Cyber-Attacks: What Risk Does The Cyber-Security Skills Gap Pose?

“In December 2016 and January 2017, SAI Global, in association with Risk.net, conducted a global poll of financial services companies, about current trends in risk management and governance. 32% cited cyber security as the biggest challenge for operational risk in their organisation for the next 12 months. The survey results suggest that many firms are looking to enhance their software and systems during 2017 as they attempt to better face up to the rising tide of risk.”

With cyber-security being a growing concern, one problem dogs those within the financial services industry who want to counter the attacks: a shortage of skilled cyber-security personnel. The Independent newspaper goes as far as to suggest that the “UK faces dramatic cyber-security skills ‘cliff edge’ and is chronically under prepared for hacker attacks, study finds.”


Josie Cox, Business Editor for The Independent, cites a global survey by (ISC)² of 20,000 security professionals in the article of 13th February 2017. The study was carried out across banks, governments and multi-nationals. The study also finds that companies are “chronically underprepared for attacks”, and that the UK’s workforce is growing older. It claims that this is “exacerbating an already gaping cyber-security skills rift” with only 12 percent of the workforce being under the age of 35, and 53 percent of the workforce over the age of 45. To complicate matters, only 6 percent of UK companies are recruiting graduates, in spite of the fact that they are much needed to fill the skills gap.

David Trossell, CEO and CTO of data acceleration company Bridgeworks, says he’s not surprised by the situation: “It’s not just occurring in the cyber-security world; it’s happening across all sectors in IT at the moment.” He adds that cyber-security is a one-against-many scenario. “It only takes one hacker to attack thousands of organisations, and each of them needs a full-time team of cyber-security experts to protect themselves”, he says. He claims that “anonymous money” via Bitcoin has created many opportunities and bigger rewards – “especially as we are seeing websites that are providing ready-made packages for hackers, creating Crime-as-a-Service.”

Widening threat

Lars Lunde Birkeland, Marketing Director of Promon, says the use of technology is ever more pervasive in financial services companies today. With Bring Your Own Device (BYOD) in mind, he rightly says that some of the devices and software used are not sanctioned by IT. He explains that the range of internet-connected devices – including mobile phones and tablet PCs – broadens the “threat surface for would-be attackers to carry out their activities, and at a time when they are demonstrating ever-increasing sophistication in terms of their skills.”

To beat them, all organisations – not just those operating in financial services – must recruit new cyber-security talent to stay several steps ahead of the hackers. Birkeland agrees with SAI Global’s view that “not enough is being done to get the right staff on board to bring this proactive approach to fruition.” He adds, citing the recent Wonga attack, that the regularity of “successful breaches also demonstrates that preparedness is not where it should be.”

Right people

In other words, it is essential for financial services organisations – and others – to have the right people within their organisations to address these issues. These people will need a range of skills, and some of them will need to ensure that their IT is forearmed because of the heightened need for regulatory compliance in the financial services sector. Part of this involves ensuring that sensitive and personal data is held securely and in a way that will prevent it from being used and even abused by unauthorised people within or outside of each organisation.

Birkeland adds that they also need technical employees who can understand the workings of malware and security systems. The C-Suite needs to be involved too, promoting cyber-security while also incorporating it into the overall corporate strategies of their organisation. “Without this approach, there is an increased likelihood that more data breaches will be successful”, he warns. This should include the hiring of highly skilled Millennials – encouraging them to embark on a cyber-security career by making it both rewarding and attractive to them.

Take responsibility

“As a nation, we want pre-skilled engineers as very few companies want to undertake the responsibility of growing or upskilling their own engineers or graduates – leaving the task to someone else”, says Trossell. This approach has led to skills shortages across many of the engineering sectors. With many engineers expected to retire within the next 10 years, this way of thinking has to change, and this includes the adoption of new cyber-security and IT recruitment practices in the financial services sector. The cloud is making the need to fill the cyber-security skills gap ever more crucial as it has increasingly been the focus of many recent hacking attacks.

Birkeland concludes that the change in thinking won’t happen overnight. The first step in his view requires financial services organisations to update their cyber-security systems, and this involves auditing their existing cyber-security software to enable them to “implement solutions that are optimised to cope with the latest threats.” This will allow the C-Suite time to incorporate cyber-security into the wider structure and culture of the organisation. With this change of culture should come new and younger cyber-security professionals to protect their financial services companies.

Webinar recording: Cybersecurity and the New Definition of ‘Adequate’

The threat landscape for financial institutions has changed considerably since the DDoS attacks of 2012. Watch this webinar with Rich Bolstridge, Chief Strategist, Financial Services, at Akamai Technologies for an overview of how the definition of “adequate cybersecurity” has shifted.