Countering the Cyber Skills Gap
It’s probably not a surprise that cyberattacks remain one of the top concerns of banks and credit unions. Financial service providers, after all, represent a veritable goldmine of personal information – from customers’ home and email addresses to Social Security numbers, income information, saving and investment accounts, and more – which cybercriminals can access for their own gain or to sell on the Dark Web.
According to Joost Heins, Vice President of Global Business Insights at Randstad Sourceright, financial service firms are 300 times more likely to be targeted by a cyberattack than companies in any other industry. Joost writes that 63% of financial institutions experienced a rise in cyberattacks in 2022, resulting in a third of them increasing their cybersecurity budgets by as much as 30%.
While there are numerous steps financial service providers can take to increase security and lessen the likelihood of cyberattacks, institutions have been hard-pressed to respond to the industrywide shortage of cyber talent. According to Cybersecurity Ventures, there are more than 3.5 million unfilled cybersecurity jobs across all industries worldwide, of which more than 750,000 are in the U.S.
What can financial service providers do to counter this trend and, in doing so, begin to build a solid foundation of cyber workers to protect them against future cyberattacks? With so many in-house cybersecurity teams stretched thin and unable to keep up with the day-to-day demands of the job, much less the pressure of dealing with an active cyberattack, some institutions have turned to offshoring as a stop-gap solution. Generally, though, the industry seems reluctant to pursue what many regard as an extreme solution – particularly given the sensitive nature of the information to be protected.
A more widely used tactic to attract top-notch cybersecurity professionals is to simply offer a more competitive benefit package than other companies in search of cyber experts. This typically involves offering higher salaries, signing bonuses, on-the-job training, and other benefits, including flexible work schedules, work-from-home options, and performance-based bonuses. While this approach can be successful, particularly in meeting the short-term demand for cyber talent, its obvious downside is the fact that there will always be a competitor willing to offer even bigger bonuses, higher salaries, and a wider array of benefits designed to convince cyber professionals to jump ship and follow the money.
With that in mind, many financial service providers have determined that the best way to address the dearth of highly skilled cyber professionals is to expand the pool of prospective employees. This can be done in several ways, beginning with the actual job description. Professional search firms believe that creating a job description which enumerates every conceivable skill that a successful job candidate may (or may not) need and every situation that might be encountered often leads to applicants excluding themselves because they lack one or more of those required skills. Recognizing this, banks and credit unions increasingly are focusing on attracting professionals who already possess the expertise to handle the essential, day-to-day work associated with the position, with an eye toward upskilling them as needed in the future.
This emphasis on current skills as opposed to skills to deal with every conceivable situation has led many financial service providers to de-emphasize requirements for specific academic degrees and professional credentials. This so-called skills-based approach to hiring enables banks and credit unions to seriously consider candidates who may lack specific credentials but possess the on-the-job experience to capably handle most of the routine tasks associated with the job.
Far from lowering job standards, this approach to broadening the cybersecurity talent pool enables financial service providers to ensure that they have a full complement of qualified workers who potentially can also bring new, on-the-job skills – including such soft skills as leadership, effective communication, and problem-solving – into the workplace environment.
With that in mind, some banks and credit unions have adopted a policy of hiring or promoting workers who already understand business strategy or finance or operations and then equipping them with the necessary cybersecurity skills. Training current employees to meet the organization’s cybersecurity needs also enables the organization to avoid the expensive and time-consuming process of hiring and vetting prospective candidates and take advantage of institutional knowledge its own workers already possess.
Regardless of the methodology financial service providers employ to expand their cybersecurity workforce – and regardless of the expertise those employees have – they eventually will need additional training. This training could take the form of upskilling so that those with more street smarts than academic credentials can obtain key certifications, such as CompTIA Security+, CompTIA Network+, or CompTIA A+. Training is also essential because cybercriminals are constantly finding new ways to launch cyberattacks and the institutions’ cyber teams must be prepared to respond if the worst happens.
Increasingly, banks and credit unions are turning to cybersecurity workforce development organizations, community colleges, and other expert providers to provide affordable training opportunities that will prepare their workers to acquire the skills they need to enter or advance in the cybersecurity field.
Cybersecurity workforce development organizations, for example, provide specialized skill-based training programs on topics ranging from network security and digital forensics to compliance and governance, as well as industry certifications, online and evening courses, and satellite locations to accommodate busy schedules. As a result, they are partnering with banks and credit unions to develop curriculum that incorporates the latest cyber trends, technologies, and best practices, and with area community colleges to provide students with hands-on experience using such advanced tools as cyber ranges – sophisticated systems that use real-world scenarios to simulate cyberattacks.
Clearly, the rise in cybersecurity threats, coupled with the intense competition for cyber professionals, is creating a situation which is forcing financial service providers to think outside the box to prevent the financial and reputational damage that cyberattacks can cause. By taking a more practical approach in hiring and providing the training opportunities needed to attract and maintain a top-flight cybersecurity team, these institutions are preparing themselves not only to deal with all manner of cyberattacks but also to create a pipeline of cybersecurity talent to sustain them going forward.
Michael Spector is the President at BCR Cyber where he leads the company’s growth and expansion strategy. Established in 2017, BCR Cyber (formerly Baltimore Cyber Range) is dedicated to delivering exceptional training solutions to both government and commercial clients. BCR Cyber has trained thousands of individuals and successfully placed over 83 percent into employment. The BCR Cyber Range is the first such facility in the world specifically dedicated to workforce development in the cybersecurity sector. For more information, visit www.bcrcyber.com.