Report on the damaging impact of ageism in cyber security

Considered a modern field, the cyber security industry faces challenges brought upon by a number of structural obstacles that comes with being a newer industry. Along with diversity issues, with cyber professionals being predominantly male, ageism is another challenge that is contributing to the large skills gap in the industry.

In a study conducted by ISSA, 95% of respondents said the cyber security skills shortage and the impact of this gap have not improved over the past few years.

Today’s workforce consists mainly of three generations: 

• Baby boomers, those born between 1946 and 1964
• Generation X, born between 1965 and 1976
• Millennials, people born between 1977 and 1996.

The different experiences and different levels of exposure to technology these generations have lived through means not only do they respond differently to cyber issues, but they are treated differently by organisations as a result.

Looking at ageism within businesses more broadly, Henry Rose Lee (pictured below), Inter-Generational Diversity Expert and Speaker, who conducted research with security company, Appgate, on generational differences and the impact it has on cybersecurity, said: “We have ageism at both ends. Ageism exists when people are young and then they can't get a job because they haven't got the experience and need the experience to get a job.” 

“There's ageism at the other end. Statistically, if you are in your fifties to your seventies, the chances are that if you are in an industrialised, westernised, democratised society, you are probably seen as getting towards your sell-by date. You're often seen as becoming too old and therefore becoming less valuable when the truth of the matter is that nothing could be further from that,” she continued.

Lee’s research looked into ageism in cyber and how to leverage multigenerational expertise to close the cybersecurity skills gap. With Appgate, Lee found that knowledge and experience make the real difference to effective cybersecurity resiliency, not the latest-generation technology and infrastructure.

Adding to this, the findings highlighted that businesses are at risk of creating their own cybersecurity abyss.

As baby boomers look to retire, a significant amount of experience and knowledge can be lost including the ability to manage and integrate legacy platforms into secure Zero Trust security environments.

Eradicating the ‘out with the old’ mentality 

Considering the cyber security industry with this issue, Lee explained that the older generation is often left behind in terms of training as there is a high chance they will leave soon to retire.

This dismissal is particularly damaging when looking at research from the World Economic Forum that explains problem-solving, critical thinking and emotional intelligence are all skills that are key to thriving in the fourth industrial revolution. All of these skills are ones that develop with age and are found more within older generations.

“If you don't need that in cybersecurity, I don’t know what you need,” said Lee.

“Let's say you have a cyber threat, so it might be ransomware or it might be a virus that's introduced into the system. To overcome this, you really need a lot of cognitive thinking about what are the best steps going forward. So that is a powerful opportunity for infrastructure software, technology and people to get together. On the people side of it is really managing communications, learning from any fallouts and managing how people get together in teams to solve problems. The future according to the World Economic Forum is much more about human-centred capabilities, us thinking and talking. We might not even have the answer, but at least we're having the conversation. Our critical thinking skills, our ability to think outside the box to use our experience to think about what we did and learn are all really powerful. That's much more valuable than infrastructure and technology,” she continued.

With these key skills needed within technology-focused industries, it is important for a diverse range of ages to be found within cyber security teams. Lee outlined, however, that many people aged 50-60 within the cyber industry are leaving or taking early retirement, and as a result heightening the already prevalent skills gap.

Digital natives within cyber security 

Looking at the younger professionals in the industry, with their digital native mindset, they respond to challenges and threats a lot differently. Being digitally native means this generation is a lot more technologically savvy and have skills in the field that would be second nature to them, but not to those older.

However, with a lack of experience, paired with a heightened sense of confidence in technology, younger people tend to be more vulnerable to certain attacks as they are more trusting in the internet and other technologies compared to their older counterparts.

This trust, and lack of experience, leaks into the cyber industry as Gernot Hacker, Sales Engineering Manager at Appgate explained: “We only learn by errors. And this ties into ageism. If you burn your fingers, eventually you won't touch the hot plate. 15 people can tell you don't do that. Eventually, because you're curious, you try it out. Obviously, that’s different in larger entities because of the obligations that could cost you your job. But still, the premise remains, with age comes experience, probably bad experiences in cyber, and only then do you have more knowledge on how to tackle a problem.”

“Younger people tend to take things for granted in terms of technology because they are digital natives. By taking things for granted, you literally don't think twice about it and this obviously has a real effect in terms of security,” he added.

On top of this, the digital native younger generation is more accustomed to having access to information faster, and without issue. Lee explains this makes them more likely to pay a ransom when they become victims of a cyber attack.

“That sends a message to cybersecurity criminals that crime pays,” she commented.

However, Hacker did note that it is not just the younger generations that experience vulnerabilities. Explaining that he has advised older people when facing this challenge Hacker urged them to learn how to “protect themselves from hard drive vulnerabilities better”. 

Paying a ransom is “a gamble” he said. But, sometimes by not taking the gamble, companies have “to start from scratch as they would lose everything if they didn’t.”

Creating the right approach to tackle ageism

Stressing there is no one size fits all approach when it comes to addressing this problem within cyber security, Lee believes by encouraging the baby boomer generation to return to their roles in a consultancy position could really help redress the skills gap brought about by ageism and create more of a dialogue between generations.

Adding to this, she suggests: “At the top of the business, if you have a leadership team in cybersecurity, you can have a shadow leadership team who are a mix of different ages who perhaps could troubleshoot cases or situations for what might happen in a doomsday plan. So that helps the generations work with each other, mentoring and reverse mentoring from older and younger and younger and older.”

Then, Lee concludes, looking at training the older generations to become more digitally savvy is crucial, along with the diversification of the hiring process, she noted: “A good way to do this is getting advice from universities, certain universities will specialise in certain areas and they often know interest groups that cyber professionals could contact.”