Security and the Generational Divide

The generation gap. It’s a term that has been used for decades to describe the differences between people in various age groups. Corporations are constantly considering what makes different generations tick when it comes to recruiting and retaining employees. But security experts say companies also need to examine age-based perspectives and habits when it comes to risk assessment and policies. Cultural analysts generally divide today’s workplace personnel into three generations: Baby Boomers, Generation X and Generation Y, also known as Millennials. The stereotypes typically go like this:

• Gen Y employees, workers born after 1980, are tech savvy and have a short attention span
• Baby Boomers, born between 1946 and 1965, are loyal and dependable, the original workaholics
• And Gen Xers, once known as the slacker generation born between 1965 and 1980, tend to be cynical and independent.

Companies need to relate to all perspectives in order to create and communicate effective security policies as well as to diffuse ‘potentially explosive situations.’

Stereotypes are useless for predicting the actions and reactions of any one individual. Yet these characteristics do tend to ring true in the workforce at many organizations, according to Roberta Chinsky Matuson, president of Human Resource Solutions, a Massachusetts-based consultancy that regularly advises corporations on generational differences. Companies need to find ways to relate to all perspectives in order to create and communicate effective security policies as well as to diffuse what Matuson terms “potentially explosive situations.”

“From a security standpoint there is a lot of opportunity for misunderstandings,” said Matuson. “We need to educate people about what those are.”

According to the security and HR experts CSOonline spoke with, each generation is prone to engage in risky behavior of different types, and may not understand how their habits are compromising a company’s risk level. A clear example is recent research from security software-maker Symantec. The survey, which was released earlier this year, found that IT managers are at odds with Millennial workers. Among respondents, 66 percent of Millennials said they use Web 2.0 technologies, such as Facebook and YouTube, while at work. Only 13 percent of older workers admitted to logging on to these kinds of Web sites in the office. Meanwhile, Symantec also surveyed IT managers and 50 percent said they have policies specifically banning Web 2.0 applications such as social networking, iTunes, streaming video, and gaming applications. [See Web 2.0 Applications and Sites (and Security Concerns) for specific examples of such sites and application and their attendant risks.]

“For Millennials, there is more blurring of the lines between work and home,” said Samir Kapuria, a managing director with Symantec Advisory Consulting Services, the group that conducted the survey. “They tend to use what they have at home while at work, and this is really forcing corporations to rethink IT risk management.“

The risk, according to Kapuria, is Web 2.0 programs are a huge target now for phishing scams and malicious code attacks. And the implications from these Millennial habits go further than simply putting a corporate IT infrastructure at risk of attack. There are privacy issues to consider, too.

The poll found younger workers regularly store corporate data on personal devices, such as PCs and USB drives, much more than older counterparts. This flies in the face of the 75 percent of corporate IT managers that said they have policies that restrict corporate data and information on personal devices. Symantec also found 85 percent of corporate IT managers have policies restricting download and installation of software on work PCs for personal use.

In Kapuria’s opinion, the key to minimizing risk from younger workers is education.

“I don’t think there is any kind of malicious intent or rebellion on the part of this generation,” said Kapuria. “Companies should consider education programs tailored to this audience as part of their security approach.”

However, educating older workers is equally important, according to Aaron Wilson, chief technology officer in the Managed Security Services division of Science Applications International Corp. Boomers’ lack of familiarity with new technology may make them a risk, too.

“Gen X/Y/Z employees often understand the nuances of the new technologies they bring, whereas Boomers may be equipped with the same technology but not as familiar with all of the functionality,” said Wilson. “This can be dangerous from a security standpoint, for example when understanding the subtle difference between encrypted email on a corporate RIM device versus an unencrypted email on an iPhone. To the uninitiated, it’s all email. To the security team, it’s safety versus possible unintentional exposure of sensitive data.”

Access control and security habits

Security consultant Jack Dowling remembers a simpler time when it came to building access and security.

“There was a time when a new system was put in place and there was an understanding that it took time to get used to. Now, as soon as something doesn’t work&..,” Dowling said, sounding like age-wise veteran reminiscing about the old days. “There are always going to be bugs in electronics. But now glitches are perceived as incompetence on the part of the company.”

Dowling, the president of JD security Consultants LLC in Pennsylvania, has a resume in the field that dates back to the 70’s. He thinks both a high level of technical proficiency, coupled with a lot of impatience on the part of younger workers, makes it difficult for organizations to smoothly integrate new security systems and policies these days.

But despite their youth, it’s actually not Millennials that Dowling thinks pose the biggest threat when it comes to access. Instead, their slightly older peers are the ones you might want to watch out for if you are concerned about access. While Gen Xers have matured and evolved considerably beyond their so-called rebellious earlier days, Dowling says it is still important to key an eye out for this group, which in today’s workforce means workers between 28 and 43 years old.

“They like to reject the rules. The have their own way of doing things,” said Dowling. “They tend to look for ways around the system, may not realize the security value and are probably less likely to comply.”

On the other hand, Millennials, a group whose young lives were defined by 9/11 and who are comfortable with high-security systems, are more likely to comply, said Dowling. But then there is that impatience and short attention span thing again.

“Queuing problems for instance,” said Dowling. “They may be more likely to get frustrated and less likely to comply if that is the case.”

Queuing, or waiting in line, can sometimes be an issue in a security system, depending on how entry control works, said Dowling. For example, an optical turnstile or other system of control may have a line. Impatient users may view this as a waste of time and try to gain access through an exit door and bypass the security protocol for entry, he said.

And as for his own Boomer generation?

“A new system comes into place and they have an understanding that it is there for a reason. They are going to use it and use it the right way.”

Spoken like a true Boomer.

Can’t we all just get along?

All of these different perspectives can no doubt lead to tension among workers. Workplace confrontation is a real concern when it comes to generational differences, according to Matuson.

Understanding different styles of communication is the first step to easing the frustration many older workers may have about their youthful colleagues.

“Some of my more mature clients think younger people are from another planet and don’t have any respect for their elders,” said Matuson. “I think what some of the older workers need to understand it that it’s not that these younger workers don’t hear them. It’s that they listen in a different way.”

In other words, said Matuson, have patience. Understand that while a Millennial is texting in a meeting, he is still listening. He just listens in a different way. If the concept seems a little hard to swallow, consider Matuson’s next piece of advice.

“I often say to clients: When is the last time you successfully changed your childrens’ ways?’ You need to change your approach instead.'”

Joseph A. Kinney, a security consultant in Pinehurst, N.C., often advises clients to develop mentor programs

“I think it’s great if a 50 year old can just go to lunch with a 20 year old and discuss things,” he said.

Hip to be secure

When implementing security policies and systems, corporations need to remember that each generation will see them differently and adhere in their own way. And in some cases, the system may be intimidating for mature employees who aren’t used to technology.

Matuson points to a story she heard from an older client who was waiting in a lobby for a job interview. As the watched scores of younger workers breeze through the building’s very high-tech screening system, he said he had one thought: “I’m not cool enough to work here.”

How effective is a security system if it’s keeping potentially valuable employees away? Organizations should remember that when going forward and make sure every group considered in security—and security communication&plans, Matuson said.