Cybersecurity’s Age Old Question

Written by

James Coker explores an under-discussed area of diversity in context of information security – age – and asks whether age really does mean wisdom when it comes to working in the industry

If you’re good enough, you’re old enough’ is a mantra used in many contexts, notably sport. It is a laudable attitude, but one which shouldn’t come at the expense of appreciating the value that older workers, such as Gen-Xers (born 1965-80) and Baby Boomers (1946-64), can bring to many industries.

Henry Rose Lee, an intergenerational specialist and author, believes there is currently a distinct lack of research and understanding of this area. “My research has shown that there is generally a lack of focus on age diversity in all industries,” she explains. As a result, it receives significantly less attention than other aspects of diversity, such as gender and race. “If you look on search engines, you will find a lot on gender and ethnicity and other areas of diversity and inclusion, but there’s very little about age.”

While older generations certainly aren’t underrepresented or discriminated against at the board or C-suite levels, the situation is less clear among the general workforce. Gallup research from 2019 found that many workers in their 50s and 60s felt they were becoming invisible career-wise and were not being offered training opportunities. “Many organizations tend to look at older generations and think ‘they cost us too much money,’ and stop training them as much,” observes Lee.

This is a particular issue in the tech sector, including cybersecurity, as “there is a common misconception that older people can’t or don’t want to use technology,” notes Lorna Armitage, co-founder at CAPSLOCK, a company that reskills adults in cybersecurity. This misconception appears to be getting borne out in the real world. According to a 2018 study by Biscom, nearly half (42%) of the tech workforce are Millennials (1981-96), which compares to 35% of the overall US workforce. Additionally, in the tech space, most professionals are about five years younger than their non-tech counterparts, including those in managerial roles.

Older workers appear to be getting forgotten in the push to build up cybersecurity’s depleted workforce stock, with these generations often viewed as too set in their ways to retrain in such a complex field. Tamzin Greenfield, a 19-year-old junior security analyst at Cyber Security Associates, has observed this dynamic in the early stages of her career. “The world definitely is biased in favor of the young person,” she acknowledges. “We don’t give enough credit to the older generation for paving the way, let alone for making up a significant portion of the people engaging in programs like cyber apprenticeships (which are marketed mainly towards younger people). It’s a monumentally courageous decision to make, entering a new sector that seems entirely marketed at the young generation.”

It doesn’t take a genius to work out that recruiting and retaining older workers could play a major role in closing the well-publicized cyber-skills gap. Considering many societies in the West are aging, “it’s an immense wealth of resource that we can tap into,” points out Armitage.

In addition to widening the cybersecurity talent pool, to paraphrase Bryan Mills in the film Taken, older workers offer a particular set of skills, acquired over a very long career. So what are these exactly?

“It’s an immense wealth of resource that we can tap into”

A Secure Mindset

Earlier in 2022, Lee collaborated with cybersecurity company Appgate to produce the report How Do Generational Differences Impact Enterprise Cybersecurity Teams? This study set out how Baby Boomers and Gen-Xers have many attributes that can significantly benefit cybersecurity teams. Interestingly, one of the benefits was that they tend to be far more security conscious in the digital world than their younger counterparts, whose desire for quick resolutions and ease of access makes them more likely to engage in insecure behaviors. For example, according to the Biscom survey, Millennials are three times more likely to avoid security policies, and 60% admitted they would take the easiest option when handling confidential documents. Additionally, a 2019 study by NTT found that 39% of Millennials admit they would pay a ransom demand, which is nine percentage points higher than those over 30.

“Older generations have a more realistic view that things take longer and are harder to do, whereas young digital natives want speed, flexibility, and frictionless, seamless experiences – that can have a downside,” comments Lee.

Older workers also tend to be able to think deeply through a challenge, avoid distraction and fully focus when required. This is born out of spending their formative years with limited technological assistance compared to today’s world, meaning they are used to finding complex solutions. “They are clever at problem-solving, and they’ve retained those skills,” points out Lee. Such an approach is crucial in cybersecurity, where teams regularly have to focus on mitigating a specific problem or incident.

Teenage coder Greenfield says she “envies” this mindset in her older colleagues. “I find that when people are older, they focus on cultivating one specific thing – so they have one goal and achieve it, and then move onto the next one. This mindset isn’t shared with people my age really. Anyone who knows me knows that I usually have a lot of things on at once; these projects usually share a common goal, but they’re distinctly different. If I had to describe it, I’d say it comes down to a difference in the world we grew up in,” she explains.

