By Anthony Lim, CSSLP
By 2025, millennials and older members of Gen Z will make up the majority of the global workforce. They are challenging traditional processes and deploying new technologies for work, home, play, communications, transactions and social activities. As such, it’s essential to understand the millennials’ impact on every industry, and in particular, ours.
Millennials’ immersion in the latest technologies is the force behind accelerating digital transformations (DX) of economic and social relationships. DX-driven businesses such as Amazon, Netflix and PayPal have not just been successful; they have rendered many non-digital legacy competitors obsolete.
In the workplace — before and in response to the then-evolving COVID-19 pandemic — mobile computing, cloud services, online banking and shopping, bring-your-own-device (BYOD) models and big data analytics are standard DX drivers.
Newer technologies such as artificial intelligence (AI), augmented reality (AR) and virtual reality (VR) are now essential to working millennials and Gen Z (and, by extension, blockchain, the Metaverse, NFTs and Web3). These generations are often dissatisfied with older technologies in the office and, studies show, prefer high-tech offices equipped with AR/VR and good 24x7 connectivity over previously popular perks such as free snacks or a game room.
That is, if they even spend time at the office. Like all employees, they’ve become accustomed to working from home since 2019/2020 and, at best, prefer a hybrid work environment as they seek a better work-life balance, even as the pandemic lockdowns ease.
Understanding the Millennial Cybersecurity Gap
The proliferation of devices added to corporate networks is rapidly stretching the attack surface and creating unforeseen vulnerabilities. While 45% of millennials say they do not trust companies to keep their personal data safe and do not share it, they tend to be relatively careless about device and application security. A survey of 3,359 people between the ages of 18 and 26 in nine countries found:
- 63% click on potentially dangerous links
- 42% share passwords with non-family members
- 74% in the U.S. use unsecured public Wi-Fi despite well-documented security risks
One reason for this apparent lack of vigilance is their seeming need for “instant gratification” while multi-tasking on their electronic devices. They don’t pause to double-check whether a link is safe to click on or a public Wi-Fi network is safe to use, and if a web page or service takes too long to load (the wheel icon rotating on a grayed-out screen), they will not bother to wait; they immediately switch to another service or do something else.
Millennials eager to reap the benefits of new technologies must be mindful of keeping valuable data within their devices secure, and understand why protecting devices and accounts is essential to growing an organization and critical to driving cybersecurity efforts.
Rapid technology change. Technology product and service lifecycles are getting shorter, and the pace of change is even faster for consumer devices. Cybersecurity teams must be more agile than ever to quickly understand how to defend a technology or business process before it evolves, or becomes a new attack vector for hackers or malware.
Threat landscape dynamics. New technologies expand the threat landscape in unexpected ways. Photos or videos shared on social media can contain hidden malicious code that breaches the corporate network, and unsecured IoT devices on the network can become access points for threats. Additionally, newer AR, VR and AI devices are just as vulnerable to breaches. Furthermore, photos or data shared freely on public social media networks may be exploited and lead to “external threat intelligence” issues.
Seamless security. Clunky, elaborate passwords and one-time security codes often interfere with the user experience and delay access to a product. Biometric fingerprint sensors, face recognition and single sign-on access offer more user-friendly security that doesn’t inhibit device interaction.
Increasing oversight. Many governments, industry groupings and businesses are increasing regulation and oversight of digital processes, in particular to safeguard personal data (in the spirit of, for example, the far-reaching GDPR, the European Union’s General Data Protection Regulation). And in response to a proliferation of malicious content, Facebook/Meta, Google/YouTube, Instagram and Twitter have at least attempted, or are considering, to crack down on those who provoke it and to remove unacceptable content that has been posted.
Best Practices for Cybersecurity Leaders
Measures to build security into products and services need to consider the user dynamics of millennials and future generations. Following are some best practices security leaders can take to align cybersecurity with DX:
- Recognize the reality of DX.
Digital transformations generate tremendous opportunities for business owners (and cybercriminals alike). The best way to avoid malicious threats is to force the bad actors to react to your moves rather than the other way around. Transparency and unified controls across the entire attack surface and the different security elements that comprise the security infrastructure are required. It also involves streamlining and automating security workflows and threat intelligence, helping overburdened security teams to keep up with the advanced threat landscape, and shrinking the windows from detection to prevention and from intrusion to response/remediation. On top of this, smart buildings, smart cities and even smart nations are a reality today, accompanied by 5G telecoms and emerging Industry 5.0.
- Build security into new initiatives – take a risk-based approach.
Every business spending plan should include a section covering cybersecurity risks, countermeasures, investments and operational processes to safeguard the initiative. Such intentions are not new, but over the past couple of decades they have not been put into practice as quickly as desired. Unexpected events or breaches can uproot even the most well-conceived plans in which cybersecurity, safety and risks have been overlooked.
- Speed threat detection, assessment and remediation.
Focus new cybersecurity investments on improving real-time threat intelligence, threat analytics, asset and risk prioritization and response-and-recovery capabilities. Because DX emphasizes mobile and widely distributed, often cloud-based IoT devices and services, endpoint protection and network access control should also be emphasized (hence today’s XDR, extended detection and response, offerings, which grew out of EDR, endpoint detection and response). Nonetheless, this will take a more integrated approach than traditional desktop/laptop-focused endpoint protection. (Don’t forget the mobile phones and laptops, and soon the Metaverse AR/VR devices, as well as the Fitbits, Teslas and other IoT devices, at work, at home and in industry.)
- Understand government regulations.
Knowing the regulatory, compliance and legal implications of ongoing and new digital business initiatives is essential. Even industry (e.g., banking and finance, healthcare, telecoms, energy, supply-chain, cloud …) and geographically defined standards and frameworks can influence legislation beyond immediate impact areas. They can also set user expectations for global fair practices.
- Hire more millennials on your security team.
Millennials can bring an organization up to speed with insights on new technologies and how to secure them. No one knows better how their generation perceives and reacts to cybersecurity measures. However, we must remember to appropriately and sufficiently empower them in planning, researching and managing work technologies, so as to reap the benefits of deploying what they see and how they think into our business and organizational practices and offerings. (Otherwise, they will not hesitate to just quit.)
Millennials and Gen Z have set the bar for the global economy and cybersecurity. As these generations continue to enter the workforce, and also become the managers and entrepreneurs, we need to be prepared for the development of more innovative, industry-bending products and services incorporating the latest technologies. Security leaders must keep cybersecurity at the forefront of best-practice initiatives to ensure future innovations remain both life-changing and safe for one and all.
Anthony Lim, CSSLP, is the ISC2 Singapore Chapter’s advocate and was also on the team that built the CCSP. He is also a father to two millennial daughters. The original version of this feature was published in Fortinet’s CISO Collective and the Management Development Institute of Singapore’s blog.