Security Basics mailing list archives

Re: Security and the Under 30 User


From: krymson () gmail com
Date: 7 Feb 2008 20:04:19 -0000

(Disclaimer: I'm over 30, but not by much.)

This is a huge topic, and very important as the under-30 crowd comes of age and moves into the workplace. Keep in mind, 
these people have never lived in an age without the Internet. I'm 30, and I barely remember life before my first 
computer opened so many doors... Keep that in mind...it's simply called a generational gap.

Now, you also have really three distinct topics here (and another half topic).
1) Resistance to security measures.
2) Cyber-security indifference.
3) The perceived need for younger people (typically) to be always connected.
3.5) Using security as a crutch for poor management and poor productivity practices.

I really think any discussion should separate the two as much as possible.


1) Resistance to security measures.
This occurs everywhere with people of all ages, and can be likened to the resistance to change, or moving of cheese. 
That's really all it is. I can do my work today, but your security measure means my job flow breaks tomorrow. As 
secgeeks, we need to be transparent, open, and clear with everything we do. We need to make sure we do not impact the 
business negatively, and justify the measures we implement. Too many mistakes made in the name of obscure security 
measures that we don't explain only lead to animosity and disdain, if not outright hatred.

Yup, this can be solved by brute force stiff-arming and saying this is just how it is. That's life, and that's 
sometimes how things are done, especially if people are being unreasonable in expecting insecure freedoms at work. 
Sorry, but some people need to just be told how it is, rather than coddled into it. But many people do need to be 
coddled into it. It's part of the art of implementing security and creating a vibrant, productive, and yet secure work 
environment. :)


2) Cyber-security indifference.
I think people who really don't believe in AV and other security measures simply don't have the energy or time or 
inclination to keep up with such things like us geeks do. That's fine, especially since it really does seem inevitable 
that insecurity will occur.

When you wash your car, do you avoid all puddles and get mad when someone drives slow in front of you, dirtying your 
car? Or do you simply accept that it will eventually get dirty, so don't worry about it?

Hopefully that may illustrate the state of mind on such feelings...


3) The perceived need for younger people (typically) to be always connected.
Do you ever make phone calls of a personal nature? Do you think your grandfather maybe wondered wtf you did that, 
because back in his day...  Seriously, the internet and connectivity is a part of our culture now, especially for young 
people. This defines their social lives. If you actively don't accept that and start to take it away, you will get back 
to the "security sucks" mentality, and likely lose worker loyalty.

The best I can do is explain where that comes from: growing up with the Internet and cell phones. That's progress, both 
technologically and socially, and I feel for you if you want to sit in your 80s/90s values. Definitely not a new 
problem, these generational gaps. :)

That's not to say I think we should all allow IM at work, and texting at work, and Facebook/MySpace/blogging while at 
work, but we really cannot just kneejerk reject it and fight against the flow of culture. Always keep an open mind, 
even when writing that policy outlawing webmail and IM in the workplace...

Besides, do you really want to spend time and energy trying to stop that flow of our culture, or rather work with it? I 
think we try to work with it as much as we securely can.


3.5) Using security as a crutch for poor management and poor productivity practices.
As a culture, we Americans are obsessed with milking every ounce of productivity in the workplace, everything else 
(including the physical and mental health of our employees!) be damned. I really hate hearing when something is done in 
the name of security when in fact it is managers having poor mgmt skills or HR hiring the wrong people. Yes, things 
like web filtering can be done with a nod to security, but IT/security should never be the moral conscience of a 
company. And when controls blur, like in web filtering, the difference should be made apparent.

