Winning the Cyber Talent War
Posted by Jim Eckenrode, executive director, Deloitte Center for Financial Services, Deloitte Services LP, on June 26, 2014
I have often said that the most innovative ideas in financial services these days are coming from cyber criminals. The rapidity with which new methods of compromise are devised and implemented, whether by a bored teenager, a disgruntled ex-employee, or someone with larger aims to steal or disrupt, and the creativity exhibited by these elusive individuals "behind the keyboard" are challenging the financial services industry to respond. But how?
With that in mind, I eagerly took my seat yesterday to listen in on an event co-hosted by Deloitte and BITS, the technology policy division of the Financial Services Roundtable, entitled "Cybersecurity in financial services: Creating a resilient environment for a stronger tomorrow." Representatives from financial institutions, law enforcement, government agencies and law firms discussed the need for improved cybersecurity programs, improved communication and collaboration between public and private sectors, and the need to shift the discussion from a compliance-oriented, "check the box" exercise to a business-led strategic imperative.
Panelists repeatedly mentioned the challenges presented by both the rapid pace of development in technology offerings and the acceleration in the evolution of threat actors and methods. Also highlighted was the notion that cyber risks are not monolithic. For example, different lines of business are targeted by different threat actors, and not all data is sensitive for the same amount of time: some for only seconds, other data for minutes or days, and some data permanently. Finally, information sharing between financial services firms, and with law enforcement, was mentioned as a critical factor in combatting the threats.
What I found most interesting, though, was a subject that isn't necessarily top of mind when one thinks about cybersecurity: talent. This notion reflects a growing perception that the best way to counter the innovation coming from threat actors seeking to exploit technology vulnerabilities is to fight fire with fire.
Over and over again, speakers mentioned talent as an important factor in the war against cyber attacks. One example: we polled the audience to understand their views on investment priorities for cyber risk management over the next 12-18 months. While application security was the number one response, with 39 percent of the audience citing this as the major priority, talent was second on the list at 29 percent.
Panelists agreed: one mentioned the challenges in finding and retaining talent, with a particular emphasis on the issues around location. Most agreed that they were most interested in finding the right talent, regardless of where they lived. And some referenced the fact that they are continually interviewing candidates, even if they don't have openings, just to maintain a pipeline and to keep an eye on continuous improvement.
What kind of talent are they looking for? Although data scientists and other techy-types were mentioned, it seemed that ideal candidates have a strong fusion of technology and business skills. The need for people who understand technology, as well as what they're protecting, was emphasized. In other words, the next generation of cyber experts must have the ability to speak the language of business. Firms are also looking for individuals who can build trust across their organizations; assemble a business case for cyber risk management investments; and hire, develop, and retain cyber risk management talent.
Talent is not just an issue for financial institutions. As law enforcement continues to evolve from cyber crime investigation and prosecution to crime prevention, the need for different kinds of talent naturally follows in its wake. Boards of directors, too, are an area that was mentioned as having a talent gap. Even regulators are expecting FSI boards to have individuals that understand the nature of cyber risk and can ask the right questions.
As one panelist put it, "the best analytical engine is the human brain." Talent was viewed by this individual as the scarcest resource in the war against cyber crime. It should be said, however, that the need to move at machine speed was also discussed during the day. One comment was that notification of an impending attack from law enforcement to the CISO of a financial institution can't happen via telephone; it must happen in an automated fashion. Similarly, although the brain is a wonderful analytical tool, it cannot handle the volume of information associated with effective cyber risk management on its own. And so data visualization and other information and data management tools were mentioned as important components in an effective cyber risk architecture.
Ultimately, though, the message that fighting cyber crime is not exclusively a technology problem but a first-class business risk was loud and clear. In the final analysis, panelists believed that effective management of cyber attacks is comprised of technology, process, and people.
What do you think? Should talent be at the center of an effective cybersecurity program? Or is the technology — and the threats — evolving so rapidly that humans cannot hope to keep up?