Will Millennial CISOs cause a cyber security landslide?
By Gabriella Mousa, CISO @Fora, Sweden & Eward Driehuis, CRO at SecureLink
Yes, you read it well: millennials. That young impatient I want it all, and I want it now, and I am used to getting it all generation. They evolve as fast as technology does, but your environment doesn’t always keep up.
One thing is for sure these new-gen employees who are born with technology are becoming a large part of your workforce. Just like threats, they won’t wait for you to be ready. They’ll install the latest gadgets and won’t ask for your approval, trust me.
The mindset of the CISO contributes to vulnerability
Keeping everything in the well-known fortress is passé. The old model where everything is fully walled doesn’t work for millennials. Many CISOs are already familiar with the result thereof: shadow IT. It is time for CISOs to realize that they need to let their (young) employees run free, in a safe way.
Young, wild & free
How do you let these young foals run free in a secure meadow? As a CISO, it is essential to realize that you manage more than boxes and environments. You manage people. That is why Identity & Access Management (IAM) is of utmost importance. Every employee should get access to the applications and data that are important to perform his/her job, from anywhere, on any device and anytime. However, if you want to add security controls, you can’t make things too complicated. Millennials won’t accept it and will find ways around it.
It’s all about risk management
If they will always find ways around it, then the most important thing to do, is raise end-user awareness. Make them think! It is all about risk management. Moreover, in this case, you can better be on top of it. They’ll do it anyways. So, if they want to share files for example, just provide safe alternatives.
The power of language
Management already knows about cybersecurity. And if they don’t, they aren’t worthy of the C-level position. So, as a CISO, you need to invest more in colleagues that work on an operational level too. Go out and talk to them! They are your ambassadors, your influencers. Don’t ever underestimate their power. You rely on them to protect your business. But in order for them to do so, they need to be aware of the cybersecurity risks first. Don’t talk to them about compliance to framework X and Y. Just, don’t be dramatic about security in general. Speak a language they understand and even involve risks regarding their personal life for example. This will definitely help raise involvement and awareness. This ‘language they understand’ can be different for each department, and every individual.
Millennials are our white hats
Millennials may seem a threat to many, but those ‘many’ are wrong. So wrong. They have a great asset: they challenge the security program. They see things that we don’t see. They question things. They question you. You must realize that their feedback is worth gold!
They might go out and download things recklessly, but it is your job to teach them what they need to pay attention to. This impulsive millennial behavior serves as an extra argument when talking to the board about cybersecurity investments.
Millennials want candy
Millennials millennials… Apart from being used to getting all they want, they want to be rewarded for it as well. As a CISO, this is important knowledge. When they indicate vulnerabilities or when they have passed your phishing tests for example, they expect a pat on the back. Just give it to them. Giving compliments is not that hard, and you get their buy-in in return.
Behind every CISO is a …
As a CISO, you can’t have it all. No, you really can’t. That is why every CISO needs a great team. If you are not the most technical man or woman, then have someone in your team who is. If you don’t know all about the legal stuff, then maybe your DPO can help you out. Maybe there is also a security manager and if you don’t have any of these or if you don’t have enough people to help you out in general, you can always call us, SecureLink.
Meet Gabriella Mousa
She will be a keynote speaker at our Security Bootcamp this fall, in Gothenburg September 27th, Stockholm October 3rd and Malmö October 15th. Register here.
Do you want more information, please don’t hesitate to contact us.