments: “we cannot allow auto-blocking to impede our business.”
Except that is exactly what is happening. The lack of automation is creating an environment where attack, compromise, and theft are more likely. It is naive to think that humans (or any internal incident response process) can work at the speed of the attackers. The “bad guys” exploit automation in every conceivable way. The notion that hackers are all hoodie-wearing kids tapping away on keyboards is the stuff of TV shows, not reality. The sophistication of today’s attackers can outclass some of the largest software vendors in the world. And while a living person may monitor the attacks, it is the compromised servers and content distribution networks that do all the work.
Millennials know this, implicitly. Their whole life has been about automating anything they could. And for them, it seems positively archaic to reject automation, when your enemies have completely embraced it. This means if your information security program is going to be effective with the workforce of the future, it must automate. (It must do other things as well, which we will address in future posts and articles.)
The good news is automation is getting easier. The growth of Security Analytics platforms is allowing organizations to unify and automate large portions of their security monitoring. Leading the Security Analytics market are companies like Cisco, IBM, BlueCoat, ForcePoint (formerly Raytheon/Websense), Palo Alto Networks, and Fortinet.
Emergent companies, like RSA’s Innovation Sandbox winner Phantom, are also developing ways to automate security operations and analysis across disparate platforms. Cisco’s Martin Roesch specifically addressed automation in his RSA Conference keynote as a crucial initiative for their future plans.
Your workforce is changing and your information security must change along with it. If you want to build the next-generation security program, then you need to listen to what the next generation is saying. And they have made a very clear statement: automate or we are out of here.