Automate Security or Face the Wrath of the Millennials

Like it or not, Millennials will dominate the workforce of the future. Right now, Millennials comprise about 38% of the workforce, and by 2025, that will rise to 50%. For the past year, Anitian has been researching the impact this trend will have on workforce development and information security. In short, most companies are not equipped for this change. Among the many issues we have uncovered,automation is one of the most disruptive to information security.

The Millennial generation has grown up surrounded with ubiquitous Internet access. Moreover, they have also grown up in a world where significant aspects of their lives are automated.

Consider an obvious example:  Google. Prior to the 1990s, if you did not know something, you had to go to a library or search through a book. This was time consuming, which meant you were motivated to remember whatever you looked up. Google changed all that. It put nearly unlimited information a few keystrokes away and automated the process of searching. The mere fact that Google is a verb proves this. Don’t believe me? Well, Google it.

Consequently, we have a generation of workers who are extremely accustomed to this kind of automation. There are countless other examples:  iPhones, Netflix, Facebook, Instagram, Amazon.com, and so forth…all of these are highly automated platforms with ubiquitous access to data that can do a lot of the tedious work of storing, searching and cataloging. They also provide automated ways to alert or remind us of events.

Millennials expect this kind of access and automation. Nothing is more frustrating to a Millennial than being forced to use manual, time-consuming processes. They seem archaic and stupid. This results in disengagement, and eventually, they quit and go elsewhere. Millennials trust the cloud more than they trust a piece of paper.

Information security is not immune from this issue. Sitting at consoles chasing down every virus alert is stupid to a Millennial (I think it is stupid as well, and I am a GenXer). They expect this kind of work to be automated. However, for older executives and directors, this kind of automation is frightening. We hear it all the time in our assessments:  “We cannot allow security to impede the business.”

Except, that is exactly what is happening. The lack of automation is creating an environment where attack, compromise and theft are more likely. It is naive to think that humans (or any internal incident response process) can work at the speed of the attackers. The “bad guys” leverage automation in every conceivable way possible. The notion that hackers are all hoodie-wearing kids with tattoos tapping away on keyboards is the stuff of TV shows, not reality. The bad guys are global, sophisticated and highly automated. The sophistication of today’s attackers can outclass some of the largest software vendors in the world. And while a living person may monitor all the attacks, it is the compromised servers and content distribution networks that do all the work.

Millennials know this, implicitly. Their whole life has been about automating anything they could. And for them, it seems positively archaic to reject automation, when your enemies have completely embraced it. This means if your information security program is going to be effective with the workforce of the future, it must automate.

The good news is automation is getting easier. The growth of security analytics platforms is allowing organizations to unify and automate large portions of their security monitoring. Leading security analytics market are companies like Cisco, IBM, Blue Coat, Forcepoint (formerly Raytheon|Websense), Palo Alto Networks and Fortinet. Emergent companies like Phantom are exciting, as they can provide cross-platform automation.

Your workforce is changing and your information security must change along with it. If you want to build the next generation security program, then you need to listen to what the next generation is saying. And they have made a very clear statement:  automate or we are out of here.

Andrew Plato will speak on Insider Threats at the North America CACS 2016 2-4 May in New Orleans, Louisiana. He is a veteran author, speaker and industry analyst on matters of IT security, risk management and compliance.

Andrew Plato, CISSP, CISM, QSA, President/CEO, Anitian

[ISACA Now Blog]