Cybersecurity’s in a pressure cooker

Not to sound too flippant, but one can say this about cyber criminals today: Unfortunately, they are creating a burgeoning job market for legitimate cybersecurity professionals.

The astronomical cost of their misdeeds has succeeded in gaining the attention of top industry leaders and influencers, including the Federal Reserve and corporate boards of directors, not to mention C-level executives across the corporate spectrum. These are either starting to advocate, or have already committed to, even further investment in the newest cyber defenses—as well as the people who know how to apply them.

At the same time, college students and graduates today see all this and are waking up to how they personally can make the biggest difference in fighting and mitigating cyber threats.

In short, top-down pressures and bottom-up pressures are cooking up a white-hot environment for cybersecurity.

Putting some numbers on threat

First, some absolutely hair-raising statistics, just to set the stage.

Research by Juniper Research predicts that global business spend on cybersecurity solutions will grow by 33% over the next four years, reaching $134 billion annually by 2022. Significantly, by 2022, nearly 70% of that amount will originate from medium-sized businesses—which the criminals would deem as easy targets or, as Juniper says, “low-hanging fruit.”

As big as that number sounds, the research company adds: The cumulative cost of data breaches between 2017 and 2022 will reach $8 trillion.

If that number sounds way out of bounds, it probably isn’t.

LexisNexis Risk Solutions estimates that for every dollar of fraud actually stolen by cybercriminals, financial services companies incur $2.67 in costs, which includes chargebacks, fees, interest, and labor.

Mid-to-large digital financial services companies, which earn at least $10 million in annual revenues, half of which is through online and/or mobile channels, pay $3.04 for every dollar of fraud.

“As digital channels become more prevalent, particularly with consumer demand for mobile banking, fraud is a significant drain on financial services companies’ revenues—more than just the value of the fraud itself,” says Paul Bjerke, vice-president at LexisNexis Risk Solutions.

One other indication of how cybercrime is amping up—FICO says 10% more debit cards were compromised at U.S. ATMs and merchant card readers in 2017, compared to the year before. “While most devices are safe, fraudsters are developing new technology and methods for hacking ATMs,” says T.J. Horan, vice-president, FICO.

Boards of all sizes focus on cyber

Once relegated to the IT arena, this state of affairs has become a consistent board agenda item. Witness a recent address by Randal Quarles, Federal Reserve vice-chairman for supervision, to the Financial Services Roundtable.

He makes the point that cybersecurity “continues to be a high priority for the Federal Reserve.”

“While we know that successful cyber-attacks are often connect to poor basic information technology hygiene,” he continues, “and firms must continue to devote resources to these basics, we also know that attackers always work to be a step ahead, and we need to prepare for cyber events.”

In particular, Quarles says, public and private entities should boost their sharing of threat intelligence, particularly through agencies such as the Financial Services Information Sharing and Analysis Center.

Looking more in-house, a particularly informative white paper by Protiviti, in conjunction with the North Carolina State University’s ERM Initiative, summarizes things this way: “Companies today fall into two groups—those that have been breached and know it, and those that have been breached but don’t know it.”

Its recent survey of 700-plus directors and C-level executives ranked cyber risk as a top-three risk overall, with a “significant impact” on risk for financial services businesses, among others. The directors and CEOs who responded to the poll ranked cyber as the second-highest risk.

This white paper summarizes views of 18 active directors during a round-table discussion at a National Association of Corporate Directors event. More on that in a bit.

Cyber’s human element

Talking about C-level execs, Robert Half Technology polled 2,600 U.S. CIOs and found significant efforts to invest in cybersecurity. Among the results: 66% use multifactor authentication processes such as tokens and biometrics, up 25 percentage points from 2015; 63% are enhancing employee training on IT security best practices; and 58% claim they are vetting firms that have access to their data more closely.

One telling observation: “Having a strong IT security team in place can provide an even greater defense against attacks, but these professionals can be hard to find in today’s job market,” says Jeff Weber, executive director of Robert Half Technology.

Here precisely is where the job market boom emerges. A non-profit organization called (ISC)² sponsored a blind online survey of 250 cybersecurity professionals in the U.S. and Canada. The primary result: Only 15% say they have no plans to switch jobs this year, while 14% plan to look for a new job and 70% are open to new opportunities.

Perhaps a more telling survey result is this: When asked what’s most important for cybersecurity professionals’ personal fulfillment, salary (49%) is not the top priority. Instead:

• 68% want to work where their opinions are taken seriously.

• 62% want to work where they can protect people and their data.

• 62% want to work for a company with clearly defined ownership of cybersecurity responsibilities.

• 59% want an employer that views cybersecurity more broadly than just technology.

• 59% want to work for an employer that adheres to a strong code of ethics.

“It is more critical than ever for organizations to ensure their recruitment and employment retention strategies are aligned with what cybersecurity professionals want most from an employer,” says Wesley Simpson, chief operations officer of (ISC)².

Training cyber-crimefighters

Perhaps one harbinger of hope lays in the increasing interest of students for cybersecurity careers. An example of this may be seen in the fact that teams of students from 15 universities recently competed in a cyber challenge staged by Deloitte Risk and Financial Advisory Cyber Risk Services. They were rated on their analysis and incident response approach. This was the fourth such annual challenge. (Virginia Tech won.)

To put it in perspective, says Anthony Russo, principal at Deloitte & Touch LLP, “Despite efforts from many organizations, closing the cyber skills gap continues to be a forefront challenge, with an anticipated 3.5 million unfilled positions by 2021.” Russo was citing independent research by Cybersecurity Ventures.

Once again, here is another hair-raising number, and one that undoubtedly should attract attention at the highest levels of corporate governance. 

What boards want to know

Going back to that Protiviti white paper, the roundtable of directors, among many other insights, listed these key areas any board should be informed of by management:

• The number of system vulnerabilities.

• The length of time required to implement patches.

• The length of time to detect a breach.

• The length of time to respond to a breach.

• The length of time to remediate audit findings.

• Percent of breaches perpetrated through third parties.

• The number of security protocol violations.

Between such top-down scrutiny and bottom-up career potential it seems possible that some headway may be made in the always-escalating war against cyber attacks.