In April 2020, Carnegie’s Cyber Policy Initiative launched a working group dedicated to the cybersecurity workforce as part of its FinCyber Strategy Project, which focuses on developing an “International Cybersecurity Strategy for the Global Financial System (2021-2024).” This working group consists of several major financial institutions and independent experts listed below. The working group will convene regularly over the coming months to identify lessons learned and best practices of existing models to help address the workforce challenge for the financial services sector and, in turn, across sectors more broadly. A more detailed description of the group’s theory of change, assessment of the problem, existing initiatives, and focus is outlined below and in this memo.

Financial Institutions

  • Bank of America
  • Capital One
  • HSBC
  • Intesa Sanpaolo
  • JP Morgan Chase
  • Morgan Stanley
  • Options Clearing Corporation
  • Standard Chartered
  • UBS Group AG
  • Visa
  • Zurich Insurance

Independent Experts

  • Laura Bate
  • David Forscey
  • Simone Petrella
  • Natasha de Teran

Problem Statement

Shortage in the supply of cybersecurity professionals. While numbers vary, experts agree that a significant gap exists between supply and demand in the cybersecurity workforce across sectors. A 2019 projection by the nonprofit group (ISC)² outlined that the workforce needed to grow by 145 percent to meet the current global demand with a current global cybersecurity gap of approximately 4 million workers.1 Two years ago, a report by Frost & Sullivan projected the gap would be around 1.8 million by 2022.

The financial sector has always been one of the largest demanders of cybersecurity talent. One reason is that cyber criminals have targeted financial institutions since the early days of the internet. “Both banks and financial market infrastructures [in Europe] are struggling to find staff with the skills and experience needed to fend off cyber-attacks,”2 a member of the Executive Board of the European Central Bank noted in 2019.

Financial sector demand for cybersecurity talent has been growing. Multiple factors explain this growing demand. One main reason is higher expectations from financial regulators, especially following the 2016 Bangladesh incident, which was a wake-up call for supervisory authorities and central banks. A year later, in 2017, eighteen of the twenty-five member jurisdictions of the Financial Stability Board reported that they were planning to release new rules that addressed cybersecurity in the financial sector.3 The rapid increase in regulatory activity worldwide with respect to cybersecurity explains why financial chief information security officers (CISOs) reported in a recent survey that close to 40 percent of their time was spent “reconciling cybersecurity and regulatory frameworks.”4 Other factors include the evolution of the cyber threat landscape generally and growing awareness about the importance of cybersecurity among senior executives.5

Other actors—including governments and central banks—have difficulty competing with the financial industry for cybersecurity talent. The finance industry offers the highest salaries for cybersecurity professionals globally.6 An unintended consequence of updated financial regulations focusing on cybersecurity is that such regulations will drive well-resourced financial institutions to siphon an even higher number of cybersecurity professionals from the already limited pool. Carnegie plans to tackle the workforce challenge faced by central banks and government agencies through a separate project.

Existing Efforts to Address the Problem

Existing cybersecurity workforce initiatives range from internal upskilling and retraining programs to cybersecurity competitions, partnerships with postsecondary education institutions, apprenticeships, and others.7 They can be grouped into five approaches to tackle the current shortage:

  1. Expand the supply pipeline producing new talent.
    This means expanding the size of the existing workforce, for example, by encouraging more high school students to pursue computer science degrees.
  2. Identify and match existing supply better with those seeking such talent.
    This means maximizing the use of the existing workforce, such as through diversity initiatives attracting talent that is otherwise neglected.
  3. Retrain existing staff in other areas to become part of the cyber workforce.
    This includes initiatives undertaken as part of “Future of Work” planning efforts.
  4. Reduce demand through technological innovation.
    This includes, for example, replacing technology to reduce the attack surface, thereby limiting the amount of work required to protect it, as well as migrating to the cloud or using pooled services, e.g., with respect to threat intelligence.
  5. Improve retention of the current workforce.
    This includes offering competitive salaries, opportunities for promotion, a more inclusive culture, etc.

Financial institutions themselves have been advancing a series of initiatives, including:

  • Apprenticeships—for example, Zurich Insurance Group’s Cyber Security Apprenticeship program built on its broader apprenticeship experience.8 The Cybersecurity Workforce Alliance (NYC), founded by the Securities Industry and Financial Markets Association and CISOs of major financial institutions, has partnered with educational institutions to provide students with courses, mentors, and apprenticeships in cybersecurity.9
  • Educational Partnerships—for example, JPMorgan Chase has provided funding to support the Florida Center for Cybersecurity based at the University of South Florida, and the Capital One Foundation has provided grants to community colleges seeking to develop cybersecurity career programs.10
  • Public-Private Partnerships—for example, Mastercard helped launch the Cybersecurity Talent Initiative, which provides college graduates with a two-year placement at a federal agency and, upon completion of the placement, a full-time position with Mastercard or other private partners and $75,000 in student loan assistance.11
  • Nonprofit Partnerships—for example, U.S. Bank has invested in youth-focused cybersecurity programs, working with nonprofits like Technovation, Girls Who Code, and the Girl Scouts of Western Ohio to attract interest in cybersecurity careers.12
  • Reskilling Programs—for example, JPMorgan Chase is piloting a program called “skills passport” within the bank’s IT department to assess which employees could be retrained for cybersecurity roles.13
  • Cybersecurity Competitions—for example, Barclays hosted a cybersecurity competition in 2018 to attract talent.14
  • Grants—for example, in 2018, the Monetary Authority of Singapore unveiled a Cybersecurity Capabilities Grant to assist local financial sectors’ cyber resilience, including workforce development.15

Focus of Carnegie Working Group

The existing initiatives are important and much needed to address the workforce shortage, but they raise a series of questions: Which of the existing initiatives are more effective? Which can be scaled more easily? Which have the greater return on investment? Such a comparative analysis does not exist yet. Relatedly, more granular insights are needed. For example, it is unclear how the financial sector’s demand for talent is distributed across entry-level, mid-level, and senior-level positions. Filling entry-level positions is a different challenge than filling mid- and senior-level positions.

