Cybersecurity talent shortage in banking expected to grow

With the shortage of professionals available to fill high-paying cybersecurity jobs in the U.S., and compensation for the same positions higher in tech than in finance, banks face an uphill battle fulfilling their cybersecurity needs. Experts disagree about how firms ought to address the shortage.

According to Cyberseek, an initiative of the U.S. National Initiative for Cybersecurity Education and private partners, the U.S. has only enough cybersecurity workers to fill 68% of the jobs that employers are looking to fill. In finance and insurance, the total number of cybersecurity job openings is 168,000 while the total employed workforce in those industries is 234,000. Across industries, the total employed workforce of cyber professionals exceeds 1,000,000.

With cybersecurity job openings set to grow at one of the fastest paces across the economy over the next 10 years, and tech firms having a firm leg up on hiring initiatives, the years-old talent gap could prove to be a liability for banks also facing a rise in cybercrime.

Annual wages for information security analysts — one of the most common titles in cybersecurity — are on average $24,000 greater in the tech industry compared to finance and insurance, according to the Bureau of Labor Statistics. The figures come from May 2021, when the median annual wage for an information security analyst was $102,600.

That wage is higher than computer occupations at large, which the bureau said typically pay $97,430 annually. Salaries may also be set to rise as job openings grow, as the numbers of cybersecurity workers in the U.S. and globally have not kept pace with demand.

Between 2020 and 2030, the BLS anticipates that employment will grow 8% across all occupations and 13% in computer occupations specifically. Information security analysts, by comparison, are set to see a 33% increase in employment during the same period.

Banks' struggle to hire cybersecurity talent has been a years-long slog. They have looked to military veterans, partnered with educational institutions and used "reskilling" and "upskilling" to close the gap. Tech firms have also engaged these strategies since at least 2018. Yet the gap in banking and across sectors remains stark by most estimates.

Mark Nicholson, a financial services industry leader for Deloitte's cyber practice, said banks were among the earliest organizations to be aware of the cyber talent gap. The sheen of financial district offices has faded as cyber workers demand more flexible work arrangements. This gives banks, many of which do offer remote options, little advantage over other industries offering the same.

"Twenty years ago, banks were able to attract top talent coming out of universities, as those new professionals wanted to work on Wall Street," Nicholson said. "Today, that may be less the case as workplace and corporate cultural trends swing continued toward remote or hybrid work and increased work hour flexibility — both of which we know cyber professionals appreciate."

According to a survey conducted by American Banker's parent company, Arizent, bank executives express greater interest in training existing employees on cybersecurity than hiring that talent from outside.

When asked what their top operational concerns related to cybersecurity policies and practices are, 55% of the 98 survey respondents in banking selected cybersecurity training for existing staff as a priority while 42% said hiring cybersecurity talent was a priority. The gap was larger for insurance and wealth management firms, which also expressed greater interest in training over hiring.

The dearth of cybersecurity talent in banking is also one of six priorities for protecting financial systems against cyber threats, according to a report from the Carnegie Endowment for International Peace. The problem leaves emerging economies particularly exposed, according to Paul Makin, a consultant for the consulting firm Digital Financial.

"I've met a number of excellent cybersecurity people in banks in East Africa, but once their profile rises, they're poached by banks or fintechs in Europe and North America," Makin told the authors of the Carnegie Endowment's report. "This brain drain leaves Africa exposed. Creating a much broader pool is clearly the answer, but that's going to take a long time."

To bolster the number of cybersecurity workers the U.S. can source domestically, higher education may need more degree paths that lead into cybersecurity, according to Chris Reffkin, chief information security officer at the IT firm HelpSystems.

The typical level of education required for entry-level cybersecurity jobs is a bachelor's degree, according to the BLS. But that typically means a degree in computer science — another area where demand from employers exceeds the pool of qualified workers.

"We need to start being creative about recruiting specialists from a more diverse set of disciplines into security and growing our own talent pipelines," Reffkin said. Part of that will require promoting the benefits of a career in cybersecurity.

In the shorter term, banks must decide whether to hire their own cybersecurity talent or contract with companies that offer those services for them. Bryan Hornung, CEO of the cybersecurity firm Xact IT Solutions, said managed service security providers (MSSPs) are some of the best equipped to help banks with their cybersecurity challenges.

"Cybersecurity talent at MSSPs works with people like them [other tech professionals], creating a better work environment," Hornung said. "MSSPs can offer a better and longer career path for cybersecurity talent versus internal IT departments, where talent usually needs to go elsewhere to advance their career." These factors, he said, keep cybersecurity talent longer at MSSPs than a typical bank IT department would.

Others say firms need to have their cybersecurity talent in-house, and that talent should also come from within. The labor market data company Emsi argued as much in a 2020 report, which said the solution to the gap in cybersecurity talent would be to reskill existing employees rather than recruit outside talent that is already extremely hard to get.

Whether hiring from within or going to the market for cyber talent, Kane Carpenter, practice lead at the employer branding consulting firm Daggerfinn, said the talents needed are both hard to teach and hard to find.

"The best cybersecurity professionals think like hackers, because how can you defend something that you've never really thought about?" Carpenter said. "This mentality is hard to find, which makes hiring in cybersecurity challenging, too."