Microsoft recently announced a major new initiative to boost cybersecurity education to hopefully fill a desperate need for more qualified professionals. As an industry that requires great cybersecurity, are financial service institutions taking on this responsibility, as well?
Last week, the computing industry Goliath announced a plan to provide scholarships and additional financial assistance to at least 25,000 cyber-focused students every year, and support faculty at 150 two-year colleges across the United States, which offer IT security programs. The program aspires to fill 250,000 cybersecurity jobs over four years. According to a recent Commerce Department study, there are almost half a million cyber jobs sitting unfilled in the United States alone; globally the number is estimated to be nearly 3 million.
“Although these initial offers from IBM, Microsoft, and others to solve the cyber skills challenges are a great start, we need to take more action to solve the root of the problem,” said Brian Murphy, founder and CEO of ReliaQuest, an endpoint-focused security vendor. “There are enough people ready to raise their hand and help with this issue, but we need to better equip them with the right skills.”
In the interest of "getting them while they’re young," companies like ReliaQuest are promoting cybersecurity education even to students in elementary, middle and high school. James Hadley, CEO and founder of Immersive Labs, a cybersecurity training firm that counts Citibank, Bank of Montreal and Deutsche Bank among its customers, said, “In the face of unprecedented hacking threats, it’s increasingly alarming that there’s a disproportionate number of cyber professionals working to combat them.”
Since the financial industry is especially in need of qualified cybersecurity professionals, given the omnipresent threat of attack, the question remains: What is the role and responsibility of FSIs in priming the cybersecurity professional pump?
“With FSIs turning their focus to cybersecurity, there is certainly a need for more qualified professionals,” said Jonathan Tanner, senior security researcher at Barracuda. “There is a need for initiatives around expanding qualifications to promote more diversity in the industry.”
While cybersecurity certifications are meaningful, Tanner said he believed they are designed more for “existing professionals to showcase their knowledge rather than to create opportunities for entry-level candidates.” The vast majority of these certificate programs are “very expensive... and for someone trying to get into the industry, these costs can be quite restrictive,” he said.
In its most recent Cybersecurity Workforce Estimate, (ISC)2 noted that the number of existing cybersecurity professionals has jumped to 4.2 million worldwide, after adding 700,000 new personnel in the past year alone. While the study found that the gap is gradually closing, there’s still a global shortfall of 2.7 million cybersecurity professionals (down from 3.1 million in 2020), according to (ISC)2.
“To narrow the cybersecurity workforce gap, we must widen the talent pool and break down barriers to entry by shifting away from a technology-first mindset, instead looking for strong nontechnical skills that are necessary to succeed in cybersecurity," said Clar Rosso, CEO for (ISC)2. For FSIs especially, with a huge and growing demand for qualified IT security professionals, experts recommended that recruiting FSIs “find pathways for people without IT or technology and cybersecurity backgrounds to enter the profession.”
“If a candidate doesn’t check all the boxes in the job description, organizations could be turning away good talent that could provide the cybersecurity team with new approaches to challenges and provide the necessary relief that comes when more people are dedicated to managing security,” said Rosso. “Organizations should also revise job descriptions in favor of using neutral language and work with the security team to determine what qualifications and skills are necessary for the role. Good candidates, especially individuals underrepresented in cybersecurity, won’t apply if they don’t meet all the requirements.”
(ISC)2 recently announced its own entry-level certification program for younger professionals and first-time cybersecurity workers, in effort to address the “misconception that cybersecurity is a career only for those with highly technical training and experience,” Rosso said.
Andrew Howard, CEO of Kudelski Security, said he sees their FSI clients taking two major approaches to mitigate their IT security talents risks. “First, they are automating everything they can to reduce the need for additional headcount,” said Howard, adding that the increasing moves to automation demand an even more skilled cyber professional, to help make efforts efficient, as well as effective. “Second, [FSIs] are looking at non-traditional candidates for cybersecurity roles and training them. This includes recruiting from traditional IT or risk talent pools as well as the removal of bachelor degree requirements to increase the number of eligible candidates.
“If FSI organizations cannot recruit the talent, they will create the talent,” Howard added. “No organization is immune to the current talent challenges in cybersecurity. FSIs often have the upper hand with more generous compensation packages and well-developed university talent pipelines, but there just is not enough talent to go around.”
(ISC)2 recommends that U.S. FSIs take these steps to attract more professionals to the cybersecurity profession:
- Understand your organizational gap: What are the job categories that are missing from your existing team and what kind of risk does that represent? The specialized skills and roles organizations lack, according to the (ISC)² Cybersecurity Workforce Study, are Securely Provision (48%); Analyze (47%); and Protect and Defend (47%) as their top areas of need.
- Rethink how you hire: Evaluate both internal and external prospects for the non-technical skills and attributes professionals describe as vital for a successful cybersecurity career. Hire for aptitude and attitude and recruit people from different backgrounds who are attracted to the challenges and rewards of a cybersecurity career and are willing to learn.
- Put people before technology: Recognize that technology is not a substitute for the human element. Skilled cybersecurity professionals are vital for any security program. Organizations cannot spend their way out of their own workforce gap. They need to invest in their people and smartly build their teams for long-term success. This means investments in training and skills development as well as career pathing, mentorship programs and more.
- Embrace remote work: Remote work enables organizations to cast a much wider net geographically and breakdown geographical barriers when recruiting, which also fosters a more diverse pool of applicants.
- Empower change with DEI: Reconsider the qualities that make a successful cybersecurity professional, and prize those that transcend technology, like creative thinking and the ability to work in a team environment. Cybersecurity professionals are not only aware of how DEI can contribute to solving the skills gap, but they expect their employers to act to add diversity of thought and experience to their teams.