Citrix’s CSO Stan Black has been in the cybersecurity field for 20 years. He has seen generations of employees come and go at the software and data security company. There are three generations working side by side at Citrix – and a fourth on the way. Citrix has 9,500 employees with 51 percent being Millennials. With each generation comes a new security challenge that employers need to overcome so that eventually enterprise security is second nature by the time future generations are in the workforce.

CSO Managing Editor Ryan Francis recently asked Black how these challenges can be lessened in future generations.

What is the biggest security issue you see of new employees?

One of the biggest challenges new employees face is security integration with new policies and procedures. Security varies by organization – policies, devices, access permissions, etc. The challenge is educating each new employee at the ground level about their role in security and keeping business and their personal information safe and secure. The key is to impart the security business challenges and goals, the employee’s role keeping information locked down, and expectations around access.

How has security evolved with the different generations of employees?

Security has always been a part of technology. It’s just now getting its day in the sun. Up to the early 2000s there was a clear division of work and personal life. Employees had a 9-to-5 schedule, but that’s not the norm anymore. Now that personal and professional lives are blending and employees use multiple devices from various locations throughout the day to access work and personal information, we as security professionals have to focus on securing all that data on every device.
It’s really no longer about locking down a specific device, it’s about locking down the applications and data that devices can access so information is secure on every device, everywhere.

What security characteristics can you connect to each generation?

The challenge is that each generation has had a different experience or holds a different mindset with security. We recently commissioned a study with the Ponemon Institute which found that:

- 55 percent of security and business respondents said that Millennials, born 1981 to 1997, pose the greatest risk of any age group of circumventing IT security policies and use of unapproved apps in the workplace.
- 33 percent said Baby Boomers, born 1946 to 1964, are most susceptible to phishing and social engineering scams.
- 30 percent said Gen Xers, born 1965 to 1980, were most likely to exhibit carelessness in following the organization’s security policies.

We need to take each of these vulnerabilities into account and provide education at each level.

There isn't a single explanation for why Millennials are more likely than other age groups to use unsanctioned technology in the workplace, and it’s important for organizations to recognize that this threat still comes from all generations. Different generations of employees hold different mindsets about security, but it’s important to keep in mind that any employee could fall victim to any type of security incident, regardless of age.

For instance, attackers are not targeting a specific demographic when they are looking to steal information; they’re looking to get the most out of their attacks for the least amount of effort. Creating a security program that educates about the various risks, especially those that take advantage of users, is essential to helping all employees understand what may pose a threat.
While incidents that may be out of a user’s control, such as having a device stolen, may appear to be a quick fix, if there’s any sensitive corporate data stored on that device, the event becomes a much bigger issue for the security team. Millennials, as with any generation of workers, may not know when they’re putting the organization at risk, so education must be the foundation.

How do you balance security awareness training for a diverse workforce made up of those who may be starting in their first professional role and those who may be 20 years into their careers?

While it may seem that there’s a world of differences between employees that are new in their careers and those with decades of experience, in terms of security, work experience is not a reliable measure of one’s security smarts. Security programs differ from organization to organization so allocating resources to educating all employees on your organization’s policies is a crucial first step. Additionally, organizations need to focus on the basics and deliver repeatable, consistent content and guidance. How many people, Boomers or not, fail to perform a basic test of verifying a sender’s email address in a potential phishing attack? Or mouse-over the links in a message to see that “button” doesn’t go to any domain that could possibly be associated with the vendor supposedly sending the email? These are just a couple of the basics, and if everyone practiced the basics we could significantly reduce, if not eliminate, the efficiency of phishing attacks.

Can you put a timeline on a security education program? How do you determine what policies and programs need to be shared within the first few weeks of hire and what can wait until the employee is more settled?
The vast majority, if not all, security education should be delivered in the first 90 days of employment, and some (like incident response training for relevant staff) should be delivered prior to normal schedules and duties “kicking in.” That said, security education should be a continuous process so employees are aware of the evolving trends in the attack landscape and can be on alert for anything that looks out of the norm in their work environment. Additionally, with any organizational restructure, such as expanding a BYOD program, employees should be versed on how this impacts security.

What advice would you give to security teams that are looking to revamp their employee awareness programs, especially as we prepare for Generation Z, an even more tech savvy group than Millennials, entering the workforce?

Educate on the basics, communicate expectations early and often, and invest in detection and enforcement capabilities. Make counsel around enforcement an educational process in the beginning—i.e., don’t start suspending or sacking people straight away for violations, and document the violations and resulting conversations with the employee as “lessons learned.” Use those lessons to improve communications, awareness content, and educational materials for incoming employees. Millennials and Generation Z grew up in a technology-centric world and while they may be more comfortable with digital platforms across a number of devices, the same precautions should be taken to ensure they are educated on how to protect the information they’re sharing or accessing.