The most desirable employee in banking: cybersecurity skills
Financial chief information security officers (CISOs) across the globe have identified employee training as fundamental to improving institutional cybersecurity, with 35% of top financial CISOs having revealed that they’re making it one of their top priorities for securing the organisation against cyberattack (according to the Financial Services Information Sharing and Analysis Centre, FS-ISAC).
Is it time for a cultural change within the financial industry? While it is relatively clear from top of house leadership that there is a strong recognition that banks have now become technology companies, has this filtered down?
This disconnect, where enterprise companies are slow to adapt to the ever-changing role of technology within business, allows dedicated attackers to thrive. The old security mindset of outside, in – where threats are treated as external influencers, leaving organisations in a reactive mode – needs to change.
An inside, out approach, where a security programme is aligned to the business priorities and is adaptable to the changing threat landscape, will see much more success. But that level of expertise is often not available within the walls of even the biggest of enterprise organisations. Sometimes you need to outsource these skills. And in a specialised industry like cybersecurity, it can be a challenge to find an organisation with the right people, processes and technology.
Properly outsourced talent can fill gaps in knowledge and capability within an organisation, allowing your employees to focus on projects and activities to move the business forward, rather than always trying to play catch-up when torn between projects and specialist activities.
The complexities of outsourcing
Information security still has negative unemployment. The talent gap is very real and there continue to be more jobs than qualified candidates. In a bid not to interrupt business and keep operations flowing smoothly, institutions will frequently look to outsource partners. But outsourcing comes with a unique set of challenges: language barriers, cultural differences, getting everyone “up to speed”, and lags in operations among them.
To prevent the challenges that come with outsourcing, companies must ensure they have staff who are comfortable with institutional knowledge if they want to be successful in the long run. Outsourcing should not be viewed as offloading “the dirty work”, but more as a way to fill gaps, increase efficiency, and achieve better results. Think of the relationship between in-house versus outsourced as any other relationship: communication is key.
Racking up the cyberskills you need
The scale and means of large financial institutions mean there is lots of scope for in-house cybersecurity, and some are doing a good job of this, especially as banks are regarded as technology companies now. We’re seeing large financial institutions conduct whole programmes to on-board the younger workforce.
Why is this necessary? Staff need a basic understanding of today’s key industry regulations, compliance issues and major client concerns. These are of critical importance, even more so now with the onset of the General Data Protection Regulation (GDPR), as they are problems that concern almost every client and tie together many different security domains.
But finding these highly qualified candidates can be challenging. It can be useful to look to solutions providers who work “in the trenches” every day solving cybersecurity problems. Familiarity with the finance industry, relationships within the security industry, as well as hands-on experience solving security problems in various real-world scenarios, can be extremely valuable as your organisation looks to build its own security programme.
Another key factor in retaining cyber talent within the company is building a model that offers technologists ways of maintaining interest, keeps them up to date in a fast-moving landscape and provides opportunities for future personal growth. Building viable career paths for technologists to follow is vitally important in bridging the talent gap. Cross-team collaboration and exposure to various aspects of the business – cybersecurity should be a board level concern by now – can lead to talent retention, increased institutional knowledge and a more successful security posture.
Good security is not about the best tools. Those change far too often. It starts with culture and people. Value those and your security programme will follow.
What does the future of banking look like?
As the previously siloed security concepts and domains increasingly start becoming more horizontal across financial institutions, certain security challenges or initiatives are more deeply addressed. We see skilled people from various areas of the business working together more cohesively and effectively, for example, around data protection.
Security “takes a village” to succeed. All it takes is one person absent-mindedly clicking on a phishing link and your entire organisation could be at massive risk. Instead of thinking of security as an IT-level concern, it should be treated as a business-level matter. That means making sure every single individual employed at the company – and those third parties who may have access to sensitive data and environments – takes security seriously.
Similarly, security professionals need to be included in business conversations. Having experts focus solely on cybersecurity means executives and board members are not getting extremely important information. In today’s world, cybersecurity is an integral part of your organisation.
Outsourcing is sometimes portrayed negatively in the business world. But as globalisation continues to spread across all markets, the need for talented cybersecurity professionals will only increase. Hackers are not limited by geography and their trade is very cost-efficient. The threat is not going away any time soon.
Some organisations may be able to fill the security talent gap in small and possibly large ways. Others will not. Outsourcing will always be a viable and cost-effective solution, especially in specialised industries such as cybersecurity where outsourcing can provide broader insight and access to expertise that is challenging for individual businesses to develop.
As long as roles are clear, communication is emphasised, and goals are set, outsourcing your security operations – in part or whole, for long or short time periods – to a trusted advisor can have great results.
Rob Lay, solutions architecture, Europe, Optiv