What do the IT security generations look like?

Matt Tett

Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years' history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing: CISSP, CISM, CSEPS and CISA. He is a long-standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at http://www.testlab.com.au, its blog at http://enextestlab.blogspot.com, and on Twitter as @enextestlab.

I have been working in the security industry for over 18 years, and in that time I have often pondered the ‘generation differences’.

At Enex, we report to quite a number of CSOs and also work with their teams, including engineers, architects, project managers and vendors. The age range in these professions is considerable.

I am a very late 30-something and have a background in technical, network and security engineering. Many of my peers are now transitioning from middle management to senior management, and this move invariably means forfeiting the reason that they were attracted to the industry in the first instance: to play with hardware and software and find solutions to complex issues.

The senior managers that my peers are replacing are the last of the first generation (50+). These old skool fellows know what it was like to have no internet, email or converged devices; they know what 10BT networking was and probably have some background in environments such as Novell. That was when they were ‘technical’ before moving to management. In those days, security was the last thought; performance was key - ensuring that the system only crashed once or twice a day.

This generation did not expressly work in the security industry, but rather they were more ‘computing generalists’. You could argue that this is what has caused a ‘brick wall’ from many who are stuck in their older ways, ways that they understand. And, often, the policies and procedures that they support mirror this. What sets this generation apart, however, is that they usually learnt via word of mouth. They therefore have a key attribute, one which is very much undervalued; they are not possessive and are willing to freely share information. This mentoring role is key!

The second generation (40+) grew up with some level of computing from school, albeit using an Apple IIe or Commodore 64, and AppleTalk and 10BT were the natural progression as they commenced their careers. While they were being managed and mentored by senior engineers, this generation was growing with the technology, not having it forced upon them. Their curiosity, their desire to pull things apart to work out how they operate, and their exploration of the emerging data networks led them to adopt the traditional term “hacker”. And all the while, university, government and corporate networks and the Internet evolved under their technical watch.

It will be very interesting to see their transition as more and more of their technical time is replaced in turn by management and mentoring responsibilities. The issue with this generation is political, because some profess to have a skill set in which they may not be completely proficient. They can therefore be possessive over information when required to mentor, for fear of being ‘outed’. While the sceptics might say that this is perfect for a management role, the issue is that when the technical push comes to shove, these people will not be able to step in and lead their younger team members. Unfortunately, we are seeing this possessiveness more and more as managers try to climb the ladder without failure, and it does little to help the next generations.

The next generation (30+) is the technical “in-between”, generally having gained a university degree in a generalist field of computing and then, combined with work experience, having moved into specialist areas, such as security. As a result, this group is often stereotyped by their verticals. In the early days of vehicle design, a team of designers developed the entire vehicle. Today it takes an entire technical design team just to design door handles. So with such specialisation, does this generation still have the passion for exploration? Or does it simply work according to the theory and vendor training and get the work done as prescribed?

The latest generation (20+) has the most theory and practical history to learn and absorb. Granted, these will be the most technically specialised, with many universities now offering tailored courses and degrees in computing science. However, has growing up with handheld gaming consoles and mobile phones left this generation with the passion and attention to apply itself to the exploratory nature of the IT industry? And will it, shackled by its former generations’ lack of mentoring, be able to sufficiently mentor and pass on their skills?

I am not intending to be offensive; any of these generations will always have exceptions to the case. Everything is good in hindsight, so with rose-tinted glasses, let’s try to take advantage of each generation’s qualities, and see where we go.

Your thoughts, comments and feedback are welcome.
