It’s been estimated that just 12% of the cybersecurity workforce is under 35, with gaps between what hiring managers prioritize and what they feel millennials offer as employees. Michael Hill explores
“The children now love luxury; they have bad manners, contempt for authority; they show disrespect for elders and love chatter in place of exercise.”
Taking into account the titular topic of this feature, you’d be forgiven for assuming the above might refer to the demographic cohort known as ‘millennials’; that is, the ‘echo boomers’ typically born in the mid-1980s through to the late 90s and early 2000s.
In fact, the opening words of this article are commonly attributed to Socrates in the 4th century AD, evidence that feelings of discontent and unease towards younger generations are nothing new. However, the issue of how that relates to millennials in the modern-day cybersecurity workforce is particularly interesting.
Definitions of millennials can differ – depending on who you ask, they can be considered tech-savvy, entrepreneurial, pragmatic, liberal and ambitious – surely traits ideally suited to a sector as fast-paced and innovative as cybersecurity? Conversely, it’s not unheard of for them to be colored as impatient, disloyal, ‘all the same’ and even lacking certain basic communication skills – less desirable qualities indeed.
Opinions aside, despite the industry suffering from a major cyber-skills crisis that is − according to the eighth (ISC)2 Global Information Security Workforce Study (GISWS) − expected to result in a shortage of 1.8 million professionals by 2022, statistics have suggested just 12% of the cybersecurity workforce is under the age of 35.
A perplexing conundrum; as the fastest growing demographic, millennials are critical for filling any employment gap, not just that affecting cyber. Nonetheless, the GISWS – which surveyed over 19,000 cybersecurity professionals – showed clear dissimilarities between what hiring managers prioritize and what they feel millennials offer as employees, leaving many to question whether they are the best candidates for cybersecurity roles. As a result, only 6% of UK respondents said their organization will recruit university graduates.
Is there really something about the nature of millennials that makes them unsuitable for the information security workforce? Are companies just getting it wrong when it comes to hiring, managing and getting the best out of them? Is it a combination of the two, or something else entirely?
Is it Mill You’re Looking For?
A good place to start is to assess what hiring managers look for in a security professional. Speaking to Infosecurity, Raj Samani, chief scientist and fellow at McAfee, says that whilst the skills required for a role can vary depending on the job, he considers a good attitude and passion as the most important traits to look for.
“It is all about having a genuine enthusiasm for the work we do,” he adds. “Whether an applicant is a millennial or if they have over 20 years of experience under their belt, as long as they have that enthusiasm and can demonstrate this then they will be able to slot perfectly into my team. We recognize that different backgrounds mean not everyone has equal access to education, making that initial enthusiasm more important to us.”
Darren Thomson, CTO & vice-president EMEA for Symantec, explains that whilst technical skills can help get candidates through the door, in such a rapidly evolving industry, anyone who wants to get into cybersecurity based purely on their technical skills will get left behind.
“We [therefore] look for open minds, resilience and people who demonstrate the ability to absorb a wide range of information whilst retaining an eye for detail,” he says. “A successful career will be defined by the candidate’s adaptability and resilience.”
Amanda Finch, general manager at the Institute of Information Security Professionals (IISP), explains that when measuring the competency of security professionals, the IISP would expect them to demonstrate interpersonal skills, understand business requirements and be able to work effectively with their peers.
When it comes to millennials, she adds, they should be “bright and inquisitive, with a thirst for knowledge and enthusiasm to make a difference.” “The cybersecurity industry needs a diverse range of learnt and natural skills.”
So, for Samani, Thomson and Finch, passion, adaptability and a willingness to learn are some of the key attributes of a security professional. What’s noticeably apparent is that years of experience is not considered a necessity in their opinions. That would come as good news to many millennials looking for their first step in a career in information security.
However, this is at odds with findings from the GISWS, which indicated that many employers are closing the door on much of the millennial generation by refusing to hire and train inexperienced recruits. Only 10% of UK respondents said that the most demand for new hires is at entry level, with 93% admitting previous cybersecurity experience is an important factor in their hiring decisions.
What’s clear is that whilst some hiring managers are willing to look past the traditional ‘five-year hires’ to unearth talent with raw qualities that can be nurtured instead of purely focusing on experience, there are many that are not.
“The complexities and increasing breaches and attacks often force organizations to focus on staffing experienced people that are ready to perform, clouding the appreciation for short- and long-term cybersecurity capabilities,” says David Shearer, CEO, (ISC)2.
With companies simply looking for experienced hires, people wanting to break into the profession struggle to get their first breaks, Finch points out.
Mill Misconceptions
Could this actually go beyond a reluctance to hire millennials based only on a lack of experience though? Could stereotypes and misconceptions about the generation be contributing factors that damage their chances of getting employed in the industry? Shearer thinks this is something that certainly can, and does, happen.
“Stereotypes are often a result of failing to understand our differences,” he explains. For example, older generations are more accustomed to staying in a job and a company for long portions of their career, whereas millennials enjoy changes in work responsibilities and environments, and so are more likely to seek career moves. “This can be misconstrued as lacking loyalty.”