According to Lee’s research, Baby Boomers and Gen-Xers are also highly adaptable, including to technology changes. This comes from experiencing numerous changes to how they work throughout their lives, for example, transitioning from mainframe to personal computing. This flies in the face of conventional wisdom about older workers’ ability and desire to embrace modern technologies. Again, it is a mindset well suited to cybersecurity, where there is continuous evolution in technologies used and techniques employed by cyber attackers.

It is an attribute CAPSLOCK’s Armitage observes every day. She estimates that 20-30% of those who enroll in the firm’s cybersecurity reskilling programs are over 40, with these candidates having “excellent outcomes.” Indeed, “the feedback we get from employer partners is that they’re head and shoulders above anybody else that they take in at this level.”

“The feedback we get from employer partners is that they’re head and shoulders above anybody else that they take in at this level”

Imparting Wisdom

In March 2022, telecom giant BT announced a cybersecurity reskilling program for its employees in collaboration with CAPSLOCK. Two Gen-Xers who successfully completed the program’s first cohort, Bhupendra Sonney and Gemma Mullins, tell Infosecurity about their experiences in retraining in cybersecurity following many years of customer-facing roles at BT. Mullins describes the program as “the most intensive study I’ve ever experienced.” She continues: “So I know I needed to put the hours in to understand and retain the information.” Sonney demonstrated similar fortitude, paying tribute to his family for allowing him the time to study at home.

Both acknowledge they did not have the same knowledge of modern technologies as their younger counterparts on the course (although they have experience in technical-based roles). “I’ve been brought up with pen and paper,” notes Mullins. However, they pointed to the importance of the soft skills they had developed, such as communication and mindset, in completing the course. Encouragingly, these were attributes that they were able to impart to younger colleagues. In an especially heartfelt example, Mullins read out feedback she received from a 23-year-old woman she collaborated with closely on the course:

“She’s taught me to be confident in asking questions and networking as much as possible. In this course, working as a team isn’t all about helping each other technically; it is also about emotional support when things get intense and Gemma has been the biggest supporter to all of us and has shown me that no matter what point I’m at in life I can still aim for something bigger and I can still go for what I want.”

Sonney was similarly able to demonstrate the importance of communication and attitude to younger colleagues. Among the key lessons they gained from working with him were “confidence goes a long way,” “ask questions” and “keeping calm while working with others under tense times pays off.”

This impact isn’t surprising when you think about it. Armitage notes: “You can’t discount people’s life experiences; for example, a lot will have families. So I think it’s looking at those all-round transferable skills they bring, from general life experience and the careers they’ve already had.”

In her experience, 19-year-old Greenfield agrees that older workers’ life skills can greatly benefit younger co-workers with limited life experience. “There are loads of attributes that older workers have that are truly enviable. Most prominent is their self-confidence. Obviously, this is a question that incites a lot of generalizing, but I do admire older workers for their maturity and confidence in the workplace.

“They can be an incredible support for younger workers, especially people like myself who joined at a very young age, as they have a better understanding of the workforce and how jobs work.”

One Piece of the Diversity Puzzle

It is clear that cybersecurity teams would benefit enormously from attracting and retaining a larger portion of older workers. This is in terms of the size of the talent pipeline, particularly as societies and retirement ages get ever older, but also regarding the unique skills and experience they can bring to teams. The cases of Mullins and Sonney demonstrate that negative perceptions about the abilities of older generations to develop new skills, including in tech, are misplaced. In the right environment, with proper support and encouragement, these individuals can thrive. This includes helping them overcome ‘imposter syndrome.’ Prior to the course, Mullins explains how BT “assured me I was capable so I thought ‘if they believe in me then I believe in me,’ and I’m eternally grateful.”

Sonney thinks that if approached correctly, cybersecurity can be a very attractive industry for older workers. “Across the board, cybersecurity roles offer competitive pay, growth opportunity, job security, exciting day-to-day tasks and the chance to make a difference. Dive in with both feet and don’t look back,” he advises.

Overall, age should be seen in the broader diversity context, another opportunity for cybersecurity teams to gain a wider range of perspectives and skills. This is increasingly important amid rapidly evolving tactics and techniques from cyber-threat actors. Diversity of age, alongside more commonly discussed aspects like gender, race and neurodivergence, all need greater emphasis for the cybersecurity sector to cope with growing pressure over the coming years.

Perhaps 19-year-old Greenfield says it best: “Our workforce only benefits when we recognize and value the input of all people, old, young, technical and non-technical. Why would we not want to take advantage of that?”

It’s time to put those particular sets of skills to use.

What’s hot on Infosecurity Magazine?