Nuke the Checkbox Audit from Orbit, or Alienate the Millennials

We have said it before, but it warrants repeating: the Millennials are taking over, and there is no stopping them.  In 2025, Millennials (born 1976-1990) will comprise 75% of the workforce, with GenXers making up about 15%, and GenZ (born 1990-2010) taking up the rest.  There will be few, if any, Baby Boomers left in the workforce in 2025.

This means your workplace culture, as well as your information security program, must adapt to the growing influence of Millennials.  We have studied this demographic shift at Anitian over the past year.  Our findings show that few organizations are prepared for this change.  This represents an increased risk, both to the ongoing viability of the security program, as well as from insider threats.

Among our many findings, Millennials have a strong affinity toward authentic leadership.  This is a style of leadership where executives and managers are “in the trenches” with their team.  Traditional structures of hierarchy are downplayed as leaders and staff work together.

Honesty, transparency, and strong ethical values are some of the quintessential qualities of authentic leaders.  It is not enough to say, “We do the right things”; authentic leaders must embody those values every day.  Authentic leaders consistently frame workplace challenges from an ethical or moral standpoint.  For example, an authentic healthcare leader may say, “We must complete this project because we believe in caring for the sick.” For Millennials, authority does not come from a title, but from a consistent, honest, and positive engagement with the team.

It follows, then, that honesty, ethical values, and positivity are all valuable qualities for an information security leader.  However, many organizations completely destroy this authenticity when they engage in the dreaded act of checkbox auditing.

Checkbox auditing is a style of security assessment that puts overwhelming focus on the formality and process of completing an assessment at the expense of accuracy.  Checkbox auditors go through the motions of an assessment, and issue certifications without providing any real assurance.  Some of the providers of these services are brazen in their promotion of these fraudulent assessments, using euphemisms like “compliance-as-a-service” or “compliance-in-a-box.”  They employ inexperienced, underpaid, junior auditors who have limited (or no) hands-on technology experience.

Checkbox audits are a dangerous practice for many reasons, not least of which is their promotion of seeming compliance while still leaving an organization vulnerable to threats.  However, one of the subtler yet highly destructive effects of these audits is that they cause employees to disengage, especially Millennials.

For many Millennials (and plenty of others as well), checkbox auditing is a throwback to Enron-style business practices, when the leaders would lie and cheat their way to huge profits.  Millennials place great importance on working for leaders they believe in.  Checkbox audits are a form of lying, destroying any trust the Millennial might have in the integrity of a leader who endorses them.  When people do not respect their leaders, they do not respect their employer.  This causes the Millennial to disengage from their job, and ultimately ignore security policies.

The information security program of the future must not only stop performing checkbox audits, it must be conspicuously vocal in its opposition to them.  Leadership must not merely say security is important; they must take tangible and highly visible steps toward authentic security (as well as authentic leadership).  That means terminating vendors, practices, and policies that fuel checkbox assessment efforts.

However, we must avoid conflating formality with accuracy.  Checkbox auditors often overcompensate for technical inadequacy with nitpicking and formality.  This presents an appearance of authenticity, without any real substance.  Developers and system administrators see through this and dismiss a clueless auditor who uses formality or intimidation as their sole method of establishing credibility.  Moreover, those developers will transfer that disrespect to leadership, since leadership selected the auditor.  Formality and structure are necessary for any audit practice, but they should be used to support the auditor with consistency, and not serve as a replacement for experience.

Authenticity is a difficult concept to pinpoint.  It is a complex balance of knowledge, experience, and attitude.  However, a lack of authenticity is very easy to spot.  Leaders must remain vigilant that they select not only technically competent auditors, but ones who can build rapport and credibility with technical staff.  The more each side respects the other, the more likely your auditing process will be rewarding and beneficial.

Furthermore, information security leaders need to break down traditional hierarchies and start building a more authentic program.  Nuking checkbox auditors out of your program is a decisive and highly visible first step toward demonstrating your commitment to authenticity.  Not only will this lead to a stronger, more adaptable security program that is better equipped to handle the threats of tomorrow, but it will also build a stronger, more adaptable workforce, better equipped to handle those same threats.

Like it or not, the Millennials are taking over.  We must adapt our workplace as well as our information security programs if we want to remain competitive and secure.