Likewise, millennials prefer technology-based communications such as instant messaging services, leading to concerns about whether they have enough patient, interpersonal communication skills for the enterprise. There are also worries about how distinctions in privacy between the workplace and home can be problematic for a cohort so accustomed to using services like social media to share information on a daily basis.
“Millennials have a lot to offer, but it can be challenging to look beyond the stereotypes to see that,” Shearer admits. “We need to get beyond such generalizations, and understand what genuinely motivates millennials.”
Appeal to the Mill
An ageing cyber-workforce is inevitably edging ever closer towards retirement, and not only do the gaps left behind need to be filled by the younger generation, but they need to be filled differently than they have been in the past. Hiring companies not only have to accept that; the responsibility to do something about it will fall on their shoulders.
“All organizations [therefore] need to rethink how they recruit millennials,” says Shearer. “It’s absolutely critical that organizations understand what millennials value in an employer – like mentorship, training and sense of purpose – and position themselves as an attractive, rewarding career opportunity for this generation.” Shearer is accurate: 65% of millennials believe organizational training programs are very important.
Finch agrees, adding that, with the high cost of recruitment, you want people to stay for at least three to five years to maximize investment in them. However, as millennials are the most likely to voluntarily change or turn down jobs if they feel what they’re being offered isn’t enough, it’s important to create an enticing working environment that appeals to them in the first place.
“As millennials develop they should be encouraged to recognize their own skill sets and mentoring will help them to realize their full potential and select the right career paths,” says Finch. “Apprenticeship schemes provide an ideal earn as you learn pathway to nurture and rapidly shape new talent to fill much needed roles at relatively lower wage levels. The investment in teaching and mentoring more than balances the endless spend on the recruitment of experienced hires.”
It’s also about debunking “many prevailing misconceptions about what it means to be a cybersecurity professional,” adds Shearer, and in doing so, creating a culture of diversity that appeals more to the millennial cohort than any other (46% of millennials think role diversity is very important compared to 31% of boomers and 33% of Gen X, according to the GISWS).
“Cybersecurity is much broader than people often think and creates exciting, enriching career opportunities throughout organizations, touching every department.” Recruitment messaging should be tailored around that diversity.
A diverse role is also likely to be a flexible one, and there is a wide range of research which shows that millennials are not only well-suited to that but consider having the option to work from home/remotely, travel for business, choose flexi-time hours and bring their own devices into the workplace to be some of the most important aspects of a role.
“In order to recruit and retain the best talent, businesses have to adapt,” Thomson advises. “For us, the best approach is allowing enough flexibility for each individual to find the most productive way of working – meeting their personal needs alongside that of the company.”
As Francesca MacFarlane, a 28-year-old consultant at cybersecurity company Templar Executives, tells Infosecurity, getting those things right can make a big difference in attracting millennials into the industry.
“As a millennial, being tested and pushed out of my comfort zone is important to me, as is achieving tangible goals,” she explains. “Cybersecurity was attractive to me because I wanted to go into a career where I felt I was genuinely helping protect people and an industry I deemed most exciting and one that is constantly changing.”
Where There’s a Mill, There’s a Way
Rethinking hiring processes, looking beyond ‘off-the-shelf’ experience to put money and time into long-term training, trusting in the ability and potential of a cohort of society of whom there are so many misconceptions – the obvious question companies will ask is: Why? Other than plugging gaps, what do millennials and the younger generation offer the security industry that older workers might not?
For Fiona Boyd, head of security operations, EMEIA, Fujitsu, the answer is clear: “Young people bring energy and insight into our organization – their enthusiasm is limitless and the existing team relish mentoring and working alongside new talent. Their views help us in many ways, bringing new insight into views on cyber-attacks but also what attracts and retains talent.”
MacFarlane agrees, adding that “millennials have had the benefit of growing up with constantly changing technology and therefore expect developments – they aren’t scared by them and adapt to them intuitively.”
So can the way in which millennials understand and manipulate data actually open doors to new, even better security approaches?
Their views and judgement will affect all of us as they manage the next data breach and security models governing our private information, says Morey J. Haber, vice-president of technology, Office of the CTO – BeyondTrust.
“Their choices may change the way we secure information and what is actually considered sensitive, and what is not. To that end, exploring their views on what is personally identifiable information, what is immoral data, and what can be shared publicly will change the way we view the world for the next generation.”
The time has come for companies to fully turn their focus to hiring millennials into the security industry. There are growing numbers of millennials studying cyber-related courses at school and university, with more and more educational bodies offering them the opportunity to do so. As a result, we will see more young people leave education eager for an opportunity to apply their learned knowledge in the working world. In the same breath, it’s never been clearer that information security is not solely a technical discipline anymore and requires just as many ‘soft skills’ as tech knowhow – suggesting there is a real place for all-comers with the right attitude and an eagerness to make a difference.
What could be more disappointing for information security than losing out on those very people just because they don’t have years of experience? Equally, it would be tragic to lose them based on a misconception that a career in cybersecurity is not inclusive, diverse or exciting enough, especially given the knowledge that it absolutely is.