By Vanya Ivbule, Vice President with Kingsley Gate Partners
Cybercrime is on the increase. In the first half of 2021, 635 Suspicious Activity Reports relating to ransomware were notified to the Financial Crimes Enforcement Network bureau by financial institutions in the US. This compared with 487 for the whole of 2020. And the total value of ransomware-related transactions over the same period was $590 million (median average payment $102,273), compared with $416 million for all of 2020.
This is not just a problem for financial services in the US, either, as the recent State of Ransomware in Financial Services 2021 report, by British security software and hardware company Sophos, shows. Its independent survey of 550 IT decision makers in financial services highlights the extent and impact of ransomware attacks on mid-sized finance organizations worldwide during 2020. Overall, 34% of the financial services organizations surveyed were hit by ransomware in 2020, with the attackers succeeding in encrypting the organisation’s data in just over half of those cases.
The cybersecurity workforce gap
Clearly, financial services firms are among the most popular targets for ransomware attacks. As a result, and given their importance in the global economy, it is vital that they are able to recruit and retain the necessary expertise to meet their cybersecurity needs.
However, a major challenge for the financial services sector is the shortage of cyber security professionals, as highlighted in a recent major workforce study by IT security non-profit (ISC)², which states that in 2020 there was a global cybersecurity workforce gap of 2.7 million employees. And two-thirds (60%) of participants worked for organizations experiencing staffing shortages that placed their organisation at risk. There were some 500,000 open cyber security jobs in the US alone this autumn, for example.
Some strategies for attracting cybersecurity talent
While there is no simple solution to this shortage of specialist skills, here are some examples of strategies that can help firms solve their cybersecurity hiring issues and better protect themselves from costly cyber threats:
Hiring outside the box. Look beyond the obvious sources of cyber talent. Candidates from outside the immediate industry who have exposure to cyber, such as through IT or Cloud SaaS, should be considered. So should individuals with a non-traditional education in cyber, such as CISSP (Certified Information Systems Security Professional) and ISACA certifications, which are holistic and helpful for senior leadership and management positions. Equally, it is possible to hire on attitude and culture from non-technical functions such as marketing and finance, then train the necessary skills. In the (ISC)² workforce study, for example, participants identified ‘strong problem-solving abilities’ (38%) and ‘curiosity and eagerness to learn’ (32%) as some of the most important skills for new entrants.
On the move? Another tactic is to identify reluctant relocators. For example, individuals asked to relocate from the City to Europe post-Brexit may be more open to opportunities in the cyber industry. Equally, individuals who are post-IPO lockup and looking for their next career challenge may be good candidates. M&A activity generally, such as the ongoing IHS Markit-S&P Global merger, is also a potential source of recruits.
Adequate compensation. Talent retention is essential in such a highly competitive area. For a start, firms should ensure executive compensation plans are in line with the market and, if not, consider revising them. It may be necessary to introduce new components, such as LTIs or additional equity for top performers, to increase engagement and mitigate employee churn. As a guideline, the (ISC)² workforce report revealed an average salary before taxes of US $90,900 for cybersecurity professionals globally in 2021, up from US $69,000 in 2019.
A flexible approach. Financial compensation is only part of the picture. Firms may also need to re-evaluate and revise company perks in order to create a secure and attractive environment for cybersecurity professionals. A good example is the demand for more flexible working conditions, which was identified in the (ISC)² study as the second most important factor when it comes to investing in people and closing the talent gap. With some financial services majors spearheading a return to the office, this may create an opportunity for hiring companies that offer employees the option of hybrid working.
Use diversity to increase the talent pool. Finally, organizations should put in place diversity and inclusion policies to help address gaps and attract talent. This was another key takeaway from the (ISC)² study, which also noted that cybersecurity professionals are not only aware of how DEI can contribute to solving the skills gap, but also expect their employers to act on issues such as diversity, equity, and inclusion initiatives.
Vanya Ivbule is a Vice President with Kingsley Gate Partners, a global retained executive search firm, and heads up the EMEA Cyber Security Practice in London. Vanya specialises in supporting PE-backed portfolio companies on go-to-market strategy, scaling and transformation as they prepare for acquisition or IPO.