Citrix’s CSO Stan Black has been in the cybersecurity field for 20 years. He has seen generations of employees come and go at the software and data security company. There are three generations working side by side at Citrix – and a fourth on the way. Citrix has 9,500 employees, 51 percent of them Millennials. With each generation comes a new security challenge that employers need to overcome, so that eventually enterprise security is second nature by the time future generations are in the workforce. CSO Managing Editor Ryan Francis recently asked Black how these challenges can be lessened in future generations.
What is the biggest security issue you see of new employees?
One of the biggest challenges new employees face is security integration with new policies and procedures. Security varies by organization – policies, devices, access permissions, etc. The challenge is educating each new employee at the ground level about their role in security and in keeping business and their personal information safe and secure. The key is to impart the security business challenges and goals, the employee’s role in keeping information locked down, and expectations around access.
How has security evolved with the different generations of employees?
Security has always been a part of technology. It’s just now getting its day in the sun. Up to the early 2000s there was a clear division of work and personal life. Employees had a 9-to-5 schedule, but that’s not the norm anymore. Now that personal and professional lives are blending and employees use multiple devices from various locations throughout the day to access work and personal information, we as security professionals have to focus on securing all that data on every device. It’s really no longer about locking down a specific device, it’s about locking down the applications and data that devices can access so information is secure on every device, everywhere.
What security characteristics can you connect to each generation?
The challenge is that each generation has had a different experience or holds a different mindset with security. We recently commissioned a study with the Ponemon Institute which found that:
- 55 percent of security and business respondents said that Millennials, born 1981 to 1997, pose the greatest risk of any age group of circumventing IT security policies and use of unapproved apps in the workplace.
- 33 percent said Baby Boomers, born 1946 to 1964, are most susceptible to phishing and social engineering scams.
- 30 percent said Gen Xers, born 1965 to 1980, were most likely to exhibit carelessness in following the organization’s security policies.
We need to take each of these vulnerabilities into account and provide education at each level.
There isn't a single explanation for why Millennials are more likely than other age groups to use unsanctioned technology in the workplace, and it’s important for organizations to recognize that this threat still comes from all generations. Different generations of employees hold different mindsets about security, but it’s important to keep in mind that any employee could fall victim to any type of security incident, regardless of age.
For instance, attackers are not targeting a specific demographic when they are looking to steal information; they’re looking to get the most out of their attacks for the least amount of effort. Creating a security program that educates about the various risks, especially those that take advantage of users, is essential to helping all employees understand what may pose a threat. While incidents that may be out of a user’s control, such as having a device stolen, may appear to be a quick fix, if there’s any sensitive corporate data stored on that device, the event becomes a much bigger issue for the security team. Millennials, as with any generation of workers, may not know when they’re putting the organization at risk, so education must be the foundation.
How do you balance security awareness training for a diverse workforce made up of those who may be starting in their first professional role and those who may be 20 years into their careers?
While it may seem that there’s a world of differences between employees that are new in their careers and those with decades of experience, in terms of security, work experience is not a reliable measure of one’s security smarts. Security programs differ from organization to organization so allocating resources to educating all employees on your organization’s policies is a crucial first step. Additionally, organizations need to focus on the basics and deliver repeatable, consistent content and guidance. How many people, Boomers or not, fail to perform a basic test of verifying a sender’s email address in a potential phishing attack? Or mouse-over the links in a message to see that “button” doesn’t go to any domain that could possibly be associated with the vendor supposedly sending the email? These are just a couple of the basics, and if everyone practiced the basics we could significantly reduce, if not eliminate, the efficiency of phishing attacks.
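The two "basics" Black lists above, checking the sender's real address and checking where a link actually goes, can also be run as an automated check over a suspicious message. The following is an added example, not code from the interview or from Citrix, that parses a constructed sample email, compares the sender's domain and each link's destination domain against the vendor domain the message claims to come from, and reports every mismatch. The vendor domain, headers and links are placeholders invented for the illustration.

```python
"""Added example (not from the interview): automate the two phishing basics
the answer above describes -- check the sender's real address and check
where each link actually goes -- against a constructed sample message.
The vendor domain, sample headers and links are assumptions made up here."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Adequate for the sample; production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body, so the button
    text a user sees can be compared with the destination they do not see."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def check_message(raw: bytes, expected_vendor_domain: str) -> list[str]:
    """Return human-readable findings for the mismatches a user is asked to
    spot by hand: the sender's domain and every link's destination domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if registrable_domain(sender_host) != expected_vendor_domain:
        findings.append(
            f"sender {addr!r} (shown as {display_name!r}) is not on {expected_vendor_domain}"
        )
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != expected_vendor_domain:
            findings.append(f"link {text!r} goes to {host}, not {expected_vendor_domain}")
    return findings


# Constructed sample: the display name and the "Pay now" button claim the
# vendor, but the sender address and that link's target do not. The domains
# use reserved placeholder TLDs and are not real.
SAMPLE = b"""From: "Example Vendor Billing" <billing@example-vendor-support.invalid>
To: employee@company.example
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is overdue. <a href="https://login.example-vendor.invalid/pay">Pay now</a></p>
<p>Questions? <a href="https://example-vendor.example/help">Help center</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE, "example-vendor.example"):
        print("FLAG:", finding)
```

Run against the sample, the check flags the sender address and the "Pay now" link and leaves the genuine help-center link alone, which is exactly the result a user doing the mouse-over test by hand should reach. The domain comparison is deliberately simple; a real mail-filtering deployment would also handle tracking redirectors and use a public-suffix list rather than the last two labels.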
Can you put a timeline on a security education program? How do you determine what policies and programs need to be shared within the first few weeks of hire and what can wait until the employee is more settled?
The vast majority, if not all, security education should be delivered in the first 90 days of employment, and some (like incident response training for relevant staff) should be delivered prior to normal schedules and duties “kicking in.” That said, security education should be a continuous process so employees are aware of the evolving trends in the attack landscape and can be on alert for anything that looks out of the norm in their work environment. Additionally, with any organizational restructure, such as expanding a BYOD program, employees should be versed on how this impacts security.
What advice would you give to security teams that are looking to revamp their employee awareness programs, especially as we prepare for Generation Z, an even more tech savvy group than Millennials, entering the workforce?
Educate on the basics, communicate expectations early and often, and invest in detection and enforcement capabilities. Make counsel around enforcement an educational process in the beginning—i.e., don’t start suspending or sacking people straight away for violations, and document the violations and resulting conversations with the employee as “lessons learned.” Use those lessons to improve communications, awareness content, and educational materials for incoming employees. Millennials and Generation Z grew up in a technology-centric world and while they may be more comfortable with digital platforms across a number of devices, the same precautions should be taken to ensure they are educated on how to protect the information they’re sharing or accessing.