Carnegie has therefore created this dedicated working group, consisting of several major financial institutions and other interested parties, to compare and assess different existing workforce initiatives with the goal of ranking their effectiveness and scalability.

Financial institutions have their own firm-specific interest in finding answers to these questions. Moreover, preliminary research suggests that financial institutions consider this to be a sectorwide problem, not only a firm-specific problem, and that they are willing to share data through a win-win rather than a competitive win-lose lens. In addition, investing in the future of the cybersecurity workforce aligns with broader corporate responsibility initiatives and could address the broader public policy problem. Meanwhile, financial regulators have incentives to minimize unintended regulatory consequences and to support the private sector to achieve this objective. More details about the findings of this working group will become available on this website in the coming months.

Endnotes

1 “Strategies for Building and Growing Strong Cybersecurity Teams: (ISC)² Cybersecurity Workforce Study 2019,” (ISC)², 2019, https://www.isc2.org/-/media/ISC2/Research/2019-Cybersecurity-Workforce-Study/ISC2-Cybersecurity-Workforce-Study-2019.ashx.

2 Sabine Lautenschläger, “Towards a More Cyber Secure Financial System: The Role of Central Banks,” (statement delivered at the G7 2019 conference “Cybersecurity: Coordinating Efforts to Protect the Financial Sector in the Global Economy,” Paris, May 10, 2019), https://www.ecb.europa.eu/press/key/date/2019/html/ecb.sp190510_1~5803aca48c.en.html.

3 “Summary Report on Financial Sector Cybersecurity Regulations, Guidance and Supervisory Practices,” Financial Stability Board, October 13, 2017, https://www.fsb.org/wp-content/uploads/P131017-1.pdf.

4 For more information, see https://fsscc.org/Financial-Sector-Cybersecurity-Profile.

5 For more details, see “Timeline of Cyber Incidents Involving Financial Institutions,” Carnegie Endowment for International Peace, https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline.

6 “2020 Cybersecurity Salary Survey Results,” Cynet: Autonomous Breach Protection, 2020, https://go.cynet.com/hubfs/2020-Salary-Survey-Report.pdf.

7 Aspen Cybersecurity Group, “Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce,” Aspen Institute, November 8, 2018, https://www.aspeninstitute.org/publications/principles-for-growing-and-sustaining-the-nations-cybersecurity-workforce/.

8 Ill Schaumburg, “Zurich Insurance Launches Cyber Security Apprenticeship to Address Growing Demand for Cyber Security Professionals,” Zurich American Insurance Company, September 18, 2018, https://www.zurichna.com/about/news/news-releases/2018/zurich-insurance-launches-cyber-security-apprenticeship.

9 “iQ4 Corp. Launches Virtual Apprenticeship Challenge With Global Public, Private and Educational Sector Backing to Create Skilled and Qualified Cyber-Savvy Workforce,” press release, Business Insider, October 8, 2019, https://markets.businessinsider.com/news/stocks/iq4-corp-launches-virtual-apprenticeship-challenge-with-global-public-private-and-educational-sector-backing-to-create-skilled-and-qualified-cyber-savvy-workforce-1028584152.

10 Malena Carollo, “JPMorgan Chase Donates $150,000 to University of South Florida Cybersecurity Center,” Tampa Bay Times, February 25, 2019, https://www.tampabay.com/business/jpmorgan-chase-donates-150000-to-university-of-south-florida-cybersecurity-center-20190225/.

11 “Top Companies Team Up With Federal Agencies and Nonprofit to Launch First-Of-Its-Kind Cyber Talent Initiative to Protect Against Cyberattacks,” Partnership for Public Service (blog), accessed March 9, 2020, https://ourpublicservice.org/publications/cybersecurity-talent-initiative-launch/.

12 Susan Beatty, “U.S. Bank Announces 2018 Cybersecurity Scholarship Recipients,” U.S. Bank, November 13, 2018, https://www.usbank.com/newsroom/stories/us-bank-announces-2018-cybersecurity-scholarship-recipients.html.

13 Lauren Weber, “Why Companies Are Failing at Reskilling,” Wall Street Journal, April 19, 2019, https://www.wsj.com/articles/the-answer-to-your-companys-hiring-problem-might-be-right-under-your-nose-11555689542.

14 “Barclays Partners With Cyber Security Challenge UK to Attract Cyber Talent,” press release, Barclays, July 20, 2018, https://home.barclays/news/press-releases/2018/07/barclays-partners-with-cyber-security-challenge-uk-to-attract-cy/.

15 Eileen Yu, “Singapore Banks Offered $21M in Funds to Boost Cybersecurity Capabilities,” ZDNet, December 3, 2018, https://www.zdnet.com/article/singapore-banks-offered-21m-in-funds-to-boost-cybersecurity-capabilities/.