While corporates are starting to put ever-greater emphasis on the recruitment of specialists, the first step is identifying exactly which specific skills are needed to reduce the risk of cyber-attacks. One answer could be to look for siloed skills instead of broad, CISO-type domain experts.
The workforce skills shortage is a well-known hindrance for companies looking to improve their security posture—an organization can have all the platforms and solutions in place that it likes, but skilled cybersecurity staff is still a linchpin for success. Global talent mapping and pipelining company Armstrong Craven has carried out a series of projects in the financial services sector, one of the more high-risk industries, to determine if there are tactics that can help companies overcome the lack of skilled all-stars available for hire.
Interestingly, it found that the Association of British Insurers may have hit on a piece of the solution with its call for a central database of cyber-incidents.
The ABI says there is a need for a national, anonymized database recording details of cyber incidents at companies to be established if the UK is to become a world leader in cyber-insurance.
But Armstrong Craven believes the database can be of benefit in other ways too, and could play a role in ensuring the best talent was deployed in the businesses facing the gravest danger.
“One of the biggest challenges facing a business is knowing what skills they require within their organization,” said Brunella Flackett, client partner for financial services and private equity with Armstrong Craven. “The database would allow us to identify which businesses and sectors are most susceptible and then match them with the right structures and skill sets.”
The company recently carried out a succession planning mapping assignment for the role of chief information security officer in a major financial services organization; the role was extremely broad and cyber was one of several skill sets required. The better route, according to Flackett, lies in creating designated roles for more specific cyber-specialists.
“The talent that financial services firms need to attract is very different to the kind of talent they are used to recruiting,” said Flackett. “Candidates are coming from a digital world, often from another sector. Some corporates are going as far as creating dedicated work areas for their digital talent, far removed from the traditional financial services, suit-and-tie environment.”
Armstrong Craven also recently completed an insight project for an insurance client who wanted to understand the optimal organizational structure for a number of different areas, including digital. It wanted to know what best practices looked like in other sectors as well as its own, including how others are addressing the cyber-issue—using this information to drill down into areas of specialized need.
By removing the need to fill positions with those with omnibus skill sets, companies may have an easier time recruiting the talents they need to optimize their cybersecurity posture.
“Because the cyber risk is a fast emerging area, the talent is scarce and therefore in high demand,” said Flackett. “Organizations are moving fast to map and pipeline the best talent in this very specialist field to ensure they have the best possible strategy in place in the event of attack.”
Photo © Marcin Wos