Author: Philip Young, Consultant, Leathwaite. 

A variety of high profile cyber security attacks within large companies such as JPMorgan and Sony have further propelled the importance of cyber security protection into the public domain. This is set to continue as attacks become more sophisticated. For financial services firms, cyber security is of particular importance given the amount of sensitive data they hold. As a result, we have seen a significant increase in demand for individuals with cyber security skills which, given the dearth of talent in this space, has led to one of the industry’s most pressing skills shortages. The complex requirements for roles within cyber security create a significant challenge for companies looking to bolster their cyber security credentials.

Given the high profile nature of cyber security issues across the financial services sector, it is becoming a board level discussion. As a result, the need for heads of cyber security who can engage at this level, and also liaise with regulators on a regular basis, is becoming more commonplace.

Since the depth of talent within cyber security across financial services is well below the level of demand within the sector, banks, insurers, asset managers etc. are increasingly looking further afield when hiring. Typically, the alternative areas from which banks are hiring include government agencies and the intelligence community, as well as other commercial sectors such as telecoms, media, manufacturing and retail. A recent example of this is Troels Oerting, hired by Barclays as its Group CISO from Europol, where he had been the Head of the European Cybercrime Agency.

Given the impact that technology is having on the financial services sector more broadly and the growing threat from technology firms such as Apple and Google entering the banking market, the established banks are having to adapt their operating models. They are seeking new ways of working, focusing on digitising their businesses and concentrating more on data analytics. Just as the technology firms have been managing cyber security by employing ‘ethical hackers’ to continually test the defences of their infrastructure, banks are having to operate and react in the same vein. Banks are employing teams of security engineers tasked with driving innovation around security and identifying issues in their own technology platforms, focusing on both the legacy infrastructure and the future state, and creating solutions before those gaps can be exploited.

The question for banks is how they attract individuals into the sector from hi-tech organisations that are not hindered by a legacy estate and use leading edge technology. These cyber security professionals’ agenda is less driven or obfuscated by regulatory control and more motivated by the technology they deliver as an end product. This creates some barriers when trying to hire from these areas. However, securing the financial services sector is seen by some as the pinnacle of cyber security challenges, where they can make a significant impact on a global and high profile industry facing some of the most significant threats.

In the next three to five years the demand for cyber security talent will most likely continue to exceed supply, and the movement across different sectors and upward pressure on compensation are likely to remain. Given the ongoing digitisation of the banking sector, how robust a bank is to cyber attacks is likely to have an increasing impact on how a bank is perceived by its clients and the regulators and will therefore have a highly commercial part to play.

With the awareness of these issues firmly in the public domain, we are seeing a strong reaction to the cyber security threat, with training and education already focusing more intently on cyber security than ever before. This will augment the number of internally trained and educated cyber security experts; however, this will take time. For now, it depends on the willingness of board members and executive committees to acknowledge the cost-benefit of investment in cyber security and their willingness to bring talent into the organisation from other sectors, concomitantly bringing a different perspective and set of experiences to combat the cyber security issue.

To whom the head of cyber security / CISO reports is regularly debated: whether the role sits with the CIO, the COO or the CRO. As banks continue to focus on digitising their businesses, cyber security is a necessity and could be a major differentiator with commercial implications. With the cyber security issue increasingly being perceived as a major business risk, the CISO and cyber security functions are being elevated and aligned under the CRO or COO.

Ultimately the issue of cyber security is one that will grow exponentially for financial services firms. Organisations are obliged to find a way to overcome the skills shortage and it will no doubt need to be a strong combination of making key senior experienced hires coupled with a greater degree of training and education.