Amid a pandemic-driven uptick in cyberattacks, banks and other financial firms have had to bolster their cybersecurity teams. The problem is there are simply not enough qualified professionals to meet the security challenge organizations face, prompting them to look for talent in new places, according to speakers at Sibos 2020.
"The biggest constrained resource that any of us have is our skilled security engineers," said Jonathan Allen, director for enterprise strategy at Amazon Web Services Inc., a cloud services platform used by financial companies. "There are simply not enough humans in the world with the right skills to do all the security work that we collectively have."
The cyber resource challenge predates the pandemic. Research by industry association (ISC)² estimated in 2019 that there are 2.8 million cybersecurity professionals globally, but that the world needs another 4.07 million to close the cyber workforce gap.
COVID-19 has "further intensified" this skills gap, said Tanuj Kapilashrami, group head of human resources at Standard Chartered PLC. As cyberattacks increased during the pandemic, so did the need for cybersecurity professionals, she said.
The coronavirus crisis has created the perfect climate for cybercriminals, with attacks against the financial sector increasing 238% globally from the beginning of February to the end of April, according to data by VMware Carbon Black, a provider of cybersecurity services.
For many financial companies, the pandemic turned the cybersecurity resource challenge into "a full-blown problem," said Lucy Kerner, a cybersecurity strategist at software company Red Hat.
Not only did the threat increase as the pandemic hit, many organizations also had to direct their security teams to support general IT operations and enable remote-working capabilities, causing "security to be overlooked or put on the back burner in many cases," Kerner said.
Searching new places
The growing resource gap has prompted banks to look beyond the traditional cybersecurity talent pool. Standard Chartered, for one, has actively been targeting women and "school-leavers" to broaden the supply of talent when hiring externally, Kapilashrami said.
This included launching a two-year cyber apprentice program last year, she said, in which half of the admitted apprentices came directly out of school and half were women. The bank is also training recruiters and line managers in unconscious bias to ensure that it is hiring "expansively," she said.
"We realized very early on that we have preconceived biases for the kind of people that we wanted to get in," Kapilashrami said.
Another way organizations are addressing the challenge is by reskilling existing staff who are not necessarily cybersecurity professionals. Allen said he has seen efforts among AWS's financial customers to "reskill everybody to be a champion of security," a strategy that AWS has also used itself.
"It's far easier to train a developer in security than to train a security expert to be a developer," Allen said.
Kapilashrami said Standard Chartered is increasingly looking to fill cybersecurity roles internally by upskilling its existing workforce. For example, the bank has expanded its internal academy for cyber skills to target not only cybersecurity professionals but also "job families" where the bank sees an "easier opportunity" to reskill staff for cyber positions.
"Our experience and our point of view very strongly are that we cannot meet this skills gap by having a strategy which only relies on buying talent from externally," she said.
Last year, Standard Chartered added approximately 500 cybersecurity staff, of which 30% to 35% were recruited internally. The bank aims to bring this number up to 50% in the short-to-medium term, and 70% in the long term, Kapilashrami said.
Focus on retention
Cybersecurity professionals are not only hard to find; they are also hard to hold on to. Due to a high rate of burnout, the average tenure of a chief information security officer, or CISO, is just 26 months, according to a study by Nominet earlier this year, which interviewed 400 CISOs and 400 C-Suite executives in the U.S. and U.K.
"You're not always rewarded for doing security, like you are when you develop a new business application quickly. This usually leads to cybersecurity teams being understaffed and overworked," Kerner said.
As such, financial firms need to focus not only on how to make their organization an appealing place to join, but also on making it a rewarding place to stay, Kerner said. She said firms should ensure they offer staff opportunities to develop their skills in what is a "continuously evolving area," be it through internal security training, certifications, professional development programs or mentorship.
Organizations also need to work on creating a culture of "cross-collaboration," she said, with cross-organizational information sharing and training "so that security is no longer just the responsibility of the security teams."